Privacy notice

Altha is an alpha product currently operated by Paul Gazagnaire, an individual based in France, pending the registration of a French société par actions simplifiée (SAS) that will succeed to this notice. The operating entity acts as the data controller for the personal data described below.

For privacy questions, data subject requests, or DPA inquiries, write to privacy@altha.ai.

We collect the minimum set of personal data required to run the service. Categories:

• *Account identity (via Clerk): email address, name, profile picture, authentication factor metadata. We do not see or store your password.
• *Organization data (via Clerk): organization name, role assignments (admin, editor, viewer), invitation status.
• *Product content (Supabase): features, dependencies, PRDs, chat messages, attachments, comments, settings. This is the substance you create inside Altha.
• *Audit metadata (Supabase): timestamps, action types, entity IDs, user and organization IDs. No content is recorded.
• *Waitlist (Supabase): email addresses submitted on the landing page, source URL, timestamp.
• *Operational diagnostics (Sentry): error reports stripped of request bodies, cookies, and console breadcrumb data.
• *Server logs (Vercel): IP, user agent, request path, response status, timestamps. Retained per Vercel's standard policy.

Contract performance

Account creation, organization data, product content, transactional emails, account-level settings.

Legitimate interests

Rate limiting, abuse prevention, audit logging, error tracking. Balanced against your rights; we strip content from logs and limit retention.

Consent

AI processing is opt-in at the organization level. You can withdraw consent in settings; future AI features will refuse to run until consent is granted again.

Compliance with legal obligation

Limited cases such as responding to a valid legal request or retaining records required by tax or commercial law.

• *Providing the service: rendering your graph, storing your content, running audits.
• *Account security: rate limiting, signup defense, suspicious activity flags.
• *AI feature extraction and graph audits, with your organization-level consent.
• *Operational monitoring: error tracking, billing precursors (no payment data yet), capacity planning.
• *Transactional communications: waitlist confirmations, password reset emails, important service notices.
• *Compliance: audit trail retention, responding to verified data subject requests.

Altha relies on a small set of sub-processors to run the service. The full list, with regions and compliance status, lives on /security in the sub-processor table. As of this notice the list is: Supabase, Anthropic, Vercel, Clerk, Upstash, Sentry.

We do not sell personal data, we do not share it with advertising networks, and we do not run any analytics or tracking pixels on the marketing site or inside the product.

The primary store (Supabase) and the application functions (Vercel, pinned to fra1) are inside the European Union. Several sub-processors are headquartered in the United States: Anthropic, Clerk, Sentry, and Vercel as a corporate entity. When personal data of EU residents reaches a US sub-processor, the transfer is covered by one or more of:

• *The EU-U.S. Data Privacy Framework, where the provider is certified (for example, Vercel).
• *Standard Contractual Clauses (Module 2 or Module 3) under the European Commission's 2021 Implementing Decision.
• *Supplementary measures: TLS 1.2 or higher in transit, AES-256 at rest, scoped access tokens, no shared service accounts.

Account data

Kept until you or your admin deletes the account. Deletion is permanent and irreversible.

Product content

Kept until an organization admin deletes the organization through settings (POST /api/settings/delete-account). Deletion cascades to features, dependencies, attachments, conversations, messages.

Audit logs

Anonymized on account deletion (user IDs replaced with a fixed placeholder). Anonymized logs retained for up to 24 months for security analytics and abuse prevention, then purged.

Anthropic API logs

Up to 30 days at Anthropic, then deleted by them. Not used for model training.

Sentry errors

90 days by default at Sentry. No user-generated content is included.

Waitlist

Kept until you ask to be removed. Bounce or invalid records are pruned after 30 days.

Server logs (Vercel)

Per Vercel's standard log retention. No request bodies are stored by us.

As a data subject in the EEA, UK, or Switzerland you have the following rights. We honor them regardless of the legal basis under which the data is processed.

• *Access (Art. 15): you can export your organization's data as JSON from settings. The route is documented at Security → GDPR compliance.
• *Rectification (Art. 16): edit your data in settings, or write to privacy@altha.ai if a field is read-only.
• *Erasure (Art. 17): admins can permanently delete the organization and all its content from settings. We anonymize, rather than delete, the audit log.
• *Restriction (Art. 18): write to privacy@altha.ai with the specific records you want restricted.
• *Portability (Art. 20): the export from settings is structured JSON ready for re-import elsewhere.
• *Objection (Art. 21): write to privacy@altha.ai. Where we rely on legitimate interests, we will stop processing unless we can show overriding grounds.
• *Automated decision-making (Art. 22): Altha does not make solely automated decisions that produce legal or similarly significant effects.
• *Withdraw consent: revoke AI processing consent in settings at any time. Future AI features will refuse to run until consent is granted again.

We use the smallest set of cookies that lets the product work. No analytics, no advertising, no cross-site tracking.

• *Clerk session cookies: required for authentication. Set by Clerk on the app domain. HttpOnly, Secure, SameSite=Lax.
• *Cookie banner dismissal: a single localStorage key (altha:cookie-consent) recording that you closed the banner. Not a cookie strictly speaking; not used for tracking.
• *Theme preference: a single localStorage key for the dark/light toggle.

Altha is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided personal data to Altha, write to privacy@altha.ai and we will delete it.

The security controls that back this notice (encryption, access control, audit logging, input validation, infrastructure) are documented in full at /security. The page lists every sub-processor and every relevant certification.

We will give registered users at least 30 days advance notice of material changes by email. Non-material clarifications (typo fixes, wording polish) are published without notice. The "last updated" date at the top always reflects the most recent revision.

EU residents have the right to lodge a complaint with their local data protection authority. As Altha is pre-incorporation, no single lead authority is designated; once the operating SAS is registered in France, the CNIL will be the lead authority and we will update this section.