Privacy Policy
Last updated · May 10, 2026
gotcontext.ai is operated by James P. Hollingsworth, a sole proprietor doing business as gotcontext.ai, North Carolina, United States. Legal contact: james@gotcontext.ai.
This Privacy Policy describes what information gotcontext.ai ("we", "us") collects, why we collect it, how we store it, who can access it, and what rights you have over it. It covers the public gotcontext.ai website, the compression API at api.gotcontext.ai, the MCP gateway, the dashboard, and our SDKs.
The short version. We collect the minimum we need to run the product. We do not sell your data. We do not use the content you compress to train any model — ours or anyone else's. We process data on sub-processors we vet. You have standard GDPR/CCPA rights to access, export, correct, and delete. See below for the full detail.
What we collect
We collect four categories of information:
- Account information. Email address, name, and authentication identity supplied by our auth provider (Clerk). Organization name and seat roster for Team and Enterprise plans.
- Billing information. Subscription tier, payment history, and invoice records. Card data is held by our Merchant of Record (Polar); we never see or store full card numbers.
- Customer Data (compression content). The text, code, documents, and prompts you submit via the compression API or MCP gateway, together with the compressed outputs we return. This is transient to request processing — see Section 4 for how long we keep it.
- Technical and usage metadata. Request timestamps, response sizes, compression ratios, tool names called, model attribution (when provided via _meta.model or clientInfo.name), HTTP status codes, user-agent strings, IP address (truncated after 7 days), and error traces. Cookie identifiers for session management and preferences.
How we use your data
We use the information above only for the following purposes:
- to authenticate requests, authorize actions, and enforce plan limits;
- to compute billing, generate invoices, and handle disputes;
- to display your own usage analytics in the dashboard;
- to detect and mitigate abuse, fraud, and security incidents;
- to improve the reliability of the Service — e.g. to diagnose errors or tune caching — using aggregated, de-identified metadata only;
- to send operational notices (billing, security alerts, material changes to these policies);
- to comply with legal obligations.
No training on your data. Ever.
We do not use your Customer Data — compression inputs or outputs — to train, fine-tune, evaluate, or otherwise improve any foundation model, ours or a third party's. Customer Data does not become part of a training corpus, does not flow to OpenAI / Anthropic / Google for their training, and is not shared with any other Customer.
The compression algorithms that make gotcontext work were trained on public, licensed, or synthetic corpora before the product existed. Those models are deterministic at inference time with respect to your Customer Data: your content flows in, a compressed version flows out, and nothing is retained for model updates.
Data retention
We retain the different data categories for different periods:
- Customer Data (compression payloads). Processed in memory and written to ephemeral semantic caches with a 24-hour TTL by default. Never persisted beyond the caching window. Enterprise Customers may request Zero Data Retention — once enabled, compression requests are processed and discarded synchronously with no caching.
- Usage metadata. For paid plans, retained for the duration of the billing period plus 90 days; for free-tier accounts, retained for 90 days from your last API call. After that, deleted or anonymized for aggregate analytics. (Aligned with the retention schedule documented on /security.)
- Account information. Retained for the duration of your account. On account closure we delete or anonymize within sixty (60) days, except where longer retention is required by law (e.g. tax records typically kept 7 years).
- Error traces and abuse-detection logs. Retained for up to 30 days, then deleted.
- Backups. Encrypted backups rotate out within 60 days of the underlying record being deleted.
Sub-processors
We rely on the following sub-processors. Each has its own security posture and privacy policy:
- Cloudflare — DNS resolution and CDN edge for gotcontext.ai, api.gotcontext.ai, and clerk.gotcontext.ai. No user content stored at edge.
- Clerk — authentication and session management (US).
- Polar — payment processing, invoicing, subscription management (EU; Merchant of Record).
- Supabase — Postgres database hosting, encrypted at rest (US / EU multi-region).
- Upstash — Redis cache for rate-limiting and the semantic cache layer (US / EU).
- Fly.io — compute for the API + MCP gateway, TLS termination (global).
- Vercel — hosting for the marketing site and dashboard (global edge).
- Sentry — error tracking with PII redaction (US).
- PostHog — product analytics (currently inactive — no analytics events are captured until the integration is enabled in production).
- Resend — transactional email delivery (US).
- Beehiiv — newsletter delivery for the Cost-of-Inference weekly column and opt-in subscriber audiences (US). Only people who explicitly subscribe at /news or via the in-product widget are mirrored.
- GitHub — source-code hosting and CI/CD automation that handles deploy secrets. No customer data stored.
- Nevermined — agent-to-agent payment facilitator (x402 + AP2 protocols), opt-in per tenant, default OFF (EU / US sandbox + prod). Only receives token-ID hashes and settlement metadata.
- Skyfire (KYAPay) — agent-to-agent payment facilitator + identity tokens, opt-in per tenant, default OFF (US). Only receives token-ID hashes, settlement metadata, and identity-claim hashes.
We update this list when we add or change sub-processors. Enterprise Customers with a signed DPA receive 30 days' advance notice of material changes and may object. See the full sub-processor inventory for regions, data categories, and links to each provider’s DPA.
Your rights
Depending on where you reside, you may have the following rights under GDPR, UK GDPR, CCPA/CPRA, or other applicable data-protection law:
- Access: a copy of the personal data we hold about you;
- Rectification: correct data that is inaccurate or incomplete;
- Erasure ("right to be forgotten"): delete your data, subject to legal retention obligations;
- Portability: export your data in a structured, machine-readable format;
- Restriction and objection: limit or object to certain processing;
- Withdraw consent: where processing is based on consent, withdraw it at any time;
- No-sale: opt out of any "sale" of personal information — we do not sell personal data, so this is a no-op for us, but the right exists.
To exercise any of these, email team@gotcontext.ai. We verify identity before acting on deletion or export requests and respond within 30 days (or 45 days for CCPA requests that need extension, with notice).
Security
All data in transit is encrypted with TLS 1.2+. Database storage at rest is encrypted with AES-256. API keys are hashed with HMAC-SHA256 before storage — we cannot recover the plaintext of a key once it's been created.
We run audit logging on administrative actions, review access quarterly, and maintain a coordinated vulnerability-disclosure program. Report a security issue to team@gotcontext.ai. See the Security page for architectural detail.
International transfers
gotcontext is operated from the United States with sub-processors in the US and EU. When we transfer personal data across borders we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, UK International Data Transfer Agreements, or equivalent safeguards where applicable. Enterprise Customers may request an EU-only data-residency configuration as part of a custom agreement.
Children
The Service is not directed to children under 13 (or 16 in jurisdictions that require a higher age of digital consent). We do not knowingly collect data from children. If you believe a child has provided us personal information, contact team@gotcontext.ai and we will delete the data.
Data Processing Addendum
Customers on Team, Business, and Enterprise Dedicated plans can execute a Data Processing Addendum (DPA) that incorporates the EU Standard Contractual Clauses and UK IDTA where applicable. Request the current DPA from team@gotcontext.ai.
Changes and contact
We may update this Privacy Policy to reflect product changes, new sub-processors, or legal developments. Material changes are announced by email to account holders at least 30 days before they take effect. The "last updated" date at the top of this page tracks the most recent revision.
Privacy questions, data-subject requests, complaints, and DPA requests: team@gotcontext.ai. For legal notices: team@gotcontext.ai. EU Customers may also lodge a complaint with their local supervisory authority.