Privacy Policy
Applies to eidetic.works, the Eidetic Pro subscription, the Eidetic CLI/daemon (eideticd), and all related services operated under the "Eidetic Works" brand.
1. Who we are
Eidetic Works ("we", "us", "our") provides a local-first knowledge engram tool. This Privacy Policy explains how we collect, use, share, and protect your personal information.
For privacy questions, requests, or complaints: privacy@eidetic.works
2. Information we collect
2.1 Information you give us directly
- Email address — when you join our waitlist, subscribe to updates, or create a Pro account
- Name and billing address — when you purchase Eidetic Pro (handled by Stripe; we receive a redacted copy)
- Payment information — processed entirely by Stripe; we never see your card number
- Support correspondence — when you email hi@eidetic.works
2.2 Information we collect automatically
- IP address — hashed (SHA-256) and used for rate limiting only; not stored beyond 60 seconds
- Referrer URL — to understand which marketing channels work, retained for 90 days
- Browser type and version — basic web server logs, not used for profiling
- Usage heartbeat — when you run the Pro
eideticddaemon, we receive a periodic anonymous ping (device ID hash) so we know when an account becomes inactive. No content of your engrams is ever sent.
2.3 Information we explicitly do NOT collect
- Engram contents — your engrams are stored on your device. Pro tier backs them up to our R2 bucket, but they are client-side encrypted with a key held only by you. We see ciphertext only and cannot read them.
- Cookies for advertising — we don't run third-party ads and don't set advertising cookies.
- Cross-site tracking — we don't track you across other websites.
3. Why we collect it (lawful basis)
| Purpose | Lawful basis (GDPR) | Examples |
|---|---|---|
| Sending requested updates | Consent (explicit checkbox) | Waitlist emails, Pro early access |
| Providing the Pro service | Contract performance | Account creation, license delivery, engram sync |
| Tax + accounting compliance | Legal obligation (Indian Income Tax Act §44AA) | Retaining billing records 7 years |
| Preventing abuse | Legitimate interest — service security and integrity | Hashed IP rate limiting, bot filtering |
| Customer research | Legitimate interest — product improvement via research that does not adversely affect data subjects | Interview transcripts (Pro users opt-in only) |
Under DPDP 2023, we rely on consent under §6 for marketing communications, account creation, and call recording. We rely on legitimate uses under §7 only in the limited circumstances enumerated in that section. For operational purposes that do not fit §7 — such as abuse prevention, security logging, and transactional service delivery — we rely on the consent you give when you create an account or use the service, together with the legal obligations applicable to us.
4. How long we keep it
| Data | Retention |
|---|---|
| Email on waitlist | Until you unsubscribe or request deletion |
| Pro account email + license info | Account lifetime + 30 days post-cancellation (billing records separately retained 7 years per Indian Income Tax Act §44AA) |
| Billing records (Stripe-held) | 7 years (Indian tax law) |
| Engram backups (R2) | Account lifetime + 30 days post-cancellation |
| Usage heartbeat | 90 days rolling window |
| Customer support emails | 2 years |
| Customer interview audio | We delete locally within 30 days; OpenAI may retain server-side up to 30 days under their abuse-monitoring policy. Transcribed text retained 2 years. |
| Rate-limit IP hashes | 60 seconds |
| Email dedup hashes | 7 days |
After retention period expires or upon valid deletion request, data is purged from primary stores and secure-deleted from backups within 30 days.
5. Who we share it with (sub-processors)
We share personal information only with the specific sub-processors listed at /subprocessors.
In summary: Cloudflare (hosting/storage), Stripe (payments), Kit (email lists), Resend (transactional email), and OpenAI (Whisper API, only if you consent to call recording). All bound by Data Processing Agreements and Standard Contractual Clauses for cross-border transfers, executed directly between us and each sub-processor.
We do not sell your personal information. Not to anyone, ever.
5.1 California categories disclosure (CCPA §1798.100)
Over the prior 12 months we have collected the following categories of personal information from California consumers (as defined in Cal. Civ. Code §1798.140):
- Identifiers (email address, IP address [hashed], device identifier [hashed]) — sources: directly from you, your browser; disclosed to: Cloudflare, Stripe, Kit, Resend
- Commercial information (subscription status, transaction history) — sources: Stripe; disclosed to: Stripe
- Internet/network activity (referrer URL, browser metadata, usage heartbeat) — sources: your browser, our daemon; disclosed to: Cloudflare
- Audio data (interview recordings, only with explicit consent) — sources: directly from you; disclosed to: OpenAI Whisper
We do not collect "sensitive personal information" as defined in §1798.140(ae) — no SSN, driver's license, financial-account credentials, precise geolocation, biometric identifiers, health, or genetic data. We have not sold or shared personal information in the prior 12 months.
