Privacy Policy
Effective date: 2026-06-15
Last updated: 2026-06-15
This Privacy Policy explains how Cobalt Stream Technologies LLC, a Missouri limited liability company that operates Essence.Report ("we", "us"), collects, uses, discloses, and protects personal data when you use our Service at https://essence.report.
Questions: privacy@essence.report.
1. Scope and our roles
This Policy covers two distinct relationships:
1.1 We are the controller of personal data we collect about you as a user — your account, billing, and usage data. This Policy governs that data.
1.2 We are the processor of personal data contained in Customer Content you submit (prompts, uploaded files, Vault entries) that relates to third parties. For that data you are the controller and we act only on your documented instructions. Our Data Processing Addendum (incorporated into the Terms of Service by reference) governs that processing; this Policy does not.
2. Personal data we collect
2.1 Account data
Email address, name, and profile image (via our authentication provider); authentication metadata (sign-in IP, user agent, timestamps); two-factor settings, if enabled.
2.2 Billing data
Customer ID and subscription metadata held by our payment processor. We do not store full payment-card numbers. Billing history is retained for tax purposes (typically 7 years).
2.3 Customer Content
Prompts and refinement inputs; text extracted from files you upload (raw binaries are discarded after extraction); Vault entries; and the Reports generated for you.
2.4 Usage telemetry
Quota counters, job correlation IDs and status transitions, aggregate cost data (token counts, for billing and capacity), and error logs (with automated PII redaction — see § 8).
2.5 Cookies
Strictly-necessary session and CSRF cookies; functional preferences stored locally in your browser (theme, drafts, Report index); and optional, privacy-respecting product analytics. We do not use advertising cookies or cross-site tracking. See § 13 and our Cookie Policy.
3. How we use personal data, and our legal bases
| Purpose | Legal basis (GDPR / UK GDPR) | Data used |
|---|---|---|
| Provide the Service (generate, store, deliver Reports) | Contract performance | Account, Customer Content |
| Enforce quota and prevent abuse | Legitimate interest | Account, telemetry |
| Process payments | Contract performance | Billing, account |
| Customer support | Contract / legitimate interest | Account, Customer Content you share with support |
| Security (fraud and intrusion detection) | Legitimate interest, legal obligation | Authentication, telemetry |
| Comply with legal obligations (tax, lawful requests) | Legal obligation | Account, billing |
| Improve reliability via error logs | Legitimate interest | Telemetry (redacted) |
| Transactional emails (receipts, security alerts) | Contract performance | Account |
| Product updates (with opt-out) | Legitimate interest | Account |
| Marketing emails (only if you opt in) | Consent | Account |
We do not use Customer Content or generated Reports to train any AI model (see § 11).
4. How we disclose personal data
We disclose personal data only to the categories of sub-processors below, strictly to operate the Service. We name our general infrastructure providers; the providers that deliver our core differentiating capability (AI synthesis and source retrieval) are described by category to protect commercially sensitive information.
| Category | Purpose | Region | Safeguard |
|---|---|---|---|
| Authentication provider (Clerk) | Sign-in, account security | US | DPA, SCCs |
| Payment processor (Stripe) | Billing | US / global | PCI-DSS, DPA, SCCs |
| Cloud hosting (Vultr) | Backend hosting | Japan (Tokyo) | Adequacy decision (Japan), DPA |
| Frontend hosting (Vercel) | Site delivery | US / global | DPA, SCCs |
| Cache / rate-limit store (Upstash) | Session and quota data | Configurable | DPA, SCCs |
| Error monitoring (Sentry) | Reliability (PII-redacted) | US | DPA, SCCs |
| Product analytics (PostHog, optional) | Anonymised usage statistics | EU or US | DPA, SCCs |
| First-party AI model providers | Generate AI responses via large language model APIs | US and other | DPA / SCCs; contractually prohibited from training on your content |
| Web search & retrieval provider | Retrieve publicly available sources at query time | — | DPA |
A current, specific list of our sub-processors is available on request to privacy@essence.report.
No sale; not a data broker. We do not sell personal data, and we do not share it for cross-context behavioural advertising. We are not a data broker. We may disclose personal data only: to these sub-processors; in a merger or asset sale (with notice where required); or when required by law, court order, or to protect rights and safety. Where lawful, we will notify you before disclosing in response to a legal request.
5. International transfers
5.1 We are established in the United States. Personal data may be processed in the US, the EU, and Asia-Pacific (our backend is hosted in Japan, which benefits from an EU adequacy decision).
