Privacy Policy | CTOsphere

CTOsphere ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the CTOsphere platform and services (collectively, the "Service"). This policy applies to all users worldwide, including those protected under the European Union General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA/CPRA), the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA), the UK Data Protection Act 2018 / UK GDPR, and other applicable data protection laws.

1. Information We Collect

1.1 Information You Provide

Account Information: Email address, name, and organization details when you register
Project Data: Documentation, technical decisions, architecture information, and other content you create or upload
Conversation Data: Your interactions with the AI assistant, including prompts and queries
Communications: Messages you send to us for support or feedback

1.2 Information Collected Automatically

Usage Data: Features used, pages visited, interaction patterns, and session duration
Technical Data: Browser type and version, operating system, IP address, device identifiers, and referring URLs
Cookies and Similar Technologies: Essential cookies for authentication and session management, and optional analytics cookies (see Section 9)

1.3 Information We Do Not Collect

We do not knowingly collect sensitive personal data such as racial or ethnic origin, political opinions, religious beliefs, health data, biometric data, or sexual orientation. We do not knowingly collect information from children under 16 years of age.

2. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, we process your personal data under the following legal bases:

Contract Performance: Processing necessary to provide the Service you requested (Article 6(1)(b) GDPR)
Legitimate Interests: Processing for service improvement, security, and fraud prevention, where our interests do not override your rights (Article 6(1)(f) GDPR)
Consent: Where you have given explicit consent for specific processing activities, such as optional analytics (Article 6(1)(a) GDPR). You may withdraw consent at any time
Legal Obligation: Processing necessary to comply with applicable laws (Article 6(1)(c) GDPR)

3. How We Use Your Information

We use collected information to:

Provide, operate, and maintain the CTOsphere Service
Process your AI assistant interactions and deliver responses
Personalize your experience and provide relevant recommendations
Communicate with you about service updates, security alerts, and changes
Analyze usage patterns to improve features and user experience
Detect, prevent, and address security issues and abuse
Comply with legal obligations

4. AI Processing and Third-Party AI Providers

CTOsphere uses artificial intelligence to provide technical guidance and recommendations. This section explains how your data is processed by AI systems:

4.1 Third-Party AI Providers

When you interact with the AI assistant, your prompts, queries, and relevant project context may be transmitted via API to the following third-party AI providers for processing:

Anthropic (Claude models) — subject to Anthropic's Privacy Policy
OpenAI (GPT models) — subject to OpenAI's Privacy Policy

4.2 What Data Is Sent to AI Providers

Your conversation messages and prompts
Project context you have provided (e.g., documentation, decisions, architecture details) that is relevant to your query
System-level instructions necessary for the AI to function appropriately

4.3 What Data Is Not Sent to AI Providers

Your email address, password, or authentication credentials
Payment or billing information
Data from other users or organizations

4.4 AI Provider Data Use

We access these AI providers through their commercial APIs with data processing agreements in place. Under these agreements:

API inputs and outputs are not used by Anthropic or OpenAI to train or improve their models
Data sent via API is subject to each provider's data retention and security policies
We do not use consumer-facing versions of these AI services where training on user data may occur

4.5 Automated Decision-Making

The AI assistant provides recommendations and analysis to support your decision-making. No fully automated decisions with legal or similarly significant effects are made about you based on AI processing. You retain full control over whether to act on any AI recommendations.

5. Data Sharing and Disclosure

We do not sell, rent, or trade your personal information. We do not share your personal data for cross-context behavioral advertising. We may disclose data in the following limited circumstances:

AI Providers: As described in Section 4, to process your AI assistant interactions
Infrastructure Providers: Cloud hosting (e.g., Vercel, Supabase) and essential service providers who process data on our behalf under data processing agreements
Analytics: Aggregated, anonymized usage data for service improvement (no personally identifiable information)
Legal Requirements: When required by law, subpoena, court order, or to protect our legal rights, safety, or property
Business Transfers: In connection with a merger, acquisition, or sale of assets, with prior notice to affected users

6. International Data Transfers

Your data may be transferred to and processed in countries outside your country of residence, including the United States, where our servers and third-party providers are located. For transfers from the EEA, UK, or Switzerland, we rely on:

Standard Contractual Clauses (SCCs) approved by the European Commission
Data processing agreements with adequate safeguards
Adequacy decisions where applicable

7. Data Security

We implement industry-standard technical and organizational security measures including: encryption in transit (TLS/HTTPS) and at rest, secure authentication via Supabase Auth, role-based access controls, regular security assessments, and secure API communication with third-party providers. Despite these measures, no method of electronic transmission or storage is 100% secure. If we become aware of a data breach that affects your rights, we will notify you and relevant authorities as required by applicable law.

8. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes described in this policy:

Account Data: Retained while your account is active, and deleted within 30 days of account deletion request
Project and Conversation Data: Retained while your account is active; deleted upon account deletion
Usage and Analytics Data: Retained in anonymized/aggregated form for up to 24 months
Legal Compliance Data: Retained as required by applicable law

9. Cookies and Tracking Technologies

We use the following categories of cookies:

Strictly Necessary: Authentication tokens and session management cookies required for the Service to function. These cannot be disabled
Analytics (Optional): Cookies to understand usage patterns and improve the Service. These are only set with your consent

We do not use advertising or tracking cookies. You can manage your cookie preferences through the cookie consent banner or your browser settings. Disabling essential cookies may prevent the Service from functioning properly.

10. Your Privacy Rights

10.1 Rights for All Users

Regardless of your location, you have the right to:

Access the personal data we hold about you
Correct inaccurate or incomplete data
Delete your account and associated data
Export your data in a portable format
Opt out of non-essential communications

10.2 Additional Rights Under GDPR (EEA, UK, Switzerland)

If you are located in the EEA, UK, or Switzerland, you additionally have the right to:

Restrict Processing: Request that we limit how we use your data in certain circumstances
Object to Processing: Object to processing based on legitimate interests
Withdraw Consent: Withdraw previously given consent at any time, without affecting the lawfulness of prior processing
Lodge a Complaint: File a complaint with your local Data Protection Authority
Object to Automated Decision-Making: Not be subject to decisions based solely on automated processing that produce legal or similarly significant effects

10.3 Additional Rights Under CCPA/CPRA (California Residents)

If you are a California resident, you have the right to:

Know: Request disclosure of the categories and specific pieces of personal information we have collected, the sources, business purposes, and third parties with whom we share it
Delete: Request deletion of your personal information, subject to certain exceptions
Correct: Request correction of inaccurate personal information
Non-Discrimination: Not receive discriminatory treatment for exercising your CCPA rights
Opt-Out of Sale/Sharing: We do not sell or share (for cross-context behavioral advertising) your personal information, so no opt-out is necessary
Limit Use of Sensitive Personal Information: We do not collect sensitive personal information as defined by the CCPA/CPRA

CCPA Disclosures: In the preceding 12 months, we have collected the categories of personal information described in Section 1. We have not sold personal information. We have disclosed personal information to third-party service providers as described in Sections 4 and 5 for business purposes.

10.4 Additional Rights Under US State Laws (Virginia, Colorado, Connecticut, and others)

If you are a resident of Virginia, Colorado, Connecticut, or another US state with comprehensive privacy legislation, you may have additional rights including:

Access, correct, and delete your personal data
Obtain a copy of your data in a portable format
Opt out of targeted advertising, sale of personal data, and profiling (none of which we engage in)
Appeal a denial of your privacy request

11. Exercising Your Rights

To exercise any of the rights described above, contact us at [email protected]. We will respond to verified requests within:

GDPR requests: 30 days (extendable by 60 days for complex requests, with notice)
CCPA/CPRA requests: 45 days (extendable by an additional 45 days, with notice)
Other US state law requests: Within the timeframes required by applicable law

We may need to verify your identity before processing your request. You will not be charged a fee for exercising your rights, except where requests are manifestly unfounded or excessive.

12. Children's Privacy

The Service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we learn that we have collected personal information from a child under 16, we will promptly delete it. If you believe a child under 16 has provided us with personal data, please contact us at [email protected].

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy with a new "Last updated" date and, where required by law, by providing direct notice via email. Your continued use of the Service after such changes constitutes acceptance of the updated policy. We encourage you to review this policy periodically.

14. Data Protection Officer / Contact

For privacy-related questions, concerns, or to exercise your rights, contact us at:

Email: [email protected]

If you are in the EEA or UK and are not satisfied with our response, you have the right to lodge a complaint with your local Data Protection Authority.