Privacy Policy
Private Claude is operated by St8less.ai ("we," "us"). This Privacy Policy explains what personal information we collect, how we use it, who we share it with, and the rights you have. The headline: we do not retain your conversations. The data we hold about you is the minimum required to run the Service.
01 The short version
Conversations: we do not store, log, or train on them. They flow from your browser, through stateless serverless functions, directly to Anthropic's API using your own API key, and back. Conversation history lives in your browser. Close the tab and it's gone from anywhere we control.
Account info: we keep your email, sign-in record, subscription status, and billing identifiers because we have to in order to charge you and let you back in. Nothing else.
We do not sell your data. We do not run advertising on Private Claude. We do not share your data with anyone except the sub-processors listed in section 4.
02 What we collect
Account information. When you sign up, we receive your email address from Google (via OAuth) and create a Supabase auth record. We do not see your Google password.
Subscription information. When you pay, Stripe sends us a customer ID and subscription ID, plus the active status of your subscription. Card numbers are handled exclusively by Stripe; we never see them.
API key. Your Anthropic API key is stored encrypted at rest and decrypted only to relay your messages to Anthropic. It is associated with your account.
Consent records. When you accept these Terms, our Privacy Policy, and our Data Processing Addendum, we record the version, your user ID, the IP address that submitted the consent, and the user agent string. This is for legal recordkeeping.
Operational logs. Vercel and our other infrastructure providers maintain short-lived request logs (timestamps, IPs, status codes). We do not write conversation contents to these logs.
What we do not collect. We do not collect: the contents of your prompts, the contents of Claude's responses, file uploads, or anything else you send through the chat interface. None of that touches our database.
03 How we use it
- To provide the Service: authenticate you, route your requests to Anthropic with your key, and return Claude's response.
- To bill you: charge your subscription via Stripe and confirm your active status.
- To support you: respond to questions you email us at support@privateclaude.ai.
- To meet legal obligations: tax records, fraud prevention, and responding to lawful requests.
- To improve the Service: using aggregate, non-personal infrastructure metrics (uptime, error rates). Never your conversations.
We do not use your data for advertising. We do not profile you. We do not sell, rent, or trade your information.
04 Who we share it with
The companies below process your data on our behalf. Each is contractually bound to confidentiality and to use the data only to provide their service to us.
- Anthropic, PBC (USA): your API key relays your prompts to Anthropic's models. Anthropic's API terms forbid using API traffic for model training. You accept Anthropic's own terms and DPA when you create your Anthropic account.
- Vercel Inc. (USA / global edge): hosting, edge network, and serverless compute.
- Supabase Inc. (USA / EU): authentication and account database.
- Stripe Inc. (USA): payment processing. PCI DSS Level 1 certified.
- Google LLC (USA): identity provider for OAuth sign-in.
We will disclose information if compelled by valid legal process. We will resist overbroad requests where reasonable. Because we do not retain conversation data, there is no conversation data to disclose.
05 How long we keep it
- Conversations: not retained. Held only for the duration of the request.
- Account information: for the duration of your subscription, plus up to 30 days after cancellation for billing reconciliation.
- Billing records: retained as long as required by tax and accounting law (typically 7 years in the United States).
- Consent records: retained as long as your account exists, then for as long as required to demonstrate compliance.
- Operational logs: rotated on the schedules set by our infrastructure providers (typically 30 to 90 days).
06 How we protect it
- HTTPS/TLS 1.2 or higher on all traffic, with HSTS preload.
- Strict Content Security Policy and modern security headers.
- Authentication via Supabase with row-level security on every account table.
- API keys encrypted at rest.
- Stripe handles all payment data; we never touch raw card information.
- Principle of least privilege for administrative access. No production access from personal devices.
No system is invulnerable. We design Private Claude so that the most sensitive data, your conversations, never reaches our infrastructure in the first place. That is the strongest protection we can offer.
07 Your rights
Depending on where you live, you may have rights under the GDPR, the UK GDPR, the California Consumer Privacy Act (as amended by the CPRA), or other privacy laws. These typically include:
- Access: request a copy of the personal information we hold about you.
- Correction: ask us to correct information that is inaccurate.
- Deletion: ask us to delete information we hold about you. We will delete what we are legally able to delete.
- Portability: request your data in a machine-readable format.
- Restriction or objection: ask us to limit how we process your information.
- Withdraw consent: for any processing based on consent.
- Complain: to your local data protection authority. We would prefer you contact us first so we can fix it.
To exercise these rights, email support@privateclaude.ai. We respond within 30 days.
California residents: we do not sell or share your personal information as those terms are defined under the CCPA/CPRA. We are a "service provider" with respect to data we process for our customers.
08 International transfers
Where personal information is transferred outside the European Economic Area, Switzerland, or the United Kingdom to a country without an adequacy decision, we rely on the Standard Contractual Clauses and, where applicable, the UK International Data Transfer Addendum. See our Data Processing Addendum for the formal version.
09 Cookies and similar technologies
We use the minimum set of storage required to run the Service:
- Authentication cookies and tokens set by Supabase to keep you signed in.
- Local storage in your browser to keep your conversation history on your device and to remember your acceptance of these terms.
- Stripe may set cookies on its checkout pages for fraud prevention.
We do not run analytics that track you across other sites. We do not load advertising tags. We do not use third-party fingerprinting.
10 Children
Private Claude is not intended for use by anyone under 18. We do not knowingly collect personal information from children. If you believe a child has provided information to us, email support@privateclaude.ai and we will delete it.
11 Changes
If we change this Privacy Policy in a material way, we will update the version number and effective date at the top, post the updated policy here, and (where required) ask you to accept it again on next sign-in. Continued use after the effective date constitutes acceptance.
12 Contact
Questions, requests, or complaints can be sent to support@privateclaude.ai. The operator of Private Claude is St8less.ai.