Privacy Policy

Effective: April 13, 2026 · Last updated: April 13, 2026

Aletheia Sovereign Systems("we," "us," or "our") operates Aletheia Core at https://aletheia-core.com. This Privacy Policy describes how we collect, use, disclose, and protect personal information when you use our website and services.

1. Information We Collect

Account Information: When you register, we collect your name (optional), email address, and a password. Passwords are hashed with bcrypt (12 rounds) and never stored in plaintext.

OAuth Data: If you sign in via GitHub or Google, we receive your name, email, and profile image from those providers. We store OAuth tokens as required for authentication.

API Usage Data: When you use our API, we log the action requested, origin, threat score, decision (PROCEED/DENIED), a SHA-256 hash of the payload (not the payload itself), source IP address, and a cryptographic receipt.

Billing Information: If you subscribe to a paid plan, payment processing is handled entirely by Stripe. We store only your Stripe customer ID, subscription ID, and plan status. We do not store credit card numbers, bank account details, or other payment credentials.

Technical Data: IP addresses are collected for rate limiting and abuse prevention. We do not use cookies for tracking. Authentication is handled via HTTP-only, secure, same-site session tokens.

2. How We Use Your Information

• Provide, maintain, and improve the Aletheia Core service
• Authenticate your identity and manage your account
• Process payments and manage subscriptions via Stripe
• Enforce rate limits and prevent abuse
• Generate audit logs and cryptographic receipts for security decisions
• Respond to your inquiries and provide support
• Comply with legal obligations

3. Information We Share

We do not sell, rent, or trade your personal information. We share data only with:

• Stripe— payment processing (Stripe's privacy policy applies to payment data)
• Supabase — database hosting (data stored in your region)
• Vercel — application hosting and edge delivery
• GitHub / Google — OAuth authentication (only if you choose to sign in with these providers)

We may disclose information if required by law, regulation, legal process, or governmental request.

4. Data Retention

• Account data: Retained until you delete your account. Upon deletion, we initiate a 30-day grace period, after which all personal data is permanently removed.
• Audit logs: Retained for 90 days, then automatically purged.
• Stripe data: Retained per Stripe's data retention policy for regulatory compliance.

5. Your California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have the right to:

• Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected. Use the "Export my data" feature in your account settings or contact us.
• Right to Delete: Request deletion of your personal information. Use the "Delete my account" feature in your account settings or contact us.
• Right to Opt-Out of Sale: We do not sell personal information. No opt-out is necessary.
• Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

To exercise these rights, email us at info@aletheia-core.com or use the self-service tools in your account settings.

6. CalOPPA Disclosure

In compliance with the California Online Privacy Protection Act:

• This privacy policy is accessible from our homepage via a "Privacy" link.
• We collect: email addresses, names, hashed passwords, IP addresses, API usage metadata, and Stripe billing identifiers.
• We share data with the service providers listed in Section 3.
• Do Not Track: We honor Do Not Track browser signals. We do not track users across third-party websites. We do not use analytics cookies, advertising pixels, or session replay tools.

7. Children's Privacy

Aletheia Core is not directed at individuals under 18 years of age. We do not knowingly collect personal information from anyone under 18. If we learn that we have inadvertently collected such data, we will delete it promptly.

8. Security

We implement industry-standard security measures including: bcrypt password hashing, Ed25519-signed policy manifests, Ed25519-signed audit receipts for current decisions, HTTPS enforcement, Content Security Policy headers, rate limiting, and CSRF protection. For details, see our Security & Trust page.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will post the updated policy on this page with a revised "Last updated" date. Material changes will be communicated via email to the address associated with your account.

10. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data rights, contact us at: info@aletheia-core.com

Aletheia Sovereign Systems
California, United States