Ask Poppy – Privacy Policy

Last updated: May 11, 2025

Introduction

This Privacy Policy explains what information Ask Poppy collects during our beta program, how we use and protect that information, and your rights regarding your data. Ask Poppy is an AI chat service aimed at teens (ages ~12–16) with parental consent. We take privacy seriously and want you (and your parents) to understand our data practices. Because Ask Poppy is in beta, some processes may change as we improve the service, but we will update this Policy if they do.

1. Data Collection

We collect a few different types of information from users of Ask Poppy:

Account Information: If you create an account (or log in) using our authentication service (Clerk), we collect the information needed to set up your account. This typically includes:

  • Email Address: We collect your email when you sign up or join our waitlist. This is used for account login, verification, and for sending important updates.
  • Profile Details: You may provide a username, and possibly your first and last name. We do not require a full name for using the Service, but if you choose to provide it, we will have that on record.
  • User ID: Clerk provides us with a unique user ID for your account which we store in our database to link your chats and preferences to you.

All account information is stored securely by our auth provider (Clerk) and in our database. We do not collect or see your password (Clerk handles passwords securely), and we don’t ask for sensitive personal details like home address or phone number for basic use of Ask Poppy.

Profile and Preferences: Within Ask Poppy, you have the option to set preferences or profile information, such as:

  • Your preferred language for the AI to converse in.
  • The voice you select for spoken responses (if you use the voice feature).
  • Educational information you provide to help tailor the experience, like your school year, learning preferences, or subjects of interest.

These preferences are optional and are meant to personalize your experience. If provided, they are stored in our database so that the AI can use them to better contextualize responses to you. (For example, knowing your preferred language or that you’re focusing on math helps the AI give more relevant answers.) This data is under your control and can be updated in your settings.

Usage Data: We automatically collect and generate data about how you interact with Ask Poppy. This includes:

  • Chat Content: The messages you send to Ask Poppy and the AI’s responses. We store your conversation history so that you (and the AI) can refer back to it. This history is tied to your user account or session. Warning: Please avoid including sensitive personal information in your messages, especially during beta, as those messages are stored and also sent to our AI provider (OpenAI) to generate responses.
  • Voice Data: If you use voice input, we receive an audio recording of your question. We send this audio to our transcription service to convert it to text. We do not keep the audio recording after it’s transcribed. Similarly, if the AI gives a voice answer, we generate audio on the fly but do not store that audio after it’s sent to you. (In short, voice recordings are processed in real time and then discarded.)
  • Actions and Features: We may log events like when you start a new conversation, what features you click (e.g., if you use a help button or switch languages), or if you encounter an error. This usage logging helps us understand what is popular or if something goes wrong.

Technical Information: Like most online services, we collect some technical details automatically to help us run the Service effectively. This includes:

  • Device and Browser Info: We learn about the browser or app version you’re using, your device type (e.g., mobile or desktop, OS version), and similar metadata. This helps us debug compatibility issues and optimize the experience for common devices.
  • IP Address: When you use Ask Poppy, our servers see your IP address (this is how the internet works). We use IP addresses primarily for security (e.g., to detect and prevent suspicious activity or abuse of the Service) and sometimes to infer a rough location (city or country level) to understand our user base distribution. We do not use IP for precise location tracking, but note that IP can indicate your general region.
  • Cookies and Identifiers: We use cookies or similar technologies to keep you logged in and to remember preferences. Cookies are also used by our analytics (see below) to distinguish between different visitors (in an anonymous way). You can control cookies through your browser settings, though disabling cookies might log you out or disable some features.

Analytics Data: We have third-party analytics tools integrated (PostHog and Google Analytics) that automatically collect information about your usage. This can include data such as page views, time spent on pages, button clicks, and other interaction information. This data is generally aggregated and does not include the actual text of your chats. It may include technical info (like your device or region derived from IP as mentioned) and an identifier to tell if the same user returns. However, see the Third-Party Services section below for important details on analytics and privacy.

2. How We Use Your Data

We use the collected data to provide, maintain, and improve Ask Poppy, and to communicate with you. Here’s a breakdown of key uses:

Providing the Service: First and foremost, we use your data to make Ask Poppy work for you. For example, the content of your questions is used to generate AI answers (we send your questions to the AI model and it returns a response). Your account info lets you log in and access your chat history. Without collecting and processing this data, the Service wouldn’t function.

