Privacy Policy
Recursive Labs' commitment to data protection, user privacy, and transparent information practices across our AI-powered product ecosystem.
Last Updated: January 15, 2025
Effective Date: January 15, 2025
Introduction
Recursive Labs ("we," "our," or "us") is committed to protecting the privacy and security of individuals who interact with our artificial intelligence research platform and associated products. This Privacy Policy describes our information practices for Phractal (Phi), our conversational AI platform; Mozaic, our intelligent canvas generation system; and Snowflake, our pre-configured retrieval-augmented generation infrastructure.
As researchers and practitioners advancing the state of artificial intelligence, we recognize that robust privacy protections are fundamental to ethical AI development. This policy reflects our commitment to transparency, user autonomy, and principled data stewardship throughout our product ecosystem.
1. Scope and Applicability
1.1 Covered Services
This Privacy Policy applies to all data processing activities conducted by Recursive Labs in connection with:
- Phractal (Phi): Our flagship conversational AI platform enabling natural language interaction with advanced language models for knowledge work, creative tasks, and analytical reasoning. Phractal processes user queries, maintains conversation context, and generates contextually appropriate responses through intelligent model routing.
- Mozaic: Our canvas generation system that transforms natural language specifications into structured visual outputs, diagrams, and creative compositions. Mozaic employs multimodal AI architectures to synthesize user intent into coherent visual artifacts.
- Snowflake: Our pre-built retrieval-augmented generation (RAG) infrastructure enabling organizations to deploy knowledge-grounded AI systems with minimal configuration. Snowflake combines vector search, semantic retrieval, and generation capabilities while maintaining data isolation and security.
1.2 Jurisdictional Compliance
Our privacy practices comply with applicable data protection regulations across jurisdictions where we operate, including but not limited to the General Data Protection Regulation (GDPR) in the European Union, the California Consumer Privacy Act (CCPA) in California, and equivalent privacy frameworks in other territories. Where regulations impose additional requirements, we extend those protections to all users globally to maintain consistent privacy standards.
2. Information We Collect
2.1 User-Provided Information
Account Data: When you create an account, we collect authentication credentials (email address and securely hashed password), profile information (display name, optional profile picture), and organizational affiliations (for enterprise deployments). We store passwords using bcrypt with an adaptive work factor that we raise as hardware improves, so that even if stored hashes were exposed in a breach, recovering the original passwords would require a per-password brute-force search whose cost we control; it does not make weak or reused passwords safe, which is why we also recommend strong unique passwords and multi-factor authentication.
Interaction Data: Our systems process the content you provide through our platforms:
- Queries, prompts, and instructions submitted to Phractal
- Design specifications and creative briefs provided to Mozaic
- Documents and knowledge bases ingested into Snowflake instances
- Conversation histories, feedback signals, and preference indications
- Uploaded files, attachments, and multimedia content
2.2 Automatically Collected Technical Data
Usage Telemetry: We collect technical information necessary for service operation and improvement: API request patterns, response latencies, error rates, model selection decisions, conversation length distributions, and feature utilization metrics. This telemetry undergoes aggregation and anonymization before analysis.
Device and Network Information: Standard web metadata including IP addresses (truncated for privacy), browser user agents, referring URLs, and approximate geolocation (city-level, derived from IP). We employ IP address truncation (removing the final octet for IPv4, final 80 bits for IPv6) to limit re-identification potential while maintaining abuse prevention capabilities.
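The truncation rule above, as an added example that is not part of this policy and not Recursive Labs' code: a Python snippet that applies the /24 (IPv4) and /48 (IPv6) cut to individual addresses and to lines of a constructed access log, then counts requests per truncated prefix to show that abuse-rate grouping still works after truncation. The log format, the sample addresses (taken from documentation ranges) and the decision to unwrap IPv4-mapped IPv6 addresses before truncating are assumptions made for the example.

```python
import ipaddress
import re
from collections import Counter

# Bits retained per address family, matching the policy text:
# IPv4 keeps 24 bits (final octet dropped), IPv6 keeps 48 bits (final 80 bits dropped).
KEEP_BITS = {4: 24, 6: 48}


def truncate_ip(ip_str: str) -> str:
    """Return the address with its low-order bits zeroed (a /24 or /48 network prefix)."""
    ip = ipaddress.ip_address(ip_str.strip())
    # Edge case (assumption for this example): an IPv4 client seen through an IPv6 socket
    # arrives as "::ffff:a.b.c.d". A /48 cut would collapse that to "::" and lose the
    # abuse-prevention signal entirely, so unwrap it and apply the IPv4 rule instead.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    net = ipaddress.ip_network(f"{ip}/{KEEP_BITS[ip.version]}", strict=False)
    return str(net.network_address)


# Conservative tokenizer: any run of characters that could form an address literal.
# Tokens that do not parse as an address (timestamps, status codes, hex-looking words)
# are returned unchanged by the substitution callback.
_ADDR_TOKEN = re.compile(r"[0-9A-Fa-f:.]+")


def truncate_ips_in_line(line: str) -> str:
    """Rewrite every IP literal in a log line so only the truncated form is stored."""
    def _repl(m):
        try:
            return truncate_ip(m.group(0))
        except ValueError:
            return m.group(0)
    return _ADDR_TOKEN.sub(_repl, line)


def requests_per_prefix(lines):
    """Count requests per truncated client prefix (field 2 of the constructed log format)."""
    counts = Counter()
    for line in lines:
        counts[truncate_ips_in_line(line).split()[1]] += 1
    return counts


# Constructed sample access log (not real traffic); field 2 is the client address.
SAMPLE_LOG = [
    "2025-01-15T10:00:00Z 203.0.113.47 GET /api/query 200",
    "2025-01-15T10:00:01Z 2001:db8:abcd:1234:5678:9abc:def0:1 POST /api/chat 429",
    "2025-01-15T10:00:02Z ::ffff:203.0.113.47 GET /api/query 200",
    "2025-01-15T10:00:03Z 203.0.113.9 GET /api/query 200",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(truncate_ips_in_line(line))
    print(requests_per_prefix(SAMPLE_LOG))
```

Truncation should happen at the ingestion edge, before the raw line reaches any durable store or third-party analytics sink; otherwise the full address still exists in a buffer or backup that the retention schedule in section 7 has to cover. Note that a /24 or /48 prefix is still personal data under GDPR in many readings, since it narrows a user to a small population, so truncation reduces rather than removes the compliance obligation.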
Cookies and Similar Technologies: We deploy essential cookies for session management and authentication, analytics cookies (with consent) for usage pattern analysis, and preference cookies to maintain user settings. Users may configure cookie preferences through browser settings or our consent management interface.
2.3 Derived and Inferred Information
Through analysis of interaction patterns, we may derive insights about user preferences, expertise domains, and usage contexts to personalize experiences and improve model routing decisions. These inferences remain within our systems and are not shared externally. Users may opt out of personalization while retaining core functionality.
3. How We Use Information
3.1 Service Provision and Optimization
We process user data to deliver our core services: generating responses to queries in Phractal, synthesizing visual outputs in Mozaic, and retrieving relevant context in Snowflake. This processing involves forwarding queries to underlying AI models, maintaining conversation state, and optimizing response quality through model selection and prompt engineering.
Performance optimization utilizes aggregated usage patterns to improve latency, accuracy, and relevance. We analyze failure modes, edge cases, and distributional shifts to enhance model robustness while maintaining individual privacy through differential privacy techniques where applicable.
3.2 Model Training and Improvement
Default Policy: We do NOT use user conversations or content for training AI models without explicit opt-in consent. This represents a fundamental privacy commitment distinguishing our approach from platforms that default to broad training data usage.
Voluntary Contribution: Users may opt in to contribute anonymized interaction data for model improvement research. Such contributions undergo rigorous anonymization: removing personally identifiable information, redacting sensitive content through automated detection, and generalizing or suppressing quasi-identifiers so that every retained record shares its combination of those attributes with at least k-1 others (k-anonymity), which limits, though does not eliminate, the risk of re-identification. Contributors retain the right to withdraw consent and request data deletion at any time.
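The generalize-then-suppress step described above, as an added example that is not part of this policy and not Recursive Labs' code: a Python snippet that drops a direct identifier, coarsens age and city into bands, and then removes any record whose quasi-identifier combination occurs fewer than k times, with a checker that confirms the result. The record layout, the choice of quasi-identifiers, the city-to-region table and the sample records are all constructed assumptions for the example.

```python
from collections import Counter

# Attributes that could be linked to outside data to re-identify someone
# (assumed for this example). "prompt" is the payload we want to keep.
QUASI_IDENTIFIERS = ("age_band", "region", "expertise")

# Constructed coarsening table; a real deployment would use a maintained geo hierarchy.
CITY_TO_REGION = {
    "Berlin": "DE", "Munich": "DE",
    "Austin": "US", "Denver": "US",
    "Reykjavik": "IS",
}


def generalize(record):
    """Drop the direct identifier and coarsen the remaining attributes into bands."""
    decade = (record["age"] // 10) * 10
    return {
        "age_band": f"{decade}-{decade + 9}",          # 34 -> "30-39"
        "region": CITY_TO_REGION.get(record["city"], "other"),
        "expertise": record["expertise"],
        "prompt": record["prompt"],                     # user_id is deliberately not copied
    }


def _qi_key(record, quasi=QUASI_IDENTIFIERS):
    return tuple(record[q] for q in quasi)


def is_k_anonymous(records, k, quasi=QUASI_IDENTIFIERS):
    """True when every quasi-identifier combination appears at least k times."""
    if not records:
        return True
    counts = Counter(_qi_key(r, quasi) for r in records)
    return min(counts.values()) >= k


def k_anonymize(records, k, quasi=QUASI_IDENTIFIERS):
    """Generalize, then suppress every record in an equivalence class smaller than k.
    Returns (kept_records, number_suppressed)."""
    generalized = [generalize(r) for r in records]
    counts = Counter(_qi_key(r, quasi) for r in generalized)
    kept = [r for r in generalized if counts[_qi_key(r, quasi)] >= k]
    return kept, len(generalized) - len(kept)


# Constructed sample of opt-in contributions (not real user data).
RECORDS = [
    {"user_id": "u1", "age": 31, "city": "Berlin",    "expertise": "security", "prompt": "explain TLS 1.3 handshake"},
    {"user_id": "u2", "age": 34, "city": "Munich",    "expertise": "security", "prompt": "compare bcrypt and argon2"},
    {"user_id": "u3", "age": 38, "city": "Berlin",    "expertise": "security", "prompt": "what is a SCC"},
    {"user_id": "u4", "age": 29, "city": "Austin",    "expertise": "design",   "prompt": "draw a login flow"},
    {"user_id": "u5", "age": 27, "city": "Denver",    "expertise": "design",   "prompt": "palette for dark mode"},
    {"user_id": "u6", "age": 52, "city": "Reykjavik", "expertise": "security", "prompt": "audit log format"},
]

if __name__ == "__main__":
    kept, suppressed = k_anonymize(RECORDS, k=2)
    print(f"kept {len(kept)}, suppressed {suppressed}, k-anonymous: {is_k_anonymous(kept, 2)}")
```

With k=2 the single Reykjavik record is the only one suppressed; with k=3 the two design records go as well, which illustrates the utility cost of raising k. k-anonymity says nothing about the free-text payload: if every record in a class carries the same sensitive value, or the prompt itself names the user, the class is trivially re-identifiable, so the PII removal and content redaction steps listed in the policy remain necessary alongside it.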
3.3 Safety, Security, and Compliance
We process data to detect and prevent misuse, including detecting automated attacks, identifying policy violations (such as prohibited content generation requests), preventing fraud and abuse, ensuring compliance with legal obligations, and responding to valid legal process.
Security monitoring employs anomaly detection algorithms analyzing request patterns for suspicious activity while minimizing inspection of content itself. Suspected violations trigger human review following our incident response protocols.
3.4 Research and Development
Aggregated, anonymized usage statistics inform our research into AI safety, alignment, interpretability, and fairness. This research advances the broader field while maintaining individual privacy. We publish research findings openly while ensuring no individual users can be identified through statistical disclosure.
4. Data Sharing and Third Parties
4.1 AI Model Providers
Our services route queries to third-party AI model providers (including OpenAI, Google, and others) to generate responses. We transmit user queries and necessary context to these providers under data processing agreements requiring confidentiality, limiting data retention, and prohibiting training on customer data without consent.
Where possible, we employ edge processing and local inference to minimize external data transmission. For sensitive deployments, we offer dedicated instance options with isolated model hosting ensuring data never leaves your infrastructure.
4.2 Infrastructure and Service Providers
We engage carefully vetted service providers for essential functions:
- Cloud Infrastructure: Amazon Web Services, Google Cloud Platform, and Microsoft Azure for compute, storage, and networking (all SOC 2 Type II certified)
- Database Services: Supabase for PostgreSQL hosting with encryption at rest and in transit
- Vector Storage: Specialized vector database providers for semantic search in Snowflake deployments
- Analytics: Privacy-preserving analytics platforms (with user consent) employing differential privacy
- Payment Processing: PCI DSS compliant payment processors (we never store credit card numbers)
All service providers operate under data processing agreements requiring compliance with GDPR, CCPA, and industry-standard security practices.
4.3 Legal Disclosure
We may disclose user information when required by law, subpoena, or court order. We commit to: reviewing all legal requests for validity and scope, notifying affected users where legally permissible, challenging overly broad requests, and publishing transparency reports detailing disclosure statistics.
4.4 No Sale of Personal Information
We do not sell, rent, or trade user personal information to third parties for monetary consideration or other valuable consideration. This prohibition extends to all forms of data monetization inconsistent with direct service provision.
5. Data Security Measures
5.1 Technical Safeguards
Our security architecture implements defense-in-depth principles across multiple layers:
- Encryption: TLS 1.3 for data in transit, AES-256 for data at rest, end-to-end encryption for highly sensitive communications
- Access Control: Role-based access control (RBAC), principle of least privilege, multi-factor authentication for administrative access
- Network Security: Web application firewalls, DDoS mitigation, intrusion detection systems, network segmentation
- Application Security: Input validation, output encoding, SQL injection prevention, cross-site scripting protection, security headers
- Secret Management: Hardware security modules for cryptographic keys, secure secret rotation, encrypted credential storage
5.2 Organizational Controls
We maintain comprehensive security policies governing employee access to user data, requiring background checks for personnel with data access, providing regular security training, conducting annual security audits by external firms, maintaining SOC 2 Type II certification, and implementing incident response procedures with defined escalation paths.
5.3 Breach Notification
In the event of a security breach affecting personal information, we commit to notifying affected users within 72 hours of discovery, providing detailed information about the breach scope, offering remediation guidance and support, and submitting required regulatory notifications. Our incident response team maintains 24/7 availability for security events.
6. User Rights and Control
6.1 Access and Portability
Users may request copies of their personal information in machine-readable formats (JSON, CSV) through our data export interface. Exports include account information, conversation histories, generated content, and usage metadata. We fulfill export requests within 30 days of verification.
6.2 Deletion and Erasure
Users may delete their accounts and request erasure of associated personal information. Upon deletion: conversation data is permanently removed from active systems within 30 days, backups containing deleted data are purged within 90 days, anonymized aggregate statistics derived from your data are retained, and legal compliance data may be retained as required by applicable regulations.
For Snowflake deployments with custom knowledge bases, enterprise administrators control retention policies and may configure immediate deletion or retention schedules aligned with organizational requirements.
6.3 Correction and Amendment
Users may correct inaccurate personal information through account settings. We maintain audit trails of data modifications for security and compliance purposes.
6.4 Opt-Out Rights
Users may opt out of: analytics and usage tracking (while maintaining essential operational logging), marketing communications, research data contribution, and personalization features. Opt-out preferences are honored immediately and persist across sessions.
6.5 Exercising Rights
To exercise privacy rights, contact us at privacy@recursivelabs.com. We verify requestor identity through multi-factor authentication before processing requests. Responses are provided within legally required timeframes (typically 30-45 days depending on jurisdiction).
7. Data Retention
We retain personal information for the minimum duration necessary to fulfill stated purposes:
- Active Account Data: Retained while account remains active plus 90 days post-deletion
- Conversation Histories: Retained per user preference (configurable from 30 days to indefinite)
- Technical Logs: 90 days for operational logs, 1 year for security logs
- Financial Records: 7 years as required by tax and accounting regulations
- Legal Compliance: Duration required by applicable laws and regulations
Automated deletion processes purge expired data according to these retention schedules. Users may request earlier deletion subject to legal obligations.
8. International Data Transfers
As a global service, we may transfer personal information across international borders. For transfers from the European Economic Area to countries without adequacy decisions, we employ Standard Contractual Clauses approved by the European Commission and implement supplementary technical measures (encryption, pseudonymization, access controls) to ensure data protection equivalent to EU standards.
Users may request information about the countries where their data is processed and the safeguards applied to protect transferred data.
9. Children's Privacy
Our services are not directed to individuals under 18 years of age (or applicable age of digital consent in your jurisdiction). We do not knowingly collect personal information from children. If we become aware of inadvertent collection of children's data, we immediately delete such information.
For educational deployments serving students, we work with institutions to ensure compliance with COPPA, FERPA, and equivalent student privacy regulations. Such deployments require institutional agreements defining data processing roles and implementing heightened protections.
10. Policy Updates
We may update this Privacy Policy periodically to reflect changes in our practices, services, or legal requirements. Material changes will be communicated via: email notification to account holders 30 days before effective date, prominent notice on our website, and in-app notifications requiring acknowledgment.
Continued use of our services after policy updates constitutes acceptance of revised terms. Users who do not agree with updates may delete their accounts before the effective date.
Contact Information
For privacy inquiries, data requests, or concerns:
Email: privacy@recursivelabs.com
Data Protection Officer: dpo@recursivelabs.com
Mailing Address:
Recursive Labs, Inc.
Attn: Privacy Department
[Address to be updated]
For users in the European Union, you have the right to lodge complaints with your local supervisory authority if you believe your data protection rights have been violated.
This Privacy Policy was crafted to reflect our commitment to privacy as a fundamental right and prerequisite for trustworthy AI. We welcome feedback on our privacy practices and continuously seek to advance industry standards for responsible data stewardship.
