Privacy Policy
Effective Date: January 1, 2025
1. Introduction
Content Base ("we," "us," or "our") operates a Retrieval-Augmented Generation (RAG) platform that allows users to store, search, and retrieve their personal content. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service.
Data Controller:
Content Base
Email: [email protected]
By using Content Base, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies, please do not use our service.
2. Information We Collect
2.1 Account Information
When you create an account, we collect:
- Email address — Used for account identification, login, and communications
- Password — Stored in hashed form (never in plain text) using industry-standard encryption
- Account creation date — For record-keeping purposes
2.2 Content You Provide
When you use our service, you may upload:
- Text content — Articles, notes, transcripts, and other text you ingest
- Metadata — Titles, authors, source URLs, publication dates, and source types
- Vector embeddings — Mathematical representations of your content for semantic search
- Third-party integrations — When you connect services like Google Drive, we access files you explicitly select for import
2.3 Usage Data
We automatically collect:
- Chunk usage — Number of content chunks stored in your account
- API key usage — When your API keys were last used
- Login timestamps — When you access your account
2.4 Technical Data
We collect technical information including:
- IP addresses — Used for rate limiting and security purposes
- Session cookies — Essential cookies for authentication
- Browser/device information — User agent strings for compatibility
2.5 Payment Information
Payment processing is handled by our third-party provider, Lemon Squeezy. We store:
- Customer ID — Lemon Squeezy's identifier for your account
- Subscription ID — Your subscription reference
- Subscription status — Active, cancelled, past due, etc.
We do not store your credit card numbers, CVV, or full payment details. These are handled entirely by Lemon Squeezy.
3. How We Use Your Information
We use the information we collect to:
- Provide our service — Store your content, generate embeddings, and enable semantic search
- Manage your account — Handle authentication, subscription status, and quota enforcement
- Process payments — Work with Lemon Squeezy to process your subscription
- Communicate with you — Send service-related emails (password reset, subscription updates)
- Ensure security — Prevent abuse through rate limiting and detect unauthorized access
- Improve our service — Analyze usage patterns to enhance features
- Comply with legal obligations — Respond to legal requests and enforce our terms
4. Legal Basis for Processing (GDPR)
For users in the European Economic Area (EEA), we process your data under the following legal bases:
| Processing Activity | Legal Basis |
|---|---|
| Providing the service (storage, search) | Contract performance |
| Account authentication | Contract performance |
| Payment processing | Contract performance |
| Security & rate limiting | Legitimate interest |
| Service improvement | Legitimate interest |
| Legal compliance | Legal obligation |
5. Data Sharing and Third-Party Services
We share your data with the following third-party service providers who help us operate Content Base:
| Service | Purpose | Data Shared | Location |
|---|---|---|---|
| Supabase | Auth & Database | Account data, profile | United States |
| Qdrant | Vector Database | Content, embeddings | EU/US |
| OpenAI | Embeddings | Text content | United States |
| Lemon Squeezy | Payments | Email, billing | United States |
| Railway | Hosting | Request logs | United States |
| Drive Integration | OAuth tokens (encrypted), file content you select | United States |
We do NOT sell your personal data. We only share data with service providers as necessary to operate our service, and they are contractually bound to protect your data.
5.1 Third-Party Integrations
Google Drive
When you connect Google Drive to Content Base:
- Data accessed: We request read-only access to view and download files you explicitly select
- How we use it: We extract text content from files you choose to import into your personal knowledge base
- Data stored: Your OAuth refresh token is encrypted and stored securely. We do not store your Google password.
- No automatic access: We only access files you manually select for import
Disconnecting Integrations
You can disconnect Google Drive at any time through your Sources page. This will:
- Delete our stored OAuth tokens
- Revoke our ability to access your Drive
- Previously imported content remains in your Content Base (you can delete it separately)
You can also revoke access from your Google Account permissions page.
6. International Data Transfers
Your data may be transferred to and processed in the United States and other countries where our service providers operate. For transfers from the EEA to the United States, we rely on:
- Standard Contractual Clauses (SCCs) — EU-approved contract terms
- Data Processing Agreements — With each service provider
- EU-US Data Privacy Framework — Where applicable
7. Data Retention
We retain your data for the following periods:
| Data Type | Retention Period |
|---|---|
| Account data | Until you delete your account |
| Content & embeddings | Until you delete the content or account |
| API keys | Until revoked or account deleted |
| Server logs | 30 days |
| Payment records | 7 years (legal requirement) |
8. Your Rights
8.1 Rights for All Users
- Access your data — View and export your content and account information
- Delete your data — Remove specific content or delete your entire account
- Update your data — Correct inaccurate information
- Manage API keys — Create, view, and revoke your API keys
8.2 Additional Rights for EEA Residents (GDPR)
- Data portability — Receive your data in a structured, machine-readable format
- Restrict processing — Limit how we process your data
- Object to processing — Object to processing based on legitimate interests
- Withdraw consent — Where processing is based on consent
- Lodge a complaint — With your local data protection authority
8.3 Additional Rights for California Residents (CCPA)
- Right to know — What personal information we collect
- Right to delete — Request deletion of your personal information
- Right to opt-out — We do NOT sell personal information
- Non-discrimination — We won't discriminate for exercising rights
8.4 Exercising Your Rights
You can exercise most rights directly through your account settings. For other requests, email us at [email protected].
We will respond within 30 days (or as required by applicable law).
9. Cookies and Tracking
We use only essential cookies required for the service to function:
| Cookie | Purpose | Duration |
|---|---|---|
| Supabase auth token | Authentication session | Session / 7 days |
We do not use third-party tracking cookies, advertising cookies, or analytics that identify individuals.
10. Security
We implement appropriate technical and organizational measures to protect your data:
- Encryption in transit — All data transmitted via HTTPS/TLS
- Password hashing — Passwords stored using bcrypt/Argon2
- API key hashing — API keys stored as SHA-256 hashes
- Multi-tenant isolation — Your data is strictly separated from others
- Rate limiting — Protection against brute force attacks
- Row-level security — Database-level access controls
While we implement industry-standard security measures, no method of transmission over the Internet is 100% secure.
11. Children's Privacy
Content Base is not intended for users under the age of 16 (or 13 in the United States). We do not knowingly collect personal information from children.
If you believe we have collected information from a child, please contact us and we will delete such information promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we make changes:
- We will update the "Effective Date" at the top
- For material changes, we will notify you via email
- Continued use of the service constitutes acceptance
13. Contact Us
If you have questions about this Privacy Policy or wish to exercise your rights:
Content Base
Email: [email protected]
For EEA residents, you may also lodge a complaint with your local data protection authority.
California Privacy Notice (CCPA)
This section applies to California residents and supplements the information above.
Categories of Personal Information Collected
- Identifiers — Email address, user ID, IP address
- Commercial information — Subscription and payment history
- Internet activity — Usage data, login history, API key usage
- Professional information — Content you choose to upload
Sale of Personal Information
We do NOT sell your personal information to third parties.
Shine the Light (California Civil Code § 1798.83)
We do not disclose personal information to third parties for their direct marketing purposes.