Privacy Policy

Gevara ("we", "us", "our") is an AI-powered strategic consulting platform operated by Gevara, Inc. We are committed to protecting your personal information and your right to privacy. If you have any questions about this policy, please contact us at privacy@gevara.ai.

We collect information you provide directly to us when you: • Create an account (name, email address, password via Clerk authentication) • Subscribe to a paid plan (billing details processed by Stripe — we never store card numbers) • Use the platform (consulting session inputs, questions, report interactions) • Contact us (support messages, feedback) We also collect certain information automatically when you use Gevara: • Log data (IP address, browser type, pages visited, time spent) • Device information (screen size, operating system) • Usage analytics (features used, session frequency) via PostHog • Cookies and similar tracking technologies

We use the information we collect to: • Provide, maintain, and improve the Gevara platform • Process your consulting sessions and generate reports • Send you transactional emails (session complete notifications, billing receipts) • Respond to your support requests • Monitor platform performance and fix bugs • Comply with legal obligations • Protect against fraud and abuse We do not sell your personal information to third parties. We do not use your consulting session content to train AI models without your explicit consent.

When you submit a consulting session, your inputs are sent to AI providers (Anthropic, OpenAI, and/or Google AI) to generate your report. These providers process your data under their own privacy policies and data processing agreements. Important: We do not use your session content, business details, or report outputs to improve our AI models. Your strategic data stays yours. AI-generated reports are stored in your account and are only accessible to you (and your team members if you are on a Team or Enterprise plan).

We share your information only in the following circumstances: • Service providers: We use third-party services including Clerk (authentication), Stripe (payments), Neon (database), Resend (email), UploadThing (file storage), and PostHog (analytics). These providers are contractually obligated to protect your data. • Legal requirements: We may disclose your information if required by law, court order, or governmental authority. • Business transfers: If Gevara is acquired or merges with another company, your information may be transferred as part of that transaction. • With your consent: We will share information with third parties when you have given us explicit consent to do so.

We retain your account information and consulting session data for as long as your account is active. If you delete your account, we will delete or anonymise your personal data within 30 days, except where we are required to retain it by law. Aggregated, anonymised analytics data (no personal identifiers) may be retained indefinitely for platform improvement.

Depending on your location, you may have the following rights regarding your personal data: • Access: Request a copy of the personal data we hold about you • Correction: Request that we correct inaccurate personal data • Deletion: Request that we delete your personal data ("right to be forgotten") • Portability: Request your data in a machine-readable format • Restriction: Request that we restrict processing of your data • Objection: Object to processing based on legitimate interests To exercise any of these rights, email privacy@gevara.ai. We will respond within 30 days.

We take the security of your data seriously. We implement industry-standard measures including: • TLS/SSL encryption for all data in transit • AES-256 encryption for data at rest • Access controls — only authorised personnel can access production data • Regular security audits and penetration testing • SOC 2 compliance (in progress) No system is 100% secure. If you believe your account has been compromised, contact security@gevara.ai immediately.

We use cookies and similar tracking technologies to operate and improve Gevara. For full details on the cookies we use, see our Cookie Policy at gevara.ai/cookies. You can control cookie preferences through your browser settings. Disabling certain cookies may affect platform functionality.

Gevara is not directed at children under 16 years of age. We do not knowingly collect personal information from children under 16. If we learn that we have collected personal information from a child under 16, we will delete that information immediately.

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a prominent notice on our website at least 30 days before the change takes effect. Your continued use of Gevara after the change constitutes acceptance of the updated policy.

For questions about this Privacy Policy or your personal data: Email: privacy@gevara.ai Response time: Within 5 business days For data deletion requests or exercising GDPR rights: Email: privacy@gevara.ai with subject line "Data Request"