Improving the Service (Service Operation & Enhancement): We continuously work to make Ask Poppy better. Data helps us do that in several ways:

  • We might review anonymous or aggregated conversational data to see where the AI might be falling short. For instance, if many users ask a type of question that Poppy struggles with, we want to know so we can improve our model or add training data. If we ever look at specific chat logs for debugging or improvement, we remove or ignore identifiers so we focus only on the conversation patterns and not on who said what.
  • We use analytics (usage data) to identify bugs or pain points. For example, if a lot of users get an error after clicking a certain button, that tells us something is wrong with that feature. If a particular feature is hardly used, it might indicate it’s not useful or not discoverable.
  • During beta, developers may occasionally monitor interactions more closely to spot problems. This could mean examining logs of interactions (which include your questions and the AI’s answers) to understand any errors or inappropriate responses. We do this solely to improve the service and not to profile or judge users.
  • Voice processing data (transcripts) is used to improve voice recognition. If the transcription service frequently mis-recognizes certain words, we may adjust settings or try a different service. However, as noted, we do not save raw audio files after transcription.
  • AI Model Training: In the future, we might use some of the chat data to further train or fine-tune our AI. If we do so, we would anonymize the data first (remove personal identifiers or any obvious personal content) so that the training does not use your personal details. Any fine-tuning would be aimed at making the AI more useful (for example, better at explaining homework problems based on actual questions we’ve seen). If you prefer we not use your conversation data even anonymized for this purpose, you can contact us to opt out.

Communication: We may use your contact information to communicate with you:

  • Account & Transactional Emails: Clerk (our auth provider) or we might send you emails to verify your email address, reset your password, or confirm account actions. These are necessary for managing your account.
  • Beta Updates: We may send occasional announcements about the beta program to your email. For example, we might share news about new features, changes to the Service, or tips on using Ask Poppy. We aim to keep these infrequent and relevant. You can opt out if you don’t find them useful (each such email will include an unsubscribe link or you can contact support).
  • Feedback Requests: We might reach out for feedback since you’re a beta user. This could be via email or within the app (like a survey asking how well Poppy is working for you). Responding is optional, but your input is valuable to us.
  • We do not send marketing emails for third-party products, and we won’t sell your contact info to advertisers. Any communication is intended to support your experience with Ask Poppy or inform you of important information about our service.

Legal Compliance and Protection: We may need to use or disclose your information for legal reasons:

  • Compliance with Laws: If we receive a lawful subpoena, court order, or other legal demand for data, we may be required to disclose user data to comply with the law. We will review such demands carefully and only comply if legally obligated.
  • Enforcing Our Terms: We will use data to investigate and address violations of our Terms of Service. For example, if someone is abusing the platform, we will examine their usage data to confirm the behavior and may share relevant data with law enforcement if it involves illegal activities.
  • Protecting Rights and Safety: We may disclose data if necessary to protect the rights, property, or safety of Ask Poppy, our users, or others. For instance, if you post content that threatens someone’s safety, we might need to notify appropriate parties or authorities.

In summary, your data is used primarily to run and improve Ask Poppy, to communicate with you about the Service, and to comply with the law when required. We do not use your personal data for unrelated advertising purposes, nor do we sell your personal information. We also don’t have any human “social media” tracking or advertising cookies beyond the analytics noted.

3. How We Protect and Store Your Data (Data Security & Storage)

Protecting your information is important to us. We implement a variety of security measures and choose reputable service providers to safeguard data. However, please remember that no method of transmission or storage is 100% secure. We outline our practices below:

Security Measures: We take reasonable steps to secure your personal data:

  • Encryption: All communications between your browser/app and Ask Poppy are encrypted in transit using HTTPS. This means that outsiders intercepting traffic cannot easily read your messages or personal details. Our databases and backups are also encrypted at rest, so that the raw data is protected on disk.
  • Access Controls: Only authorized personnel (the small Ask Poppy development team and our service providers) have access to the systems that store personal data. Within our team, access to personal data is limited on a need-to-know basis (for example, a developer might access an error log with a user ID to debug an issue, but we don’t have people casually reading through chat histories).
  • Authentication Security: Clerk, our auth provider, manages passwords and login info securely. Passwords are hashed, and we rely on Clerk’s secure infrastructure for authentication. We also support options like OAuth or magic links which can enhance security (by not using passwords at all).
  • Vulnerability Management: We regularly update our software dependencies and apply security patches to address new vulnerabilities. The beta nature of our service means we’re actively testing, but we also monitor for any security issues.
  • Testing & Audits: As a small beta, we haven’t yet undergone formal security audits, but we do test our systems. We welcome security feedback from the community. If you discover a vulnerability, please let us know responsibly.
  • No Guarantee: While we strive to protect data, we want to be transparent that no system is completely infallible. Especially in a beta, unexpected issues could occur. We will inform users of any significant data breaches or risks if they ever occur, and we’ll do our utmost to prevent them.

