Privacy Policy

Last Updated: February 9, 2026

Welcome to VERDIKT ("we," "our," or "us"). We are committed to protecting your privacy and ensuring you have a positive experience using our application. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application and web service.

1. Information We Collect

1.1 Information You Provide

Account Information: Your email address, date of birth (month and year, collected for age verification), and password when you create an account.
Dilemma Content: The decisions, questions, and context you submit to the Verdikt for analysis (up to 5,000 characters per dilemma), including any context parameters you set (budget, risk, and timeline preferences).
Interaction Data: Your selections of advisor recommendations, ratings of decisions, objections or interjections during debates, and any follow-up questions you ask during sessions.
Feedback: Ratings (1–5 stars) and feedback you provide about advisor recommendations after 7 days, which are used to calculate advisor trust scores.
Voice Input: If you use the voice input feature, your speech is processed on-device using your device’s built-in speech recognition. No audio recordings are transmitted to VERDIKT servers or any third party. Only the resulting text transcription is submitted as dilemma content.
Custom Agent Data: If you are a PRO subscriber and create custom AI advisor personas, the name, role, personality description, and configuration of those agents are stored.

1.2 Automatically Collected Information

Usage Data: Session history, feature usage patterns, dilemma categories submitted, session duration, number of debate rounds completed, and advisor selection patterns.
Device Information: Device type and model, operating system and version, screen resolution, language settings, timezone, and general device identifiers.
Log Data: IP address, browser type and version, access times, pages viewed, crash reports, and error logs.
Network Information: General network type (Wi-Fi, cellular) used to optimize service delivery.

1.3 Information from Third Parties

We use trusted third-party services for authentication, data storage, and AI processing. These providers may collect additional data as described in their respective privacy policies. See Section 4 ("AI Processing and Transparency") for detailed information about how your data is processed by AI providers.

2. How We Use Your Information

We use the information we collect to:

Provide the Service: Generate AI-powered debates and recommendations for your dilemmas.
Personalize Your Experience: Calculate trust scores for advisors based on your feedback.
Manage Your Account: Maintain your account, verify your identity, verify your age eligibility, and manage your subscription.
Communicate With You: Send service-related notifications and respond to your inquiries.
Improve the Service: Understand usage patterns to improve features and develop new ones, using aggregated and anonymized data only.
Enforce Limits: Apply session limits for Free tier users and prevent abuse.
Ensure Safety: Detect and prevent fraud, abuse, and violations of our Terms of Service.
Comply With Law: Meet legal obligations and protect our rights.

2.1 Legal Basis for Processing (EEA Users)

If you are located in the European Economic Area, we process your personal data on the following legal bases:

Contractual Necessity (Article 6(1)(b) GDPR): Processing your dilemmas, generating AI advisor responses, managing your account, and providing subscription services. This processing is necessary to deliver the Service you have requested.
Legitimate Interest (Article 6(1)(f) GDPR): Improving the Service through aggregated usage analytics, enforcing session limits, preventing abuse, and ensuring service security. We have assessed that these interests do not override your fundamental rights and freedoms.
Consent (Article 6(1)(a) GDPR): Sending non-essential communications and processing optional features such as voice input. You may withdraw consent at any time through your account settings or by contacting us, without affecting the lawfulness of processing based on consent before its withdrawal.
Legal Obligation (Article 6(1)(c) GDPR): Retaining certain data as required by tax, accounting, or other applicable laws, and responding to lawful government requests.

3. How We Share Your Information

We do not sell your personal information. We may share your information in the following circumstances:

3.1 Service Providers

Infrastructure Providers: We use Google Firebase for authentication, data storage (Firestore), and cloud function hosting. Firebase processes data in the United States. For details, see Firebase Privacy and Security documentation.
AI Providers: Your dilemmas are processed by AI services to generate advisor responses. See Section 4 ("AI Processing and Transparency") for full details on what data is shared and how it is handled.
Payment Processors: If you subscribe to PRO, your payment is processed through the Apple App Store, Google Play Store, or RevenueCat (our subscription management provider). We do not directly handle your payment card information. RevenueCat receives your subscription status and anonymous user identifier but does not receive your dilemma content.

3.2 Legal Requirements

We may disclose your information if required by law, court order, or government request, or to protect our rights, property, or safety. Where permitted by law, we will notify you before making such a disclosure.

3.3 Business Transfers

If we are involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. In such an event, the acquiring entity will be required to honor this Privacy Policy for a minimum of 12 months following the transfer, or will obtain your fresh consent before applying a different privacy policy. We will notify you by email (if provided) and/or by prominent notice in the app before your information is transferred and becomes subject to a different privacy policy.

4. AI Processing and Transparency

VERDIKT uses third-party AI models to power its advisor personas. This section explains what data is sent to AI providers, how it is processed, and what safeguards are in place.

