Privacy Policy

Last updated: April 23, 2026 · version 1.0

We collect the minimum data needed to operate Ada. We do not sell your data. We do not use your conversations to train AI models. This policy explains exactly what we collect, why, and what you can do about it.

// contents

Who We Are (Data Controller)
Data We Collect
Legal Basis for Processing (GDPR)
How We Use Your Data
Data Sharing and Third-Party Processors
International Data Transfers
Data Retention
Cookies and Local Storage
Your Rights
Children's Privacy
Security
Changes to This Policy
Contact and Complaints

1. Who We Are (Data Controller)

Ada is operated by Kerne, based in Aalborg, Denmark. For the purposes of the General Data Protection Regulation (GDPR) and applicable Danish data protection law, we are the data controller for personal data processed through this service.

Contact: [email protected]

2. Data We Collect

We collect only what is necessary to provide and operate Ada.

// account data

Email address — used for authentication, account management, and service communications
Display name — set by you at signup, shown in the app interface
Authentication method — whether you signed up via email, GitHub OAuth, or Google OAuth
Account creation date and last sign-in

// profile data

Stack profile — programming languages, frameworks, databases, and experience level you provide during onboarding. Used to personalise Ada's responses.
Plan tier — Free, Solo, or Pro

// usage data

Message count — number of messages sent in the current billing period
Monthly spend — estimated API cost incurred by your usage in the current billing period, used to enforce your plan's ceiling

// conversation data

Conversation history — messages you send to Ada and responses received, stored per session. You control how much history Ada retains per session via the memory setting.
Session metadata — session title (auto-generated), creation timestamp

// payment data

If you subscribe to a paid plan, payment is processed by Stripe. We do not store payment card details. We receive and store a Stripe customer ID and subscription status for billing management.

// technical data

Standard server logs may include IP addresses and request metadata for security and abuse prevention. This data is not linked to your account profile and is not retained beyond 30 days.

// what we do not collect

We do not use third-party analytics or advertising trackers
We do not collect behavioral tracking data beyond what is described above
We do not build profiles for advertising or resale purposes

3. Legal Basis for Processing (GDPR)

If you are in the European Economic Area (EEA), we process your personal data on the following legal bases under GDPR Article 6:

Data	Legal basis	Details
Account and profile data	Contract (Art. 6(1)(b))	Necessary to provide the service you signed up for
Conversation history	Contract (Art. 6(1)(b))	Required to deliver AI responses and session continuity
Usage and spend data	Contract (Art. 6(1)(b))	Required to enforce plan limits and billing
Payment data (via Stripe)	Contract (Art. 6(1)(b))	Required for subscription billing
Server logs	Legitimate interest (Art. 6(1)(f))	Security, abuse prevention, and service reliability
Service communications	Contract / Legitimate interest	Sending critical account notices, billing alerts, and policy updates

We do not process your data on the basis of consent except where explicitly indicated (e.g. optional marketing communications, if introduced in the future). You have the right to withdraw any consent given at any time.

4. How We Use Your Data

We use your data only for the following purposes:

Providing the service — authenticating you, storing and retrieving your conversations, enforcing plan limits, and generating AI responses via the Anthropic API
Personalising responses — your stack profile is injected into Ada's system prompt to tailor the depth and examples of her responses to your background
Billing and plan management — tracking spend against your plan ceiling, processing subscription payments via Stripe, and resetting limits each billing period
Service communications — sending account confirmation emails, billing receipts, usage alerts, and important policy changes
Security and abuse prevention — detecting and responding to unauthorised access, abuse, or violations of our Terms of Service
Service improvement — aggregate, anonymised usage patterns may inform feature decisions. Individual conversations are not used for this purpose.

We do not sell your data. We do not share your data with advertisers. We do not use your conversations to train AI models.

5. Data Sharing and Third-Party Processors

We share data only with the processors required to operate Ada. All processors are bound by data processing agreements and are required to handle your data in compliance with GDPR.

// Anthropic

Purpose: AI inference — your messages and conversation context are transmitted to Anthropic's API to generate responses.

Data shared: Message content and conversation history (limited by your memory setting), system prompt context including your stack profile.

Anthropic's position: Anthropic does not use API data to train models by default under their enterprise API terms. Your data is governed by Anthropic's Privacy Policy.

Location: United States (see Section 6 on international transfers).

// Supabase

Purpose: Authentication, database storage (accounts, conversations, profiles, usage data).

