Privacy Policy

Last Updated: 3 December 2025

Controller: I4HUM LIMITED ("we", "us", "our")

Registered Address: Waikanae 5391, New Zealand

Contact: privacy@i4hum.com

ThroughTheirEyes.ai ("TTE") is designed to help you engage safely and respectfully with AI-generated ancestral personas. This Privacy Policy explains how we collect, process, store, and protect personal data.

By using the Service, you agree to this Policy.

We comply with the New Zealand Privacy Act 2020 and the European Union's GDPR.

1. Data We Collect

1.1 Account Information (via Clerk)

Authentication is handled entirely by Clerk, our identity provider.

Clerk processes:

  • Email address
  • Authentication credentials
  • Multi-factor verification
  • Profile metadata used by Clerk itself

We do not store your email, password, or identifying details inside our platform.

Inside TTE, you are represented only by:

  • a pseudonymous workspace ID, and
  • a pseudonymous user ID

These identifiers cannot identify you directly and can only be linked to your Clerk account through Clerk's secure identity system. We cannot re-identify you without Clerk.

1.2 GEDCOM Files You Upload

When you upload a GEDCOM file:

  • All living individuals are automatically detected and removed (any person with no death date and a birth date within the last 110 years is treated as living)
  • All free-text notes (NOTE tags) are stripped — ThroughTheirEyes.ai does not use narrative notes, citations, or custom tags for persona generation
  • Only historical structured data (names, dates, places, occupations, family relationships) is used to construct ancestor personas
  • Cleaning occurs before the file is stored; no unprocessed GEDCOM content is ever written to disk
  • The cleaned GEDCOM file is then encrypted at rest using rotating quarterly encryption keys in Cloudflare R2
  • You may delete your GEDCOM files and generated personas at any time
  • Deleted GEDCOM files may remain in encrypted backups for up to 30 days before complete removal

Living Person Removal: Our system automatically removes all individuals who appear to be living before any GEDCOM file is stored. This includes anyone with no recorded death date and a birth date within the last 110 years. This ensures we do not retain or process identifiable data about living family members.

We do not use GEDCOM data to train AI models.

We also apply additional eligibility safeguards during persona creation. Individuals who died within the last 50 years cannot be selected as personas. Ancestors who died 50-75 years ago remain selectable but are presented with a caution notice to help you make an informed and respectful choice.

User Responsibility: By uploading a GEDCOM file, you confirm that you have the legal right to share the genealogical data it contains. Because GEDCOM exports often include living relatives by default, our system removes living individuals and all free-text note fields to minimise retained personal data. You remain responsible for ensuring your uploaded data complies with relevant privacy laws in your jurisdiction.

1.3 Conversation Data

Your conversations with ancestor personas are:

  • Encrypted in transit (HTTPS)
  • Encrypted at rest using rotating keys
  • Tied only to your pseudonymous workspace ID

We cannot view encrypted conversation content in transit or at rest. Automated safety systems, which are designed to detect and prevent abuse or security threats, operate on ephemeral, non-persistent representations of your messages and do not store or log the underlying content.

You may delete conversation history at any time.

Demo conversations are anonymous and are not linked to an account unless you explicitly submit them for the Hall of Remarkable Conversations.

1.4 Usage & Audit Logs (Pseudonymous)

For security and operations, we log:

  • pseudonymous workspace ID
  • pseudonymous user ID
  • action type (e.g. "created persona")
  • timestamp
  • system performance events

These logs never include decrypted content or identifying information.

2. How Your Data Is Processed

2.1 Persona Generation

Your GEDCOM-derived ancestor is created using:

  • cleaned genealogical data
  • structured persona blueprints
  • historical context you optionally provide

No living individuals are ever used in persona generation.

2.2 AI Model Processing

For genealogical conversations, we use direct API integrations with:

  • OpenAI (no training on your data)
  • Anthropic (no training on your data)

We do not use model-routing services (e.g., OpenRouter) for personalized genealogical conversations.

We explicitly enforce "no training / no retention" settings supported by each provider.

2.3 Experimental Memory System (Disabled for Demo)

Our backend platform includes an encrypted, per-user graph memory engine that can:

  • store validated place names
  • track relationships derived from conversation
  • improve continuity across sessions

This feature is:

  • disabled for the public demo
  • opt-in only when launched
  • encrypted at rest
  • isolated per workspace

No memory data is shared across users and no unencrypted personal data is stored.

3. How Long We Keep Data

Data Type | Retention
GEDCOM File | Until you delete it (may remain in encrypted backups for up to 30 days)
Personas | Until you delete them
Conversation History | Until deleted
Demo Sessions | Temporary; deleted unless submitted
Audit Logs | 30–90 days, pseudonymous
Hall Submissions | Until deleted by you or curated

4. Your Rights (GDPR / NZ Privacy Act)

You may request:

  • access
  • correction
  • deletion
  • export (portable copy)
  • restriction of processing
  • objection to processing

Requests: privacy@i4hum.com

We verify identity through Clerk.

