Privacy Policy

1. Introduction

SpyCore AI (“SpyCore”, “we”, “our”, or “us”) is committed to protecting the privacy of every person who interacts with our platform. This Privacy Policy explains what information we collect when you use SpyCore AI, how we use and share that information, and the choices and rights you have over it. By accessing or using SpyCore AI, you agree to the practices described below.

SpyCore AI is a conversational AI product that lets you chat with specialized models for everyday reasoning, coding, and research workflows. This policy applies to our web application, our mobile and desktop clients, our public APIs, and the marketing website at spycore.ca. It does not cover third-party products that integrate with SpyCore AI, which are governed by their own privacy policies.

We operate from Ontario, Canada, and comply with the Personal Information Protection and Electronic Documents Act (PIPEDA), the European Union’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable privacy laws in the jurisdictions where we offer SpyCore AI. If you do not agree with any part of this policy, please discontinue use of the service.

2. Information We Collect

Account information. When you create a SpyCore account we collect your name, email address, a hashed password (or a unique identifier from your OAuth provider), your chosen subscription plan, and the preferences you configure such as theme, default model, and notification settings. If you subscribe to a paid plan, billing contact information is collected through our payments processor.

Conversation content. We store the messages, files, and attachments you send to SpyCore models, together with the model responses, so that your chat history is available across sessions and devices. Conversation content is encrypted at rest and in transit. You can delete individual conversations or wipe your entire history at any time from the account settings page, which triggers a permanent removal from our primary data stores within 30 days.

Usage telemetry. We collect information about how you interact with SpyCore AI — such as the models you invoke, approximate token counts, feature usage, timestamps, latency, error events, device type, operating system, browser version, and coarse IP-based location. This telemetry is used to keep the service reliable, monitor abuse, and measure product performance. We do not sell telemetry to third parties.

Cookies and local storage. We use strictly-necessary cookies to keep you signed in, preference cookies to remember UI choices, and aggregate analytics cookies (with your consent where required) to understand how the product is used. You can control or clear cookies through your browser settings. Disabling essential cookies may break authentication or other core features.

3. How We Use Your Information

We use the information we collect to operate, maintain, and improve SpyCore AI. Primary uses include routing your prompts to the correct model, generating responses, syncing your history across devices, providing customer support, enforcing our Terms of Service, preventing fraud and abuse, and complying with our legal obligations.

We also use aggregated and de-identified data to evaluate product quality, measure model performance, and inform engineering priorities. By default, we do not use your conversation content to train foundation models. If we ever introduce optional training-data contributions, participation will be strictly opt-in and controlled from your account settings.

With your explicit consent, we may send you product updates, release notes, and occasional marketing email. You can unsubscribe from any non-transactional message using the link in the email footer or by contacting us at the address below. Transactional messages about billing, security, or material policy changes will continue as required.

4. Data Retention

We retain account information for as long as your account remains active. Conversations are retained until you delete them or delete your account. Usage telemetry is retained in identifiable form for up to 12 months and then either deleted or aggregated into anonymous statistics. Billing records required for tax and accounting purposes are kept for seven years in accordance with Canadian and international regulations.

When you delete your SpyCore account, we purge your profile, conversation history, uploaded files, and API keys from our production systems within 30 days. Encrypted backups may retain residual copies for up to 90 additional days before they rotate out of storage. Aggregated statistics that cannot be linked back to you may be retained indefinitely.

5. Data Security

We follow industry best practices to protect your data. Information is transmitted over TLS 1.2 or higher, stored on encrypted disks, and segregated by tenant. Access to production systems is limited to a small number of engineers who are required to use hardware security keys and single-sign-on with multi-factor authentication. We log and review privileged access on an ongoing basis.

Despite our safeguards, no internet-based service is entirely secure. We encourage you to use a strong, unique password and to enable two-factor authentication on your SpyCore account. If we ever detect a security incident that materially affects your personal information, we will notify you without undue delay and in accordance with applicable breach-notification laws.

6. Your Rights (GDPR/PIPEDA)

Depending on where you live, you have the right to access, correct, port, or delete the personal information we hold about you. You may also request that we restrict or object to certain processing, withdraw consent you previously gave, or lodge a complaint with your local data-protection authority. We will not discriminate against you for exercising any of these rights.

Most requests can be fulfilled directly from the Settings → Privacy area of your account, including exporting your conversation history as JSON, editing your profile, or permanently deleting your account. For anything that cannot be handled in-product, email privacy@spycore.ca and we will respond within 30 days.

The legal bases we rely on to process your information under GDPR are performance of our contract with you, our legitimate interests in operating and improving the service, compliance with legal obligations, and, where relevant, your explicit consent. Under PIPEDA we process information only for purposes a reasonable person would consider appropriate in the circumstances.

7. Third-Party Services

SpyCore AI relies on carefully-vetted subprocessors to deliver the service. This includes model providers (such as Anthropic, OpenAI, and Google) who host the foundation models that power our specialized personas; cloud infrastructure providers (including Cloudflare and Hetzner) that host our application and databases; and observability vendors that help us detect and resolve incidents.

We use Stripe as our payments processor for subscriptions. SpyCore never stores your full credit-card number on its own servers; card data is tokenised and handled by Stripe under its own PCI-DSS-compliant infrastructure. Please review Stripe’s privacy policy for details on how payment information is handled.

We require each subprocessor to provide contractual guarantees of confidentiality and security at least as protective as this policy. A current list of subprocessors is available on request. We do not sell personal information to advertisers or data brokers, and we do not share conversation content with any party except as strictly required to deliver a model response you requested.

8. Contact Us

If you have questions about this Privacy Policy, would like to exercise any of your rights, or wish to raise a concern about how we handle your data, please contact our privacy team:

We may update this policy from time to time to reflect changes in our practices or the law. When we make material changes, we will notify you by email or through an in-app notice at least 14 days before the changes take effect.