4.1 AI Models Used

Primary Provider: Google Gemini (model: gemini-2.0-flash), provided by Google LLC. Gemini processes all advisor debates and recommendations.
Configured Fallback: Anthropic Claude (model: claude-3-5-haiku), provided by Anthropic PBC. Claude is configured as a fallback provider and may be used if the primary provider is unavailable.

4.2 Data Sent to AI Providers

When you submit a dilemma, the following information is sent to the AI provider:

Your dilemma text and any context parameters (budget, risk, timeline preferences)
The assigned advisor persona instructions (not linked to your identity)
Previous debate messages within the current session (for multi-round debates)
Objections or interjections you submit during a debate

We do not send your email address, account identifier, trust scores, or any other personally identifiable information to AI providers. Your dilemma content is sent without any user-identifying metadata.

4.3 AI Provider Data Retention

Under our API agreements with Google and Anthropic, data sent through the API is not used by these providers to train or improve their models. API inputs and outputs may be temporarily retained by these providers for abuse monitoring and safety purposes for a limited period (typically 30 days or less), after which they are deleted. We maintain Data Processing Agreements (DPAs) with our AI providers that govern data handling, security, and retention obligations.

4.4 Real-Time Data Grounding

For certain dilemma categories (such as shopping, investment, home, technology, and travel), VERDIKT may use Google Search grounding to incorporate real-time information (such as current prices, news, or market data) into advisor responses. When grounding is used, your dilemma context (but not your identity) may be used to formulate search queries. Search results metadata may be included in the AI response. Grounding is not used for relationship, career, or legal/ethical dilemma categories.

4.5 AI Output Limitations

AI-generated content may contain errors, inaccuracies, or biases. VERDIKT does not independently verify the factual accuracy of AI-generated advisor responses. Trust scores reflect user satisfaction ratings, not objective measures of advice quality. See our Terms of Service for important disclaimers about AI-generated content.

5. Data Security

We implement appropriate technical and organizational measures to protect your information:

Encryption: Your data is encrypted both in transit (TLS 1.2+) and at rest (AES-256).
Access Controls: Firestore security rules ensure that only you can access your meetings and personal data. Server-side authorization verifies ownership for every request.
Secure Authentication: User accounts are protected with industry-standard security protocols, including minimum 12-character passwords and email verification.
Secure Storage: API keys and sensitive credentials are stored in Firebase Secret Manager and are never exposed in application code or client-side environments.
Rate Limiting: Automated rate limiting and burst throttling protect against abuse and unauthorized access attempts.

However, no method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

6. Data Retention

Meeting Metadata and Verdicts: Your meeting titles, verdicts, agent scores, and status information are stored for the lifetime of your account, unless you delete them.
Conversation History (Debate Transcripts): Full debate transcripts are retained for 7 days for Free tier users and 30 days for PRO tier users, after which they are automatically purged. Meeting metadata and verdicts are preserved.
Trust Scores: Advisor trust scores are maintained for the lifetime of your account.
Decision Ratings: Your 7-day follow-up ratings are retained for the lifetime of your account to maintain trust score accuracy.
Rate Limit Data: Session usage counters are retained for 7 days and then automatically reset.
Account Deletion: If you delete your account, we will delete all your personal information, including meetings, ratings, trust scores, custom agents, and account data, within 30 days, except where retention is required by law or for legitimate business purposes (such as resolving disputes or enforcing our Terms).
Inactive Accounts: Accounts with no activity for 180 days may be automatically deleted after providing 30 days' notice to the email address on file (if provided).

7. Cookies and Tracking Technologies

VERDIKT is primarily a mobile application. We use the following technologies to collect usage data:

Firebase Analytics: We use Firebase Analytics to understand how users interact with the app. Firebase Analytics collects app usage data, session information, and device properties. This data is aggregated and does not include your dilemma content. You can opt out of analytics collection through your device settings.
Crashlytics: We use crash reporting tools to identify and fix application errors. Crash reports include device information, app state, and stack traces but do not include your dilemma content or personal decisions.
Website Cookies: Our website (verdikt-app.com) uses only essential cookies necessary for site functionality. We do not use advertising cookies or third-party tracking pixels on our website.
Advertising Identifiers: VERDIKT does not collect or use mobile advertising identifiers (IDFA/GAID). We do not serve advertisements within the app.

8. Your Rights and Choices

8.1 Access and Correction

You can access and review your meeting history, trust scores, and account information within the app.

8.2 Data Export

You can export your data (including meetings, ratings, trust scores, and account information) in a structured, machine-readable JSON format using the "Download My Data" option in your account settings. This fulfills your right to data portability under applicable privacy laws.

