AskSocrat

Privacy Policy

In effect since 2026-05-10

1. Controller

The data controller for personal information processed through AskSocrat is Ruslan Moskaliuk, sole proprietor (Empresário em Nome Individual), NIF 316371955, Av. Combatentes da Grande Guerra 100, 4Dt., 1495-035 Algés, Lisboa, Portugal. Our Data Protection contact is [email protected]. We have no statutory obligation to appoint a Data Protection Officer; this address reaches the operator directly.

2. What we collect

To run a dialogue

  • Anonymous session — a first-party cookie holding a Django session id (no personal information). Lifetime: 14 days.
  • The text of your messages, the model's replies, citations, and a timestamp — kept while you are paying or for 30 days after your last activity, whichever is longer.

To create an account

  • E-mail address — required.
  • Password hash — PBKDF2-SHA256, never the plaintext.
  • Display name — optional; what Socrates calls you.

To bill you

  • A Stripe Customer ID — Stripe stores your card; we store only their reference.
  • Country and VAT status — determined by Stripe Tax.
  • Invoice metadata — kept for 10 years for Portuguese tax law.

For service health

  • Server logs — IP, user-agent, route, status code, latency. Kept 30 days. We delete the IP after that horizon.
  • Aggregated usage counters — number of messages per day per tier, no personal info; kept indefinitely.

3. What we do not collect

We do not use:

  • third-party analytics (no Google, no Plausible, no Fathom, no Sentry user-context);
  • advertising trackers of any kind;
  • fingerprinting libraries;
  • session-replay tools;
  • marketing automation or e-mail tracking pixels.

4. Lawful basis (GDPR Art. 6)

  • Contract (Art. 6(1)(b)) — to deliver the Service you asked for: handle your messages, run your account, bill you.
  • Legal obligation (Art. 6(1)(c)) — to keep invoice records under Portuguese tax law.
  • Legitimate interest (Art. 6(1)(f)) — to keep abuse logs and detect attacks. You may object; write to [email protected].

We do not rely on consent for any of the above, because the strictly-necessary cookie is exempt under e-Privacy.

5. Sub-processors

Vendor | Purpose | Where
Stripe Payments Europe Ltd. | Payments, invoices, tax | Ireland (EU)
Anthropic PBC | LLM that generates replies | USA, EU SCCs in place
Hetzner Online GmbH | Server hosting | Germany (EU)
Mailgun (Sinch Email) | Transactional e-mail | EU region

Anthropic processes the text of your message in real time to produce a reply. Per Anthropic's API terms, they do not train on it. We send the conversation history of your current session, your display name, and the AskSocrat system prompt — nothing else.

6. International transfers

Anthropic processing happens in the USA. Transfer is covered by Standard Contractual Clauses concluded between us and Anthropic. We rely on no other extra-EU sub-processors.

7. Your rights (GDPR)

You may, at no charge:

  • Access — ask for a copy of what we hold.
  • Rectify — fix anything wrong.
  • Erase — ask us to delete your account and conversations; we will, except for invoices we must keep.
  • Restrict or Object to specific processing.
  • Port — receive your messages and account metadata as a JSON file.
  • Complain — to your local supervisor (CNPD in Portugal) if you think we got it wrong.

Write to [email protected]; we reply within 30 days.

8. Retention

  • Account record — until you ask us to delete, or 24 months after the last sign-in (whichever is sooner).
  • Conversations — 30 days past last activity, or for the duration of an active subscription plus one billing cycle.
  • Server logs (with IP) — 30 days; aggregated counters indefinitely.
  • Invoices — 10 years (Portuguese tax law).

9. Security

Passwords are hashed with PBKDF2-SHA256. TLS is required for all traffic (HSTS preload). The database lives on EU soil, snapshotted daily off-host. Production access is restricted to the operator and uses SSH keys, not passwords. No system is safe; if we discover an incident affecting your data we will tell you within 72 hours.

10. Children

AskSocrat is not directed at children under 16. We do not knowingly process information from such a child. If you believe a child has used AskSocrat, write to [email protected] and we will delete the account.

11. Changes to this notice

Material changes will be posted on this page and announced to the e-mail on your account at least 14 days in advance. Minor wording fixes update the "in effect since" date silently.
