Ethics

How ContentRX handles your work

Three commitments hold the rest of the product together. They're short on purpose. The deep policy lives at /privacy and /security. This page is the position those policies sit under.

Commitment 1

Privacy

Your text is reviewed, returned, and gone. The hash is what ContentRX keeps.

Send a check to ContentRX. The engine evaluates it. The verdict comes back. The plaintext doesn't persist. ContentRX retains a SHA-256 hash, the verdict, the severity, the content type, and the surface that called. That's the entire list. ContentRX cannot reconstruct your writing from what's kept.

A pre-screen on every public route refuses obvious credentials and PII. Credit card numbers. SSNs. Stripe, OpenAI, Anthropic, and GitHub keys. AWS access keys. None reach the engine, Anthropic, or the error logs. Sentry events have request bodies and auth headers stripped before send.

The full policy, including the subprocessor list, lives at /privacy.

Commitment 2

Security

Standard SaaS hygiene, audit-ready posture.

TLS in transit. Credentials hashed at rest. Audit logs on admin-tier surfaces. The trust boundary is the web app, the engine, and the subprocessors listed on /privacy. Everything outside is the public internet.

SOC 2 Type II is in progress. Until then, /security publishes what ContentRX does today and answers specific posture questions in writing. Found a vulnerability? The same page has the coordinated-disclosure path.

Commitment 3

Customer, not product

ContentRX makes money by charging for a tool. Not by selling, repackaging, or modeling the work you check.

ContentRX makes money from subscriptions. Free exists so you can try the product. Paid tiers exist because the engine costs real money to run and calibration takes real time. There's no second shoe to drop.

  • ContentRX does not sell your checks. Not hashed. Not anonymised. Not to data brokers, advertisers, or anyone else. There is no third-party broker contract. There will not be one.
  • ContentRX does not repackage your check history into a profile of you, your team, or your industry. Your dashboard shows your activity to you. No aggregate intent-signal product gets sold on top.
  • ContentRX does not train a model on your content. Yours, ours, Anthropic's, anyone's. A customer check joins the calibration log only when you share it via Flag for Review. One path. One consent modal per check. Available to every paying customer. Revoke any time from the dashboard. The checks you have shared live at /dashboard/shared.
  • ContentRX does not run an engagement-metrics or behavioural-modelling layer on how you use the product. ContentRX tracks monthly check counts (because billing) and crash reports (because bugs). Nothing else.

If any of this ever changes, ContentRX publishes a superseding ADR before any new collection starts. Existing customers are notified by email. The version of this commitment that's live is always the one at /ethics. If there's no superseding ADR linked from this page, the rules above are the rules.

Last updated 2026-05-11. Source: GitHub.