Location: EU region (AWS eu-west) where available. Supabase is GDPR-compliant and operates under a Data Processing Agreement.

// Stripe

Purpose: Payment processing for paid subscriptions.

Data shared: Email address and billing details. We do not store or access your payment card information — this is handled entirely by Stripe.

Location: United States and EU. Stripe is certified under EU-US Data Privacy Framework.

// Google / GitHub (OAuth only)

If you use Google or GitHub to sign in, those providers authenticate your identity and share a verified email address with us. We do not receive or store any other data from your Google or GitHub account. Their respective privacy policies govern the authentication step.

// no other sharing

We do not share your data with any other third parties except as required by law (e.g. a valid legal order from a court or authority). If required to disclose your data by law, we will notify you where legally permitted to do so.

6. International Data Transfers

Ada is operated from Denmark (EU). Some of our third-party processors (Anthropic, Stripe) are based in the United States. Where data is transferred outside the EEA, we rely on:

Standard Contractual Clauses (SCCs) approved by the European Commission
Adequacy decisions where applicable
EU-US Data Privacy Framework certification (for Stripe)

You can request details of the specific transfer mechanisms in place by contacting us.

7. Data Retention

We retain your data for as long as your account is active, and delete it as follows after account closure:

Conversation history — deleted within 30 days of account closure, or immediately upon your request
Account and profile data — deleted within 30 days of account closure
Billing records — retained for 5 years as required by Danish accounting law
Server logs — deleted after 30 days

You can delete individual conversations at any time from within the app. You can request full account deletion by contacting us at [email protected].

8. Cookies and Local Storage

Ada does not use third-party tracking cookies or advertising cookies of any kind.

// local storage (browser)

We use browser local storage to persist the following across sessions:

User preferences (font size, memory setting, mode selection)
Session tokens issued by Supabase for authentication

This data never leaves your browser except as part of authenticated API requests to our server.

// session cookies

Supabase may set session cookies as part of the authentication flow. These are functional cookies required for the service to work. They expire when your session ends or when you log out.

Since we use only functional storage necessary to deliver the service, we do not display a cookie consent banner. If you have questions about this, contact us.

9. Your Rights

Under GDPR and Danish data protection law, you have the following rights regarding your personal data:

Right of access (Art. 15) — you can request a copy of all personal data we hold about you
Right to rectification (Art. 16) — you can correct inaccurate or incomplete data. Display name and stack profile can be edited directly in the app.
Right to erasure (Art. 17) — you can request deletion of your account and personal data ("right to be forgotten"), subject to legal retention requirements
Right to restriction (Art. 18) — you can request that we restrict processing of your data in certain circumstances
Right to data portability (Art. 20) — you can request your data in a structured, machine-readable format (JSON)
Right to object (Art. 21) — you can object to processing based on legitimate interests
Right to withdraw consent — where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of prior processing

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days. We may ask you to verify your identity before fulfilling the request.

If you believe we have not handled your data correctly, you have the right to lodge a complaint with the Danish data protection authority:

Datatilsynet
Carl Jacobsens Vej 35, 2500 Valby, Denmark
datatilsynet.dk

10. Children's Privacy

Ada is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If we become aware that we have collected data from a person under 16 without appropriate consent, we will delete it promptly. If you believe a child has created an account without authorisation, contact us at [email protected].

11. Security

We take reasonable technical and organisational measures to protect your data, including:

All data in transit is encrypted via TLS/HTTPS
Authentication tokens are handled by Supabase with industry-standard security practices
Row-level security (RLS) policies in the database prevent cross-user data access
API keys and secrets are stored in environment variables, never in client-side code
Payment data is not stored on our servers — Stripe handles all card data

No system is perfectly secure. If you discover a security vulnerability, please report it responsibly to [email protected] before public disclosure.

In the event of a data breach that poses a risk to your rights, we will notify you and the relevant supervisory authority within 72 hours of becoming aware of it, as required by GDPR Article 33.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and notify active users by email at least 14 days before the changes take effect.

Your continued use of Ada after the effective date constitutes acceptance of the updated policy. If you do not accept the changes, you should stop using the service and may request deletion of your account.

13. Contact and Complaints

For any privacy-related questions, data requests, or complaints:

[email protected]
Kerne, Aalborg, Denmark

We aim to respond to all privacy requests within 30 days.

// ada · privacy policy · v1.0 · april 2026 · gdpr compliant