Privacy Policy

Last Updated: June 20, 2026

§1. Data We Collect

When you create an account or interact with the Aletheia platform ("Service"), we collect the following categories of personal and operational data:

1.1 Account Information. We collect your email address, display name, and authentication credentials when you register. Authentication is managed via Supabase Auth, and passwords are hashed using bcrypt before storage. We never store plaintext passwords.

1.2 Investigation Data. When you conduct investigations, we store your queries (email addresses, usernames, domains, IP addresses, and other search parameters), generated intelligence reports, evidence artifacts, entity graphs, and analyst notes. This data is stored in your isolated tenant space and is accessible only to you.

1.3 Evidence & Artifacts. Files, screenshots, and documents you upload as evidence are stored with SHA-256 cryptographic hashes to ensure provenance and integrity. Metadata including upload timestamps and source URLs are retained alongside the evidence.

1.4 Payment Information. Payment processing is handled entirely by Gumroad as our Merchant of Record. We receive and store only transaction identifiers, subscription status, and license keys. We do not store credit card numbers, CVVs, or banking details on our infrastructure.

1.5 Usage Analytics. We collect anonymized usage data via Vercel Analytics, including page views, feature usage patterns, and performance metrics. This data does not contain personally identifiable information and cannot be linked back to individual users.

Human Readable

We collect your email and login info, the investigations you run, evidence you upload, and basic analytics about how you use the platform.

Payment details stay with Gumroad — we never see your card number. Analytics are anonymized.

§2. How We Use Your Data

We use the data we collect for the following purposes:

Service Delivery: To execute intelligence queries, generate reports, store investigation history, and provide the core functionality of the Aletheia platform.
Service Improvement: To improve AI-powered analysis, entity resolution accuracy, and intelligence correlation through aggregated, anonymized usage patterns. Individual investigation data is never used to train models.
Security & Integrity: To detect abuse, prevent unauthorized access, and maintain the security of our infrastructure and your data.
Communication: To send you service-related notifications, security alerts, and (with your consent) product updates.

We do not sell your data. Your investigation queries, intelligence reports, evidence, and personal information are never sold, rented, or traded to third-party data brokers, advertisers, marketing firms, or any other entity.

Human Readable

Your data is used to run the service, improve it (using anonymized patterns, not your actual investigations), and keep things secure.

We never sell your data. Period.

§3. OSINT Data Sources

Aletheia is an Open Source Intelligence (OSINT) platform. It is important that you understand the nature and boundaries of the data we access:

Aletheia queries publicly available data sources. We do not access private databases, bypass authentication mechanisms, or intercept communications. All intelligence is derived from open-source, publicly accessible information.

3.1 Public Sources. Our platform aggregates data from publicly available APIs, search engines, social media profiles (where publicly visible), domain registration records (WHOIS), DNS records, public breach notification databases, and other open-source data repositories.

3.2 No Unauthorized Access. Aletheia does not engage in computer intrusion, credential stuffing, session hijacking, network interception, or any form of unauthorized access to retrieve information. We operate exclusively within legal and ethical boundaries.

3.3 Third-Party Data Accuracy. Intelligence derived from public sources may be incomplete, outdated, or inaccurate. We present data as retrieved from source systems and do not independently verify all third-party data points.

Human Readable

Aletheia only queries publicly available information — search engines, public APIs, WHOIS records, etc.

We never hack, bypass logins, or intercept communications. Everything is from open sources, and we're transparent about that.

§4. Data Retention

4.1 Investigation Data. Your investigations, reports, and evidence are stored until you explicitly delete them. You may delete individual investigations or bulk-clear your investigation history at any time through the dashboard.

4.2 Account Data. Your account information is retained for the duration of your account. Upon account deletion, all personal data, investigation history, stored evidence, and associated metadata are permanently purged from our systems within 30 days.

4.3 Backups. Encrypted backups may retain deleted data for up to 90 days before automatic expiration. Backup data is encrypted at rest and is not accessible for operational queries.

4.4 Analytics Data. Anonymized analytics data is retained for up to 24 months for trend analysis and then automatically purged.

Human Readable

Your investigations stay until you delete them. Delete your account and everything is purged within 30 days (90 days for encrypted backups).

You're in control of your data lifecycle.

§6. CCPA Compliance

If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) grant you the following rights:

Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you.
Right to Delete: You may request deletion of your personal information, subject to certain exceptions.
Right to Opt-Out: You have the right to opt out of the "sale" of personal information. As stated above, we do not sell personal information.
Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

To exercise your CCPA rights, contact us at privacy@aletheia.io. We will verify your identity and respond within 45 days as required by law.

