Privacy Policy

Last updated: May 10, 2026

Your privacy matters. This policy explains what data Redress collects when you use the service, how we use it, who we share it with, and the controls you have over it.

1. Information we collect

We only collect what we need to operate the service:

  • Account details — your name, email address, optional avatar, country, and mailing address. You provide these directly when you sign up or update your settings.
  • Complaint content — the text of the complaints you describe to our AI agent, the messages exchanged in chat, the generated letters, and any escalation letters.
  • Authentication data — when you sign in with Google, we receive your basic profile (name, email, profile picture) under the Google OAuth scopes you approved.
  • Operational logs — minimal request/error logs needed to keep the service running. We do not maintain detailed analytics or behavioral tracking.

2. How we use your information

  • To create and maintain your account.
  • To draft, edit, and store the complaint and escalation letters you generate.
  • To populate the sender block of those letters from your saved profile.
  • To find the relevant regulator and recipient contact for your complaints (see §3).
  • To enforce the Terms of Service and prevent abuse.

We do not sell your data. We do not use your complaints to train public AI models. We do not run advertising on Redress.

3. AI processing and third-party services

Generating letters and conducting the conversation requires sending the necessary excerpts of your complaint to third-party services. The minimum-necessary principle applies:

  • Groq (Llama 3.3 70B) — receives the system prompt, your chat messages, and your saved sender info to draft and revise letters.
  • Tavily — receives short search queries (e.g. country + sector + "regulator contact email") to find the right regulator and, where possible, the recipient company's public complaints email. Your personal info is not sent to Tavily.
  • MongoDB Atlas — stores your account, complaints, messages, letters, and escalations.
  • Vercel — hosts and serves the Redress web application.
  • Google — used for OAuth sign-in if you choose to sign in with Google.

Each provider has its own privacy practices. We pass them only what is required for their specific function.

4. Data storage and retention

Your account, complaints, and letters are stored on MongoDB Atlas and encrypted at rest. We keep them as long as your account exists. When you delete a complaint from your dashboard, the complaint and all its messages and letters are removed. When you delete your account from Settings → Danger Zone, all of your records are permanently removed from our database.

5. Your rights

You can, at any time:

  • View and update your personal info from the Settings page.
  • Delete individual complaints from your dashboard.
  • Permanently delete your entire account from Settings → Danger Zone.
  • Email us at the address below to request an export of your data.

6. Cookies and sessions

Redress uses a single secure HTTP-only session cookie issued by NextAuth so that you stay signed in between visits. We do not use third-party tracking cookies, ad pixels, or cross-site identifiers.

7. Security

We use HTTPS everywhere, hashed password storage (bcrypt), encrypted-at-rest database storage, and scoped API keys held in server-side environment variables. No system is perfectly secure; if you ever suspect your account has been compromised, change your password and contact us.

8. Children's privacy

Redress is not directed at children under 13 (or under 16 where applicable). If you believe a child has registered an account, contact us and we will remove the account.

9. Changes to this policy

We may update this policy as the service evolves. The "Last updated" date at the top of the page reflects the most recent revision. Material changes will be communicated via the app or email.

10. Contact

Questions, requests, or concerns about your data: email redress@samkiel.dev.