6. Where your data is stored
| Region | What's there | Why |
|---|---|---|
| India (Oracle Cloud Mumbai) | (planned — not yet active) | When nucleus-http migrates from Cloudflare Workers to OCI. No customer data currently in OCI. |
| US (Stripe, Kit, Resend, R2 primary) | Payments, email lists, transactional email, engram backups | Sub-processor headquarters; data flows under SCCs |
| Global anycast (Cloudflare edge) | Static landing, hashed deduplication keys, edge logs | CDN performance |
Cross-border transfers for EU/UK personal data are conducted under EU Standard Contractual Clauses 2021 incorporated by each sub-processor.
7. Your rights
Under EU/UK GDPR
- Access the personal data we hold about you
- Correct inaccurate data
- Delete your data ("right to erasure")
- Restrict processing
- Object to processing based on legitimate interest
- Port your data to another service
- Withdraw consent at any time (without affecting prior lawful processing)
- Lodge a complaint with your local supervisory authority. UK users may contact the Information Commissioner's Office (ico.org.uk). EU users may contact the supervisory authority of their member state — list at edpb.europa.eu/about-edpb/board/members_en.
Under India DPDP 2023
- Access your personal data and information about its processing (§11)
- Correction, completion, updating, and erasure of your personal data (§12)
- Grievance redressal — file a grievance with our Grievance Officer (see §11.1); we respond within 30 days (§13)
- Nominate another individual to exercise your rights in the event of death or incapacity (§14)
Under California CCPA/CPRA
- Know what personal information we collect, use, and share
- Delete your personal information
- Correct inaccurate personal information
- Opt-out of sale (N/A — we don't sell)
- Limit use of sensitive personal information (N/A — we don't process sensitive personal information as defined in §1798.140(ae))
- Non-discrimination for exercising any right
7.1 Automated decision-making
We do not engage in automated decision-making, including profiling, that produces legal or similarly significant effects concerning you (GDPR Art 22). License validation is a deterministic key-check, not a profiling decision.
How to exercise
Email privacy@eidetic.works (or legal@eidetic.works — both reach our team) with your request. We will:
- Acknowledge receipt within 7 business days
- Verify your identity (typically by confirming control of the email associated with your account)
- Respond within 30 days (DPDP, GDPR) or 45 days (CCPA, extendable to 90 with notice)
- Charge no fee for routine requests
8. Security
- All connections to our services use TLS 1.2 or higher
- Engram backups are client-side encrypted before transmission to R2
- Pro account API keys are stored as SHA-256 hashes; the cleartext key never leaves your device after first issue
- We use least-privilege access controls; operator access is logged
- Sub-processors are SOC 2 Type II certified or equivalent
In the event of a personal data breach:
- DPDP §8(6): We will notify the Data Protection Board of India and affected Data Principals as required
- GDPR Art 33–34: We will notify the supervisory authority within 72 hours and affected data subjects without undue delay if high risk
- CCPA: We will notify the California AG and affected consumers per §1798.82
9. Children's privacy
Eidetic Works is not directed at children and is intended for users aged 18 and over.
- India (DPDP §9): We do not knowingly process the personal data of a child (under 18) or of a person with a disability who has a lawful guardian, without verifiable consent of the parent or lawful guardian. We do not undertake tracking, behavioral monitoring, or targeted advertising directed at children.
- EU/UK (GDPR Art 8): Where consent is the lawful basis and the user is under the applicable age of digital consent in their member state (13–16), we require parental consent.
- US (COPPA): We do not knowingly collect personal information from children under 13.
If you believe a child has provided us personal data, email privacy@eidetic.works and we will delete it within 30 days and, where applicable, notify any sub-processor that received the data.
10. Changes to this policy
We will post a notice on eidetic.works and email Pro account holders for any material change. The "Last updated" date at the top of this policy reflects the most recent revision. Historical versions are kept in our public repo.
This policy is governed by the laws of India. Jurisdiction follows the same rules as our Terms of Service §12.
11. Contact
Privacy questions, rights requests, complaints: privacy@eidetic.works (or legal@eidetic.works — both reach our team)
General contact: hi@eidetic.works
Postal address for legal notices. Eidetic Works operates as an Indian micro-enterprise at pre-launch scale. We maintain a registered postal address for the receipt of formal legal notices under DPDP §5(2), GDPR Art 13(1)(a), and equivalent provisions. To request the current address, please email privacy@eidetic.works (for data-protection notices) or legal@eidetic.works (for all other notices). We will respond within 7 business days. By using this service, you agree that this email-mediated address-request mechanism satisfies any notice-address requirement applicable to pre-launch operations of this size; once we reach commercial scale (first 100 paid customers or first enterprise contract), we will publish a permanent address.
11.1 Grievance Officer (DPDP §8(9) and §13(3))
For grievances under the Digital Personal Data Protection Act 2023, you may contact our Grievance Officer:
- Name / Role: Privacy Officer, Eidetic Works
- Email: privacy@eidetic.works
- Response timeline: acknowledgment within 7 business days; resolution within 30 days of receipt, in line with DPDP §13.
If your grievance is not resolved to your satisfaction, you may approach the Data Protection Board of India under DPDP §27.