Human Readable

California residents: you can know what we collect, request deletion, and opt out of data sales (though we don't sell data anyway).

No discrimination for exercising your rights.

§7. Cookies & Tracking

Aletheia uses a minimal set of cookies and tracking technologies:

Session Cookies: Essential cookies that maintain your authenticated session. These are strictly necessary for the platform to function and cannot be disabled.
Authentication Tokens: Secure, httpOnly tokens managed by Supabase Auth to maintain your login state across sessions.
Analytics (Vercel Analytics): Privacy-focused, anonymized web analytics that do not use cookies for tracking. Vercel Analytics collects aggregate performance and usage data without personally identifiable information.

We do not use advertising cookies, social media tracking pixels, or any third-party behavioral tracking technologies.

Human Readable

We only use essential cookies (login sessions) and privacy-focused Vercel Analytics. No ad trackers, no social media pixels, no behavioral tracking.

§8. Third-Party Services

Aletheia relies on the following third-party services to deliver the platform. Each operates under its own privacy policy:

Supabase — Authentication, database, and real-time infrastructure. Data is stored in SOC 2 Type II compliant data centers. Row Level Security (RLS) ensures strict tenant isolation.
Google Gemini (AI) — Powers AI-driven intelligence analysis, entity extraction, and report generation. Investigation queries are processed via the Gemini API but are not used to train Google's models under our API terms of service.
Gumroad — Payment processing and license management as our Merchant of Record. Gumroad handles all payment card data in compliance with PCI DSS.
Vercel — Application hosting, edge functions, and analytics. Deployed on Vercel's edge network with automatic TLS encryption.

Human Readable

Our stack: Supabase (database), Google Gemini (AI), Gumroad (payments), and Vercel (hosting). Each has enterprise-grade security.

Your investigation queries sent to Gemini are not used to train Google's AI models.

§9. Data Security

We implement industry-standard security measures to protect your data:

Encryption at Rest: All data stored in our databases is encrypted at rest using AES-256 encryption.
Encryption in Transit: All communications between your browser and our servers are encrypted using TLS 1.3.
Evidence Provenance: SHA-256 cryptographic hashing is applied to all stored evidence and artifacts, ensuring chain-of-custody integrity and tamper detection.
Data Isolation: Supabase Row Level Security (RLS) policies enforce strict tenant isolation, ensuring users can only access their own investigation data.
Access Controls: Administrative access to production systems is restricted, audited, and requires multi-factor authentication.

While no system can guarantee absolute security, we are committed to promptly addressing any security vulnerabilities. To report a security issue, contact privacy@aletheia.io.

Human Readable

AES-256 encryption at rest, TLS 1.3 in transit, SHA-256 evidence hashing, and Row Level Security for data isolation.

Your investigation data is locked down tight.

§10. Contact & Changes

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you via email or a prominent notice within the platform at least 30 days before the changes take effect.

For any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:

Aletheia Intelligence
Privacy Inquiries
Email: privacy@aletheia.io

Human Readable

We'll give you 30 days notice before any material changes to this policy.

Questions? Email privacy@aletheia.io — we take your privacy seriously.

§1. Data We Collect

When you create an account or interact with the Aletheia platform ("Service"), we collect the following categories of personal and operational data:

Human Readable

We collect your email and login info, the investigations you run, evidence you upload, and basic analytics about how you use the platform.

Payment details stay with Gumroad — we never see your card number. Analytics are anonymized.

§2. How We Use Your Data

We use the data we collect for the following purposes:

Service Delivery: To execute intelligence queries, generate reports, store investigation history, and provide the core functionality of the Aletheia platform.
Service Improvement: To improve AI-powered analysis, entity resolution accuracy, and intelligence correlation through aggregated, anonymized usage patterns. Individual investigation data is never used to train models.
Security & Integrity: To detect abuse, prevent unauthorized access, and maintain the security of our infrastructure and your data.
Communication: To send you service-related notifications, security alerts, and (with your consent) product updates.

Human Readable

Your data is used to run the service, improve it (using anonymized patterns, not your actual investigations), and keep things secure.

We never sell your data. Period.

§3. OSINT Data Sources

Aletheia is an Open Source Intelligence (OSINT) platform. It is important that you understand the nature and boundaries of the data we access:

Human Readable

Aletheia only queries publicly available information — search engines, public APIs, WHOIS records, etc.

We never hack, bypass logins, or intercept communications. Everything is from open sources, and we're transparent about that.

§4. Data Retention

4.3 Backups. Encrypted backups may retain deleted data for up to 90 days before automatic expiration. Backup data is encrypted at rest and is not accessible for operational queries.

