Privacy Policy
Effective Date: June 30, 2026
1. Introduction
Content Base ("we," "us," or "our") operates a Retrieval-Augmented Generation (RAG) platform that allows users to store, search, and retrieve their personal content. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service.
Data Controller:
Content Base
Email: [email protected]
By using Content Base, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies, please do not use our service.
2. Information We Collect
2.1 Account Information
When you create an account, we collect:
- Email address — Used for account identification, login, and communications
- Password — Stored in hashed form (never in plain text) using industry-standard encryption
- Account creation date — For record-keeping purposes
2.2 Content You Provide
When you use our service, you may upload:
- Text content — Articles, notes, transcripts, and other text you ingest
- Metadata — Titles, authors, source URLs, publication dates, and source types
- Vector embeddings — Mathematical representations of your content for semantic search
- Third-party integrations — When you connect services like Google Drive, we access files you explicitly select for import
2.3 Usage Data
We automatically collect:
- Chunk usage — Number of content chunks stored in your account
- API key usage — When your API keys were last used
- Login timestamps — When you access your account
2.4 Technical Data
We collect technical information including:
- IP addresses — Used for rate limiting and security purposes
- Session cookies — Essential cookies for authentication
- Browser/device information — User agent strings for compatibility
2.5 Payment Information
Payment processing is handled by our third-party providers, Lemon Squeezy and Stripe. We store:
- Customer ID — Lemon Squeezy's identifier for your account
- Subscription ID — Your subscription reference
- Subscription status — Active, cancelled, past due, etc.
We do not store your credit card numbers, CVV, or full payment details. These are handled entirely by Lemon Squeezy and Stripe.
3. How We Use Your Information
We use the information we collect to:
- Provide our service — Store your content, generate embeddings, and enable semantic search
- Manage your account — Handle authentication, subscription status, and quota enforcement
- Process payments — Work with Lemon Squeezy and Stripe to process your subscription
- Communicate with you — Send service-related emails (password reset, subscription updates)
- Ensure security — Prevent abuse through rate limiting and detect unauthorized access
- Improve our service — Analyze usage patterns to enhance features
- Comply with legal obligations — Respond to legal requests and enforce our terms
4. Legal Basis for Processing (GDPR)
For users in the European Economic Area (EEA), we process your data under the following legal bases:
| Processing Activity | Legal Basis |
|---|---|
| Providing the service (storage, search) | Contract performance |
| Account authentication | Contract performance |
| Payment processing | Contract performance |
| Security & rate limiting | Legitimate interest |
| Service improvement | Legitimate interest |
| Legal compliance | Legal obligation |
5. Data Sharing and Third-Party Services
We share your data with the following third-party service providers who help us operate Content Base:
| Service | Purpose | Data Shared | Location |
|---|---|---|---|
| Supabase | Auth & Database | Account data, profile | United States |
| Qdrant | Vector Database | Content, embeddings | EU/US |
| OpenAI | Embeddings | Text content | United States |
| Anthropic (Claude) | AI writing assistant ("Write Like Me") | Writing samples, chat messages, content excerpts | United States |
| Lemon Squeezy | Payments | Email, billing | United States |
| Stripe | Payments | Email, billing | United States |
| Railway | Hosting | Request logs | United States |
| Drive Integration | OAuth tokens (encrypted), file content you select | United States |
We do NOT sell your personal data. We only share data with service providers as necessary to operate our service, and they are contractually bound to protect your data.
Our AI providers do not train on your content. The AI services we use — OpenAI (to generate search embeddings) and Anthropic (to power "Write Like Me") — do not use the data we send them to train their models. See OpenAI's API data-usage policy and Anthropic's model-training statement.
5.1 Third-Party Integrations
Google Drive
When you connect Google Drive to Content Base:
- Data accessed: We request read-only access to view and download files you explicitly select
- How we use it: We extract text content from files you choose to import into your personal knowledge base
- Data stored: Your OAuth refresh token is encrypted and stored securely. We do not store your Google password.
- No automatic access: We only access files you manually select for import
Disconnecting Integrations
You can disconnect Google Drive at any time through your Sources page. This will:
- Delete our stored OAuth tokens
- Revoke our ability to access your Drive
- Previously imported content remains in your Content Base (you can delete it separately)
You can also revoke access from your Google Account permissions page.
