Privacy Policy
Effective Date: March 27, 2026
Last Updated: April 12, 2026
This Privacy Policy describes how Eudoxic (available at eudoxic.ai), operated by Eudoxic (“Eudoxic,” “we,” “us,” or “our”), collects, uses, stores, and protects your personal information.
We built Eudoxic to handle sensitive professional documents, and we take data privacy seriously. This policy is written in plain English so you can understand exactly what happens with your data.
1. Who We Are
Eudoxic is a document processing and analysis platform operated by Eudoxic. Our service is based in the United States.
Contact: support@eudoxic.ai
2. Information We Collect
2.1 Information You Provide
| Data | Purpose |
|---|---|
| Account information (email address, name, password) | To create and manage your account |
| Documents you upload (PDFs, images, Word files, text files) | To provide AI extraction and analysis |
| Workspace information (workspace names, descriptions) | To organize your documents |
| Chat messages (questions you ask about your documents) | To provide cross-document Q&A |
| Payment information (processed by Stripe, not stored by us) | To process subscription payments |
2.2 Information We Generate
| Data | Purpose |
|---|---|
| Extracted text from your documents | To enable search, chat, and export features |
| Structured extraction data (dates, amounts, parties, obligations) | To provide structured data output |
| Document chunks and vector embeddings | To power cross-document search and Q&A |
| AI-generated chat responses | To answer your questions about your documents |
2.3 Information Collected Automatically
| Data | Purpose |
|---|---|
| Usage data (pages visited, features used, timestamps) | Product analytics to improve Eudoxic |
| Device information (browser type, operating system) | To ensure compatibility and debug issues |
| IP address | Security, rate limiting, and fraud prevention |
3. How We Use Your Information
We use your information only to:
- Provide the Service: Process your documents, generate extractions, answer questions, and produce exports
- Maintain your account: Authentication, session management, and account preferences
- Send transactional emails: Account verification, password resets, and important service notifications
- Improve the Service: Analyze aggregate usage patterns to prioritize features and fix issues
- Ensure security: Detect and prevent fraud, abuse, and unauthorized access
We do NOT use your information to:
- Train AI models (neither ours nor our AI provider's)
- Sell, rent, or share your data with advertisers
- Profile you for marketing purposes
- Make automated decisions that produce legal effects or similarly significant effects on you (e.g., we do not use AI to deny account access or change your pricing based on document content)
4. AI Processing Disclosure
This section is important. Please read it carefully.
When you upload documents to Eudoxic, the text content of those documents is sent to Anthropic's Claude API for analysis. This is how we extract structured data and answer questions about your documents.
What you should know:
- Anthropic does not use your data to train their AI models. This is guaranteed by our commercial agreement with Anthropic.
- Anthropic may temporarily retain API inputs and outputs for up to 7 days for safety monitoring purposes (updated September 2025), after which the data is deleted. They do not use this data for training.
- Anthropic's Data Processing Addendum (DPA) is automatically incorporated into their Commercial Terms of Service. By using the Anthropic API, we are bound by their DPA, which includes GDPR and CCPA compliance commitments and Standard Contractual Clauses (SCCs).
- AI outputs may contain errors. We do not guarantee the accuracy of any AI-generated content. See our Terms of Service for details.
When you use the chat feature, your question and relevant excerpts from your documents (not the full documents) are sent to Anthropic's API to generate an answer.
We also use OpenAI's text-embedding-3-small model to generate search embeddings — mathematical representations of your document text that enable the chat search feature. Your document text is sent to OpenAI's API for this purpose only.
- OpenAI does not use API data to train their models. Data sent via the API is not used for training (per OpenAI's API data usage policy).
- No document content is permanently stored by OpenAI. Embeddings are computed and returned; the original text is not retained.
5. How We Store and Protect Your Data
5.1 Storage
| Data | Location | Encryption |
|---|---|---|
| Account data, extracted text, chat messages | Neon Postgres (US) | AES-256 at rest, TLS 1.2+ in transit |
| Original uploaded files | Vercel Blob / AWS S3 (US) | AES-256 at rest, TLS 1.2+ in transit |
| Vector embeddings | Neon Postgres (US) | AES-256 at rest, TLS 1.2+ in transit |
5.2 Access Controls
- No Eudoxic employee can view your documents through the application. We have no application-level admin panel, no document viewer, and no support tool that displays file contents. Infrastructure-level cloud provider access (Neon, Vercel) is governed by their SOC 2 Type II certifications. This is enforced by design, not just policy.
- Your files are stored in private cloud storage. There are no public URLs to your documents.
- Every database query is scoped to your user account. You can only access your own workspaces and documents.
- All file access requires authentication and ownership verification.
5.3 Security Measures
- All data is encrypted in transit (TLS 1.2+) and at rest (AES-256)
- File uploads are validated for type and size
- Rate limiting is applied to prevent abuse
- Session management is handled by a secure authentication system
6. Third-Party Service Providers
We share your data with the following service providers, solely to operate Eudoxic:
| Provider | Purpose | Data Shared | Their Privacy Policy |
|---|---|---|---|
| Anthropic | AI document analysis and chat | Document text, chat queries | anthropic.com/privacy |
| Vercel | Hosting and file storage | All application data, uploaded files | vercel.com/legal/privacy-policy |
| Neon | Database | Account data, extracted text, embeddings | neon.tech/privacy-policy |
| Resend | Transactional email | Email address, verification tokens | resend.com/legal/privacy-policy |
| PostHog | Product analytics and session recording | Usage data, device information, IP address. Session recordings may capture UI interactions; we use DOM-level controls to block recording of document content and input values. | posthog.com/privacy |
| Stripe | Payment processing (when applicable) | Payment details (not stored by us) | stripe.com/privacy |
| Sentry | Error monitoring | Error messages, stack traces, browser/OS info, IP address | sentry.io/privacy |
| OpenAI | Text embeddings for document search and Q&A | Document text chunks | openai.com/privacy |
| Inngest | Background job processing (document extraction pipeline) | Document text during extraction processing | inngest.com/privacy |
| Google (OAuth) | Optional Google Sign-In authentication | Email address, name, Google profile ID (when you use Google Sign-In) | policies.google.com/privacy |
We do not sell, rent, or trade your personal information to any third party. We do not share your data with advertisers.
7. Data Retention
7.1 Active Accounts
Your documents and data are retained for as long as your account is active and you have not deleted them. There is no automatic expiration.
7.2 When You Delete Documents
When you delete a document, we perform a hard delete:
- The original file is deleted from cloud storage immediately
- Extracted text, structured data, and vector embeddings are deleted from our database immediately
- Chat history that references the deleted document is preserved (your questions and answers remain, but source links become inactive)
There is no trash folder or recovery period. Deletion is permanent.
7.3 When You Delete Your Account
When you delete your account:
- All your workspaces, documents, extractions, chat history, and uploaded files are permanently deleted
- All authentication records are deleted
- Deletion from active systems is completed within 24 hours
Backups: Our database provider (Neon) retains point-in-time recovery snapshots for up to 6 hours. This means deleted data may persist in backups for up to 6 hours after deletion, after which it is permanently unrecoverable. We do not restore individual data from backups.
7.4 What We Retain After Account Deletion
- Anonymized, aggregated usage metrics (e.g., total documents processed, total queries run) with no personally identifiable information
- Payment records, if applicable, are retained by Stripe per their legal obligations — not by us
Nothing else.
8. Your Rights
Depending on where you live, you may have some or all of the following rights regarding your personal data:
8.1 For All Users
- Access and export your data. You can download your original files, extraction results, and chat history at any time through the application. We also provide a “Download All My Data” feature in account settings.
- Delete your data. You can delete individual documents, entire workspaces, or your full account at any time. Deletion is immediate and permanent.
- Correct your data. You can update your profile information (name, email) in account settings. You can re-upload documents if extraction results need correction.
8.2 For EU/EEA Residents (GDPR)
In addition to the above, you have the right to:
- Restrict processing: You can delete documents to stop them from being used in future queries. Contact us if you need to restrict processing in other ways.
- Object to processing: We do not use your data for profiling, marketing, or automated decision-making. If you object to our processing, contact us and we will address your concern.
- Data portability: Use our export feature to receive your data in a structured, machine-readable format (JSON, CSV).
- Lodge a complaint: You have the right to lodge a complaint with your local data protection supervisory authority.
Automated Decision-Making (GDPR Article 22). Eudoxic uses AI to extract structured data from your documents and generate answers to your questions. These outputs are informational tools for your review — they do not produce legal effects on you and do not constitute automated decisions about you as an individual. We do not use AI to make decisions about your account eligibility, pricing, or access to services based on your document content. If you have concerns about how AI outputs affect you, you have the right to request human review by contacting us at support@eudoxic.ai.
