Privacy Policy
Effective date: 18 April 2026
Who we are
AmIThat? is operated by Etherstep LLC, Minneapolis, Minnesota, USA. This policy explains what data is collected, how it is used, and your rights over it.
Data controller: Etherstep LLC, Minneapolis, Minnesota, USA — v@etherstep.com
What we collect
Text you enter. When you submit text, it is sent to OpenAI’s API to generate a response. We do not store this text on our servers. OpenAI may retain API inputs for a limited period for abuse and safety monitoring, in accordance with their API data usage policy. We do not use your input to train AI models. By submitting text, you acknowledge it will be processed by OpenAI to generate a response.
Sensitive information. You may choose to provide information that could be considered sensitive (e.g., health-related). We process this only to provide the Service and do not use it for any other purpose.
Saved reflections. If you save a reflection, it is stored either in your browser’s localStorage (guest) or in our Supabase-hosted database (signed-in users). Supabase servers are located in Frankfurt, Germany (EU). Data may be processed within the European Economic Area (EEA). Where data is transferred outside the EEA by our processors, appropriate safeguards (such as standard contractual clauses) are used.
Account data. If you create an account, we store your email address via Supabase Auth. We do not collect your name, phone number, or payment details.
Cookies. We use a single functional cookie to store your cookie consent preference. We do not use advertising or tracking cookies.
Usage data. We do not currently use analytics or tracking tools. Standard server logs (IP address, request path, timestamp) may be retained by our hosting provider (Vercel) for up to 30 days for security purposes. These logs are not used by us for analytics or profiling.
How we use your data
- To provide the reflection service (input → OpenAI → response displayed to you)
- To store your saved reflections so you can review them later
- To authenticate your account and keep your library private
- To respond to support requests you send us
Our legal basis includes performance of a contract (to provide the Service) and, where applicable, your consent (e.g., submitting text for reflection). By using the Service, you understand that your data may be processed in jurisdictions where our providers operate.
What we don’t do
- We don’t sell your data
- We don’t use your data for advertising
- We don’t use your input to train AI models
- We don’t track you across websites
Third-party processors
These providers act as data processors on our behalf.
OpenAI — processes your reflection input to generate responses. See OpenAI API Data Usage Policy.
Supabase — stores account and library data. See Supabase Privacy Policy.
Vercel — hosts the application. See Vercel Privacy Policy.
Security
We use industry-standard measures to protect your data, including encrypted connections (HTTPS) and access controls. No system is completely secure.
Your rights
Depending on where you are located, you may have rights under GDPR, CCPA, or similar laws. These include:
- Access — request a copy of the data we hold about you
- Deletion — delete your account and all associated data from your Profile page, or email us
- Portability — request an export of your saved data
- Correction — request correction of inaccurate data
- Objection — object to certain processing
If you are located in the EEA, you also have the right to lodge a complaint with your local data protection authority.
To exercise any right, email v@etherstep.com. We will respond within 30 days.
Data retention
Guest data lives only in your browser’s localStorage and is never sent to our servers. Clearing your browser data removes it completely.
Signed-in account data is retained until you delete your account. Deleting your account removes all saved reflections and your email address from our database within a reasonable timeframe.
Children
This service is not directed at children. We do not knowingly collect data from children under the age required by applicable law (e.g., 13 in the U.S., 16 in parts of the EU). If you believe a child has provided us with data, contact us and we will delete it promptly.
Changes to this policy
We may update this policy. Material changes will be indicated by updating the date at the top of this page. Continued use after a change constitutes acceptance of the updated policy.
Contact
Privacy requests: v@etherstep.com
General questions: v@etherstep.com