Ask Poppy – Privacy Policy

Privacy Policy

This Privacy Policy explains what information Ask Poppy collects, how we use it, who we share it with, and your rights. Ask Poppy is designed for users aged 13 and over. If you are under 13, you may not use the service.

1. Who We Are

  • Controller: Poppy Labs AS ("Ask Poppy") is the data controller.
  • Registered address: Oslo, Norway.
  • Contact: [email protected].

2. What We Collect

  • Account: email and basic profile via Clerk (our authentication provider).
  • Usage: messages you send, AI responses, feature interactions, feedback, timestamps.
  • Voice/Audio: optional audio you upload or record (for speech recognition) and text we convert to audio (text‑to‑speech).
  • Technical: IP address, device/browser info, and event logs required for security and service delivery.
  • Analytics: product analytics events including session replays (PostHog cloud) and Google Analytics page metrics for debugging and service improvement. Session replays mask text and inputs to avoid collecting sensitive content.

We do not intentionally collect sensitive data. Please avoid sharing sensitive information in chats or audio.

  • Service delivery (contract): create/manage your account, authenticate with Clerk, provide chat, save history, deliver voice features, send essential service emails.
  • Security and reliability (legitimate interests): prevent abuse, ensure availability, debug issues, measure performance.
  • Product improvement (legitimate interests): PostHog EU analytics including session replays to identify bugs, improve user experience, and ensure service reliability. Session replays exclude sensitive form inputs. We do not use data for advertising or behavioral profiling of minors.

3A. Model Training and Product Improvement (Legitimate Interests)

  • What we use: We may use chat text, system messages, and limited metadata (timestamps, language) to improve response quality, safety, and reliability.
  • Minimization: Before use, we apply automated filters to remove obvious identifiers (emails, phone numbers, addresses, IDs) and sensitive categories where possible. We treat training inputs as pseudonymized—complete anonymization cannot be guaranteed.
  • Vendors: OpenAI API does not use our API data for their training by default. We do not allow our providers to use your data to train their models for their own purposes unless explicitly disclosed.
  • Minors and schools: We apply stricter filtering and exclude minors’ or education accounts’ chats from training.
  • Your choices: You can object to model training at any time (GDPR Art. 21). See “Object to training” below.
  • Optional communications (consent/legitimate interests): product updates or newsletters (only if you opt in where required).

3B. Regional Defaults (EEA/UK vs. US/others)

  • EEA/UK: We ask for your consent before enabling analytics and session replays. You can change your choice anytime in Settings.
  • Outside the EEA/UK (e.g., United States): We enable first‑party product analytics and session replays by default under our legitimate interests to improve the service. We do not sell or share your data for cross‑context behavioral advertising. We honor Global Privacy Control (GPC) and Do‑Not‑Track (DNT): if your browser sends GPC/DNT, we disable analytics by default. You can opt out any time in Settings.

4. Third‑Party Providers We Use

  • Authentication: Clerk (USA/EU). Clerk participates in the EU‑U.S. Data Privacy Framework and offers SCCs.
  • Hosting/edge/CDN: Cloudflare (global). Cloudflare participates in the EU‑U.S. Data Privacy Framework and offers SCCs.
  • AI text: OpenAI API. OpenAI states API data is not used to train models by default; learn more at https://platform.openai.com/docs/guides/your-data.
  • Voice (TTS/STT): ElevenLabs (U.S.). See Section 5 for details about training and transfers.
  • Email: Resend (transactional emails such as verification/waitlist).
  • Analytics: PostHog cloud (EU region) for product analytics and session replays, and Google Analytics (gtag.js). We do not use analytics for advertising. Essential analytics cookies may be set under legitimate interests; we honor GPC/DNT and provide in‑product opt‑out controls.

We do not sell personal data.