4.4 Analytics Data. Anonymized analytics data is retained for up to 24 months for trend analysis and then automatically purged.

Human Readable

Your investigations stay until you delete them. Delete your account and everything is purged within 30 days (90 days for encrypted backups).

You're in control of your data lifecycle.

§6. CCPA Compliance

If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) grant you the following rights:

Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you.
Right to Delete: You may request deletion of your personal information, subject to certain exceptions.
Right to Opt-Out: You have the right to opt out of the "sale" of personal information. As stated above, we do not sell personal information.
Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

To exercise your CCPA rights, contact us at privacy@aletheia.io. We will verify your identity and respond within 45 days as required by law.

Human Readable

California residents: you can know what we collect, request deletion, and opt out of data sales (though we don't sell data anyway).

No discrimination for exercising your rights.

§7. Cookies & Tracking

Aletheia uses a minimal set of cookies and tracking technologies:

Session Cookies: Essential cookies that maintain your authenticated session. These are strictly necessary for the platform to function and cannot be disabled.
Authentication Tokens: Secure, httpOnly tokens managed by Supabase Auth to maintain your login state across sessions.
Analytics (Vercel Analytics): Privacy-focused, anonymized web analytics that do not use cookies for tracking. Vercel Analytics collects aggregate performance and usage data without personally identifiable information.

We do not use advertising cookies, social media tracking pixels, or any third-party behavioral tracking technologies.

Human Readable

We only use essential cookies (login sessions) and privacy-focused Vercel Analytics. No ad trackers, no social media pixels, no behavioral tracking.

§8. Third-Party Services

Aletheia relies on the following third-party services to deliver the platform. Each operates under its own privacy policy:

Supabase — Authentication, database, and real-time infrastructure. Data is stored in SOC 2 Type II compliant data centers. Row Level Security (RLS) ensures strict tenant isolation.
Google Gemini (AI) — Powers AI-driven intelligence analysis, entity extraction, and report generation. Investigation queries are processed via the Gemini API but are not used to train Google's models under our API terms of service.
Gumroad — Payment processing and license management as our Merchant of Record. Gumroad handles all payment card data in compliance with PCI DSS.
Vercel — Application hosting, edge functions, and analytics. Deployed on Vercel's edge network with automatic TLS encryption.

Human Readable

Our stack: Supabase (database), Google Gemini (AI), Gumroad (payments), and Vercel (hosting). Each has enterprise-grade security.

Your investigation queries sent to Gemini are not used to train Google's AI models.

§9. Data Security

We implement industry-standard security measures to protect your data:

Encryption at Rest: All data stored in our databases is encrypted at rest using AES-256 encryption.
Encryption in Transit: All communications between your browser and our servers are encrypted using TLS 1.3.
Evidence Provenance: SHA-256 cryptographic hashing is applied to all stored evidence and artifacts, ensuring chain-of-custody integrity and tamper detection.
Data Isolation: Supabase Row Level Security (RLS) policies enforce strict tenant isolation, ensuring users can only access their own investigation data.
Access Controls: Administrative access to production systems is restricted, audited, and requires multi-factor authentication.

While no system can guarantee absolute security, we are committed to promptly addressing any security vulnerabilities. To report a security issue, contact privacy@aletheia.io.

Human Readable

AES-256 encryption at rest, TLS 1.3 in transit, SHA-256 evidence hashing, and Row Level Security for data isolation.

Your investigation data is locked down tight.

§10. Contact & Changes

For any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:

Aletheia Intelligence
Privacy Inquiries
Email: privacy@aletheia.io

Human Readable

We'll give you 30 days notice before any material changes to this policy.

Questions? Email privacy@aletheia.io — we take your privacy seriously.

Privacy Policy

§1. Data We Collect

Human Readable

§2. How We Use Your Data

Human Readable

§3. OSINT Data Sources

Human Readable

§4. Data Retention

Human Readable

§5. GDPR Compliance

Human Readable

§6. CCPA Compliance

Human Readable

§7. Cookies & Tracking

Human Readable

§8. Third-Party Services

Human Readable

§9. Data Security

Human Readable

§10. Contact & Changes

Human Readable

Privacy Policy

§1. Data We Collect

Human Readable

§2. How We Use Your Data

Human Readable

§3. OSINT Data Sources

Human Readable

§4. Data Retention

Human Readable

§5. GDPR Compliance

Human Readable

§6. CCPA Compliance

Human Readable

§7. Cookies & Tracking

Human Readable

§8. Third-Party Services

Human Readable

§9. Data Security

Human Readable

§10. Contact & Changes

Human Readable