Data Storage Locations and Providers: Your data is stored with trusted third-party services we use, each chosen for reliability and security. Here’s where different types of data reside:

  • Chat and User Data – Xata (Database): We store chat conversations, messages, and user profile/preferences in Xata, a cloud database platform. Our Xata database is hosted in eu-central (Europe), meaning your chat history and user data are stored on servers located in the EU. Xata handles the low-level security of the database (physical security, replication, etc.), and we manage the data within it (ensuring we only store what we need).
  • Authentication Data – Clerk: When you sign up or log in, that process is handled by Clerk. Clerk stores your authentication credentials and basic account info on their systems. Clerk is responsible for protecting your login info and has security measures in place (they are a specialized auth provider). We as developers do not see your raw password or sensitive auth tokens. Account settings such as changing password or deleting account happens through Clerk's interface available through the settings in Ask Poppy.
  • Analytics Data – PostHog and Google:
    • PostHog: Our instance is configured to use an EU server. PostHog stores analytics events and associated user identifiers in EU data centers. During the beta period, we don't use features like hashing or random IDs in PostHog, this is so we can track and ensure that we can improve the user-experience.
    • Google Analytics: Data collected via Google Analytics may be stored on Google’s servers, which could be outside your country (often in the US or other regions). We have set up IP anonymization for Google Analytics, meaning Google truncates/anonymizes the last octet of your IP address before storage, to help protect your privacy. However, Google Analytics still uses unique tracking cookies to distinguish users.
  • Voice Data – ElevenLabs (and temporarily in transit): When you use voice features, your audio is sent to ElevenLabs’ servers (we believe their infrastructure is primarily in the US). The audio is processed to text or from text to voice. We do not store that audio in our database. A transcript of what you said (in text form) is kept with your conversation, just like if you had typed it. The audio reply generated for you is streamed to your device and not saved by us. It’s possible ElevenLabs retains some transient copies or logs for a short period, but our integration does not separately save them.
  • Temporary Data & Caching – Cloudflare: Because we use Cloudflare for hosting and caching, some data might be briefly stored in Cloudflare’s systems as it passes through. For example, your voice-recordings and text content may be cached on Cloudflare servers for faster delivery. Cloudflare may also temporarily cache API responses or pages for performance. This is usually very short-term storage and is primarily for speeding up the service. Cloudflare also keeps logs (for example, of IP addresses that accessed the service, for a limited time) as part of its security and analytics. These caches and logs are generally purged on a regular schedule by Cloudflare.

All our service providers claim to implement strong security practices. We carefully choose providers that are well-regarded in terms of security.

If you have specific questions about where or how your data is stored, feel free to contact us (see Contact section at the end). We aim to be transparent about our data infrastructure.

4. Beta Testing and Privacy

During this beta phase, we want to emphasize a few things about how testing might impact your privacy or our data handling:

  • Increased Monitoring for Improvement: Because the service is new and in development, our team may review user interactions more frequently than we would in a mature product. This helps us quickly find bugs or areas where the AI is not performing well. For example, we might look at random snippets of anonymized conversation logs to see how well the AI answers certain questions. We do this with the goal of improving the system, not to profile or judge users. We also take care to anonymize data or focus on AI behavior rather than on who the user is.
  • Experimental Features: Beta means some features are experimental. We might introduce a new feature that changes what data is collected or how it’s used, and then remove it if it doesn’t work out. We will update this Privacy Policy if any major changes occur in data practices, but minor experimental changes might come and go. (For instance, we might test a new analytics tool on a subset of users — if so, we’d still treat the data with care as per this Policy.)
  • Frequent Updates: We are updating the app often in beta. If any update materially changes how we handle data, we’ll communicate that. Minor tweaks (like adjusting a retention period or enabling a new security feature) may not be individually announced but will be reflected in an updated “Last updated” date on this Policy.
  • Feedback Loop: You may receive surveys or prompts for feedback about privacy and the service during beta. Your input is valuable. If you tell us, for example, that you’re uncomfortable with a certain data practice, we will seriously consider that as we refine our policies and features before a full launch. Beta is a time for us to learn what works both technically and in terms of user trust.
  • No Impact on Commitment to Privacy: Just because this is beta doesn’t mean we take privacy lightly. We treat user data with care and in accordance with privacy laws (like GDPR) as applicable. If anything, we might be even more cautious, since we know we’re still ironing out the kinks. We want our early users (and their parents) to feel confident in using Ask Poppy.

