Obsidian RE ("we," "us," or "our") operates the website obsidianre.co and the Obsidian RE platform (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.
1. Information We Collect
We collect information you provide directly and information generated through your use of the Service.
Account Information
- Name and email address
- Password (stored as a salted, one-way hash — we never store plaintext passwords)
- Google OAuth profile data (name, email, and profile picture) if you sign in with Google
Training and Usage Data
- Conversation transcripts and messages from training sessions
- AI-generated scores, grades, and debrief content
- Scenario selections, session duration, and performance metrics
- Speech analysis data (filler words, pacing, tone metrics)
Payment Information
- Billing name and address
- Payment card details are collected and processed exclusively by Stripe — we do not store your full card number, CVC, or expiration date on our servers
- Stripe customer ID and subscription status
Automatically Collected Data
- IP address, browser type, operating system
- Pages visited, referring URLs, and access timestamps
- Device identifiers
2. How We Use Your Information
We use the information we collect for the following purposes:
- Provide the Service: Run training sessions, generate AI coaching feedback, produce scores and debriefs, and display your performance history
- AI Processing: Your conversation data is sent to the Anthropic API to power the AI training simulations and generate feedback. Anthropic processes this data according to its own privacy policy and does not use API inputs to train its models
- Analytics: Understand usage patterns, improve scenarios, and enhance platform performance
- Billing: Process payments, manage subscriptions, and send receipts
- Communication: Send account-related emails such as password resets, subscription confirmations, and important service updates
- Security: Detect and prevent fraud, abuse, and unauthorized access
3. Cookies and Local Storage
We use the following client-side storage mechanisms:
- Session cookies: Used to maintain your authenticated session while using the platform
- Authentication tokens: Stored in localStorage to keep you signed in across browser sessions. These tokens expire and are rotated periodically
We do not use third-party advertising or tracking cookies. You can clear localStorage and cookies through your browser settings, though doing so will sign you out of the platform.
4. Third-Party Services
We share data with the following third-party service providers, each operating under their own privacy policies:
- Stripe — Payment processing. Stripe receives your payment card details and billing information to process transactions. See Stripe's Privacy Policy
- Google — OAuth authentication. If you sign in with Google, we receive your name, email, and profile picture from Google. See Google's Privacy Policy
- Anthropic — AI processing. Conversation data from training sessions is sent to Anthropic's API to generate AI responses and coaching feedback. See Anthropic's Privacy Policy
We do not sell your personal information to any third party.
5. Data Retention
We retain your data as follows:
- Account data: Retained for as long as your account is active. If you delete your account, we remove your personal information within 30 days
- Training session data: Retained for as long as your account is active so you can review past sessions and track progress. Deleted upon account deletion
- Payment records: Retained for up to 7 years as required by tax and financial regulations
- Server logs: Automatically purged after 90 days
6. Data Security
We implement industry-standard security measures to protect your information, including:
- Encryption of data in transit via TLS/HTTPS
- Salted, one-way password hashing
- Access controls and authentication for internal systems
- Regular security reviews
No method of electronic transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.
7. Your Rights and Choices
All Users
- Access, update, or correct your account information at any time from your dashboard
- Delete your account and associated data by contacting us
- Opt out of non-essential communications
California Residents (CCPA)
If you are a California resident, you have the right to:
- Know what personal information we collect, use, and disclose
- Request deletion of your personal information
- Opt out of the sale of your personal information — we do not sell personal information
- Not be discriminated against for exercising your privacy rights
European Economic Area Residents (GDPR)
If you are located in the EEA, you have the right to:
- Access your personal data and receive a copy in a portable format
- Rectify inaccurate personal data
- Request erasure of your personal data ("right to be forgotten")
- Restrict or object to the processing of your personal data
- Withdraw consent at any time where processing is based on consent
- Lodge a complaint with your local data protection authority
Our legal bases for processing your data include: performance of a contract (providing the Service), legitimate interests (analytics, security), and consent (where applicable).
8. Children's Privacy
The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child under 18, we will delete that information promptly.
9. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and notify you by email or through the platform. Your continued use of the Service after changes are posted constitutes acceptance of the updated policy.
10. Contact Us
If you have questions about this Privacy Policy, wish to exercise your data rights, or need to report a privacy concern, contact us at:
Email: support@obsidianre.co
Website: obsidianre.co