Privacy Policy
Last updated: May 28, 2026
Inquisition AI LLC, a Texas limited liability company ("we", "our", or "us"), is committed to protecting your privacy. This policy explains what data we collect, how we use it, the legal basis on which we process it, and the rights you have.
1. Information We Collect
Account information
When you register, we collect your email address and, optionally, your name. If you sign in with Google, we receive your name, email, and profile picture from Google OAuth.
Conversation data
We store your chat messages and conversation history so you can return to previous sessions. For Inversion (reverse causality) sessions, we also store the graph data and any outcome or root-cause notes you record.
Extracted facts
Inquisition AI uses AI to automatically extract durable facts from your conversations and Inversion sessions to provide continuity across future sessions. These "user facts" can include your role and profession, the equipment, systems, or processes you work on, stated preferences and working style, named entities (companies, products, locations) relevant to your ongoing work, and concrete measurable values you confirm (numbers, dates, identifiers, setpoints). You can view, edit, or delete any extracted fact at any time from the "AI Memory" menu in the sidebar. Facts not updated in 90 days are automatically pruned.
Uploaded files
Files you upload (images, PDFs for chat attachments; PDFs and Word documents for text extraction) are stored in Cloudflare R2 object storage in the provider's default region. Each file is stored under a path scoped to your user ID with a randomized identifier. Note that file URLs are publicly accessible to anyone who has the URL — do not upload files containing sensitive personal information you would not want accessible by URL.
Error and operational data
We use Sentry to capture application error reports. Error reports may include the URL where the error occurred, stack traces, your IP address, and your email address — this PII is included only on error capture (not on every page view) for the purpose of diagnosing issues and providing user support. We do not record browser sessions or replay user interactions.
Rate-limiting and quota data
To enforce plan limits and prevent abuse, we store counters keyed to your user ID (or, if you are a team member, to your team owner's user ID for shared pool accounting) in Upstash Redis. These counters reset at the end of each billing period.
Payment data
Payment card details are collected and stored directly by Stripe; we never see or store your card number, CVV, or expiration date. We retain only your Stripe customer ID, your current plan, subscription status, and the period boundary dates that govern quota resets.
2. Legal Basis for Processing (EU/UK users)
If you are in the European Union or United Kingdom, our legal bases under GDPR are:
- Contract (Art. 6(1)(b)) — to provide the service you signed up for: account creation, conversation storage, AI responses, payment processing.
- Legitimate interest (Art. 6(1)(f)) — error monitoring via Sentry, rate-limit enforcement, abuse prevention. You can object to processing on this basis (see Section 8).
- Legal obligation (Art. 6(1)(c)) — billing records and tax-related retention.
- Consent (Art. 6(1)(a)) — only where explicitly requested (currently no consent-based processing is active in our service).
3. How We Use Your Information
- To provide and improve the Inquisition AI service
- To maintain your conversation history and session continuity
- To personalize AI responses based on facts from your prior sessions
- To enforce rate limits and prevent abuse
- To send transactional emails (password reset, email verification, team invitations, subscription notifications) via Resend
- To monitor errors and provide user support via Sentry
- To process payments and manage subscriptions via Stripe
We do not sell your data. We do not share your data with third parties for their own marketing purposes. We do not use your conversations to train AI models.
4. AI Processing and Third-Party Sub-Processors
Your messages and AI prompts are sent to Anthropic (Claude API) for AI response generation. Web search queries may be processed by Tavily (for general chat web search) or Perplexity Sonar (for Inversion web research). These providers have their own privacy policies governing their handling of your data. We do not share your account credentials, payment information, or unrelated conversation history with these providers — only the message content required to generate a response.
Our sub-processors:
- Neon — PostgreSQL database hosting (US region)
- Vercel — application hosting
- Railway — application hosting
- Cloudflare R2 — file storage
- Upstash — Redis caching and rate-limit storage
- Anthropic — AI model API
- Tavily — web search API (chat features)
- Perplexity — web research API (Inversion feature)
- Stripe — payment processing
- Resend — transactional email
- Sentry — error monitoring
- Google — OAuth sign-in (only if you choose Google sign-in)
5. International Data Transfers
Inquisition AI LLC is based in the State of Texas, United States. Most of our sub-processors store and process data in the United States. If you access the service from outside the United States — including from the European Union, United Kingdom, or other regions — your data will be transferred to, stored in, and processed in the United States.
