Privacy Policy
Last updated: March 27, 2026
1. Data Controller
The AI Check ("AIC," "we," "us," or "our") is the data controller responsible for your personal data. You can reach us at:
- Controller: Greg Monzar
- Email: [email protected]
- Website: theaicheck.com
If AIC is required to appoint an EU Representative under GDPR Article 27, that appointment and contact details will be published here.
2. What Data We Collect
| Category | Data | Purpose | Legal Basis (GDPR) |
|---|---|---|---|
| Account data | Email address, hashed password | Authentication | Contract (Art. 6(1)(b)) |
| Profile data | Display name, avatar URL, subscription tier, notification preferences | Personalization | Contract (Art. 6(1)(b)) |
| Encrypted vault content | Ciphertext of AI chat history; wrapped encryption keys | Core service | Contract (Art. 6(1)(b)) |
| Billing data | Stripe customer ID, subscription status | Billing | Contract (Art. 6(1)(b)) |
| Extension sync metadata | Platform name, timestamp, turn count, sync status | Diagnostics | Legitimate interest (Art. 6(1)(f)) |
| Analytics | Anonymized page views, events — no personally identifiable information | Product improvement | Legitimate interest (Art. 6(1)(f)) |
| Support data | Support ticket content, correspondence | Customer support | Contract (Art. 6(1)(b)) |
Extension scope: The Universal Bridge Extension only activates on supported AI platform domains (Gemini, ChatGPT, Claude, Grok). It does not track, collect, or monitor your general web browsing history, and has no access to websites outside of these specific platforms.
What We Do NOT Collect
- AI conversation content in plaintext. We store only ciphertext encrypted on your device. We cannot read your archived conversations.
- User API keys in plaintext. BYOK keys are encrypted with your master key on your device. We store only the encrypted form.
- Google Analytics, Facebook Pixel, or any advertising technology. We do not use third-party tracking or advertising networks.
- We do not sell your data. Not now, not ever.
3. The Zero-Knowledge Vault
AIC uses a zero-knowledge encryption architecture called the Zurich Protocol. Your AI chat history and any BYOK API keys are encrypted on your device using AES-GCM-256 encryption before being transmitted to our servers.
- AIC receives and stores ciphertext only.
- AIC staff cannot read, access, or produce your vault content in plaintext under any circumstance.
- AIC cannot provide vault content to third parties, law enforcement, or any government agency in readable form. Valid legal process requests produce only ciphertext.
- If you lose your master encryption key, your vault content is permanently inaccessible. AIC cannot recover it.
For a visual explanation of how the Zurich Protocol protects your data, see our Security page.
4. How We Use Your Data
- Account data: Authentication, password reset, subscription tier enforcement.
- Encrypted vault data: Storage and retrieval as directed by you. We cannot read or process the content.
- Billing data: Subscription management via Stripe.
- Analytics: Aggregated, non-identifiable product improvement metrics.
- Support data: Resolving your support requests.
5. Data Sharing and Sub-Processors
We share data only with the service providers necessary to operate AIC. A complete list is maintained on our Sub-Processor List page. Our current sub-processors include:
- Supabase — Database, authentication, storage (USA; EU on request for enterprise)
- Vercel — Hosting, CDN, edge functions (USA; global edge)
- Stripe — Payment processing (USA)
- Resend — Transactional email delivery (USA)
- Plausible Analytics — Privacy-first analytics; no PII, no cookies, no fingerprinting (EU)
AIC does not share data with AI providers. BYOK API calls are initiated by your device directly to the AI provider — AIC is not in that data flow.
6. International Data Transfers
AIC is operated from Canada. Our sub-processors (Supabase, Vercel, Stripe, Resend) may process data in the United States. For transfers of personal data from the European Economic Area (EEA) or the United Kingdom, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission.
Enterprise customers may request EU data residency. Contact us at [email protected] for details.
7. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | Deleted within 30 days of account deletion |
| Encrypted vault content | Cryptographic erasure immediate on deletion; row deletion within 30 days |
| Billing data | Retained as required by financial regulations (typically 7 years) |
| Support tickets | 3 years after closure |
| Analytics | Aggregated and non-identifiable; not subject to deletion requests |
| Inactive Free accounts | AIC reserves the right to cryptographically erase vault data and delete accounts on the Free tier after 24 months of inactivity. We will send at least 30 days' email notice before any such deletion. |
8. Your Rights Under GDPR
If you are located in the European Economic Area (EEA) or the United Kingdom, you have the following rights:
| Right | How to Exercise | Response Time |
|---|---|---|
| Access (Art. 15) | Dashboard data export or email request | 30 days |
| Rectification (Art. 16) | Dashboard settings (self-service) | Immediate |
| Erasure (Art. 17) | Dashboard account deletion (self-service) | Cryptographic erasure immediate; rows within 30 days |
| Portability (Art. 20) | Dashboard JSON export (self-service) | Self-service |
| Object (Art. 21) | Email request to opt out of analytics | 30 days |
| Complaint | You may contact your national supervisory authority (e.g., ICO, CNIL, BfDI) | |
To exercise any right, email [email protected]. We will respond within 30 days.
