Privacy Policy
The Short Version
- You own your data. Your CLAUDE.md, memory, session logs, and customizations belong to you.
- We do not see your AI conversations. Your Claude interactions go directly to Anthropic via your own API key. We never see, store, or process that content.
- We do not sell your data. Not now. Not ever. Not to anyone.
- We collect the minimum necessary to run the service — account info, billing, and basic usage telemetry.
- You can export or delete your data at any time.
1. Who We Are
Refracted Cortex ("RC", "the Service") is operated by Digitally Demented Ventures LLC ("DDV", "we", "us", "our"), based in Alabama, United States.
- Website: https://refractedcortex.ai
- Contact: support@refractedcortex.ai
- Entity: Digitally Demented Ventures LLC
This Privacy Policy explains what data we collect, how we use it, where it is stored, and what rights you have.
2. The BYOK Model — Why It Matters for Privacy
RC operates on a Bring Your Own Key (BYOK) model. This has significant privacy implications:
What goes through RC (we can see it):
- Account information (name, email, role, industry)
- Billing and subscription data
- Onboarding responses (used to build your CLAUDE.md profile)
- Usage telemetry (feature usage, session counts, not conversation content)
What does NOT go through RC (we cannot see it):
- Your AI conversations with Claude
- The content of your prompts and Claude's responses
- Any data you send to Anthropic through your API key
Your AI conversations travel directly between your browser (or desktop client) and Anthropic's servers using your API key. RC provides the architecture that structures those conversations (memory, context, agent instructions), but the actual AI interaction is between you and Anthropic. We are not a middleman for your AI usage.
3. What Data We Collect
3a. Account Information
When you create an account, we collect:
- Name — to personalize your experience and CLAUDE.md profile
- Email address — for account access, billing communications, and support
- Password (hashed — we never store plaintext passwords)
- Role and industry — used during onboarding to configure your architecture
- Working style preferences — used to build your CLAUDE.md profile
3b. Billing Information
When you subscribe, we collect payment information through Stripe (our payment processor). We do not store your full credit card number. Stripe handles all payment processing and PCI compliance. We receive:
- Last four digits of your card
- Card expiration date
- Billing address (for tax purposes)
- Transaction history
3c. Architecture Files
Your architecture consists of files you create and maintain within RC:
- CLAUDE.md — your cognitive profile
- Memory files — persistent knowledge your system accumulates
- Session logs — records of your sessions (metadata, not conversation transcripts)
- Handoff documents — context transferred between agents
- Agent configurations — your customizations to agent behavior
These files are stored in your personal container (Fly.io) and backed up to your GitHub repository. We have infrastructure-level access to these files for the purpose of delivering the service (e.g., deploying your container, troubleshooting issues), but we do not read, analyze, or use your architecture content for any purpose other than delivering and maintaining the service.
3d. Usage Telemetry
We collect anonymized usage data to improve the product:
- Feature usage (which skills and workflows are used, how often)
- Session frequency and duration
- Tier and subscription status
- Error logs and performance metrics
- Onboarding completion rates
We do NOT collect:
- The content of your AI conversations
- The text of your CLAUDE.md or memory files
- The content of your prompts or Claude's responses
- Keystrokes, screenshots, or screen recordings
You may opt out of non-essential telemetry. See Section 9.
3e. Communication Data
When you contact support or we send you service communications:
- Email correspondence with support@refractedcortex.ai
- Transactional emails (billing confirmations, service alerts)
4. How We Use Your Data
We use the data we collect for these purposes and no others:
- Delivering the service — setting up your container, deploying your architecture, maintaining your subscription
- Billing — processing payments, managing subscriptions, issuing receipts
- Support — responding to your questions and troubleshooting issues
- Product improvement — using anonymized, aggregated telemetry to improve RC's features and performance
- Service communications — sending transactional emails (billing, security alerts, service changes)
- Legal compliance — maintaining records as required by law
We do NOT use your data for:
- Advertising or ad targeting
- Selling to third parties
- Training AI models
- Profiling or behavioral targeting
- Any purpose unrelated to delivering and improving RC
5. Where Your Data Is Stored
| Data Type | Provider | Location | Purpose |
|---|---|---|---|
| Account + auth | Supabase | US (AWS) | Authentication, subscription management, onboarding |
| Billing | Stripe | US | Payment processing, invoicing |
| Your container | Fly.io | User-selected region | Architecture files, memory, session data |
| Backup | GitHub | US | Version-controlled backup of your architecture |
| Transactional email | Resend | US | Billing confirmations, service alerts |
| AI conversations | Anthropic | Per Anthropic's policy | NOT stored by RC — direct BYOK connection |
Your Fly.io container region is selected during onboarding. Available regions are subject to Fly.io's infrastructure availability.
