True North is a family-oriented AI chat service that lets you talk to multiple AI models, compare their answers, and set up supervised profiles for your children. This policy explains what we collect, why, who we share it with, and the choices you have. We have tried to write it so a busy parent can actually read it.
Account information. When you sign up, our identity provider (id.artilect.us) handles your login and gives us your email address and basic profile information (name, if provided). If you use Sign in with Apple, Apple provides a verified identifier and (if you choose to share it) your email address. We never see your password when you sign in through the identity provider, and we never see your Apple password.
Chats and messages. The messages you send, the AI responses you receive, and per-chat settings. This includes “Multi Chat” sessions where one prompt goes to several models.
Gems. Saved snippets/answers you choose to keep.
Memories. True North includes a memory feature: after conversations, an AI
model automatically extracts short notes about your preferences and context (for example,
“prefers metric units”) so future chats can be more helpful. These memories are
stored with your account, can be viewed and deleted in the app, and can be downloaded in full
at any time (Settings β Memory export, or GET /api/mem/export).
Images and files. Images and attachments you upload to chats, and images the service generates for you. These are stored on our servers.
Usage and cost records. Which models you used, token counts, and the cost of each request. We use this to show you your usage, to bill you correctly, and to enforce spending limits.
Consent records. When you accept our Terms of Service and this policy (and attest that you are 16 or older), we record the time and the version of the text you accepted. When a parent creates a child profile, we record the time of parental consent and the version of the consent text the parent affirmed.
Child profiles. A child profile stores a display name, a hashed PIN, the parental-consent timestamp and consent-text version, the content-filter profile the parent chose, a data-retention setting, and the child's chats/messages. Child profiles have no email address β they exist only inside the parent's account. We do not currently collect birthdates; see section 6.
Push notification tokens. If you enable notifications in the iOS app, we store the device push token Apple gives us so we can tell you when a long-running request finishes.
Logs. Standard server logs (timestamps, IP addresses, request paths, errors) kept for security and debugging.
What we do NOT collect. We do not run advertising trackers or third-party analytics on the website or in the app. We do not sell your data. We do not build advertising profiles.
We do not use your conversations to train AI models ourselves. Prompts are sent to third-party model providers to generate responses (see section 3); their handling is governed by their own terms β via OpenRouter we route to providers under OpenRouter's data policies.
To run True North we share data with the following providers, each only for the stated purpose:
| Provider | Purpose | What they receive |
|---|---|---|
| OpenRouter (openrouter.ai) | AI model inference. OpenRouter is a routing layer that forwards your prompts to the third-party model providers you select (e.g. OpenAI, Anthropic, Google, Meta and others). | Your messages, conversation context, injected memories, and any images/attachments in the conversation. |
| fal.ai | Image generation (default image provider). | The image prompt you submit. |
| OpenAI | Image generation (for OpenAI-routed image models) and automated content moderation of image prompts/outputs, where enabled. | Image prompts and, for moderation, the content being checked. |
| Stripe | Payments (credit top-ups, subscriptions). | Payment details, email. We never see or store your full card number. |
| Apple | Sign in with Apple; push notifications (APNs). | Sign-in tokens; push tokens and minimal notification payloads (e.g. “your Multi Chat round finished” β not message content). |
| id.artilect.us | Identity provider β sign-up, sign-in, session management. | Email, password (held by the IdP, not by us), profile basics. |
| [EMAIL/SMTP PROVIDER] | Transactional email. Currently this is limited to waitlist/invite emails containing your email address, name (if given), and an access code. | Recipient email address and the message content described. |
| [HOSTING PROVIDER] | Hosting (infrastructure processor) β our servers and database run on machines rented from this provider; they store data on our behalf and do not access it for their own purposes. | All service data, at rest on their machines, under our control. |
Important: when you chat, your prompt content necessarily leaves our servers and goes to the AI model provider that generates the response. Do not put anything in a chat that you would not send to those providers.
All traffic to True North is encrypted in transit (TLS).
True North also offers an optional encrypted-conversations mode for individual chats. When enabled, messages are encrypted on your device with per-conversation keys, and encrypted copies of the conversation key are issued to each of your registered devices.
An honest caveat β this is not “end-to-end encryption”, and we deliberately don't call it that. The True North server is itself one of the “devices” that receives a copy of the conversation key. This is by design: the server must be able to read your message in order to send it to an AI model and get you an answer. So this mode protects your messages at rest (a stolen database backup, or a compromise that only reaches stored data, yields ciphertext without the server's separately-stored key file), but the server operator can technically decrypt conversation content while the service is running β unlike strict end-to-end-encrypted messengers such as Signal. We say this plainly so you can make an informed choice.
Child PINs are never stored in plain text β only a cryptographic hash.
You can create a public share link for a chat or a gem. Anyone with that link can view the shared content without logging in. Shares are off by default, are only created by your explicit action, and can be revoked at any time (revoking disables the link). Think before sharing content that contains personal information.
True North is built for families, and we treat children's data with extra care:
GET /api/family/children/{id}/export) and can delete the child profile
and all its data at any time.A child's chats are processed by the same AI model providers described in section 3, subject to the parent's filter settings.
Wherever you live, we extend you these rights over your personal data:
To exercise any of these, email [CONTACT EMAIL]. We may need to verify your identity first. If you are in the EU/EEA or UK you also have the right to complain to your data-protection authority.
We use only essential cookies: session cookies that keep you signed in (including separate, more limited cookies for child sessions) and remember whether the current session is a child session. There are no advertising cookies, no third-party analytics, and no cross-site tracking. Because we use only strictly-necessary cookies, we do not show a cookie banner.
We use TLS in transit, hashed credentials (PINs and, at the identity provider, passwords), scoped and audited access controls between family members (a child session cannot reach parent-only areas), spend/rate limits, and the optional encrypted-conversations mode described in section 4. No system is perfectly secure; see section 11.
If we learn of a breach that affects your personal data, we will notify affected users without undue delay β and where a supervisory authority must be informed, within the timeline the law requires (e.g. 72 hours under GDPR) β describing what happened, what data was involved, and what we are doing about it.
Our servers are hosted with [HOSTING PROVIDER] in [HOSTING REGION]. The AI model providers and other processors listed in section 3 may process data in other countries, including the United States. Where required, we rely on appropriate safeguards such as standard contractual clauses. [LAWYER: confirm transfer mechanism for each processor in the section 3 table.]
We may update this policy. For material changes we will notify you in the app or by email before they take effect, and we will always show the effective date at the top. Continued use after the effective date means the updated policy applies.
Questions, requests, complaints: [CONTACT EMAIL]
Controller: [LEGAL ENTITY, JURISDICTION],
[POSTAL ADDRESS].