Privacy Policy

ConGro AI (“we”, “us”, “our”) is operated by Oddly Effective LLC, a Florida limited liability company. Questions about your data: start@oddlyeffective.com.

We only collect what we need to provide, bill for, secure, and improve the Service.

Account data

• Email address (required for sign-in)
• Hashed password (we never see your plaintext password; Supabase Auth handles it)
• Optional profile fields: display name, handle, nickname, work description, avatar URL
• Subscription plan, status, credit balance, billing period dates
• Administrative flags (admin role, if applicable)

Product usage & chat

• Messages you send to the AI and the AI's responses, stored so your chat history persists across sessions
• Credit usage events (model used, token counts, feature tag, timestamp, credit cost)
• Desktop-app active-session heartbeats (device ID, platform, client version, last-seen timestamp)
• Support events emitted by the desktop app (support code, event type, optional message)
• Crash and error reports from the desktop app (error type, stack, scrubbed context snippet, app version)
• Pageview and UI-interaction analytics via PostHog (see below). Events are not tied to your email at the PostHog side and are identified only by a random internal id.

Billing

• Stripe holds your card details, address, and identity documents; we do not. We keep only a mirror of invoice metadata (amount, currency, status, invoice URL, paid-at timestamp) and the Stripe customer/subscription ID so we can match charges to your account.
• Charges appear on your bank statement as ODDLY EFFECTIVE.

What we do NOT collect

• We do not read, upload, or index your ETABS / SAP2000 model files, geometry, or design outputs beyond what you explicitly paste into the chat.
• We do not scan files on your computer outside the ConGro AI data folder.
• We do not sell your personal data.
• We do not share your data with advertisers or data brokers.
• We do not use your prompts, chat history, or outputs to train general-purpose AI models.
• We do not collect biometric, precise-geolocation, or financial data outside Stripe's scope.

Retention

• Account + subscription data: kept while your account is active, then deleted within 30 days of account deletion (except where we're required to keep it for a legal reason — see below).
• Chat history + usage logs: 24 months, unless you delete them sooner or delete your account.
• Analytics events (PostHog): 12 months.
• Error reports: 90 days.
• Financial records (invoices, tax): 7 years after the calendar year of the transaction, as required by US tax law. After that we delete or pseudonymize.

• Operate the Service — authenticate you, serve AI responses, bill your subscription, enforce credit limits.
• Support — respond when you email us, investigate bugs, diagnose issues using support codes.
• Security — detect and prevent fraud, abuse, or unauthorized access.
• Improve the product — analyze aggregate, anonymized usage patterns to decide what to build next. We do not read individual chats for this.
• Legal compliance — respond to lawful requests, preserve records we're legally required to keep, enforce our Terms.
• Communications — send billing notices, product updates, and service announcements. We do not send marketing emails without your opt-in.

These third parties process your data on our behalf so the Service can function:

Each of these providers is bound by its own privacy commitments. Cross-border transfers (for example, when a user outside the US sends a request to our US-based Supabase) rely on Standard Contractual Clauses or equivalent safeguards where required.

Depending on where you live, you may have some or all of the following rights. We honor them regardless of where you live, to the extent practical:

• Access — request a copy of your data. Settings → Account → “Export my data” produces a JSON archive.
• Correction — correct inaccurate personal data in Settings → General.
• Deletion — delete your account and personal data via Settings → Account → “Delete account”. Financial records are retained as described above.
• Portability — receive your data in a machine-readable format (JSON).
• Opt out of sale / sharing — we don't sell or share your data for targeted advertising. There's nothing to opt out of.
• Non-discrimination — we will not deny service, change prices, or degrade quality because you exercised a privacy right.
• Appeals (for US state-law requests that are denied) — email start@oddlyeffective.com.

California residents. Under the CCPA/CPRA you can exercise the rights above. We do not sell personal information and do not share it for cross-context behavioral advertising. Categories we collect are listed under “What data we collect”.

Other US states (Virginia, Colorado, Connecticut, Utah, Texas, etc.) have similar rights which we also honor.

EU / UK / EEA / Swiss residents. The Service is not actively marketed in the EU. If you use it from the EU you have rights under GDPR / UK GDPR (access, rectification, erasure, restriction, portability, objection, withdraw consent, and to lodge a complaint with your local supervisory authority). Because we're not EU-established and not offering goods or services in the EU, we have not appointed an Article 27 Representative; if that changes we'll update this policy before accepting EU users.

To exercise any right, use the in-app controls or email start@oddlyeffective.com. We respond within 30 days and may need to verify your identity before acting.

Passwords are hashed by Supabase Auth (we never see the plaintext). Connections use TLS 1.2 or higher. Access to our database is restricted to a small number of named administrators and audited. No system is 100% secure — if you suspect unauthorized access to your account, contact us immediately.

If we experience a personal-data breach that's likely to result in material risk to you, we will notify affected users by email without undue delay and comply with any applicable state breach-notification laws. Where required, we will also notify the relevant supervisory authority within 72 hours of becoming aware of the breach.

We use a small number of first-party cookies and localStorage items to keep you signed in, remember your admin-tab preference, cache your profile, and remember your cookie-consent choice. We don't use advertising cookies or cross-site tracking. PostHog uses a first-party cookie (or localStorage fallback) with a random, not-email-linked, identifier to stitch pageviews; you can decline this via our cookie banner.

ConGro AI is a professional engineering productivity tool intended only for users 18 years of age or older. We do not knowingly collect personal data from children under 18. If we learn that we have inadvertently collected data from a child, we will delete it.

If you use the Service from outside the United States, you consent to the transfer of your personal data to the United States, where our servers are located and our personnel work. US laws may not provide the same level of data protection as the laws of your country. See the Terms of Service Section 18 for more.

We may update this Policy. Material changes will be announced via email to the address on your account and noted with a new “Last updated” date at the top. Continued use of the Service after the effective date constitutes acceptance.

• Privacy / data requests: start@oddlyeffective.com
• General support: start@oddlyeffective.com
• Parent company: Oddly Effective LLC, a Florida limited liability company
• Website: https://oddlyeffective.com