Home

Privacy Policy

Version v1.1 · Effective May 7, 2026

Qx10.lol ("the Service," "we," "us") is a discovery workspace. This policy explains what limited information we collect, why, and how it is handled. The Service is designed to keep most user content on the user's own device.

Snapshot: we do not sell or share your personal information for cross-context behavioral advertising. We do not use third-party advertising cookies. We honor the Global Privacy Control (GPC) browser signal.

1. Information we collect

  • Account identity. When you sign in with Google we receive your unique Google ID (sub), email address, display name, and profile picture URL. We do not receive your Google password.
  • Usage events. We record sign-in timestamps, the keywords you submit on the landing page, your chosen exploration goal (e.g. learn, research), and the timestamp of your privacy-policy consent.
  • Workspace content. The questions, answers, and notes you create live in your browser's local storage by default. They are uploaded to a third party only if you explicitly enable Google Drive backup, and are written to a hidden Drive app data folder owned by your own Google account.
  • Cookies. We use first-party, http-only cookies to remember your sign-in session and any optional Google Drive connection. We do not use third-party advertising cookies.
  • Aggregated analytics. Anonymous page-view metrics may be collected via Vercel Analytics and Google Analytics (if configured by the operator).

2. How we use the information

  • To authenticate you and keep you signed in.
  • To provide the AI-assisted exploration features you initiate (your prompts are sent to the configured AI provider — currently Google Gemini and/or OpenAI — only at the moment you press a button that triggers a request).
  • To understand aggregate usage (how many people use the Service, what topics are popular) and to detect abuse.
  • To respond to your requests (e.g. account deletion, data export).

3. Sharing — we do not sell or share for advertising

We do notsell your personal information, and we do not share it for cross-context behavioral advertising as those terms are defined in California law (Cal. Civ. Code § 1798.140). We have not done so in the preceding 12 months.

Limited information is processed only by infrastructure providers strictly necessary to operate the Service, acting as our service providers under written agreements that prohibit further use:

  • Google. For sign-in (OpenID Connect) and optional Drive backup.
  • AI providers. The model you select for each query (Google Gemini and/or OpenAI) receives the prompt you submit at the moment of the request.
  • Hosting. Vercel (application hosting), Supabase (server-side analytics storage when configured by the operator).
  • Optional tools. Tavily (web search) and ElevenLabs (voice), only if and when you invoke a feature that uses them.

4. Retention

The following retention periods apply:

  • User identity. Kept for as long as your account exists. Deleted within 30 days of an account-deletion request.
  • Sign-in / search / consent events. Kept for up to 24 months for product analytics and abuse detection. Cascade-deleted within 30 days of an account-deletion request.
  • Workspace content (local). Lives in your browser only — retained until you clear site data.
  • Workspace content (Google Drive). Retained in your own Google account's app-data folder until you remove it; we do not have an additional copy.

5. Security

Session cookies are sealed with AES-256-GCM and marked HttpOnly, Secure, and SameSite=Lax. We never store Google passwords. If you connect Google Drive, your refresh token is encrypted before being stored in a cookie on your device.

6. Your choices

  • You can sign out at any time from the user menu.
  • You can disconnect Google Drive backup from the Settings page.
  • You can clear all locally-stored workspaces by clearing your browser's site data for this domain.
  • You can download (Settings → Export my data) or permanently delete your account at any time (Settings → Danger zone).

7. Account deletion

You can permanently delete your account at any time from Settings → Danger zone. This removes your user record and cascade-deletes all associated server-side events. Workspaces stored locally in your browser are not affected — clear your browser's site data for this domain to remove those. Your Google account itself is untouched; you may additionally revoke this app's access at myaccount.google.com/permissions. If you cannot use the in-app option, email rpkim.jay@gmail.com from the address tied to your Google account; we will action the request within 30 days.

8. Children

The Service is not directed to users under 16. We do not knowingly collect personal information from a child under 16, and we do not sell or share personal information of consumers under 16. If you believe a child has provided us with personal information, contact us and we will promptly delete the information.

9. Your California privacy rights (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), grants you the rights below. We extend the same rights to all our users worldwide as a matter of policy.

9a. Categories of personal information we collect

In the past 12 months we have collected the following CCPA categories of personal information:

  • Identifiers (Cal. Civ. Code § 1798.140(v)(1)(A)): Google subject id, email address, display name, profile picture URL, sealed cookie session id.
  • Internet or other electronic network activity (§ 1798.140(v)(1)(F)): timestamps of sign-in events, search keywords you submit on the landing page, the goal you select.
  • Inferences (§ 1798.140(v)(1)(K)): aggregate counters (total sign-ins, total searches, last-seen timestamp) derived from the events above.

We have notcollected information from the "sensitive personal information" categories defined in § 1798.140(ae) (e.g. SSN, financial account credentials, precise geolocation, race/ethnicity, biometrics, etc.). Because no sensitive PI is collected, the optional "Right to Limit Use of Sensitive Personal Information" is not applicable to this Service.

9b. Sources, purposes, and recipients

  • Sources: directly from you (sign-in, keywords) and Google (identity fields).
  • Business purposes (§ 1798.140(e)): authentication, providing the AI features you initiate, security/abuse detection, debugging, product analytics in aggregate.
  • Recipients: the service providers listed in Section 3.

9c. Your rights

  • Right to know. You can obtain a copy of the personal information we hold about you, including categories, sources, purposes, and recipients, from Settings → Export my data.
  • Right to delete. You can permanently delete your account from Settings → Danger zone.
  • Right to correct. Your name and profile picture are mirrored from Google on each sign-in; updating them in your Google account propagates them here. To correct your email, sign in with the corrected Google account.
  • Right to opt out of sale or sharing. We do not sell or share personal information; there is nothing to opt out of. See our Do Not Sell or Share My Personal Information page.
  • Right to limit use of sensitive PI. Not applicable — we do not collect sensitive PI.
  • Right to non-discrimination. We will not deny service, charge different prices, or provide a different level of quality because you exercised a privacy right.

9d. How to submit a request

Use the in-app tools above for the fastest path. If you cannot access them, email rpkim.jay@gmail.com from the address associated with your account. We verify requests by matching the requesting email against the account's Google email. We respond within 45 days (extendable by an additional 45 days with notice).

9e. Authorized agents

You may designate an authorized agent to submit requests on your behalf. The agent must email us at the address above with: (a) your written, signed permission to act on your behalf, and (b) sufficient information to verify your identity (we typically require you to confirm directly via email from your account address).

9f. Global Privacy Control (GPC)

We treat the GPC browser signal as a valid request to opt out of sale and sharing under California law. Because we do not sell or share, the practical effect of the signal on this Service is limited to a confirmation of our existing posture; we will not knowingly engage in sale or sharing while a GPC signal is present.

10. Other US state privacy rights

Residents of states with comprehensive privacy laws (including without limitation Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and others) have analogous rights to access, delete, correct, port, and opt out. To the extent applicable, we extend the same rights and processes described in Section 9 to residents of those states.

11. Changes

If material changes are made to this policy, the version number above will be incremented and you will be re-prompted for consent on next sign-in.

12. Contact

Questions or concerns: rpkim.jay@gmail.com.