In short, the beta nature of Ask Poppy means we’re actively refining the service and watching how it’s used to make it better. We might look at data a bit more during this phase, but always with the aim of improving the product and protecting our users. Beta testing does not mean you have less privacy; it just means we’re still polishing our approach, and we’ll be transparent with you as we do.

5. Third-Party Services and Data Sharing

Ask Poppy relies on several third-party service providers (processors) to operate effectively. We have listed the main ones below, along with the type of data they handle and why we use them. We only share the data that is necessary for each service to perform its function, but it’s important for you to know who they are:

  • Xata (Database Provider, EU): We store most user data (accounts, chats, preferences) in Xata’s cloud database. Xata acts as our data host. They potentially have access to the data stored on their servers, but only for maintenance or as needed to fulfill their hosting role. We chose Xata in part because of their European hosting, which helps keep data under EU data protection standards.
  • Clerk (Authentication Service, EU/US): Clerk manages user authentication (sign-ups, logins, session management). When you create an account or log in, the information (like your email and encrypted password or OAuth tokens) goes through Clerk. Clerk thus has your login credentials and basic account details on their systems. Clerk may also process things like your IP address during login for security (to detect suspicious logins, etc.). Authentication data or traffic might flow through their US infrastructure depending on their architecture. Clerk does not access your chat content; they only handle identity and access.
  • OpenAI (AI Engine, US): OpenAI’s GPT-based service generates the AI responses to your questions. This means whenever you send a message to Ask Poppy, the content of that message and relevant context (like some recent messages from your conversation) are sent to OpenAI’s servers. OpenAI in turn processes that data and returns an AI-generated answer, which we then pass back to you. In this process, OpenAI is temporarily receiving your conversation data, which could potentially include personal information if you included any in your messages. OpenAI has committed that data submitted to their API is not used to train their general models without customer permission, and they retain API data only for a limited time (typically 30 days) to monitor for abuse and misuse. We have a Data Processing Addendum (DPA) with OpenAI to ensure compliance with privacy requirements. Nonetheless, be aware that your chat content does travel to an external AI service.
  • ElevenLabs (Voice Processing, US): If you use voice features, ElevenLabs is the service that converts speech-to-text and text-to-speech for Ask Poppy. When you click the microphone and talk to Poppy, the recorded audio is sent to ElevenLabs’ API for transcription. Similarly, when the AI sends back a text answer and we need to speak it out loud, that text is sent to ElevenLabs to synthesize a voice clip. ElevenLabs therefore may receive audio of your voice and the text of your conversations when you use these features. According to ElevenLabs, they do not store audio long-term by default, but they might keep data for a short time to ensure quality or if needed for their analysis. We do not send any user identity info along with the audio (ElevenLabs doesn’t know who you are, only gets an audio stream). Still, your voice could be considered personal data. We use ElevenLabs because of its high-quality speech tech, but if you’re uncomfortable with your voice data leaving to a third party, you may choose not to use the voice input feature.
  • PostHog (Analytics, EU): PostHog helps us collect analytics about how Ask Poppy is used. We run PostHog in a way that the data is stored in the EU. PostHog receives event data like “user clicked X button” or “page loaded”. We assign a random unique ID to track events for a given user session. If you are logged in, PostHog might receive an anonymous identifier associated with your account (for example, an internal user ID or a hashed value of it) so we can see aggregated usage per user. We do not feed raw personal info like your name or email into PostHog’s event stream for analytics, and we’ve configured PostHog to automatically hash any email or identifier if it ever were to be captured. The analytics data helps us a lot, but it’s in a form where it’s generally not easy to tie back to you as an individual without additional info.
  • Google Analytics (Analytics, US): We use Google Analytics to get insights on website traffic and usage. Google Analytics operates by placing a cookie in your browser to identify you (anonymously) across sessions. It collects data such as what pages of Ask Poppy you visit, how long you spend, what kind of device and browser you have, and general geographic location based on IP (which we have Google anonymize). Google Analytics aggregates this data to show us trends (e.g., how many users visited this week, how users navigate through the site). We have not intentionally connected Google Analytics data with your personal account data — for instance, Google Analytics might know a user as “User 12345” but doesn’t know the name or email of User 12345. However, Google Analytics does receive your IP address (albeit truncated) and device information automatically. Google, as a large processor, might use the data for its own purposes as described in Google’s Privacy Policy. We mainly use it to complement PostHog and ensure we understand user engagement. If you have set your browser to send a Do-Not-Track signal, we honor that in our Google Analytics setup (so GA won’t run).
  • Cloudflare (Hosting & CDN, US & Global): Cloudflare is essentially the platform on which our application runs and through which content is delivered to you. As such, Cloudflare is an intermediary for all data transferred between you and Ask Poppy. Cloudflare might log basic request data (IP addresses, timestamps, URLs accessed) in its system for a short period for performance monitoring and security. If you upload a file or image (if that becomes a feature), that file might be cached on Cloudflare’s edge servers to optimize delivery. Cloudflare also provides security features like firewall and DDoS protection, which means if an IP address (possibly even yours) triggers certain security rules, Cloudflare might flag or block it. In essence, Cloudflare sees the data packets but is not intended to use your data beyond providing the infrastructure service. They have their own strict privacy and security protocols since they handle traffic for many sites.

