Legal

Privacy Policy

Effective 5 June 2026 · Version 1.0

Quorum is a private decision intelligence tool. We take the confidentiality of your decisions seriously. This policy explains exactly what data we collect, why we collect it, how it is protected, and what rights you have over it.

1. Data we collect

We collect only what is necessary to provide the service:

Account data

Your email address, collected when you sign in via magic link.

Decision data

The decision text you submit and any register-mode answers you provide before Council analysis.

Analysis data

AI-generated responses from persona analysis, synthesis, and the Examiner diagnostic. These are stored so you can return to a session.

Behavioural data

Bias scores, calibration records, decision patterns, and independence metrics derived from your decisions over time. This data compounds to form your decision profile in the Mirror module.

Technical data

An anonymous device identifier (generated on your device, gated behind functional cookie consent), session identifiers, and server-side request logs including IP address and user agent.

Website enquiry data

If you request early access via our public website, your name, email, WhatsApp number, and the decision context you provide.

2. Legal basis for processing

Contract

Creating and delivering a Council session, linking sessions to your account, and providing subscribed features.

Legitimate interests

Maintaining anonymous session access, improving reliability and product quality, and detecting abuse.

Consent

Functional cookies (device ID, session history). You may withdraw consent at any time via the Privacy Center in Settings.

3. AI processing

When you submit a decision for Council analysis, your decision text is transmitted to an AI processing service to generate the analysis. The AI provider processes your data solely to generate the response and does not use your submissions to train its models.

Analysis generated by AI is for informational and reflective purposes only. It does not constitute legal, financial, medical, or investment advice. You retain full responsibility for the decisions you make.

4. Third-party processors

We share data with the following processors only to the extent necessary to operate the service. We do not sell your data to any third party.

Supabase

Database and authentication (PostgreSQL, magic link auth). Hosted in the United States. See supabase.com/privacy.

Railway

Application hosting and deployment. Hosted in the United States. See railway.app/legal/privacy.

AI processing service

Generates Council analysis from your decision text. Hosted in the United States.

Google Fonts

Loads typefaces used in the interface. No personal data is transmitted beyond standard browser request metadata. See policies.google.com/privacy.

5. Data retention

Authenticated sessions

Retained until you delete your account or request erasure.

Anonymous sessions

Retained for 90 days if not linked to an account. Linking a session to an account converts it to account-scoped retention.

Bias and behavioural profiles

Retained while your account is active. Deleted on account erasure.

Authentication tokens

Expire per the Supabase session defaults. You may invalidate all sessions via Settings → Security Center.

Server logs

Standard infrastructure logs retained for up to 30 days.

6. Data security

Decision text and analysis stored in the database is encrypted at rest using AES-256-GCM field-level encryption. All data in transit is protected by HTTPS/TLS. Authentication uses passwordless magic links — no passwords are stored. Row-level security is enforced in the database so each user's data is scoped to their account.

For a full account of our technical security measures, see the Security & Trust page.

7. Your rights

Under the General Data Protection Regulation (GDPR) and the Digital Personal Data Protection Act 2023 (DPDP), you have the following rights:

Access

Request a copy of the personal data we hold about you.

Portability

Export your data in a structured, machine-readable format (Article 20 GDPR).

Correction

Request correction of inaccurate personal data.

Erasure

Request deletion of your account and all associated personal data ("right to be forgotten", Article 17 GDPR / DPDP Section 13).

Withdraw consent

Withdraw functional or analytics cookie consent at any time via Settings → Privacy Center. This does not affect the lawfulness of processing before withdrawal.

Restriction

Request that we restrict processing of your data in certain circumstances.

Complaint

Lodge a complaint with your supervisory authority (in India: the Data Protection Board; in the EU: your national data protection authority).

To exercise any of these rights, use the Privacy Center in app Settings. Data export and account deletion are available there.

8. Cookies and local storage

Quorum uses browser local storage (not traditional HTTP cookies) to persist preferences and session data on your device. For a full list of every key stored, its purpose, and how to manage it, see the Cookie Policy.

9. Children

Quorum is intended for professionals and individuals making significant personal or business decisions. We do not knowingly collect data from anyone under the age of 18.

10. Changes to this policy

We will post any material changes here and update the effective date. Continued use of Quorum after changes constitutes acceptance of the revised policy.

11. Contact

To exercise your data rights or raise a privacy concern, use the Privacy Center accessible from Settings in the app footer. We aim to respond to all data rights requests within 30 days.