Important limitation: Because of our zero-knowledge architecture, AIC cannot access or produce your vault content in plaintext. If you request access to or a copy of your vault data, we can provide the ciphertext — but only you can decrypt it using your master key. We recommend using the self-service dashboard export for data portability.
9. Your Rights Under CCPA (California Residents)
If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the CPRA, provides you with additional rights regarding your personal information.
Categories of Personal Information Collected
| CCPA Category | AIC Data | Collected? |
|---|---|---|
| Identifiers | Email address, account UUID | Yes |
| Personal information (Cal. Civ. Code 1798.80) | Name, account credentials | Yes |
| Commercial information | Subscription status, purchase history | Yes |
| Internet/electronic activity | Sync event metadata, anonymized page views | Yes |
| Encrypted content | Vault ciphertext (AIC cannot access plaintext) | Yes |
| Inferences | None — AIC does not build user profiles | No |
| Sensitive personal information | None intentionally collected | No |
Sale and Sharing of Personal Information
We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. This is consistent with our zero-knowledge architecture — there is nothing to sell.
Your California Rights
- Right to Know: You may request what personal information we have collected about you. Contact [email protected]. We will respond within 45 days (extendable by an additional 45 days with notice).
- Right to Delete: You may delete your account and all associated data through the dashboard at any time. Cryptographic erasure is immediate.
- Right to Correct: You may correct inaccurate personal information through your dashboard settings.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of these rights.
- Authorized Agent: You may designate an authorized agent to submit requests on your behalf. We will require written authorization and may verify your identity before processing requests submitted by agents.
Shine the Light (Cal. Civ. Code 1798.83)
AIC does not share personal information with third parties for their direct marketing purposes.
10. Your Rights Under PIPEDA (Canadian Residents)
AIC is operated from Canada and is subject to the Personal Information Protection and Electronic Documents Act (PIPEDA). As a Canadian resident, you have the following rights:
- Access: You may request access to the personal information we hold about you. Contact [email protected]. We will respond within 30 days.
- Correction: You may challenge the accuracy and completeness of your personal information and request corrections through your dashboard settings or by contacting us.
- Consent withdrawal: You may withdraw consent for the collection, use, or disclosure of your personal information at any time, subject to legal or contractual restrictions. Withdrawing consent for data essential to the Service (such as account data) may require account closure.
- Complaint: You may file a complaint with the Office of the Privacy Commissioner of Canada (OPC) at priv.gc.ca.
Cross-border transfers: Some of our sub-processors (Supabase, Vercel, Stripe, Resend) are located in the United States. Under PIPEDA, we ensure that personal information transferred outside of Canada receives a comparable level of protection through contractual arrangements with our sub-processors. Your personal information may be accessible to law enforcement and national security authorities in those jurisdictions.
11. Cookies and Tracking
AIC uses a minimal cookie footprint. We use one strictly necessary first-party cookie: the Supabase authentication session cookie. We use Plausible Analytics for privacy-first product analytics — Plausible does not use cookies, does not collect personally identifiable information, and does not fingerprint users.
We do not use third-party tracking cookies, advertising pixels, Google Analytics, or any advertising technology. For full details, see our Cookie Policy.
12. Children's Privacy
AIC does not knowingly collect personal data from anyone under the age of 18. Our Terms of Service require users to be at least 18 years of age. If we discover that we have inadvertently collected data from a person under 18, we will promptly delete their account and all associated data.
If you believe a minor has created an AIC account, please contact us at [email protected].
13. Data Breach Notification
In the event of a security breach that compromises personal data, AIC will:
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, where required by GDPR (Article 33) or PIPEDA.
- Notify affected users without undue delay if the breach poses a high risk to their rights and freedoms.
- Provide details of the breach, its likely consequences, and the measures taken or proposed to address it.
Important context: Your vault content (AI chat history, BYOK keys) is encrypted client-side with a key AIC does not hold. In the event of a server breach, this data consists of ciphertext that is meaningless without your encryption key. However, account metadata — such as your email address, hashed password, and billing references — is not encrypted at rest and would be subject to standard breach notification requirements.
14. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will provide at least 30 days' notice via email and an in-app notification before the changes take effect. Non-material changes (such as formatting corrections) may be made without notice.
15. Contact
If you have questions about this Privacy Policy or wish to exercise your data protection rights, contact us at [email protected].
This document was last updated on March 27, 2026. It is a pre-launch draft and will be reviewed by legal counsel before becoming effective.