Skip to content
CEOS

Privacy Policy

v1.0 · Last updated: 5 June 2026

CEOS is operated by Sirius Crewing SRL(“The Swiss Man”), CUI RO4202566, Reg. Com. J13/3988/2019, registered office Str. Târgului nr. 9-11, sat Lazu, com. Agigea, jud. Constanța, Romania, the data controller for the purposes of the EU GDPR. This policy explains what we collect, why, who else processes it, how long we keep it, and the rights you have.

1. Data we collect

(a) Account data: email address, and either a hashed password or an OAuth identifier, plus an optional first/last name. (b) Your idea: the idea text and the clarification answers you submit for evaluation. (c) Usage data: which features you use, evaluation status, and internal cost/calibration telemetry. (d) Payment metadata from Stripe (e.g. plan, last-4, country). We do not store your full card number; Stripe handles the card.

2. How we use it

To (a) run the evaluation pipeline and deliver your Reality Check, (b) maintain your account and authenticate you, (c) take payment and manage your plan, (d) measure and improve the system’s calibration, and (e) contact you about your account or plan.

3. Legal basis (GDPR Article 6)

(a) Performance of a contract: to provide the Service you signed up for; (b) Legal obligation: tax and accounting; (c) Legitimate interest: securing and improving the Service and preventing abuse; (d) Consent: where we ask for it (e.g. optional communications).

4. AI and research processing of your idea

To produce a Reality Check we send your idea (and text derived from it) to third-party AI and research providers:
  • AI evaluation (Google Gemini API). We use the Gemini API on a paid tier, under which Google does not use your prompts or responses to train or improve its models; that content is not used for product improvement and is retained by Google only briefly for security and policy-compliance purposes. See Google’s Gemini API terms.
  • Market research (Tavily). The pipeline sends Tavily the search queriesit generates about your market and competitors, not your full idea verbatim. Under Tavily’s terms it may use query data to improve its service; see Tavily’s privacy policy. As good practice, avoid putting secrets or other people’s personal data in your idea text.

5. Sub-processors and sharing

We share data only with the service providers needed to run CEOS:
  • Google (Gemini API): AI evaluation (idea + derived text). US.
  • Tavily: automated market/competitor research (derived search queries). US.
  • Supabase: authentication and database (account + idea + outputs). EU region.
  • Vercel: application hosting and delivery. US/global edge.
  • Upstash (QStash / Redis): background job scheduling and rate-limiting (project IDs). EU region.
  • Stripe: payment processing. EU/US.
  • Resend: transactional email (your email address). US.
We do not sell your data and do not use it for third-party advertising. Each provider processes data under its own agreement; we work to bind them with data-processing terms.

6. International transfers

Some providers process data outside the EU (e.g. in the US). Where that happens, the transfer relies on an approved safeguard: the provider’s certification under the EU–US Data Privacy Frameworkwhere available, and otherwise the European Commission’s Standard Contractual Clauses (2021) together with supplementary measures. You can contact us for the specific mechanism that applies to each provider.

7. Retention

Account data: kept while your account is active and for a short period afterwards. Ideas and outputs: kept while your account is active so you can revisit them, unless you ask us to delete them sooner. When you delete a project it is soft-deleted (hidden and excluded from processing) and then purged on a routine cycle. Payment records are kept as long as tax law requires (up to 10 years in the EU).

8. Your rights (GDPR Articles 12–22)

You have the right to access, rectify, erase, restrict, or object to the processing of your personal data, and the right to data portability. To exercise any of these (including a full export or deletion of your ideas and account), email andreigegiu@gmail.com and we will action it within the statutory timeframe. You may also lodge a complaint with your local supervisory authority (in Romania, the ANSPDCP).

9. Cookies

We use essential cookies only, for authentication/session and (at checkout) payment. We do not use advertising or third-party tracking cookies. The cookie notice lets you acknowledge this; declining non-essential cookies does not limit the Service because we don’t set any.

10. Security

Data is transmitted over encrypted connections (HTTPS/TLS). Access to production data is restricted to authorised personnel under confidentiality, and our database and hosting providers apply encryption at rest on their infrastructure. No system is perfectly secure; we cannot guarantee absolute security.

11. Contact

Privacy questions and GDPR requests: andreigegiu@gmail.com.