6. Third-Party Processors
We use the following third-party services to deliver RC. Each processes data only as necessary for their specific function:
Stripe (Payment Processing)
- Data shared: Payment method, billing address, transaction amounts
- Purpose: Subscription billing and payment processing
Supabase (Authentication and Database)
- Data shared: Email, hashed password, account metadata, subscription status
- Purpose: User authentication, account management, onboarding data
Fly.io (Container Hosting)
- Data shared: Your architecture files are stored in your Fly.io container
- Purpose: Hosting your personal, isolated RC environment
GitHub (Backup)
- Data shared: Your architecture files are pushed to your connected GitHub repository
- Purpose: Version-controlled backup. Uses YOUR GitHub account — we do not have a separate copy.
Resend (Transactional Email)
- Data shared: Email address, email content for transactional messages
- Purpose: Sending billing confirmations, service alerts, and support communications
Anthropic (AI Provider — BYOK)
- Data shared by RC: None. Your API key connects you directly to Anthropic.
- Data shared by YOU: Your prompts, conversation content, and any data you include in your messages to Claude
- Purpose: AI language model powering your cognitive architecture
Important: RC does not control, see, or intermediate your Anthropic usage. Your data relationship with Anthropic is governed by their terms, not ours.
We do not share data with any parties beyond those listed above unless required by law.
7. Your Rights
You have the following rights regarding your data:
Access
You can access your architecture files at any time through your RC session or GitHub backup. For account data, contact support@refractedcortex.ai.
Export
You can export your complete architecture at any time by:
- Cloning your GitHub backup repository (contains your full architecture)
- Downloading files directly from your container during a session
- Requesting a complete data export from support@refractedcortex.ai
Correction
You can update your account information at any time through your RC settings. For corrections to billing data, contact support@refractedcortex.ai.
Deletion
You can request deletion of your data at any time:
- Architecture files: Deleted when your container is removed (90 days after cancellation, or immediately upon request).
- Account data: Deleted upon request, subject to legal retention requirements (billing records may be retained for tax/accounting purposes).
- GitHub backup: Remains on your GitHub account — you control it. We do not delete your GitHub repositories.
- Usage telemetry: Anonymized data cannot be traced back to you and is retained in aggregate.
To exercise any of these rights, email support@refractedcortex.ai. We will respond within 30 days.
Portability
Your architecture is designed to be portable. Your CLAUDE.md, memory files, and configurations are standard text files (Markdown). They are not locked into a proprietary format. If you leave RC, your architecture remains usable.
8. Data Security
We implement the following security measures:
- Encryption in transit: All data transmitted between your browser and RC services uses TLS 1.2+.
- Encryption at rest: Data stored in Supabase and Fly.io is encrypted at rest per their infrastructure standards.
- Container isolation: Each user's Fly.io container is isolated. Users cannot access each other's containers.
- Authentication: Password-based authentication with hashed password storage (bcrypt). No OAuth/social login.
- API key security: Your Anthropic API key is stored encrypted and is only used to authenticate your sessions with Anthropic. It is never logged, displayed after entry, or shared.
- Access controls: DDV team access to infrastructure is limited to the service operator (Daniel Walters) and is used only for service delivery and maintenance.
- Security headers: Standard security headers (HSTS, CSP, X-Frame-Options) are implemented on refractedcortex.ai.
What we do not currently have:
- SOC 2 certification
- HIPAA compliance
- ISO 27001 certification
- Independent security audit (planned)
9. Cookies and Tracking
RC uses minimal cookies:
Essential Cookies (Cannot Be Disabled)
- Authentication cookie — maintains your logged-in session
- CSRF token — prevents cross-site request forgery
Analytics (Can Be Disabled)
- Usage telemetry — anonymized feature usage, session counts, and performance metrics
- No third-party advertising cookies
- No tracking pixels
- No social media tracking
To opt out of non-essential telemetry, contact support@refractedcortex.ai or adjust your settings in your RC account.
10. Children's Privacy
RC is not intended for use by anyone under the age of 18. We do not knowingly collect data from minors. If we learn that we have collected data from a minor, we will delete it promptly. Contact support@refractedcortex.ai if you believe a minor has created an account.
11. International Users
RC is operated from the United States. If you access RC from outside the US:
- Your account and billing data is processed in the US (Supabase, Stripe).
- Your container may be hosted in a non-US region if you select one during onboarding (via Fly.io).
- By using RC, you consent to the transfer of your account data to the US.
12. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | Duration of subscription + as required by law |
| Billing records | 7 years (tax/accounting requirements) |
| Architecture files (container) | Duration of subscription + 90 days post-cancellation |
| GitHub backup | Indefinite (on your GitHub account — you control it) |
| Usage telemetry | Retained in anonymized, aggregated form indefinitely |
| Support correspondence | 3 years after last contact |
After the retention period, data is permanently deleted unless legal obligations require otherwise.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we do:
- We will post the updated policy on refractedcortex.ai.
- We will update the "Last updated" date at the top.
- For material changes, we will notify you by email at least 30 days before they take effect.
- Your continued use of RC after the effective date constitutes acceptance.
14. Contact
For questions or concerns about this Privacy Policy or your data:
- Email: support@refractedcortex.ai
- Entity: Digitally Demented Ventures LLC
- Website: https://refractedcortex.ai
We aim to respond to all privacy-related inquiries within 30 days.
Also see: Terms of Service