We want to be fully transparent that your data is shared with these third parties only to the extent necessary for the Service to function. We do not sell your data to anyone, and we don’t share it with random advertisers or unrelated parties. All our third-party processors are bound by their own privacy policies and, in many cases, by agreements with us to handle data appropriately.

However, it’s important for you (and your parents, if you’re under 16) to understand that some of your information does leave our immediate control and goes to these external services. We carefully chose these providers because they are reputable and necessary for this project, but each adds some risk (as any data sharing does).

Data Minimization: Wherever possible, we try to minimize or anonymize the data we send to third parties. For instance, we don’t send unnecessary personal details to OpenAI or ElevenLabs — just the content needed (chat text or audio). We don’t feed raw personal info into analytics; we either avoid it or hash it. We enabled IP anonymization in Google Analytics. These steps reduce privacy risks.

Access and Use by Third Parties: Each third-party will use the data we send them only for the purposes of providing their service to us. They should not be using your data for their own independent purposes (except Google Analytics, which uses data to provide aggregate trends to us, and Google may use it to improve their services as per their policy). For example, OpenAI isn’t going to publish your conversation on the internet; it just processes it to return an answer. Clerk isn’t going to email you except as needed for login or as directed by us.

In summary, third-party services are essential to how Ask Poppy works, but they receive only limited slices of your data for specific purposes. We manage these relationships carefully and legally (with contracts where applicable). The Data Transfers section below also discusses how we handle data when it moves internationally to these providers. If you have questions about any particular service or what data they see, please contact us. We can provide more detailed explanations or updates on our configurations with these providers.

6. International Data Transfers

Ask Poppy is developed in Norway and uses infrastructure in the European Union as well as the United States. Your data may be transferred and processed outside of your home country. In particular:

  • Data stored in our Xata database and PostHog analytics is in the European Economic Area (EEA) (for example, in data centers located in the EU, such as Germany).
  • Some data (like chat content to OpenAI, or voice data to ElevenLabs) is sent to the United States, because those service providers are based in the US. Google Analytics data also typically goes to the US. Cloudflare, while US-based, has servers all over the world (including within the EU), so your data might route through the EU or elsewhere, but could be accessed in the US for support or logging.
  • Clerk (authentication) and any emails we send might route through US servers unless configured otherwise, although we aim to use EU regions.

Whenever we transfer personal data from the EU (or an equivalent jurisdiction with data export restrictions) to a country that does not have an adequacy agreement (like the US), we take steps to protect your privacy:

  • Standard Contractual Clauses (SCCs): We have adopted the European Commission’s Standard Contractual Clauses in our agreements with relevant service providers (such as OpenAI) to contractually ensure that they will protect EU personal data to EU standards even when it’s processed in the US. These are legal safeguards required under GDPR for such transfers.
  • Data Processing Agreements: We have DPAs in place with providers like OpenAI and PostHog, which include commitments on how data is handled. For example, OpenAI’s Data Processing Addendum (DPA) dictates how they handle any personal data and affirms things like the 30-day retention policy.
  • Privacy Shield (historical/Other frameworks): Some providers (like Cloudflare) were certified under frameworks like the EU-US Privacy Shield (now invalidated) and are awaiting new Trans-Atlantic Data Privacy Frameworks. In the meantime, they also rely on SCCs and have internal policies for GDPR compliance.
  • Our Diligence: We review the privacy practices of our US-based vendors. We choose companies that are large and established enough to have good security and a reputation to uphold (e.g., OpenAI, Google, Cloudflare) or smaller ones that specifically market themselves as privacy-conscious (e.g., ElevenLabs for creators, which has policies in place). This doesn’t guarantee safety, but it’s better than sending data to unknown entities abroad.

