Privacy Policy
Last updated: April 2026
1. Introduction
Socratic ONE ("we", "our", "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and safeguard your information when you use our service.
2. Information We Collect
2.1 Data We Collect
We collect the following categories of personal data:
- Account Data (collected at registration, lawful basis: contract performance): Email address, display name, WorkOS authentication identifier
- Subscription Data (collected at upgrade, lawful basis: contract performance): Subscription plan, billing status, Stripe customer ID (payment details are processed and stored solely by Stripe)
- Usage Data (collected automatically, lawful basis: legitimate interest): Discussion topics, AI model selections, message content, timestamps, query counts, feature usage patterns
- Technical Data (collected automatically, lawful basis: legitimate interest): Browser type, IP address (not stored long-term), session tokens
2.2 Zero User-Key Storage Architecture
- User-supplied API keys (OpenRouter) are handled entirely client-side via OAuth PKCE and never transmitted to our servers
- Platform-managed AI providers use server-side credentials that are not user-specific and are managed by Socratic ONE infrastructure
- All API interactions for user providers are made directly from your client; SOCRATIC.ONE acts as an orchestrator only
- We never store, access, log, or decrypt user-supplied API credentials
2.3 Discussion Data
- Research topics you submit
- AI responses generated during discussions (stored for all tiers)
- Uploaded files (images, documents) stored on Vercel Blob with permanent public URLs
2.4 Usage Data
- Topic and query counts for billing purposes
- Subscription status
3. How We Use Your Information
- To provide and maintain our service
- To process your AI research requests
- To manage your subscription and billing
- To send service-related communications
- To enforce usage limits based on your plan
4. Third-Party Services
4.1 AI Providers via OpenRouter
SOCRATIC.ONE integrates with OpenRouter, which aggregates access to AI models including Claude, Gemini, Llama, Mistral, and many others. Your research topics are sent to your selected AI provider through OpenRouter. Each provider has its own privacy policy. You maintain a direct relationship with OpenRouter through OAuth authentication -- SOCRATIC.ONE never handles your provider credentials.
4.2 Authentication & Identity
We use WorkOS AuthKit for identity and authentication services. WorkOS manages your login credentials and OAuth integrations securely. Only your email address is shared with WorkOS for authentication purposes.
4.3 Payment Processing
We use Stripe for payment processing. Stripe collects and processes your payment information according to its privacy policy. We do not store your credit card details.
4.4 File Storage
Uploaded files are stored on Vercel Blob storage. Files are accessible via permanent public URLs. We do not currently support revoking access to uploaded files short of deletion.
5. Data Security
- All data is transmitted over HTTPS with TLS encryption
- User API keys are never stored on our servers -- they remain in your browser via OAuth
- Authentication is managed by WorkOS AuthKit (OAuth PKCE) -- no passwords are stored on our servers
- Discussion data is encrypted in transit and stored securely
- Database access is restricted and monitored
- Zero user-key storage architecture means SOCRATIC.ONE never stores user-supplied provider credentials
6. Your Data Rights
Depending on your location, you may have the following rights:
- Access: Request a copy of your personal data (Settings > Export Data)
- Correction: Update inaccurate data via your profile settings
- Deletion: Request deletion of your account and associated data (Settings > Delete Account)
- Portability: Export your data in a machine-readable format
- Objection: Object to processing based on legitimate interest
- Restriction: Request restriction of processing in certain circumstances
To exercise these rights, contact us at privacy@socratic.one. We will respond within 30 days.
7. Data Retention
We retain your personal data only as long as necessary for the purposes described in this policy. Account data is retained while your account is active. Discussion data is retained until you delete individual discussions or your account. Usage tracking data is retained for up to 12 months for analytics purposes. Upon account deletion, all personal data is removed within 30 days, except where retention is required by law.
8. International Data Transfers
Our servers are located in the United States. If you access the Service from outside the United States, your data will be transferred to and processed in the United States. We rely on standard contractual clauses and service provider agreements to ensure adequate protection of your data during international transfers.
9. AI Model Training
We do not use your personal data, conversations, or research content to train AI models. Third-party AI providers process your queries to generate responses; their data handling is governed by their respective privacy policies.
10. Cookies
We use essential cookies for authentication and session management. We do not use tracking cookies or third-party analytics that identify individual users.
11. Children's Privacy
Our service is not intended for users under 13. We do not knowingly collect personal information from children under 13. If you are under 13, please do not use our service. Users between 13 and 18 should use the service only with parental or guardian consent. If we learn that we have collected personal information from a child under 13, we will take steps to delete that information promptly.
12. Changes to This Policy
We may update this policy periodically. We will notify you of significant changes via email or service notification.
13. Contact Us
For privacy questions or to exercise your rights, contact us at: privacy@socratic.one