8.3 For California Residents (CCPA)
- Right to know: This Privacy Policy describes all categories of personal information we collect and how we use them.
- Right to delete: Use our self-service deletion features or contact us.
- Right to opt-out of sale: We do not sell your personal information. We have never sold personal information. We will never sell personal information.
- Non-discrimination: We will not treat you differently for exercising your CCPA rights.
Note: Eudoxic is below the CCPA's threshold for mandatory compliance (100,000 consumers/year). We extend these rights to all California residents regardless.
8.4 Exercising Your Rights
For most rights, you can use the self-service features in your Eudoxic account (export, delete, update profile). No manual request is needed.
If you need to make a request that cannot be handled through the application, email us at privacy@eudoxic.ai. We will respond within 30 days. We may need to verify your identity before processing your request.
9. Legal Basis for Processing (GDPR)
If you are in the EU/EEA, our legal bases for processing your personal data are:
| Processing Activity | Legal Basis |
|---|---|
| Providing the Service (document processing, chat, export) | Contract performance — necessary to deliver the service you signed up for |
| Account management and authentication | Contract performance |
| Transactional emails (verification, password reset) | Contract performance |
| Cookie-based analytics (PostHog usage tracking, session recordings) | Consent (GDPR Art. 6(1)(a)) — you can change this at any time using the Cookie Preferences widget below |
| Security monitoring (rate limiting, fraud prevention) | Legitimate interest — protecting the Service and its users |
10. International Data Transfers
Eudoxic is based in the United States. All our infrastructure providers (Vercel, Neon, Anthropic) process data in the United States.
If you are located outside the United States (including the EU/EEA), your data will be transferred to and processed in the United States. These transfers are protected by:
- Standard Contractual Clauses (SCCs) incorporated in the Data Processing Addenda of Anthropic, OpenAI, Vercel, and Neon, which are automatically part of their respective commercial terms
- EU-US Data Privacy Framework where applicable (Vercel is certified)
11. Cookies and Tracking
We use a minimal set of cookies:
| Cookie | Type | Purpose | Duration |
|---|---|---|---|
| Session cookie | Strictly necessary | Keeps you logged in | Session / 30 days |
| PostHog analytics | Analytics (opt-in) | Usage and behavioral analytics, including session recordings of UI interactions | Per PostHog policy |
| Sentry error tracking | Performance | Error monitoring and crash reporting | Session |
- No advertising cookies. We do not serve ads and do not use advertising trackers.
- No third-party tracking cookies. We do not allow third parties to track you on our site.
You can manage your analytics cookie preferences using the Cookie Preferences widget below. The Service will function normally without analytics cookies.
12. Do Not Sell My Personal Information
Under the California Consumer Privacy Act (CCPA), California residents have the right to opt out of the sale of their personal information.
We do not sell your personal information. We have never sold personal information, and we have no plans to do so. This applies to all users, not just California residents.
We share data with the service providers listed in Section 6 solely to operate Eudoxic. This is not a “sale” under the CCPA.
Global Privacy Control (GPC) and Do Not Track (DNT). Eudoxic recognizes the Global Privacy Control (GPC) signal. If your browser transmits a GPC signal, we treat it as a request to opt out of the sharing of your personal information. We do not currently respond to Do Not Track (DNT) browser signals, as no uniform standard for DNT has been adopted.
13. Children
Eudoxic is not directed at children under 16 years of age. We do not knowingly collect personal information from children under 16. If you believe a child under 16 has provided us with personal information, please contact us at support@eudoxic.ai and we will delete it promptly.
14. Data Breach Notification
In the event of a data breach that affects your personal information, we will:
- Notify affected users by email within 72 hours of becoming aware of the breach
- Describe the nature of the breach, the data affected, and the steps we are taking
- Notify relevant supervisory authorities as required by law (e.g., the California Attorney General if more than 500 California residents are affected)
15. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by:
- Sending an email to the address associated with your account
- Posting a notice on the Service
Material changes will take effect 30 days after notification. Your continued use of Eudoxic after the effective date constitutes your acceptance of the updated policy.
Non-material changes (such as formatting or clarifications that do not affect your rights) may take effect immediately.
16. Contact Us
If you have questions about this Privacy Policy or how we handle your data, contact us at:
Privacy inquiries: privacy@eudoxic.ai
General support: support@eudoxic.ai
Website: eudoxic.ai
For GDPR inquiries, you may also contact your local data protection supervisory authority.
This Privacy Policy was last updated on April 12, 2026.