the documents you need to sign before the architecture enters your room. all three are drafted, formatted, and downloadable. counsel review is recommended before execution.
device captures keystroke timing locally during the structured prompt. five behavioral aggregates (speed, edit ratio, pauses, rewrites, time to first key) are computed device-side. only the aggregates are posted to api.noctaracorp.com/api/compress. server writes to Supabase (US-East). row-level security enforced per user_id. stripe webhook updates subscription status. stripe never receives behavioral data.
in transit: TLS 1.2 or higher, terminated at vercel + supabase. at rest: supabase postgres encryption (managed AES-256). identity grant tokens: HMAC SHA-256 signed, scoped to the requesting application, revocable from the user dashboard.
active customer data is retained for the duration of the subscription plus thirty days. customer-initiated deletion is immediate at the API level: user row is anonymized and PII tables (compressions, marks, identity_grants, sessions) are hard-deleted within the same request. apple app store guideline 5.1.1(v) compliant.
a US provisional. seven claims, one independent, six dependent. non-provisional filing deadline 2027-04-24. counsel: rapacke law group. full claim summary: /enterprise.
the third parties that process customer or participant data on our behalf. we provide thirty days written notice before adding a new sub-processor.
| role | vendor | region |
|---|---|---|
| database | Supabase | US-East |
| hosting | Vercel | US-East |
| authentication | Clerk | US-East |
| payments | Stripe | US |
| transactional email | Resend | US |
| compression engine | Anthropic | US |
| file storage | Supabase Storage | US-East |
we do not sell your data. not to advertisers. not to insurers. not to data brokers. not to governments. not to the highest bidder dressed as a partner. we run only standard, aggregate measurement (the Meta pixel and Google Analytics) to tell whether our own ads and pages work; we never point it at your private writing or your reading, and we never sell what it collects. we do not train models on private participant text without explicit consent. these are not features. these are refusals written into the architecture.
the consumer-facing privacy policy is at /privacy. it describes what we collect, what we never collect, and how to take it all back.
in the event of a confirmed security incident affecting customer or participant data, we notify the customer primary contact within seventy-two (72) hours of confirmation, in writing, with a summary of scope, affected data, mitigation, and timeline. the full incident response procedure is in the security posture document above.
commercial or security questions during evaluation: calkire@noctaracorp.com.
privacy or data-rights requests: her@noctaracorp.com.