5.2 For personal data transferred from the EEA, UK, or Switzerland to a country without an adequacy decision, we rely on the European Commission's Standard Contractual Clauses (and, for the UK, the International Data Transfer Addendum), as set out in our DPA.
5.3 For data subject to the PIPL (Mainland China), additional safeguards apply on request.
6. Data retention
| Data | Retention |
|---|---|
| Generated Reports | 7 days, unless saved to your Vault |
| Customer Content (prompts, extracted file text) tied to a job | 7 days (purged with the job) |
| Vault entries | Until you delete them or close your account |
| Account profile | Until account deletion |
| Quota counters | 35 days rolling |
| Audit logs (security, cost) | Up to 12 months |
| Billing records | As required by tax law (typically 7 years) |
| Backups | Up to 30 days after primary deletion |
Account deletion: request at privacy@essence.report. We action requests within 30 days, subject to legal retention obligations.
7. Your rights
Submit any request to privacy@essence.report. We respond within the timeframe required by applicable law (45 days under the CCPA/CPRA; one month under the GDPR/UK GDPR, extendable where permitted).
7.1 Rights we offer all users
Access, correction, deletion, data portability (Vault and Reports in JSON/Markdown), and withdrawal of consent where processing relies on consent.
7.2 EEA / UK / Switzerland
You additionally have the rights to restrict processing, to object to processing based on legitimate interest, and to lodge a complaint with your local supervisory authority. Our legal bases are set out in § 3.
7.3 California (CCPA/CPRA)
Rights to know, access, delete, correct, opt out of "sale"/"sharing" (we do neither), and limit use of sensitive personal information, with no discrimination for exercising them.
7.4 Other jurisdictions
Residents of other US states and countries with comparable laws (e.g. Virginia, Colorado, Connecticut, Texas, and others) may have equivalent rights, including, where applicable, the right to appeal a refusal. We honour these under applicable law.
7.5 Verification
For account-holders, signing in is sufficient. Otherwise we may require additional verification, and proof of authority for authorised agents.
8. Security
TLS 1.3 in transit; AES-256 at rest for Customer Content; HMAC verification on inter-service callbacks; secrets in environment variables on a rotation schedule; least-privilege access; multi-factor authentication for administrative access; Web Application Firewall and edge rate-limiting; automated cost anomaly detection; periodic dependency scanning; and automatic PII redaction before error logs are transmitted.
No system is perfectly secure. Report suspected vulnerabilities to security@essence.report under responsible-disclosure principles.
9. Children
The Service is not directed at children under 16 (or the local age of digital consent, where higher). We do not knowingly collect their personal data. If you believe a child has provided us data, contact privacy@essence.report and we will delete it.
10. Automated decision-making
The Service generates research artifacts using AI. Its output is not an automated decision producing legal or similarly significant effects within the meaning of GDPR Article 22. Reports are research material; you remain solely responsible for any decision you make on their basis.
11. AI model providers and no-training commitment
When you submit a prompt, it is sent directly to first-party large language model provider APIs. Each provider processes API inputs under its own terms. We use these providers under terms that prohibit them from using API inputs or outputs to train their models, and we do not use your prompts or Reports to train any model.
12. Data breach notification
In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify you and, where required, the relevant supervisory authority within 72 hours of becoming aware, consistent with GDPR Articles 33–34 and analogous laws. Where we act as your processor, our breach-notice obligations to you are set out in the DPA.
13. Cookies
We use strictly-necessary cookies (authentication, security), functional storage (your preferences, in your browser), and optional anonymised analytics (which honour a Global Privacy Control / Do-Not-Track signal). We do not use third-party advertising cookies or fingerprinting. Details and controls are in our Cookie Policy.
14. Marketing communications
Transactional emails (receipts, security alerts, subscription notices) are required while you have an active account and cannot be opted out of. Product-update and marketing emails are optional — opt out via the unsubscribe link or in Settings → Profile.
15. EU, UK, and Swiss representatives
Because we are established in the United States and offer the Service to individuals in the EEA, the UK, and Switzerland, Article 27 of the EU GDPR and the UK GDPR (and Article 14 of the Swiss FADP) require us to designate representatives for data-protection matters in those regions. EEA, UK, and Swiss data subjects may contact us about this Policy and their rights at privacy@essence.report; the contact details of our designated representatives are made available on request and published here once appointed.
16. Changes to this Policy
We may update this Policy. Material changes will be notified by email to subscribers and posted at the top of this page at least 14 days before they take effect.
17. Contact
| Topic | Email |
|---|---|
| Privacy / data subject requests | privacy@essence.report |
| Security vulnerability reports | security@essence.report |
| Data protection enquiries | dpo@essence.report |
| General support | support@essence.report |