Privacy policy
What ContentRX collects
Four buckets.
- Account data. When you sign up, the authentication provider (Clerk) handles your email, password, and session. If you upgrade to a paid plan, the billing provider (Stripe) handles your card details. ContentRX never sees your password and never stores your card number.
- Content you submit for review. Every check passed to /api/check, /api/classify, or /api/suggest-fix is forwarded to the evaluation engine and to Anthropic. In ContentRX's own database, only a sha256 hash of the text persists. The plaintext is held in memory for the request lifecycle and then discarded. ContentRX retains metadata keyed to that hash: the verdict, severity, content type, file path (if your tool supplied one), and the surface that made the request.
- Checks you explicitly share via Flag for Review. When you tap Flag for Review on a finding and confirm the consent modal, the plaintext of that check is stored for calibration alongside a per-row consent record. Each shared check is visible to you at /dashboard/shared, where you can remove it at any time; you can also email privacy@contentrx.io to revoke it.
- Usage and operational telemetry. ContentRX counts your checks per month for billing. ContentRX tracks API token usage for cost accounting. Sentry captures error reports. Plausible collects anonymous page-view metrics. Upstash Redis stores rate-limit counters.
ContentRX does not collect your IP address beyond what is needed for short-window rate limiting, and uses no advertising identifiers or third-party tracking pixels.
CCPA categories, in California terms
California's privacy law uses a specific vocabulary for the categories of personal information a business collects. Here is how the four buckets above translate.
- Identifiers. Account email, hashed user id, Clerk session id, and the IP address held only for the duration of the rate-limit window.
- Commercial information. Subscription plan, billing history, and monthly check counts.
- Internet or other electronic network activity. API requests, Sentry error reports, Plausible page-view counts.
- Inferences. None. ContentRX does not derive demographic, behavioural, or predictive attributes from customer activity. See /ethics Commitment 3 for the engineering layer behind that.
ContentRX does not collect sensitive personal information as CPRA defines the term. That category covers precise geolocation, race or ethnicity, religion, biometric identifiers, health data, sexual orientation, union membership, and immigration status. None of it touches the Service. ContentRX collects all personal information directly from the consumer. Nothing is purchased from data brokers or scraped from third-party sources.
What ContentRX does with it
Account and billing data keep your account working and send you the receipts you would expect.
Content checks run the evaluation and return verdicts. When you have explicitly shared a check via Flag for Review, it also informs the calibration log so the engine gets better. The hash stored for unshared checks supports dashboard history lookups without keeping the plaintext.
Telemetry fixes bugs (Sentry), bills correctly (token counts), enforces rate limits (Redis), and tracks which public pages people read (Plausible). None of these subprocessors receive content checks.
ContentRX does not sell your data and does not train any model on customer content. The Flag-for-Review consent flow is the only path by which a customer check influences the calibration log.
What ContentRX does not do, in plain language
Subscription is the entire revenue model. ContentRX does not make money any other way. The bullets below are the lines ContentRX will not cross to make up the difference.
- ContentRX does not sell your checks. Hashed, anonymised, or otherwise. No data-broker contract, no advertiser arrangement.
- ContentRX does not repackage your check history into a profile of you, your team, or your industry that gets marketed against you.
- ContentRX does not use your content to train any model (its own, Anthropic's, anyone's). Checks you share via Flag for Review feed a hand-curated calibration log. Nothing else does.
- ContentRX does not share your checks with any third party beyond the subprocessors named below.
- ContentRX does not run engagement-modelling telemetry on how you use the product. The only usage data tracked is check counts (because billing) and crash reports (because bugs).
The engineering layer behind that. Every public route that takes a check runs a pre-screen. The pre-screen refuses obvious credentials and PII before they can reach Anthropic, the error logs, or anyone's eyes. The patterns include credit card numbers, SSNs, and keys for AWS, Stripe, OpenAI, Anthropic, and GitHub. Sentry events have request bodies and auth headers stripped before send. The long-form version of this commitment lives at /ethics (Commitment 3).
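The paragraph above describes a pre-screen plus a log scrubber without showing either. The block below is an added illustration, not ContentRX's code: the regexes are assumptions based on the public key formats of the providers named (AWS, Stripe, OpenAI, Anthropic, GitHub), the SSN and card rules are the usual structural ones, and the header list for the Sentry scrubber is assumed. It also shows the sha256 fingerprint that the "hash only" retention model relies on, and the sample inputs are constructed.

```python
"""Illustrative pre-screen, content fingerprint and Sentry scrubber.

Added example, not ContentRX's code. Patterns are assumptions based on the
public key formats of the named providers; ContentRX's real rule set is not
published on this page.
"""
import hashlib
import re
from typing import Callable, Dict, List, Optional


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to separate card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _card_plausible(match: str) -> bool:
    # Strip the optional space/dash separators before the checksum.
    return luhn_ok(re.sub(r"[ -]", "", match))


# (label, regex, optional post-filter). Assumed formats; the Anthropic prefix
# is excluded from the OpenAI pattern by a negative lookahead.
SECRET_PATTERNS = [
    ("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"), None),
    ("stripe_secret_key", re.compile(r"\bsk_(?:live|test)_[0-9A-Za-z]{24,}\b"), None),
    ("anthropic_api_key", re.compile(r"\bsk-ant-[A-Za-z0-9_-]{20,}"), None),
    ("openai_api_key", re.compile(r"\bsk-(?!ant-)[A-Za-z0-9_-]{20,}"), None),
    ("github_token", re.compile(
        r"\b(?:gh[pousr]_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{22,})\b"), None),
    ("us_ssn", re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"), None),
    # 13-19 digits with optional single separators; Luhn cuts most false hits
    # (a random digit run still passes Luhn about one time in ten).
    ("credit_card", re.compile(r"\b(?:\d[ -]?){12,18}\d\b"), _card_plausible),
]


def prescreen(text: str) -> List[str]:
    """Return the labels of every pattern class found in `text`, in table order."""
    hits = []
    for label, pattern, post in SECRET_PATTERNS:
        for m in pattern.finditer(text):
            if post is None or post(m.group(0)):
                hits.append(label)
                break
    return hits


def content_fingerprint(text: str) -> str:
    """sha256 of the UTF-8 plaintext: the only form of the text that persists."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def admit(text: str) -> Dict[str, object]:
    """Gate a check before it is forwarded: refuse on any hit, else fingerprint it."""
    reasons = prescreen(text)
    if reasons:
        # Refused text is not forwarded, hashed, or logged; only the labels survive.
        return {"ok": False, "reasons": reasons, "sha256": None}
    return {"ok": True, "reasons": [], "sha256": content_fingerprint(text)}


# Headers that must never ride along on an error report (assumed list).
REDACTED_HEADERS = {"authorization", "cookie", "x-api-key"}


def scrub_sentry_event(event: dict, hint: Optional[dict] = None) -> dict:
    """Shaped like a Sentry `before_send` hook: drop the request body outright and
    blank credential-bearing headers, leaving everything else for debugging."""
    request = event.get("request")
    if isinstance(request, dict):
        request.pop("data", None)
        headers = request.get("headers") or {}
        request["headers"] = {
            k: ("[Filtered]" if k.lower() in REDACTED_HEADERS else v)
            for k, v in headers.items()
        }
    return event


if __name__ == "__main__":
    # Constructed inputs: Stripe's public test card, AWS's documented example key.
    for sample in ["card on file: 4242 4242 4242 4242",
                   "key AKIAIOSFODNN7EXAMPLE in the draft",
                   "Q3 launch copy, 2024 pricing, 10 percent off"]:
        print(admit(sample))
```

`scrub_sentry_event` has the `(event, hint)` signature that `sentry_sdk.init(before_send=...)` expects, so it can be wired in directly. Two caveats worth keeping in mind: a regex pre-screen only catches secrets with a recognisable shape (a raw database password or an unprefixed bearer token will pass), and an unsalted sha256 of the plaintext lets anyone who holds a candidate text confirm it was submitted. That is exactly the property a dedupe or history lookup needs, but it means the stored hash is a fingerprint, not an anonymiser.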
Sale and share, in CCPA terms
California privacy law defines sale as exchanging personal information for monetary or other valuable consideration, and share as disclosing personal information for cross-context behavioural advertising. The other state laws (Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Tennessee, Indiana, Delaware, New Jersey, New Hampshire, Maryland, Minnesota, Rhode Island, and the rest as they come online) use definitions that are close enough to treat as equivalent.
ContentRX does not sell personal information under any of those definitions. ContentRX does not share personal information for cross-context behavioural advertising under any of those definitions. ContentRX has not done either in the past, and the subscription business model means it would have nothing to gain by starting.
The subprocessors in the table below each see a slice of customer data so they can do the specific job ContentRX is paying them to do. Those are service-provider relationships governed by contract. They are not sales, and they are not shares.
Who else sees it (subprocessors)
Running ContentRX requires partners. Each one sees only the data it needs for the job ContentRX is paying it to do.
| Subprocessor | Purpose | Data they see |
|---|---|---|
| Anthropic | LLM evaluation | The text checks you submit for review. |
| Stripe | Payments | Your billing email, card details, subscription history. |
| Clerk | Authentication | Your account email, password (hashed by Clerk), session tokens. |
| Supabase | Database hosting | Account metadata, hashed text, verdicts, usage counts. |
| Vercel | Application hosting | HTTP requests in transit; nothing persisted by them. |
| Resend | Transactional email | Your email address and the message body ContentRX sends to you. |
| Sentry | Error tracking | Stack traces and request metadata when something crashes. |
| Plausible | Analytics | Anonymous page-view counts. No cookies, no cross-site tracking. |
| Upstash | Rate limiting + dedupe | Short-lived counters keyed by your user id. |
ContentRX updates this list within 30 days of any change. If a new subprocessor would meaningfully change what data is shared, ContentRX posts about it in advance.
Where the data lives
Application data lives in US-region Supabase Postgres. Anthropic processes content in its own infrastructure under its standard API policy. Vercel runs functions in regions close to your users.
If you have a regulatory requirement for EU-region data residency or specific retention guarantees from any of the subprocessors named above, email privacy@contentrx.io before signing up. ContentRX will be straight with you about whether the requirement can be met today.
How long ContentRX keeps it
While your account is active, the data described above sticks around for as long as it is useful to you and to ContentRX.
Checks you shared via Flag for Review stay in the calibration log until you revoke them. Your shared-checks list at /dashboard/shared is the canonical record of what ContentRX has on you from that consent flow. Each row has a Remove this check button that deletes the row and any record it produced in the calibration log.
When you delete your account entirely, every row attached to it goes too. ContentRX's baseline is the right and ability to be forgotten, not an anonymize-and-keep posture. The sequence:
- Any active subscription is cancelled.
- Every check you ran is deleted. Hashes, findings, overrides, dismissals, all of it.
- Every check you shared via Flag for Review is deleted.
- Team rules, team members, team invitations, and any agent-run history are deleted.
- Your account row, API key, Stripe customer link, and subscription record are deleted from ContentRX's database.
- Your Clerk login is deleted.
Run the delete flow from /dashboard/settings. Stripe itself retains receipts for tax and fraud reasons on its side. That retention is Stripe's, not ContentRX's.
Your rights
- See what ContentRX has on you. The dashboard shows your check history, your shared checks, and your account record. For a single export of everything in one bundle, email privacy@contentrx.io with subject [EXPORT]. ContentRX responds within 30 days.
- Correct it. Most fields are editable from the dashboard. For anything that is not, email the address above.
- Delete your account. Run the in-product delete flow at /dashboard/settings. Every row attached to your account is deleted.
- Revoke a check you shared via Flag for Review. Open /dashboard/shared and tap Remove this check on the row. ContentRX deletes the row and any record it produced in the calibration log.
- Receive an export in a portable format. Email privacy@contentrx.io with subject [EXPORT-PORTABLE]. ContentRX delivers a JSON bundle of your account data within 30 days. The bundle is structured so another vendor can import it without manual cleanup.
- Object to specific processing. For any processing ContentRX does outside the strict performance of the Service, email the privacy address with subject [OBJECT] and the kind of processing you want stopped. The most common example is product-update emails, which can be turned off. The renewal-reminder email cannot: California's automatic-renewal law requires it.
- Withdraw any consent you previously gave. Most relevantly, the Flag-for-Review consent is withdrawable per-check at /dashboard/shared. Other consent withdrawals (for example, opting out of future product-update emails) go through the privacy address. Withdrawing consent does not affect the lawfulness of any processing ContentRX did before the withdrawal.
- Lodge a complaint with a regulator. If ContentRX has not resolved a concern to your satisfaction, the relevant authority is your state attorney general in the United States, your data protection authority in the European Union or United Kingdom once those markets are open, or your provincial commissioner in Canada. ContentRX would obviously rather hear from you first and fix the underlying issue.
Cookies
The only cookie ContentRX sets is the Clerk authentication session. Strictly necessary, expires when you sign out. Plausible is cookieless. ContentRX does not use third-party analytics, ad networks, or tracking pixels. If a regulator asks for a cookie banner, the honest answer is “not needed today.” If that changes, ContentRX will add one.
Children
ContentRX is a B2B tool. ContentRX does not target it at, or knowingly accept accounts from, anyone under 16. If a parent or guardian believes their child has signed up, email privacy@contentrx.io and ContentRX will delete the account.
Regional availability
ContentRX is currently available to customers in the United States (including U.S. territories) and Canadian provinces other than Quebec. Visitors from the European Union, the European Economic Area, the United Kingdom, Quebec, and other regions see a waitlist page at /waitlist instead of the signup form.
Canadian customers (outside Quebec) are covered by PIPEDA. The privacy officer for PIPEDA inquiries is reachable at privacy@contentrx.io. If a breach involving your personal information creates a real risk of significant harm, ContentRX notifies you and the Office of the Privacy Commissioner of Canada as PIPEDA requires.
Quebec is geo-blocked specifically because Quebec Law 25 adds requirements (French-language privacy notice, mandatory privacy impact assessments for certain automated decision-making, in-province privacy officer) that ContentRX has not yet built operational coverage for. When that coverage is in place, Quebec access will open and this section will be updated.
When ContentRX opens EU or UK access, an Article 27 representative will be appointed and named in this section before any signups from those regions are accepted. Until then, the rights enumerated above are extended voluntarily to every visitor regardless of jurisdiction, and the subprocessor table is the operating record of who sees what. ContentRX runs entirely on US-region infrastructure as of this effective date.
If you have a regulatory requirement that cannot be met under the current setup (EU-region data residency, named Article 27 rep, specific BAA-eligible subprocessors, French-language Quebec-compliant notice), email privacy@contentrx.io before signing up. ContentRX will be straight with you about whether the requirement can be met today or whether you should wait for the next expansion.
Changes to this policy
When the policy materially changes, the effective date at the top moves and existing customers get an email summary of what shifted. Trivial cleanups (typos, link updates) ship without a date change.
Questions
Email privacy@contentrx.io. The same address handles GDPR and CCPA requests, DPA inquiries, and subprocessor-list questions. For security-specific reports, the security disclosure policy is the right channel.