By using Ask Poppy, you understand that your information may be transferred to and stored/processed in other countries, including the United States. These countries might have different data protection laws than your home country. However, our handling of your data will always be governed by this Privacy Policy and by applicable data protection laws (we treat data from EU users under GDPR standards regardless of where it’s processed, for instance).

If you are located in a jurisdiction like the EU or UK, where consent might be needed for transfers or where you have specific rights regarding overseas transfers, know that we have done our best to put proper safeguards in place as described. If you have concerns about a particular transfer (for example, chat content going to OpenAI in the US), please contact us. In some cases, we might be able to offer an alternative or clarify how that data is protected.

7. Data Retention (How Long We Keep Your Data)

We do not want to keep personal data longer than necessary. Different types of data have different retention periods based on why we collected it and any legal obligations. Here are our general data retention practices:

  • Chat History: We retain your chat conversations for up to 90 days after account deletion, or until we purge our backups (whichever comes first). This means if you have a conversation with Poppy, it will remain accessible in your account until you delete your account or messages. We set this period to balance usefulness (you might want to refer back to something you asked last month) with privacy. After 90 days, we plan to delete or anonymize older conversation records. (Note: During beta, this deletion may not yet be automated) If you wish to delete a specific conversation or message sooner, you have an option in the interface, or you can request deletion via contacting us.
  • Account Data: Your account information (email, etc.) is kept as long as your account is active. If you delete your account or we close the beta and do not migrate accounts, we will remove your account info from our systems within a reasonable time. We may retain some minimal information after account deletion if necessary for legal reasons or record-keeping (for example, keeping a log that an account existed and was deleted at a certain date for audit purposes), but we will not keep your full profile or credentials active.
  • Voice Data: As mentioned, we do not store voice recordings after they are processed. Any audio input you provide is transient. Once transcribed to text and added to your chat history, the audio itself is discarded. Similarly, generated speech audio is not saved after it’s sent out. In short, voice data is immediately deleted (or never saved) post-processing.
  • Analytics Records:
    • In PostHog, identifiable analytics events are kept for a limited time (our current setting is approximately 30 days for user-level event data). After that, data may be aggregated or pruned. We also hash identifiers in PostHog, so even if events remain, they aren’t directly tied to your plain ID.
    • In Google Analytics, we have set a retention period for user-level and event-level data associated with cookies and user identifiers. Currently, it’s set to 14 months (which is one of Google’s standard options) after which Google automatically deletes the old data. We mostly look at aggregate trends over weeks or months, not individual user timelines over years.
  • Logs and Backups: Our system logs (for example, server logs containing IP addresses or error messages) are typically kept for a short period, usually less than 30 days, unless needed longer for security analysis. We do have backups of our database that are encrypted; these could theoretically contain data older than 90 days until those backups expire. We roll our backups such that anything older than 3-6 months is deleted. We will ensure that purged chat data is also purged from backups within a reasonable time frame.
  • Waitlist Emails: If you joined a waitlist (for example, to get beta access or future hardware news) and provided your email, that email is stored until it’s no longer needed (e.g., until we send the invite or the beta ends). If the waitlist is separate from the app account, you can request removal from the waitlist at any time. Otherwise, waitlist emails will be deleted once they have served their purpose (for instance, after sending out invites or updates).
  • Legal Holds: If we are required by law to keep certain data (for example, due to an ongoing investigation or litigation), we will retain that specific data as needed, even if it exceeds the normal retention period. We hope that doesn’t happen, but we mention it for completeness.

After the retention period is over, we will either delete the data or anonymize it (so it can no longer be associated with you). For example, we might remove personal identifiers from an old conversation and keep the anonymized content for research, or we might delete it entirely.

Keep in mind that even after we delete data from our active systems, it might remain for a short time in backups or caches until those are updated. We have processes to eventually purge data from all storage. When you delete your account or specific content, we will make sure it’s removed from production immediately and then from all backups within a reasonable schedule.

Your Control: You have the right to ask us to delete your data sooner (see the Rights section below). We will honor such requests to the extent possible. For example, if you want your entire chat history wiped now, you can ask and we can manually clear it rather than waiting 90 days. The same goes for account deletion requests. We are happy to remove data earlier if you no longer wish us to have it, provided we don’t have a legal reason to retain it.

