Privacy Policy
Last updated: 2026-06-04
1. Introduction
Socratic ONE, operated by [LEGAL ENTITY NAME] ("we", "our", "us"), is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and safeguard your information when you use our service.
2. Information We Collect
2.1 Data We Collect
We collect the following categories of personal data:
- Account Data (collected at registration, lawful basis: contract performance): Email address, display name, WorkOS authentication identifier
- Subscription Data (collected at upgrade, lawful basis: contract performance): Subscription plan, billing status, Stripe customer ID (payment details are processed and stored solely by Stripe)
- Usage Data (collected automatically, lawful basis: legitimate interest): Discussion topics, AI model selections, message content, timestamps, query counts, feature usage patterns
- Technical Data (collected automatically, lawful basis: legitimate interest): Browser type, IP address (not stored long-term), session tokens
2.2 Handling of Your OpenRouter API Key
- Your OpenRouter API key is obtained via OAuth PKCE and stored in your browser
- When you run a discussion, your key is relayed transiently to our backend in an in-memory request header so we can call the model on your behalf
- Your key is never persisted to our database, never written to our logs, and is held only for the duration of the request that uses it
- Platform-managed AI providers use server-side credentials that are not user-specific and are managed by Socratic ONE infrastructure
2.3 Discussion Data
- Research topics you submit
- AI responses generated during discussions (stored for all tiers)
- Uploaded files (images, documents) stored on Vercel Blob with permanent public URLs
2.4 Usage Data
- Topic and query counts for billing purposes
- Subscription status
3. How We Use Your Information
- To provide and maintain our service
- To process your AI research requests
- To manage your subscription and billing
- To send service-related communications
- To enforce usage limits based on your plan
4. Third-Party Services
4.1 AI Providers via OpenRouter
SOCRATIC.ONE integrates with OpenRouter, which aggregates access to AI models including Claude, Gemini, Llama, Mistral, and many others. Your research topics are sent to your selected AI provider through OpenRouter. Each provider has their own privacy policy. You maintain a direct relationship with OpenRouter through OAuth authentication. Your OpenRouter API key is relayed transiently through our backend in an in-memory request header to call the model on your behalf, and is never persisted to our database or written to our logs (see Section 2.2).
4.2 Authentication & Identity
We use WorkOS AuthKit for identity and authentication services. WorkOS manages your login credentials and OAuth integrations securely. Only your email address is shared with WorkOS for authentication purposes.
4.3 Payment Processing
We use Stripe for payment processing. Stripe collects and processes your payment information according to their privacy policy. We do not store your credit card details.
4.4 File Storage
Uploaded files are stored on Vercel Blob storage. Files are accessible via permanent public URLs. We do not currently support revoking access to uploaded files short of deletion.
4.5 Sub-Processors
We rely on the following sub-processors to provide the Service. Each processes only the data necessary for its function and is bound by its own privacy policy:
- OpenRouter - AI model access and routing
- SambaNova and Groq - Platform-managed AI inference
- WorkOS - Authentication and identity
- Stripe - Payment processing
- Resend - Transactional email delivery
- Vercel - Hosting, file storage, and privacy-friendly analytics
- Railway - Backend hosting
5. Data Security
- All data is transmitted over HTTPS with TLS encryption
- Your OpenRouter API key is stored in your browser and relayed transiently in an in-memory request header when needed to call a model on your behalf -- it is never persisted to our database or written to our logs
- Authentication is managed by WorkOS AuthKit (OAuth PKCE) -- no passwords are stored on our servers
- Discussion data is encrypted in transit and stored securely
- Database access is restricted and monitored
6. Your Data Rights
Depending on your location, you may have the following rights:
- Access: Request a copy of your personal data (Settings > Export Data)
- Correction: Update inaccurate data via your profile settings
- Deletion: Request deletion of your account and associated data (Settings > Delete Account)
- Portability: Export your data in a machine-readable format
- Objection: Object to processing based on legitimate interest
- Restriction: Request restriction of processing in certain circumstances
To exercise these rights, contact us at privacy@socratic.one. We will respond within 30 days.
6.5 California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have the right to know what personal information we collect, to request access to and deletion of that information, and to not be discriminated against for exercising your privacy rights. You may exercise these rights using the contact details in Section 13.
We do not sell your personal information, and we do not share it for cross-context behavioral advertising. We have not sold personal information in the preceding 12 months.
7. Data Retention
We retain your personal data only as long as necessary for the purposes described in this policy. Account data is retained while your account is active. Discussion data is retained until you delete individual discussions or your account. Usage tracking data is retained for up to 12 months for analytics purposes. Upon account deletion, all personal data is removed within 30 days, except where retention is required by law.
8. International Data Transfers
Our servers are located in the United States. If you access the Service from outside the United States, your data will be transferred to and processed in the United States. We rely on standard contractual clauses and service provider agreements to ensure adequate protection of your data during international transfers.
9. AI Model Training
We do not use your personal data, conversations, or research content to train AI models. Third-party AI providers process your queries to generate responses; their data handling is governed by their respective privacy policies.
10. Cookies & Analytics
We use essential cookies for authentication and session management. We also use Vercel Analytics and Vercel Speed Insights — privacy-friendly, aggregate analytics that do not use cross-site tracking cookies and are designed not to identify individual users. These analytics load only after you accept analytics cookies; they are consent-gated and remain off until you opt in.
11. Children's Privacy
Our service is not intended for users under 13. We do not knowingly collect personal information from children under 13. If you are under 13, please do not use our service. Users between 13 and 18 should use the service only with parental or guardian consent. If we learn that we have collected personal information from a child under 13, we will take steps to delete that information promptly.
12. Changes to This Policy
We may update this policy periodically. We will notify you of significant changes via email or service notification.
13. Contact Us
For privacy questions or to exercise your rights, contact us at: privacy@socratic.one