Privacy Policy

Last updated: May 2026

1. What We Collect

When you use ceadr, we process the following data:

  • Document content from sources you connect (Google Drive, Notion, Confluence, Slack, GitHub, or uploaded files). Full document bodies are processed in memory and not written to disk. We persist only the cited excerpt of any contradicting passage so the resolution view can cite its sources. Excerpts are encrypted at rest and scoped to your workspace.
  • OAuth tokens for connected services, stored encrypted and scoped to your session.
  • Session identifier (a random UUID in an HttpOnly cookie) to associate your tokens and audit results.
  • Audit results (scores, metadata, and report data) retained for up to 4 hours after scan completion.
  • Document metadata such as filenames, titles, word counts, and author names as provided by source connectors.

2. How We Use Your Data

  • Score documents for quality, completeness, and AI readiness
  • Detect contradictions across your knowledge base
  • Identify gaps against industry templates
  • Build knowledge ontologies (entity and relationship extraction)
  • Generate audit reports and executive summaries

3. Sub-processors

ceadr engages the following sub-processors to deliver the service. Each receives only the data it needs for its stated purpose. We give 30 days' notice before adding a new sub-processor. To object, email privacy@ceadr.ai.

| Sub-processor | Purpose | Region | Privacy |
|---|---|---|---|
| Anthropic | Claude API for scoring, contradiction detection, ontology, summaries. API inputs are not used to train models. | United States | policy |
| AssemblyAI | Audio transcription with speaker diarization and chapter summaries. | United States | policy |
| OpenAI | Optional fallback path for audio transcription via Whisper. The MCP deployment helper also references OpenAI as one of the supported agent endpoints. | United States | policy |
| Voyage AI | Embedding model for document chunks (semantic search and contradiction pairing). | United States | policy |
| Nango | OAuth brokerage and proxied API access to your connected SaaS providers (Google, Notion, Atlassian, Slack, GitHub, Jira). | United States | policy |
| Clerk | Authentication and session management. Stores user identifier, email, and session metadata. | United States | policy |
| Resend | Transactional email (workspace invites, agent notifications, writeback confirmations). | United States | policy |
| PostHog | Product analytics and pageview capture. Only loaded when the visitor opts in via the cookie banner. | United States | policy |
| Sentry | Error and performance reporting (browser + backend). Only loaded when the visitor opts in via the cookie banner. | United States | policy |
| Google (Calendar Appointments) | Booking links for the demo / discovery call flow on the marketing site. Calendar bookings are scheduled directly with Google. | United States, multi-region edge | policy |
| Vercel | Hosting for the ceadr.ai web application. Receives all frontend traffic and edge logs. | United States, multi-region edge | policy |
| Railway | Hosting for the ceadr API engine and worker processes. | United States | policy |
| Supabase | Managed Postgres for workspace metadata, audit log, and contradiction excerpts. | Configurable per project, defaults to United States | policy |

When you connect external sources, your OAuth tokens are used to access data from Google, Notion, Atlassian, Slack, or GitHub on your behalf. We only read data unless you explicitly approve a writeback action.

Analytics (PostHog) and error reporting (Sentry) are loaded only when you opt in through the cookie banner. You can revisit your choice at any time.

4. Data Retention

  • Document content: Full document bodies are processed in memory only and discarded after the audit completes. Cited excerpts of contradicting passages persist with the contradiction record so the resolution view can show provenance.
  • Audit results: Stored for up to 4 hours, then automatically deleted.
  • OAuth tokens: Stored encrypted for up to 24 hours, scoped to your session.
  • Session cookie: Expires after 24 hours.

5. Your Rights

To exercise your data subject rights under GDPR Articles 15 to 22 (access, rectification, erasure, portability, restriction, objection), email privacy@ceadr.ai. We respond within 30 days.

CCPA and UK DPA 2018 requests follow the same path.

6. Cookies

We use a single strictly necessary HttpOnly cookie (kc-session) to maintain your session. We do not use advertising or cross-site tracking cookies. We use product analytics (PostHog) and error reporting (Sentry) only when you opt in through the cookie banner (see section 3 to change or withdraw that choice).

7. Cross Border Transfers

Document content is processed by Anthropic's Claude AI, which operates in the United States. OAuth connections to Google, Notion, Atlassian, Slack, and GitHub may also involve data transfer to US-based servers. These transfers are governed by the respective providers' data processing agreements.

8. Security

  • OAuth tokens encrypted at rest
  • Session cookies are HttpOnly and Secure
  • API key authentication on all endpoints
  • Rate limiting on sensitive operations
  • Only cited excerpts of contradicting passages are persisted. Full document bodies are not written to disk.

9. Contact

For privacy inquiries or to exercise your data rights, email privacy@ceadr.ai.