For users in the European Union and United Kingdom, we rely on the European Commission's Standard Contractual Clauses (and the UK's International Data Transfer Addendum where applicable) with each of our US-based sub-processors as the legal mechanism for cross-border data transfers.
6. Data Storage, Security, and Retention
Data is stored in a PostgreSQL database hosted on Neon (US region) and files in Cloudflare R2. Passwords are hashed using bcrypt and are never stored in plain text. All data in transit is encrypted via TLS. We follow standard industry security practices including parameterized database queries, secure session cookies (HttpOnly, Secure, SameSite=Lax), HTTP Strict Transport Security, rate limiting, and a strict Content Security Policy.
Retention periods
- Account data, conversations, facts, Inversion sessions: retained while your account is active. On account deletion, removed from our active database immediately and from automatic database backups (Neon point-in-time history) within the retention window of our database plan (currently 7 days).
- Uploaded files: retained in Cloudflare R2 until you delete them or delete your account. We do not currently auto-prune files.
- Rate-limit counters in Redis: TTL of minutes to one billing period.
- Trashed Inversion sessions: 30 days, then hard-deleted by a scheduled cron job.
- Guest accounts: pruned 7 days after creation.
- Password-reset and email-verification tokens: 1 hour and 24 hours respectively; expired tokens swept weekly.
- Billing records (Stripe): retained by Stripe per their policy; we retain Stripe customer IDs as long as your account exists.
7. Team Feature
If you create a team (Elite tier) or accept a team invitation, certain data is shared within the team:
- Team owners can see team members' email addresses and names.
- Aggregate usage counters (number of sessions consumed, messages sent) are shared across the team pool — every member sees the same number.
- Team members can share specific Inversion sessions with other team members or with the whole team for collaborative analysis.
- When a team is dissolved (e.g., the owner downgrades), members are notified by email.
Joining a team is voluntary and based on an invitation you accept. You can leave a team at any time from the account team page.
8. Your Rights
For all users
- Access the data we hold about you
- Correct inaccurate information
- Delete your account and associated data
- Export your conversation history and Inversion sessions (contact us for an export)
For EU/UK users (additional GDPR rights)
- Portability — receive your data in a structured, machine-readable format
- Restrict processing of your data
- Object to processing based on legitimate interest (error monitoring, abuse prevention)
- Withdraw consent where processing is based on consent
- Lodge a complaint with your local data protection supervisory authority
For California users (additional CCPA/CPRA rights)
- Know what personal information we collect, the categories of sources, the purposes for collection, and the categories of third parties with whom we share it
- Delete personal information we have collected about you
- Correct inaccurate personal information
- Opt out of the sale or sharing of personal information — we do not sell or share personal information for cross-context behavioral advertising
- Non-discrimination for exercising any of these rights — we will not deny service, charge different prices, or provide a lesser experience because you exercised your rights
To exercise any of these rights, contact us at inquisitionsupport@gmail.com. We will respond within 30 days (45 days for EU/UK requests, extendable by an additional 60 days for complex requests with notice).
9. Cookies and Local Storage
The cookies and storage Inquisition AI uses are:
- __Secure-authjs.session-token (HttpOnly, Secure, SameSite=Lax) — your login session. Strictly necessary. Expires when you sign out or after session expiry.
- sidebar_state — remembers whether you have the sidebar expanded or collapsed. Preference cookie.
- chat-model — remembers your selected chat model. Preference cookie.
- localStorage — theme preference (light/dark/system), and your in-progress Inversion graph draft (cleared when you sign out or change accounts).
We do not use third-party advertising cookies, analytics cookies, or tracking pixels. We do not record browser sessions.
10. Data Breach Notification
In the event of a data breach affecting your personal information, we will notify you and the relevant supervisory authorities within the timeframes required by applicable law (within 72 hours of becoming aware for GDPR; without unreasonable delay for CCPA).
11. Children
Inquisition AI is not intended for children under 13 (or 16 in the EU/UK, or the applicable age of digital consent in your jurisdiction). We do not knowingly collect data from children. If you believe a child has registered, please contact us so we can delete their account.
12. Changes to This Policy
We may update this policy as the service evolves. Significant changes will be communicated by updating the "Last updated" date above and, where the change materially affects your rights, by email. Continued use of Inquisition AI after changes constitutes acceptance of the updated policy.
13. Contact
For questions, or to exercise a right under this policy, email us at inquisitionsupport@gmail.com.