You may also delete your account at any time through your Clerk account settings or by contacting us.

5. Sharing of Data

We never sell or rent personal data.

We share data only with essential subprocessors:

Purpose | Subprocessor | Region
Authentication | Clerk | US/EU
Frontend Hosting | Vercel | EU/US
Backend Compute | Railway | EU
Encrypted File Storage | Cloudflare R2 | EU/Pacific
AI Inference | OpenAI, Anthropic | Regional endpoints

All subprocessors operate under GDPR-compliant agreements.

6. Data Security

We use:

  • TLS 1.2+ encryption in transit
  • AES-256 encryption at rest
  • Quarterly key rotation
  • Principle of least privilege (RBAC)
  • Pseudonymized user identifiers
  • Segregated workspaces
  • Zero manual access to decrypted user content

7. Children's Data

The Service is not intended for users under 16.

We do not knowingly collect children's data.

8. International Transfers

Data may be processed in:

  • New Zealand
  • EU regions
  • United States

Transfers rely on:

  • Standard Contractual Clauses (SCCs)
  • GDPR-compliant contractual protections
  • Provider-level privacy guarantees

We never transfer data to jurisdictions lacking adequate protection.

9. Cookies & Tracking

ThroughTheirEyes.ai uses a minimal set of cookies to operate the Service securely and effectively. We also use privacy-preserving analytics (Google Analytics 4 with IP anonymisation fully enabled) to understand how visitors use our public website. Analytics data is aggregate only and cannot identify you.

We do not use advertising cookies, behavioural tracking cookies, or cross-site identifiers. Google Analytics 4 runs in anonymised mode only.

9.1 Types of Cookies We Use

We use only the following categories:

(a) Strictly Necessary Cookies (Essential)

These cookies are required for the Service to function, including:

  • Authentication & session cookies (Clerk) – allow you to sign in and stay signed in
  • Security cookies – protect against fraud, abuse, and session hijacking
  • Load balancing / routing cookies – ensure reliable service performance

These cookies do not store personal information inside the ThroughTheirEyes.ai platform; they store anonymous tokens handled by Clerk.

Because they are essential for the service you request, they do not require consent under GDPR/ePrivacy.

(b) Local Storage (Functional)

We use browser local storage for:

  • temporary chat session tokens for the demo
  • short-term client-side preferences
  • "submit conversation" functionality

Local storage remains on your device and is never transmitted to us unless you explicitly choose to submit your demo conversation.

We do not use local storage for tracking, profiling, or analytics.

(c) Privacy-Preserving Analytics (Google Analytics 4)

We use Google Analytics 4 (GA4) in its strictest privacy-preserving configuration to understand general traffic patterns on the public marketing website only.

  • IP anonymisation is always enabled
  • No advertising features, remarketing, demographics, or interests reporting
  • No cross-site identifiers
  • No fingerprinting or behavioural profiling
  • No linking with Clerk accounts or authenticated users
  • Analytics operates only on aggregated, non-identifiable events

GA4 does not run inside the logged-in application at app.throughtheireyes.ai.

9.2 Cookies We Do Not Use

We do not use:

  • advertising or marketing cookies
  • retargeting cookies
  • social media tracking pixels
  • cross-site tracking identifiers

9.3 Third-Party Cookie Providers

Only strictly necessary cookies from the following providers are used:

Provider | Purpose | Region | Notes
Clerk | Authentication & session cookies | US/EU | Stores user login state; no other tracking
Vercel | Load balancing, routing | EU/US | Infrastructure cookies only
Railway | Backend runtime (no cookies) | EU | No cookies issued
Cloudflare | Security & routing | EU/Pacific | DDoS protection and performance cookies only
Google Analytics 4 | Privacy-preserving site analytics | Global | IP anonymised; no advertising features; aggregate-only

We ensure all third-party cookies fall under necessary/functional exemptions and do not engage in personal data tracking.

9.4 Cookie Consent

Because we only use strictly necessary cookies, a consent banner is not required under:

  • GDPR Article 6(1)(b)
  • ePrivacy Directive (Recital 25 exemptions)
  • UK PECR
  • NZ Privacy Act (no cookie consent requirement)
  • CCPA/CPRA (cookies are not "sale" or "sharing" of data)

However, we disclose cookie use transparently here as part of our commitment to privacy.

9.5 Managing Cookies

You may manage or clear cookies through your browser settings.

If you block essential cookies, the Service may not function (e.g., you will be unable to sign in).

10. Changes to This Policy

Material changes will be communicated via email or in-app notifications.

Questions About Privacy?

We're committed to transparency and protecting your family data.

privacy@i4hum.com