Privacy Policy
The Short Version
- You own your data. Your CLAUDE.md, memory, session logs, and customizations belong to you.
- Our architecture does not store your AI conversations. RC's API proxy routes your requests to AI providers through OpenRouter but does not persist conversation content. Only usage metadata (token counts, costs, model selection) is captured for billing and metering.
- We do not sell your data. Not now. Not ever. Not to anyone.
- We collect the minimum necessary to run the service — account info, billing, and basic usage telemetry.
- You can export or delete your data at any time.
1. Who We Are
Refracted Cortex ("RC", "the Service") is operated by Digitally Demented Ventures LLC ("DDV", "we", "us", "our"), based in Alabama, United States.
- Website: https://refractedcortex.ai
- Contact: support@refractedcortex.ai
- Entity: Digitally Demented Ventures LLC
This Privacy Policy explains what data we collect, how we use it, where it is stored, and what rights you have.
2. AI Data Flow — How Your Conversations Are Handled
RC includes AI access as part of your subscription. AI requests are routed through RC's API proxy to multiple AI providers via OpenRouter. This section explains what data flows where.
How AI requests flow:
- You interact with your private container (hosted on Fly.io).
- Your container sends API requests through RC's proxy server.
- The proxy forwards requests to OpenRouter, which routes them to your selected AI provider (Anthropic, OpenAI, or Google).
- The AI provider processes your request and streams the response back through the proxy to your container.
- Conversation content (your prompts and AI responses) is stored only in your container volume. It is not persisted on RC's central servers.
What RC's proxy captures (metadata only):
- Token counts (input and output)
- Cost per request (in USD)
- Model used and request duration
- A partial client identifier for routing (not your full user ID)
What RC's proxy does NOT capture or store:
- The content of your prompts
- The content of AI responses
- Any data included in your messages to AI providers
RC provides the architecture that structures your AI interactions (memory, context, agent instructions) and handles API routing and usage metering. Conversation content passes through the proxy in transit but is not logged, stored, or analyzed by RC. Your conversations persist only in your personal container.
3. What Data We Collect
3a. Account Information
When you create an account, we collect:
- Name — to personalize your experience and CLAUDE.md profile
- Email address — for account access, billing communications, and support
- Password (hashed — we never store plaintext passwords)
- Role and industry — used during onboarding to configure your architecture
- Working style preferences — used to build your CLAUDE.md profile
3b. Billing Information
When you subscribe, we collect payment information through Stripe (our payment processor). We do not store your full credit card number. Stripe handles all payment processing and PCI compliance. We receive:
- Last four digits of your card
- Card expiration date
- Billing address (for tax purposes)
- Transaction history
3c. Architecture Files
Your architecture consists of files you create and maintain within RC:
- CLAUDE.md — your cognitive profile
- Memory files — persistent knowledge your system accumulates
- Session logs — records of your sessions (metadata, not conversation transcripts)
- Handoff documents — context transferred between agents
- Agent configurations — your customizations to agent behavior
These files are stored in your personal container (Fly.io) and backed up to your GitHub repository. We have infrastructure-level access to these files for the purpose of delivering the service (e.g., deploying your container, troubleshooting issues), but we do not read, analyze, or use your architecture content for any purpose other than delivering and maintaining the service.
3d. Usage Telemetry and AI Metering
We collect usage data to improve the product and meter AI usage:
- Feature usage (which skills and workflows are used, how often)
- Session frequency and duration
- Tier and subscription status
- Error logs and performance metrics
- Onboarding completion rates
- AI usage metadata: input token count, output token count, cost per request (USD), model selected, and request duration
We do NOT collect or store:
- The content of your AI conversations (prompts or responses)
- The text of your CLAUDE.md or memory files
- Keystrokes, screenshots, or screen recordings
You may opt out of non-essential telemetry. See Section 9.
3e. Communication Data
When you contact support or we send you service communications:
- Email correspondence with support@refractedcortex.ai
- Transactional emails (billing confirmations, service alerts)
4. How We Use Your Data
We use the data we collect for these purposes and no others:
- Delivering the service — setting up your container, deploying your architecture, maintaining your subscription
- Billing — processing payments, managing subscriptions, issuing receipts
- Support — responding to your questions and troubleshooting issues
- Product improvement — using anonymized, aggregated telemetry to improve RC's features and performance
- Service communications — sending transactional emails (billing, security alerts, service changes)
- Legal compliance — maintaining records as required by law
We do NOT use your data for:
- Advertising or ad targeting
- Selling to third parties
- Training AI models
- Profiling or behavioral targeting
- Any purpose unrelated to delivering and improving RC
5. Where Your Data Is Stored
| Data Type | Provider | Location | Purpose |
|---|---|---|---|
| Account + auth | Supabase | US (AWS) | Authentication, subscription management, onboarding |
| Billing | Stripe | US | Payment processing, invoicing |
| Your container | Fly.io | User-selected region | Architecture files, memory, session data |
| Backup | GitHub | US | Version-controlled backup of your architecture |
| Transactional email | Resend | US | Billing confirmations, service alerts |
| AI conversations | Your Fly.io container (content); OpenRouter + AI providers (processing) | User-selected region (container); per provider policies (processing) | Content stored only in your container. Routed through RC proxy and OpenRouter for processing — not persisted by RC. |
| AI usage metadata | Supabase | US (AWS) | Token counts, cost, model, duration — for billing and usage metering |
Your Fly.io container region is selected during onboarding. Available regions are subject to Fly.io's infrastructure availability.
6. Third-Party Processors
We use the following third-party services to deliver RC. Each processes data only as necessary for their specific function:
Stripe (Payment Processing)
- Data shared: Payment method, billing address, transaction amounts
- Purpose: Subscription billing and payment processing
Supabase (Authentication and Database)
- Data shared: Email, hashed password, account metadata, subscription status
- Purpose: User authentication, account management, onboarding data
Fly.io (Container Hosting)
- Data shared: Your architecture files are stored in your Fly.io container
- Purpose: Hosting your personal, isolated RC environment
GitHub (Backup)
- Data shared: Your architecture files are pushed to your connected GitHub repository
- Purpose: Version-controlled backup. Uses YOUR GitHub account — we do not have a separate copy.
Resend (Transactional Email)
- Data shared: Email address, email content for transactional messages
- Purpose: Sending billing confirmations, service alerts, and support communications
OpenRouter (AI API Routing)
- Data shared: Your prompts and AI responses pass through OpenRouter in transit for routing to AI providers. OpenRouter does not train on user data by default.
- Purpose: API routing and provider selection for AI model access
AI Providers (Anthropic, OpenAI, Google)
- Data shared: Your prompts and conversation content are sent to your selected AI provider for processing via OpenRouter. RC uses its own API credentials — you do not need your own API key.
- Purpose: AI language model processing powering your cognitive architecture
Important: Your conversation content passes through RC's proxy and OpenRouter in transit but is not stored by either. Each AI provider's handling of your data during processing is governed by their respective privacy policies.
We do not share data with any parties beyond those listed above unless required by law.
7. Your Rights
You have the following rights regarding your data:
Access
You can access your architecture files at any time through your RC session or GitHub backup. For account data, contact support@refractedcortex.ai.
Export
You can export your complete architecture at any time by:
- Cloning your GitHub backup repository (contains your full architecture)
- Downloading files directly from your container during a session
- Requesting a complete data export from support@refractedcortex.ai
Correction
You can update your account information at any time through your RC settings. For corrections to billing data, contact support@refractedcortex.ai.
Deletion
You can request deletion of your data at any time:
- Architecture files: Deleted when your container is removed (90 days after cancellation, or immediately upon request).
- Account data: Deleted upon request, subject to legal retention requirements (billing records may be retained for tax/accounting purposes).
- GitHub backup: Remains on your GitHub account — you control it. We do not delete your GitHub repositories.
- Usage telemetry: Anonymized data cannot be traced back to you and is retained in aggregate.
To exercise any of these rights, email support@refractedcortex.ai. We will respond within 30 days.
Portability
Your architecture is designed to be portable. Your CLAUDE.md, memory files, and configurations are standard text files (Markdown). They are not locked into a proprietary format. If you leave RC, your architecture remains usable.
8. Data Security
We implement the following security measures:
- Encryption in transit: All data transmitted between your browser and RC services uses TLS 1.2+.
- Encryption at rest: Data stored in Supabase and Fly.io is encrypted at rest per their infrastructure standards.
- Container isolation: Each user's Fly.io container is isolated. Users cannot access each other's containers.
- Authentication: Password-based authentication with hashed password storage (bcrypt). No OAuth/social login.
- API routing security: AI requests are routed through RC's proxy using RC-managed API credentials. Your conversation content passes through in transit but is not logged or stored by the proxy. Server logs capture only partial client identifiers and timing data.
- Access controls: DDV team access to infrastructure is limited to the service operator (Daniel Walters) and is used only for service delivery and maintenance.
- Security headers: Standard security headers (HSTS, CSP, X-Frame-Options) are implemented on refractedcortex.ai.
What we do not currently have:
- SOC 2 certification
- HIPAA compliance
- ISO 27001 certification
- Independent security audit (planned)
9. Cookies and Tracking
RC uses minimal cookies:
Essential Cookies (Cannot Be Disabled)
- Authentication cookie — maintains your logged-in session
- CSRF token — prevents cross-site request forgery
Analytics (Can Be Disabled)
- Usage telemetry — anonymized feature usage, session counts, and performance metrics
- No third-party advertising cookies
- No tracking pixels
- No social media tracking
To opt out of non-essential telemetry, contact support@refractedcortex.ai or adjust your settings in your RC account.
10. Children's Privacy
RC is not intended for use by anyone under the age of 18. We do not knowingly collect data from minors. If we learn that we have collected data from a minor, we will delete it promptly. Contact support@refractedcortex.ai if you believe a minor has created an account.
11. International Users
RC is operated from the United States. If you access RC from outside the US:
- Your account and billing data is processed in the US (Supabase, Stripe).
- Your container may be hosted in a non-US region if you select one during onboarding (via Fly.io).
- By using RC, you consent to the transfer of your account data to the US.
12. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | Duration of subscription + as required by law |
| Billing records | 7 years (tax/accounting requirements) |
| Architecture files (container) | Duration of subscription + 90 days post-cancellation |
| GitHub backup | Indefinite (on your GitHub account — you control it) |
| Usage telemetry | Retained in anonymized, aggregated form indefinitely |
| Support correspondence | 3 years after last contact |
After the retention period, data is permanently deleted unless legal obligations require otherwise.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we do:
- We will post the updated policy on refractedcortex.ai.
- We will update the "Last updated" date at the top.
- For material changes, we will notify you by email at least 30 days before they take effect.
- Your continued use of RC after the effective date constitutes acceptance.
14. Contact
For questions or concerns about this Privacy Policy or your data:
- Email: support@refractedcortex.ai
- Entity: Digitally Demented Ventures LLC
- Website: https://refractedcortex.ai
We aim to respond to all privacy-related inquiries within 30 days.
Also see: Terms of Service