5.2 AI Writing Assistant (Claude)
Our "Write Like Me" feature uses Claude, an AI model provided by Anthropic, to help you draft content in your own voice. When you use it, the following is sent to Anthropic's API to generate your draft:
- Writing samples — The private samples you add to a project, used as style references
- Chat messages — The prompts and conversation history in your writing session
- Content excerpts — Relevant passages retrieved from your content base to ground the draft
Your content is never used to train Anthropic's models. By default, Anthropic does not use inputs or outputs sent through its API to train its models — your data is processed only to generate your draft. See Anthropic's statement on model training and their Privacy Policy.
If you add your own Claude API key to keep writing beyond your monthly included usage, we store it encrypted (AES-256-GCM) and never share it. You can remove it at any time from your writing settings.
6. International Data Transfers
Your data may be transferred to and processed in the United States and other countries where our service providers operate. For transfers from the EEA to the United States, we rely on:
- Standard Contractual Clauses (SCCs) — EU-approved contract terms
- Data Processing Agreements — With each service provider
- EU-US Data Privacy Framework — Where applicable
7. Data Retention
We retain your data for the following periods:
| Data Type | Retention Period |
|---|---|
| Account data | Until you delete your account |
| Content & embeddings | Until you delete the content or account |
| API keys | Until revoked or account deleted |
| Server logs | 30 days |
| Payment records | 7 years (legal requirement) |
8. Your Rights
8.1 Rights for All Users
- Access your data — View and export your content and account information
- Delete your data — Remove specific content or delete your entire account
- Update your data — Correct inaccurate information
- Manage API keys — Create, view, and revoke your API keys
8.2 Additional Rights for EEA Residents (GDPR)
- Data portability — Receive your data in a structured, machine-readable format
- Restrict processing — Limit how we process your data
- Object to processing — Object to processing based on legitimate interests
- Withdraw consent — Where processing is based on consent
- Lodge a complaint — With your local data protection authority
8.3 Additional Rights for California Residents (CCPA)
- Right to know — What personal information we collect
- Right to delete — Request deletion of your personal information
- Right to opt-out — We do NOT sell personal information
- Non-discrimination — We won't discriminate for exercising rights
8.4 Exercising Your Rights
You can exercise most rights directly through your account settings. For other requests, email us at [email protected].
We will respond within 30 days (or as required by applicable law).
9. Cookies and Tracking
We use only essential cookies required for the service to function:
| Cookie | Purpose | Duration |
|---|---|---|
| Supabase auth token | Authentication session | Session / 7 days |
We do not use third-party tracking cookies, advertising cookies, or analytics that identify individuals.
10. Security
We implement appropriate technical and organizational measures to protect your data:
- Encryption in transit — All data transmitted via HTTPS/TLS
- Password hashing — Passwords stored using bcrypt/Argon2
- API key hashing — API keys stored as SHA-256 hashes
- Multi-tenant isolation — Your data is strictly separated from others
- Rate limiting — Protection against brute force attacks
- Row-level security — Database-level access controls
While we implement industry-standard security measures, no method of transmission over the Internet is 100% secure.
11. Children's Privacy
Content Base is not intended for users under the age of 16 (or 13 in the United States). We do not knowingly collect personal information from children.
If you believe we have collected information from a child, please contact us and we will delete such information promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we make changes:
- We will update the "Effective Date" at the top
- For material changes, we will notify you via email
- Continued use of the service constitutes acceptance
13. Contact Us
If you have questions about this Privacy Policy or wish to exercise your rights:
Content Base
Email: [email protected]
For EEA residents, you may also lodge a complaint with your local data protection authority.
California Privacy Notice (CCPA)
This section applies to California residents and supplements the information above.
Categories of Personal Information Collected
- Identifiers — Email address, user ID, IP address
- Commercial information — Subscription and payment history
- Internet activity — Usage data, login history, API key usage
- Professional information — Content you choose to upload
Sale of Personal Information
We do NOT sell your personal information to third parties.
Shine the Light (California Civil Code § 1798.83)
We do not disclose personal information to third parties for their direct marketing purposes.