Last updated: December 2025

Privacy Policy

Your privacy is important to us. This policy explains how we collect, use, and protect your data.

1. Introduction

ReasonMe ("we," "our," or "us") is committed to protecting your privacy and ensuring the security of your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered prompt expansion service (the "Service").

This policy applies to all users of our website, web application, API, and related services. By using our Service, you agree to the collection and use of information in accordance with this policy.

2. Definitions

  • Personal Data: Any information relating to an identified or identifiable natural person.
  • Processing: Any operation performed on Personal Data, including collection, storage, use, and deletion.
  • Data Controller: The entity that determines the purposes and means of Processing Personal Data (ReasonMe).
  • Data Processor: An entity that Processes Personal Data on behalf of the Data Controller.
  • Sub-processor: A third party engaged by a Data Processor to Process Personal Data.
  • Data Subject: The individual to whom Personal Data relates (you).

3. Data Controller

ReasonMe acts as the Data Controller for Personal Data collected through our Service. For questions regarding data protection, contact our Data Protection Officer:

Contact
Email: contact@reasonme.ai

4. Information We Collect

4.1 Account Information

  • Name and email address
  • Password (encrypted)
  • Profile information (company, role, preferences)
  • Authentication tokens and session data

4.2 Payment Information

  • Billing name and address
  • Payment method details (processed securely via Stripe)
  • Transaction history and invoices
  • Subscription status and plan details

4.3 Content Data

  • Prompts submitted for expansion
  • Expanded outputs generated by our Service
  • Templates created or customized
  • Feedback and ratings provided

4.4 Usage & Analytics Data

  • Feature usage and interaction patterns
  • API calls and request logs
  • Performance metrics and quality scores
  • Error logs and diagnostic data

4.5 Technical Data

  • IP address and approximate location
  • Browser type, version, and settings
  • Device type and operating system
  • Referring URLs and navigation paths

4.6 Security Data

  • Multi-factor authentication settings (TOTP secrets are encrypted)
  • Phone numbers for SMS verification
  • Backup codes (hashed)
  • Security event logs

4.7 API Key Data

  • API keys (hashed using SHA-256)
  • Key names and scopes
  • Usage statistics and last access times

4.8 Organization Data

  • Organization name and settings
  • Team member information and roles
  • Shared templates and resources
  • Organization-level billing information

5. AI Processing Disclosure

To provide our prompt expansion service, your prompts are sent to third-party AI providers for processing. We currently use:

We do not share your personal information (name, email, etc.) with AI providers—only the prompt content necessary for processing. Both providers have committed to not using customer data for training their models.

6. Legal Basis for Processing (GDPR)

Under the General Data Protection Regulation (GDPR), we process your Personal Data based on the following legal grounds:

  • Contract Performance: Processing necessary to provide the Service you have requested (account management, prompt expansion, billing).
  • Legitimate Interests: Processing for our legitimate business interests (security, fraud prevention, service improvement, analytics).
  • Legal Obligations: Processing required to comply with applicable laws (tax records, legal requests, regulatory requirements).
  • Consent: Where required, we obtain your explicit consent (marketing communications, optional data collection).

7. How We Use Your Information

We use collected information to:

  • Provide, maintain, and improve our Service
  • Process your prompt expansions and deliver results
  • Manage your account and subscription
  • Process payments and prevent fraud
  • Send transactional communications (receipts, security alerts)
  • Provide customer support
  • Analyze usage patterns to improve user experience
  • Ensure security and prevent abuse
  • Comply with legal obligations
  • Send marketing communications (with consent)

8. Data Sharing & Sub-processors

We share your data with the following categories of third-party service providers:

Sub-processor | Purpose | Location
Stripe, Inc. | Payment processing | USA
OpenAI, LLC | AI prompt processing | USA
Anthropic, PBC | AI prompt processing | USA
Google Cloud Platform | Cloud infrastructure, translation | Global (configurable)
Twilio, Inc. | SMS verification (MFA) | USA
Sentry | Error monitoring | USA
SendGrid/SMTP Provider | Email delivery | USA

We do not sell your personal information to third parties. We may share data with law enforcement when legally required.

9. International Data Transfers

Your data may be transferred to and processed in countries outside your residence, including the United States. We ensure appropriate safeguards through:

  • Standard Contractual Clauses (SCCs): EU-approved contractual terms with our sub-processors.
  • Adequacy Decisions: Transfers to countries with adequate data protection recognized by relevant authorities.
  • US Compliance: Adherence to CCPA, state privacy laws, and applicable federal regulations.

10. Data Retention

We retain your data for the following periods:

Data Type | Retention Period
Account data | Until account deletion + 30 days
Prompt history (Free tier) | 7 days
Prompt history (Paid tiers) | 30-90 days (per plan)
Analytics data | 24 months
Security audit logs | 7 years
Billing records | 7 years (legal requirement)
Backups | 90 days

11. Data Security

We implement robust security measures to protect your data:

  • Encryption at Rest: AES-256 encryption for all stored sensitive data.
  • Encryption in Transit: TLS 1.3 for all data transmission.
  • Access Controls: Role-based access control with principle of least privilege.
  • Authentication: Secure password hashing (bcrypt), multi-factor authentication options.
  • Monitoring: Real-time security monitoring and intrusion detection.
  • Incident Response: Documented procedures for security incident handling and breach notification.

12. Your Rights (GDPR & Global)

Depending on your location, you may have the following rights regarding your Personal Data:

  • Right to Access: Request a copy of your Personal Data we hold.
  • Right to Rectification: Request correction of inaccurate or incomplete data.
  • Right to Erasure: Request deletion of your Personal Data ("right to be forgotten").
  • Right to Restrict Processing: Request limitation of how we use your data.
  • Right to Data Portability: Receive your data in a structured, machine-readable format.
  • Right to Object: Object to processing based on legitimate interests or for marketing.
  • Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent.
  • Right to Lodge a Complaint: File a complaint with a supervisory authority.

To exercise these rights, contact us at contact@reasonme.ai. We will respond within 30 days.

13. Cookies & Tracking

We use cookies and similar technologies to enhance your experience:

Cookie Type | Purpose | Duration
Essential | Authentication, security, core functionality | Session / 7 days
Preference | Language, theme, UI settings | 1 year
Analytics | Usage patterns, performance monitoring | 2 years

You can control cookie preferences through your browser settings. Note that disabling essential cookies may affect Service functionality.

14. Children's Privacy

Our Service is not intended for children under the age of 16. We do not knowingly collect Personal Data from children under 16. If you become aware that a child has provided us with Personal Data, please contact us at contact@reasonme.ai, and we will take steps to delete such information.

15. Data Processing Agreement

For enterprise customers requiring a Data Processing Agreement (DPA) for GDPR compliance or other regulatory requirements, please contact us:

Email: contact@reasonme.ai
Subject: Data Processing Agreement Request

Our standard DPA includes:

  • Standard Contractual Clauses (SCCs)
  • Technical and organizational security measures
  • Sub-processor list and notification procedures
  • Data subject rights assistance
  • Audit rights

16. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

  • Posting the updated policy on this page
  • Updating the "Last updated" date and version number
  • Sending an email notification for significant changes
  • Displaying a notice in the Service

We encourage you to review this Privacy Policy periodically for any changes. Your continued use of the Service after changes constitutes acceptance of the updated policy.

17. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us: