Privacy Policy

Effective date: March 10, 2026

1. Scope

This Privacy Policy explains how BrutalVerdict ("we", "us", "our") collects, uses, stores, and protects information when you use BrutalVerdict — our chat analysis product — including the website, waitlist, account, billing, and analysis features.

2. Overview — What We Store and What We Don't

BrutalVerdict is designed around a principle of local-first analysis with minimal server data. Your uploaded chat file is parsed and analyzed entirely inside your browser using a Web Worker. We never upload, transmit, or store the raw chat file or individual messages on our servers.

Our servers only receive and store lightweight operational metadata required for authentication, billing, and entitlement management — never the content of your conversations.

3. Data Stored on Our Servers (Convex Database)

The following information is stored on our backend database. Each category lists what is stored, why, and when it is created.

User Account

  • What: Authentication provider ID (Clerk user ID), plan tier (free / pro / lifetime), plan expiry date, unlock token balance, account creation and update timestamps.
  • Why: To manage your subscription, determine which features you can access, and track token balance.
  • When: Created when you first sign in. Updated when you purchase a plan or use tokens.

Chat Fingerprints

  • What: A SHA-256 hash of your chat file (not the file itself), chat source format (e.g. WhatsApp, Messenger), participant display names, total message count, date of last message, file size, and analysis timestamps.
  • Why: To identify repeat analyses of the same chat for entitlement purposes — so you don't have to re-purchase access if you revisit the same conversation.
  • When: Created the first time you analyze a chat while signed in. Updated on re-analysis.
  • Note: The hash is one-way — we cannot reconstruct the original chat content from it. Participant names are stored to support entitlement display; they are the names as they appear in the chat export.

Chat Unlocks

  • What: Your user ID, the chat hash you unlocked, unlock reason (purchase / grant / token / migration), payment reference (if applicable), and unlock timestamp.
  • Why: To verify that you have paid for or been granted access to premium insights for a specific chat.
  • When: Created when you unlock a chat via payment, token, admin grant, or migration.

Transactions

  • What: Transaction type (chat unlock, pro subscription, lifetime subscription), amount, currency (INR), payment status, Razorpay payment ID, Razorpay order ID, and timestamp.
  • Why: Financial record-keeping, payment reconciliation, dispute resolution, fraud prevention, and legal accounting obligations.
  • When: Created when a payment is initiated or completed.
  • Note: We do not store card numbers, bank account details, or any complete payment instrument data. All payment processing is handled by Razorpay.

Waitlist

  • What: Email address, sign-up date, referral source, and notification status.
  • Why: To notify you when access becomes available.
  • When: Created when you join the waitlist.

AI Insight Logs

  • What: Your user ID, chat hash, insight type (single / compare), AI model used, success/failure status, error type (if any), processing duration, and timestamp.
  • Why: To monitor AI feature usage, debug failures, and track costs.
  • When: Created each time AI-generated insights are requested.
  • Note: Only aggregate statistical data (reply times, message counts, engagement scores) is sent to the AI provider — never raw messages or conversation content.

Ratings & Feedback

  • What: Your user ID, star rating (1–5), optional free-text feedback, and timestamp.
  • Why: To understand user satisfaction and improve the product.
  • When: Created when you submit a rating.

System Configuration

  • What: Admin-configured feature settings (e.g. card gating tiers). Does not contain user personal data.
  • Why: To allow product configuration without code deployments.

4. Data Stored in Your Browser (Client-Side Only)

The following data is stored entirely on your device and is never sent to our servers:

  • Full analysis results (IndexedDB): The complete output of your chat analysis — including parsed messages, grouped conversations, and computed statistics — is stored in your browser's IndexedDB. This allows you to revisit results without re-uploading.
  • Embedding vector cache (IndexedDB): Pre-computed text embeddings used for phrase matching, cached locally for performance.
  • Recent chat history (IndexedDB): A list of your recent analyses for quick re-opening from the dashboard.
  • ML model weights (Cache API): The ONNX model files used for local embedding computation (~23 MB), cached by the browser for faster subsequent loads.
  • UI preferences (localStorage): Analysis count, last run time, install prompt state, and onboarding state.

You can clear all locally stored data at any time by clearing your browser's site data for this domain.

5. Data We Never Collect or Store

For clarity, the following data is never transmitted to or stored on our servers:

  • Your raw chat export file
  • Individual message text or content
  • Media files, photos, or attachments from chats
  • Full payment card numbers or bank account details (Razorpay handles this)
  • Device location or GPS data
  • Contacts or address books

6. Third-Party Services

We use the following third-party services, each with their own privacy policies:

  • Clerk — Authentication and session management. Stores your sign-in credentials and identity tokens.
  • Convex — Backend database and serverless functions. Stores the operational metadata described in Section 3.
  • Razorpay — Payment processing (INR). Handles card/UPI/bank details; we only receive payment and order IDs.
  • Groq (LLM API) — AI-generated insights. Receives only aggregate statistics (not raw messages) for generating natural-language analysis summaries.
  • HuggingFace — Provides the ML model files that are downloaded to your browser for local text embedding computation. No chat data is sent to HuggingFace.

7. How We Use Information

We use information to deliver product functionality, verify purchases and access entitlements, detect abuse and fraud, maintain platform performance, provide customer support, communicate service updates, and improve product quality and safety.

8. Legal Bases and Compliance

Where required by law, we process information under recognized legal bases such as contractual necessity, legitimate interests, consent, and legal obligations. We implement privacy by design and data minimization as product defaults.

9. Cookies and Similar Technologies

We use essential cookies and local storage for authentication (Clerk session tokens), feature state, and service operation. We do not use third-party advertising or tracking cookies. You can control browser settings, though disabling some storage features may reduce functionality.

10. Data Retention

We retain information only as long as necessary for product delivery, entitlement verification, dispute handling, security, legal compliance, and record-keeping. Transaction records are retained as required by applicable financial regulations. Retention periods vary by data category and may be extended when required by law.

11. Security Measures

We apply reasonable technical and organizational safeguards, including access controls, transport encryption (HTTPS), admin role verification, and operational monitoring. No internet transmission or storage system can be guaranteed 100% secure, but we continuously improve controls to reduce risk.

12. International Data Transfers

Your information may be processed in jurisdictions other than your own where our providers operate. Where required, we implement appropriate safeguards for cross-border transfers in accordance with applicable law.

13. Children's Privacy

BrutalVerdict is not intended for children under the age required by local law to independently use digital services. If we learn we collected personal information from a child without valid authorization where required, we will take steps to delete it.

14. Your Rights and Choices

Depending on your jurisdiction, you may have rights to access, correct, delete, restrict, object to processing, or request data portability. You may also have rights related to marketing communications and consent withdrawal. We will evaluate and respond to lawful requests within applicable timelines.

To delete all locally stored data, clear your browser's site data. For server-side data deletion requests, contact us at [email protected].

15. Policy Updates

We may update this Privacy Policy as the product, legal landscape, or infrastructure evolves. Material changes will be reflected by updating the effective date and publishing the revised policy on this page.

16. Contact

For privacy requests, legal notices, or data questions, contact us at [email protected].