Legal

Privacy Policy

Last updated 2026-05-12

We collect the minimum we need to run the chat, store it on third-party services we trust, and give you a one-click way to delete everything.

What we collect

  • Account info

    your email address and provider profile name (when available), used to identify your session. We don't collect a password; sign-in goes through Supabase Auth.

  • Conversations & bookmarks

    the questions you ask, the answers we generate, and the passages you save. These are tied to your account so you can return to them later.

  • Rate-limit counters

    a running count of requests per day, scoped to your account, used to enforce the daily limit shown in Settings.

  • Server logs

    standard application logs that include IP addresses, user-agent strings, and request paths, kept for up to 30 days for debugging and abuse defense.

We use Vercel Web Analytics for aggregate, cookie-free usage measurement (page views, referrers, country at the city level; never tied to your account or signed-in identity). We also use Sentry on-error session replay to capture short, fully masked clips of the page when an exception occurs, which helps us diagnose bugs without exposing your content. Both analytics and session replay are opt-in: they are disabled by default and only run after you accept the consent banner. We do not embed third-party advertising or cross-site tracking, and we don't sell data to anyone.

Where your data lives

  • Supabase

    stores your account, conversations, bookmarks, and rate-limit counters. Hosted in the US.

  • Qdrant Cloud

    stores the corpus index that retrieval runs against. Your questions are sent to Qdrant at query time so it can find relevant passages, but the corpus itself is not personal data.

  • Groq

    runs the language models that generate answers and rewrite queries. Your questions and the retrieved passages are sent to Groq inside the prompt. Groq's standard data policy applies to that traffic; we do not enable any optional model-training data sharing.

Each of these vendors has its own privacy policy and security posture. See each vendor's own policy: Supabase, Qdrant, Groq.

Cookies and tracking

We use cookies only for the session token that keeps you signed in. No advertising or third-party tracking cookies. We do not embed analytics that follow you across the web. When you first visit, a consent banner asks whether you agree to non-essential telemetry (Vercel Analytics and Sentry on-error session replay). Both are disabled by default; they run only if you accept. Your choice is stored locally in your browser and does not require an account.

Your rights

Regardless of where you live, you have these rights:

  • Access

    ask us what data we hold about you, and we will tell you.

  • Deletion

    delete every piece of data tied to your account with one click from Settings → Danger zone → Delete account. This cascades through conversations, messages, bookmarks, rate-limit counters, and finally your auth record itself. It is irreversible.

  • Portability

    export your conversations as JSON or markdown from the conversation header menu.

  • Correction

    sign-in name comes from your auth provider profile; update it there and it will propagate on next sign-in.

EU and UK residents also have the right to lodge a complaint with their supervisory authority. We are not required to appoint an EU representative under GDPR Art. 27 at our current scale, but if that changes this page will be updated.

Retention

We keep your data as long as your account exists. If you delete your account, the cascade runs immediately and the data is gone from our application database within seconds. Upstream backups (Supabase's point-in-time recovery, where applicable) may retain a copy for up to 7 days before the backup itself rotates.

Children

The service is not directed at children under 16. We do not knowingly collect data from anyone under that age. If you believe a minor has signed up, contact us and we will delete the account.

Changes to this policy

When the policy changes meaningfully, the “Last updated” date at the top of this page will change and the first-sign-in acknowledgment modal will reappear so you can review and re-accept.

Contact

For privacy questions or to exercise the rights listed above, email contact@bioenergeticoracle.com. Most rights requests are also self-serve from Settings.