5. ElevenLabs – Important Disclosures

  • Role and transfers: When you use voice features, your voice/audio and/or text will be sent to ElevenLabs in the U.S. ElevenLabs generally acts as an independent controller. This is an international transfer safeguarded by Standard Contractual Clauses and/or the EU‑U.S. Data Privacy Framework.
  • Training use: We have disabled data use for model training in our ElevenLabs account settings. ElevenLabs may retain temporary logs for service delivery only.
  • Legal basis: We rely on contract (to provide speech features you request) and legitimate interests (service integrity). If a use is not strictly necessary, we will seek consent or provide an opt‑out.
  • Retention: ElevenLabs may retain logs/audio per their policy. See ElevenLabs’ documentation for specific durations; we minimize what we send and do not store raw audio longer than needed on our side.

6. OpenAI – Your Data

  • We send prompts and necessary context to OpenAI to generate AI responses. OpenAI’s API services do not use your data for training by default. See OpenAI’s data use page: https://platform.openai.com/docs/guides/your-data.
  • We minimize inputs (only what is required for your request) and avoid sending sensitive data.

7. International Transfers

  • Some providers are based in the U.S. or process data outside the EEA. Where transfers occur, we rely on the EU‑U.S. Data Privacy Framework and/or the European Commission’s Standard Contractual Clauses. For EU‑hosted analytics, we use PostHog’s EU cloud to keep telemetry in the EEA where possible.

8. Retention

  • Account data: kept while your account is active; deleted or anonymized upon request or after account deletion.
  • Conversations: kept to provide your history; you can request deletion of your history.
  • Logs and analytics: retained only as long as necessary for security, anti‑abuse, and product improvement. Third‑party providers may have their own retention periods as described in their policies. For transparency: Cloudflare typically retains security logs for up to ~30 days; Clerk retains account data while your account is active and for a limited period after deletion; PostHog EU retains events for 30 days before deletion; Google Analytics data retention follows the setting chosen in our GA property.

9. Cookies and Similar Technologies

  • Essential cookies: used for authentication/session and security; these do not require consent.
  • Analytics cookies: PostHog and Google Analytics cookies may be set under legitimate interests for service improvement and debugging. We mask replays to avoid sensitive inputs. You can opt out via Settings and we honor GPC and DNT.

10. Users Aged 13–17

  • Minimum age: You must be at least 13 to use the service. If we learn someone under 13 is using the service, and they do not check the parental permission checkbox during onboarding, we will suspend the account and delete personal data as required.
  • Legal basis: We rely on contract and/or legitimate interests for core features, avoiding parental‑consent complexities across countries. For any non‑essential processing that requires consent, we will ask for it and, where required by local law, request parental approval. In some EU countries, the digital age of consent is higher (up to 16); where required, you need to seek parental consent for non‑essential processing.
  • No targeted ads: We do not conduct behavioral advertising on minors. We minimize data collection and default to privacy‑respecting settings.
  • Parents/guardians: If you believe a child has provided us personal data without appropriate consent, contact [email protected] and we will act promptly.

11. Your Rights (EEA/UK and similar regimes)

  • Access and Portability: Export your data in JSON format at /api/gdpr/export (requires login). The export includes conversations, settings, and usage stats, which is the complete data we have stored about you in our database.
  • Correction: Update your settings and profile information directly in the app.
  • Deletion: Delete individual conversations in the app, or delete your entire account (this action cannot be undone).
  • Object to training: You may object to our use of your conversations for model training (GDPR Art. 21). You can: (a) toggle off “Model Learning” in Settings, or (b) email [email protected] with subject “Object to training”. We will stop adding new data and remove your data from training data.
  • Restriction and Objection: Contact [email protected] to restrict processing or object to legitimate interests processing.
  • Complaint: Lodge complaints with Datatilsynet (Norwegian Data Protection Authority) or your local supervisory authority.

12. Security

  • We use encryption in transit, access controls, least‑privilege access, and reputable vendors. We use 2FA on accounts and monitor for abuse. No method is 100% secure, but we work to protect your data.

13. Changes to This Policy

  • We may update this policy from time to time. We will post changes here and update the “Last updated” date. For material changes, we will notify you in‑app or by email when appropriate.

14. Contact