Our goal is to not hold onto personal data indefinitely. We keep it just long enough to operate the service and improve it with relevant data, and then we discard it. If you have questions about our retention or want a specific piece of your data deleted, please reach out.

8. Your Rights Regarding Your Data

Because we are based in Europe (Norway) and serve users who may be in the European Union, we adhere to privacy laws like the General Data Protection Regulation (GDPR). Even if you’re not in Europe, we believe in offering you control over your personal data. Here are your key rights:

  • Right to Access: You have the right to request a copy of the personal data we hold about you. For example, you can ask us, “What information do you have about me in your systems?” and we will provide it – typically this would be things like your account info and any chat history associated with your account.
  • Right to Rectification: If you believe any personal data we have is incorrect or incomplete, you have the right to ask us to correct it. This could be as simple as updating a misspelled name or correcting your email if it’s wrong. (You can often do some of this via your account settings as well.)
  • Right to Erasure: Commonly known as the “right to be forgotten.” You can request that we delete your personal data. For instance, you can ask us to delete your account and all associated data. We will comply with such requests unless we have a specific legal reason not to (like an ongoing legal obligation to keep the data). Keep in mind, deleting your data means we won’t be able to provide the Service to you under that account anymore.
  • Right to Data Portability: You have the right to request your data in a common format that you can take to another service. For example, you could ask for an export of your chat history or account information in a machine-readable format (like JSON or CSV). We will provide that to you so you could, in theory, import it elsewhere or just keep it for your records.
  • Right to Object: You may object to certain types of data processing, such as direct marketing (not applicable here since we don’t do that) or processing based on our legitimate interests. If you object, and the processing isn’t strictly necessary for the service or legally required, we will stop that processing. For example, if you object to us using your conversations (anonymously) to improve the AI, we will exclude your data from our improvement processes.
  • Right to Withdraw Consent: In cases where we rely on your consent to process data, you have the right to withdraw that consent at any time. For instance, if you consented to receive beta update emails, you can later decide you don’t want them. Withdrawing consent won’t affect any processing that has already happened, but it will stop future processing that relies on consent. (Note: Much of our data processing is actually based on contract – i.e., necessary for the service – or legitimate interest, rather than consent, but analytics might be one area we consider consent-based if required.)
  • Right to Explanation (Automated Decision-Making Transparency): Ask Poppy uses automated systems (AI) to make decisions (like formulating a response to your query). Under GDPR, you have the right to ask for an explanation of decisions made by automated systems that significantly affect you. While an AI chat reply might not significantly affect you in the legal sense, we embrace transparency. If you ever wanted to understand why the AI gave a certain answer, or what factors were considered, we will do our best to explain what we can about how it works. (Keep in mind the AI doesn’t follow a simple decision tree, but we can at least tell you what it was instructed/trained to do.)

To exercise any of these rights, you (or your parent/guardian, if applicable) can contact us at our support email [email protected]. We may ask you to verify your identity (to make sure we don’t give your data to someone else). We will respond to your request as soon as possible, and certainly within any timeframe required by law (for example, GDPR typically requires response within 30 days for most requests).

These rights are not absolute – for example, we might not delete data we are legally required to keep, or we might decline a request if it’s excessive or unfounded. But our default approach is to honor your requests and be helpful.

If you have concerns about your data that are not addressed by us, you also have the right to lodge a complaint with your local data protection authority (see Contact and Complaints section below). We would, however, appreciate the chance to address your concerns directly first, as we take privacy seriously and want to resolve any issues in a friendly manner if possible.

9. Cookies and Tracking Technologies

Ask Poppy uses cookies and similar technologies primarily for functionality and analytics. Here’s what you should know:

  • Essential Cookies (Authentication/Preferences): When you log in, Clerk uses cookies or local storage to keep you logged in across page visits. These are essential; without them, you’d have to re-authenticate for every new page or action. We also may use a cookie to remember your preferences (for example, your chosen language or that you’ve seen a tutorial already). These cookies are first-party (set by our domain) and are only used by the Service.
  • Analytics Cookies: Google Analytics sets cookies (_ga, _gid, etc.) to differentiate users. This helps us count unique visitors and see how users interact with the site. PostHog may also use cookies or local storage for similar purposes. These are generally pseudonymous (they don’t contain your name, just an ID for your browser/session).
  • Controlling Cookies: Most browsers let you control cookies through settings. You can usually block or delete cookies if you wish. However, if you block essential cookies (like those for login), Ask Poppy might not work correctly for you (e.g., you might be logged out constantly). If you block analytics cookies, that’s fine – it just means we won’t see your usage in our analytics.
  • Do Not Track (DNT): We respect Do Not Track signals from browsers. If your browser sends a DNT signal, we will disable Google Analytics tracking for your session. (Our PostHog setup may or may not honor DNT by default; we are reviewing this to ensure consistency.) We don’t use third-party advertising cookies that track you across other sites, so DNT mostly impacts our own analytics for service improvement.
  • Local Storage: Besides cookies, we might use browser local storage for things like caching data to make the app faster or remembering settings. This is similar to cookies but can hold more data and is generally not sent to the server with every request.