8.3 Deletion

You can delete individual meetings within the app or delete your entire account through the account menu or by contacting us at privacy@council-app.com. Account deletion removes all associated data as described in Section 6.

8.4 Opt-Out

You can opt out of non-essential communications through your account settings.

8.5 Do Not Track

We do not currently respond to Do Not Track browser signals as there is no industry standard for compliance. However, we honor the Global Privacy Control (GPC) signal where required by law.

9. Children's Privacy

VERDIKT is not intended for users under 13 years of age. We require date of birth verification during account registration and actively block account creation for users under 13. We do not knowingly collect personal information from children under 13. Users between 13 and 17 years of age are presented with a parental consent notice during registration and must confirm they have parental or guardian permission to use the Service.

If you are a parent or guardian and believe your child under 13 has provided us with personal information, please contact us immediately at privacy@council-app.com and we will promptly delete that information.

10. International Data Transfers

Your information is processed and stored in the United States, where our infrastructure providers (Google Firebase) and AI providers (Google, Anthropic) operate. If you are located outside the United States, including in the European Economic Area (EEA), United Kingdom, or Switzerland, your information will be transferred to the United States for processing.

We rely on the following safeguards for international data transfers:

Standard Contractual Clauses (SCCs): We have entered into Standard Contractual Clauses approved by the European Commission with our key service providers to ensure an adequate level of data protection for transfers of personal data from the EEA to the United States.
Data Processing Agreements: We maintain Data Processing Agreements with Google and Anthropic that include commitments regarding data security, confidentiality, and restrictions on data use.
Transfer Impact Assessments: We have conducted assessments of the legal framework in the destination countries and implemented supplementary measures where necessary to ensure the effective protection of transferred data.

You may request information about the specific safeguards applied to the transfer of your data by contacting us at privacy@council-app.com.

11. Data Breach Notification

In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will:

Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33.
Notify affected users without undue delay via email (if an email address is on file) and/or in-app notification, describing: the nature of the breach, the categories of data affected, the likely consequences, and the measures we have taken or propose to take to address the breach.
Document all breaches internally, including their effects and remedial actions taken, in a breach register maintained for regulatory review.

12. Third-Party Links

Our service may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to read their privacy policies before providing any information to them.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new Privacy Policy in the app, updating the "Last Updated" date, and sending you an email notification if you provided an email address. For material changes that reduce your rights or expand our use of your data, we will provide at least 30 days' advance notice. Your continued use of VERDIKT after changes become effective constitutes acceptance of the revised Privacy Policy. If you do not agree with the changes, you may delete your account before they take effect.

14. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act and the California Privacy Rights Act:

Right to Know: Request disclosure of the categories and specific pieces of personal information we collect, use, and share about you.
Right to Delete: Request deletion of your personal information, subject to certain exceptions provided by law.
Right to Correct: Request correction of inaccurate personal information we maintain about you.
Right to Opt-Out: Opt out of the sale or sharing of personal information. We do not sell or share personal information for cross-context behavioral advertising purposes.
Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
Right to Limit Use of Sensitive Information: We collect date of birth for age verification purposes only and do not use it for profiling or advertising.

To exercise these rights, contact us at privacy@council-app.com. We will verify your identity before processing your request and will respond within 45 days (which may be extended by an additional 45 days for complex requests).

15. European Privacy Rights (GDPR)

If you are in the European Economic Area (EEA), United Kingdom, or Switzerland, you have rights under the General Data Protection Regulation:

Right of Access: Obtain confirmation of whether we process your data and access to that data, including a copy of the personal data undergoing processing.
Right to Rectification: Correct inaccurate personal data and complete incomplete data.
Right to Erasure: Request deletion of your personal data when it is no longer necessary for the purposes for which it was collected, or when you withdraw consent.
Right to Restriction: Restrict processing of your personal data in certain circumstances, such as when you contest the accuracy of the data.
Right to Data Portability: Receive your data in a structured, commonly used, and machine-readable format (JSON). You can exercise this right using the "Download My Data" feature in your account settings.
Right to Object: Object to processing of your personal data based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.
Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent, without affecting the lawfulness of processing before withdrawal.
Right to Lodge a Complaint: You have the right to lodge a complaint with your local data protection supervisory authority.

To exercise these rights, contact us at privacy@council-app.com. We will respond within 30 days of receiving your request (which may be extended by an additional 60 days for complex requests, in which case we will inform you of the extension within the initial 30-day period).

16. Data Protection Contact

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Privacy Inquiries: privacy@council-app.com
Data Protection Requests: privacy@council-app.com
General Support: support@council-app.com

We will respond to your inquiry within 30 days. For GDPR-related requests, we are committed to responding within the timeframes specified in the regulation.

This Privacy Policy is effective as of the date stated above and applies to all users of VERDIKT.