gotcha

Privacy Policy

Last updated: May 19, 2026

This Privacy Policy explains how Gotcha (operated by KIAN ARAEEAZAR, a sole proprietor based in Caserta (CE), Italy, VAT / P.IVA 13041790018, referred to here as “we”, “us”, “our”) processes personal data. It applies to the Gotcha browser extension, the Gotcha web application at gotcha.wiki, and our backend API.

We are the data controller for the personal data described below within the meaning of the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”).

1. What we collect

  • Account information: your email address and any profile information you provide, managed via Clerk.
  • Fact-check content: the text snippets you choose to fact-check, the URL and page title of the source page, and any context you submit alongside.
  • Verdict history: the verdicts produced for your checks, the cited sources, timestamps, and (where snapshotting is enabled) cached copies of cited source pages for citation permanence.
  • Usage and technical data: aggregate request volume, error reports, feature interactions, IP address (for rate limiting and security), browser type, and approximate geolocation derived from IP.
  • Payment data: processed by Paddle (our Merchant of Record). We do not see or store your card details; we receive only an internal identifier from Paddle linking your subscription to your account.

2. What we don't collect

  • We do not read pages you visit unless you explicitly submit a selection from them.
  • We do not record keystrokes, mouse movements, or DOM contents of pages you visit.
  • We do not sell personal data to third parties.
  • Per our data processing agreements with our LLM providers, your fact-checked text is not used to train their foundation models.

3. How and why we use it (legal bases)

We process personal data on the following GDPR legal bases:

  • Performance of a contract (Art. 6(1)(b)): to provide the Service, run the verification pipeline on your submissions, maintain your account and history, and process subscription payments.
  • Legitimate interests (Art. 6(1)(f)): to secure the Service against abuse, detect fraud, and analyse aggregate usage to improve the product. We balance these interests against your rights.
  • Legal obligation (Art. 6(1)(c)): to comply with tax, accounting, and law-enforcement requirements.
  • Consent (Art. 6(1)(a)): for any optional processing we ask you to opt in to (such as product announcement emails).

4. Sub-processors we share data with

We use the following third-party providers to operate the Service. Each is bound by a data processing agreement under GDPR Art. 28.

  • Clerk Inc. (United States) — authentication and account identity.
  • Paddle.com Market Ltd (United Kingdom) — payment processing, tax calculation and remittance, as Merchant of Record.
  • Google LLC (European Union / United States) — hosting via Google Cloud Run in europe-west1 (Belgium).
  • Cloudflare Inc. (United States) — DNS for gotcha.wiki.
  • Neon Inc. (eu-central-1) — managed Postgres database hosting your account and history.
  • Upstash Inc. (Ireland / eu-west-1) — Redis cache and rate limiting.
  • OpenRouter & Anthropic PBC — large language models used for reasoning about your fact-checks.
  • Groq Inc. — large language model used for claim extraction from your submissions.
  • Public retrieval APIs (Wikipedia, news APIs, search providers) — to fetch evidence for verdicts. Only the claim text and search query are sent; no account identifiers.

5. International transfers

Some of our sub-processors are located outside the European Economic Area, including in the United States. Where we transfer personal data outside the EEA, we rely on:

  • EU Commission Standard Contractual Clauses (SCCs) under Decision 2021/914;
  • Adequacy decisions where applicable (such as for transfers to providers certified under the EU-US Data Privacy Framework);
  • Supplementary technical measures, including encryption in transit and at rest.

6. Retention

  • Account data: retained for the lifetime of your account.
  • Fact-check history: retained while your account is active. You can delete individual checks at any time from the dashboard.
  • Cached source snapshots: retained for as long as the linked check exists, up to 12 months for inactive accounts.
  • Billing records: retained for 10 years under Italian tax law obligations.
  • Logs (security and debugging): 30 days rolling, then deleted.

When you delete your account, we delete your account data and fact-check history within 30 days, except for records we are legally required to retain (billing), which are kept only for the legally required period.

7. Your rights (GDPR)

If you are in the EEA, you have the right to:

  • access the personal data we hold about you;
  • rectify inaccurate data;
  • request erasure of your data (“right to be forgotten”);
  • restrict or object to processing;
  • receive your data in a portable, machine-readable format;
  • withdraw any consent you previously gave;
  • lodge a complaint with a supervisory authority. In Italy, this is the Garante per la protezione dei dati personali.

To exercise any of these rights, email support@gotcha.wiki. We respond within 30 days.

8. Cookies and local storage

The web application uses strictly necessary cookies for authentication (Clerk session) and CSRF protection. We do not use third-party tracking cookies, analytics pixels, or advertising trackers.

The browser extension uses chrome.storage.local to store your session token and a short-lived cache of recent verdicts on your device. This data stays on your device and is not transmitted except in API requests to us.

9. Children

The Service is not directed to children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, contact us and we will delete it.

10. Security

We use industry-standard measures to protect personal data, including TLS encryption in transit, encryption at rest for our database and object storage, scoped access tokens for sub-processors, and least-privilege access controls for our team. No system is perfectly secure; if we discover a personal data breach, we will notify affected users and the Garante within 72 hours as required by GDPR Art. 33.

11. Changes to this Policy

We may update this Policy from time to time. Material changes will be announced via email or in the Service at least 14 days before they take effect. The “Last updated” date at the top of this page reflects the current version.

12. Contact

KIAN ARAEEAZAR
Caserta (CE), Italy
VAT / P.IVA: 13041790018
Privacy contact: support@gotcha.wiki