Privacy Policy

Effective date: March 12, 2026

The short version: We collect the minimum data needed to make the Service work. Your conversations are sent to Anthropic's API for processing. We share data with a small number of service providers listed below — only as needed to operate the Service. We do not sell your data. We do not use your conversations to train AI models.

1. Who We Are

DHU Labs ("the Service") is operated by TeamWeaver LLC, doing business as DHU Labs ("we", "us", "our"). This Privacy Policy explains what information we collect, how we use it, and your rights regarding that information.

2. What We Collect

| Data | Purpose | Retention |
| --- | --- | --- |
| Account information — email address, display name, hashed password | Authentication and identifying your account (registration is invite-only) | Stored until you request account deletion |
| Conversation content — your questions and AI responses | Generating responses, maintaining conversation history so you can continue chats | Stored on our server until you delete the conversation or request account deletion |
| Code block metadata — programming language and position of code blocks within AI responses | Powering the code artifacts panel (a browsable view of code blocks in your conversations) | Stored alongside conversation content; deleted when the conversation is deleted |
| Session cookie — a random identifier stored in your browser | Maintaining your authenticated session and associating your conversations with your account | 7 days (renews on each visit) |
| Usage metrics — token counts, model used, endpoint called, estimated cost | Enforcing per-user usage quotas and internal service monitoring | Stored on our server; aggregated in admin dashboard |
| IP address | Rate limiting (preventing abuse) and security audit logging | In server logs only; not stored in a database |
| Custom instructions — optional text you provide in Settings | Personalizing AI responses per your preferences | Stored with your account |
| Preferences — theme choice, mode selection, provider choice | Remembering your UI settings | Stored with your account |
| Memory facts — short factual statements automatically extracted from your conversations (e.g., "User is a software engineer") | Personalizing AI responses by remembering relevant context about you across conversations | Stored with your account; you can view and delete individual memories in Settings at any time (max 50 per user) |
| Subscription and billing data — subscription tier, Stripe customer ID, subscription status | Managing your subscription and enforcing usage quotas per tier | Stored with your account; payment details (card numbers) are held by Stripe, not by us |
| Password reset tokens — temporary tokens generated when you request a password reset | Verifying your identity during the password reset process | Expire after 1 hour; single-use; invalidated when a new reset is requested |

What we do NOT collect

  • Registration is invite-only and requires an email address and password. We do not collect any personal information beyond what you provide at registration.
  • We do not use analytics trackers, advertising pixels, or third-party tracking scripts
  • We do not use cookies for advertising or cross-site tracking
  • We do not collect or store audio from voice input (see Section 3)

3. Third-Party Data Processing

The Service relies on a small number of third-party providers to function. We share only the minimum data necessary with each:

AI providers (Anthropic and xAI)

When you send a message, your conversation content is transmitted to an AI provider for processing. This is necessary to generate responses. The Service currently uses the following AI providers:

  • Anthropic (Claude) — the primary AI provider. Under Anthropic's Commercial API terms, Anthropic does not use your conversations to train their AI models. Anthropic may retain data as needed to comply with law and enforce their usage policies. See Anthropic's Privacy Policy.
  • xAI (Grok) — an alternative AI provider available when configured by the administrator. See xAI's Privacy Policy.

The AI may also perform web searches via Anthropic's built-in web search tool. When this occurs, search queries derived from your conversation are executed through Anthropic's search infrastructure. We do not control which search providers Anthropic uses.

When using the comparison feature, the same prompt may be sent to two model configurations simultaneously.

Stripe (subscription billing)

If you subscribe to a paid tier, your payment is processed by Stripe. We send Stripe your email address and subscription tier selection. Stripe collects and stores your payment details (card number, billing address) directly — we never receive or store your full payment information. See Stripe's Privacy Policy.

Cloudflare (CAPTCHA verification)

During account registration, the Service may use Cloudflare Turnstile to verify that you are a human. This sends your IP address and browser interaction data to Cloudflare for analysis. See Cloudflare's Privacy Policy.

Email delivery provider (password reset only)

If you request a password reset, your email address is shared with our email delivery provider (currently Resend) solely for the purpose of delivering the reset email. No other data is shared with this provider.

Browser speech recognition (voice input)

The Service offers an optional voice input button. If you use it, your browser's built-in speech recognition processes your audio. We never receive or store your audio. We only receive the transcribed text that your browser produces. However, your browser may transmit audio to its vendor for processing — for example, Chrome sends audio to Google's servers. This is governed by your browser vendor's privacy policy, not ours. Voice input is entirely optional; you do not need to use it.

Programmatic access (Agent API)

The Service supports programmatic access via API tokens for authorized integrations. If a third-party tool or agent accesses the Service on your behalf, it may read, create, or export conversations in your session. We are not responsible for how third-party tools handle data they retrieve from the Service.

4. How We Store Your Data

Conversation data and session information are stored in a SQLite database on the server that runs the Service. The Service uses HTTPS to encrypt all data in transit between your browser and our server.

Database backups are stored on Cloudflare R2 (an S3-compatible storage service) for disaster recovery. Backups are retained for up to 30 days and then automatically deleted.

Provider API keys stored by administrators are encrypted at rest using AES-256-GCM before being written to the database.

5. Data Security

We implement the following security measures:

  • Passwords hashed with industry-standard algorithms (never stored in plaintext)
  • Rate limiting on all API endpoints to prevent abuse
  • HttpOnly, SameSite=Lax session cookies to prevent cross-site attacks
  • CSRF origin validation on all POST requests
  • Content Security Policy headers to prevent script injection
  • Input length validation and error sanitization
  • Per-IP concurrent stream limits

No system is perfectly secure. We take reasonable precautions but cannot guarantee absolute security.

6. Your Rights

You have the right to:

  • Delete your conversations — use the delete button next to any conversation in the sidebar
  • Delete your memories — view and delete individual memory facts in Settings, or clear all memories at once
  • Export your conversations — use the export feature to download your conversation history as markdown
  • Export all your data — download a complete copy of your data (conversations, memories, settings, usage history) from your account settings
  • Delete your account — permanently delete your account and all associated data from your account settings; this action is immediate and irreversible
  • Change your password — via the Settings menu or the "Forgot password" flow on the login page
  • Manage your subscription — upgrade, downgrade, or cancel your subscription at any time via the billing portal

For EU/EEA residents (GDPR)

If you are located in the European Union or European Economic Area, you have additional rights under the General Data Protection Regulation, including the right to access, rectification, erasure, data portability, and the right to object to processing. Our legal basis for processing your data is legitimate interest (providing the Service you requested) and, where applicable, your consent. To exercise these rights, contact us at the address below.

For California residents (CCPA)

If you are a California resident, you have the right to know what personal information we collect and how it is used, to request deletion, and to not be discriminated against for exercising your rights. We do not sell personal information. To exercise these rights, contact us at the address below.

For New York residents

We comply with applicable New York state privacy and data security laws, including the SHIELD Act. If we become aware of a data breach affecting your personal information, we will notify you in accordance with New York law.

7. Children's Privacy

The Service is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, please contact us and we will delete it.

8. Changes to This Policy

We may update this Privacy Policy from time to time. The effective date at the top indicates when the current version took effect. Continued use of the Service after changes constitutes acceptance of the updated policy.

9. Contact

For privacy-related questions, data requests, or concerns:

Email: contact@dhulabs.com