We aim to use only necessary cookies for core functionality and then analytics cookies to help us improve. We do not use cookies for behavioral advertising or to track you for unrelated commercial purposes.

10. Children’s Privacy and Parental Consent

Ask Poppy is aimed at teens, roughly ages 12-16. Protecting the privacy of young people is very important to us. Our approach to children’s data is as follows:

  • (NOT YET IMPLEMENTED)Parental Consent Required: For users under 16 (or any other applicable age of consent in your region, e.g., 13 in the US under COPPA), we require verifiable parental consent before they can create an account or use Ask Poppy. During the sign-up process, we will ask for a parent’s email address. We will then contact the parent to obtain consent and verify their identity. Only after consent is given will the child’s account be fully activated. (Note: The exact mechanism for consent will be detailed during sign-up; it might involve the parent creating an account first or confirming via an email link and providing some verification.)
  • (NOT YET IMPLEMENTED)What Information We Collect from Children (with consent): With parental consent, we collect the same types of information from children as from other users, as described in Section 1 (Data Collection). This includes account details, profile preferences (if set), chat content, and usage/technical data. We need this data to provide the service.
  • (NOT YET IMPLEMENTED)How We Use Children’s Information: We use children’s data for the same purposes as other users’ data: to operate and improve Ask Poppy, and to communicate (though communications to children will be very limited and appropriate, e.g., no marketing). We do not use children’s personal data for targeted advertising or profiling for commercial gain. Our goal is to provide a safe and educational AI tool.
  • (NOT YET IMPLEMENTED)Parental Rights: Parents/guardians who have given consent have the right to:
    • Review the personal information we have collected from their child.
    • Request that we delete their child’s personal information.
    • Refuse to permit further collection or use of their child’s information (i.e., revoke consent).
    Parents can exercise these rights by contacting us at [email protected]. We will respond to such requests promptly. (Note: Revoking consent or deleting data may mean the child can no longer use Ask Poppy.)
  • Data Sharing: We share children’s data with the same third parties as listed in Section 5 (e.g., OpenAI for AI responses, Xata for database). These are necessary for the service. We do not share children’s data with other third parties for marketing or unrelated purposes. Our contracts with providers (like OpenAI) include clauses to protect this data.
  • Safety: We encourage parents to talk to their children about online safety and what information they share online. While Ask Poppy is designed to be a helpful tool, it’s important that children understand not to share very sensitive personal details in chats (like full home addresses, phone numbers, or passwords for other services).

We are committed to complying with laws like the Children’s Online Privacy Protection Act (COPPA) in the US and similar regulations in other regions. We designed our consent process and data handling with these in mind. If you are a parent and have any questions or concerns about your child’s use of Ask Poppy or our privacy practices, please contact us. We want to work with parents to ensure a safe and positive experience.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time, especially as Ask Poppy evolves out of beta. If we make significant changes (for example, if we start collecting new types of personal data or use it for very different purposes), we will notify you. This notification might be via email to your registered address, a notice within the Ask Poppy app, or by updating the “Last updated” date at the top of this Policy.

We encourage you to review this Policy periodically to stay informed about our data practices. Your continued use of Ask Poppy after any changes means you accept the new Policy. If you do not agree with the changes, you should stop using the Service and can request deletion of your account and data.

For minor changes that don’t materially affect your rights or how we handle data (like correcting a typo or clarifying a sentence), we might just update the Policy and change the date without a direct notification. However, for anything substantial, we will aim to provide clear notice.

12. Contact Us and Complaints

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:

Email: [email protected]

We will do our best to address your concerns. If you are in the European Union or European Economic Area and are not satisfied with our response, you have the right to lodge a complaint with your local Data Protection Authority (DPA). You can find a list of DPAs here.

For users in other regions, you may also have a right to complain to a local privacy regulator if you feel your rights have been infringed.

We are committed to protecting your privacy and handling your data responsibly. We hope this Policy has been clear and informative. Thank you for being a part of the Ask Poppy beta!