Privacy Policy

Last updated: April 7, 2026

1. Introduction

Qracle ("we", "our", "us") operates the qracle.ai website and API service. This Privacy Policy explains how we collect, use, and protect your information when you use our multi-model AI council service.

2. Information We Collect

Account Information: When you create an account, we collect your email address and authentication credentials via our identity provider (Supabase/Google OAuth).

Usage Data: We collect information about how you interact with our service, including queries submitted, models selected, session metadata, and credit usage.

API Keys: API keys you generate are cryptographically hashed before storage. We never store or display raw API keys after initial creation.

Payment Information: Payment processing is handled by Stripe. We do not store credit card numbers or sensitive payment details on our servers.

3. How We Use Your Information

• To provide and maintain the Qracle service
• To process your queries through our multi-model AI council
• To manage your account, credits, and subscription
• To improve our AI routing and model selection (only with your opt-in consent)
• To communicate service updates and security notices

4. Data Sharing Opt-In

If you opt in to data sharing in Settings, we may use anonymized versions of your queries to improve our AI routing models. This is entirely optional and can be toggled at any time. Anonymized means we strip all personally identifiable information before any analysis.

5. Third-Party Services

Your queries are processed through third-party AI model providers via OpenRouter. Each query is sent to the models you select (or that our routing selects). These providers have their own privacy policies. We do not share your account information with model providers — only the query content necessary to generate responses.

We use the following third-party services:

• Supabase - Authentication and database
• OpenRouter - AI model routing
• Stripe - Payment processing
• Railway - Infrastructure hosting
• Sentry - Error monitoring (no query content is sent)

6. Data Retention

Council session data (your queries and AI responses) is retained for your access via the History feature. You may request deletion of your data at any time by contacting us.

7. Security

We implement industry-standard security measures including:

• HTTPS encryption for all communications
• HttpOnly, Secure, SameSite cookies for session management
• HMAC-SHA256 hashing for API keys
• CSRF protection via double-submit cookie pattern
• Rate limiting and circuit breakers

8. Your Rights

You have the right to:

• Access your personal data
• Request correction of inaccurate data
• Request deletion of your data
• Withdraw consent for data sharing at any time
• Export your session history

9. Cookies

We use essential cookies for authentication and session management. These are required for the service to function. We do not use tracking or advertising cookies. See our cookie details:

• qc_session - Authentication session (HttpOnly, 15-minute expiry, auto-refreshed)
• qc_refresh - Token refresh (HttpOnly, 7-day expiry)
• qc_csrf - CSRF protection token
• qc_user_email - Display purposes only (not used for auth decisions)
• qc_is_subscribed - UI display only (not used for auth decisions)

10. Contact

For privacy-related inquiries, contact us at privacy@qracle.ai.

11. Changes

We may update this Privacy Policy from time to time. We will notify registered users of material changes via email.