Privacy Policy

IdeaScore (“we”, “us”, “our”) is an AI-powered idea validation platform. Our registered contact for data matters is privacy@ideascore.app.

Account data

• Name and email address (provided at sign-up)
• OAuth tokens when you sign in with Google or GitHub (not stored permanently)
• Password hash (bcrypt, never stored in plaintext)

Usage data

• Idea texts you submit for analysis
• AI-generated analysis reports linked to your account
• Research queries performed during analysis
• Name suggestions generated for your ideas
• Comparison groups you create
• Public profile information (username, bio) if you choose to create one

Payment data

• Subscription status and plan level. Payment card details are processed exclusively by Stripe and are never stored on our servers.

Technical data

• Session tokens (stored in an HttpOnly cookie, expire after 30 days)
• IP address and user-agent (stored by BetterAuth for rate-limiting)

• Contract performance — to provide the service you signed up for.
• Legitimate interests — fraud prevention, rate-limiting, service security.
• Consent — sending optional email communications (you may withdraw at any time).
• Legal obligation — retaining billing records as required by law.

• Authenticate you and maintain your session
• Run AI analysis on ideas you submit
• Store and surface your analysis history (paid plans)
• Process payments via Stripe
• Send transactional emails (verification, payment receipts)
• Enforce rate limits and prevent abuse
• Display analysis history within your private dashboard (your ideas are never shared publicly)

We do not sell your data to third parties.

We share data only with the following sub-processors:

• Anthropic — idea text is sent to Claude API for analysis. Anthropic's API data-handling policy applies.
• Stripe — payment and subscription management. Stripe is a certified PCI DSS Level 1 provider. See Stripe's Privacy Policy.
• Resend — transactional email delivery.
• Vercel — hosting and serverless function execution.

All sub-processors are contractually bound to process data only as instructed.

We use only essential cookies:

• better-auth.session_token — authenticates your session. HttpOnly, Secure, SameSite=Lax. Expires after 30 days.
• ideascore-theme — remembers your light/dark mode preference. Stored in localStorage, never sent to our servers.
• ideascore-cookie-consent — remembers your cookie banner choice. Stored in localStorage.

We do not use advertising, tracking, or analytics cookies. You can re-show the cookie notice at any time via the Cookie Notice link in the footer.

• Account and idea data: retained until you delete your account.
• Session tokens: expire after 30 days of inactivity.
• Stripe billing records: retained for 7 years as required by financial regulations.

If you are located in the EU or UK, you have the right to:

• Access — download a copy of all data we hold about you (Settings → Download My Data).
• Erasure — delete your account and all associated data (Settings → Delete Account).
• Rectification — update your name or email in Settings.
• Portability — your data export is provided in machine-readable JSON format.
• Restriction / Objection — contact us at privacy@ideascore.app.
• Withdraw consent — unsubscribe from emails at any time via the link in any email.

You also have the right to lodge a complaint with your local supervisory authority (e.g. the ICO in the UK, or your national DPA in the EU).

All data is transmitted over TLS. Passwords are hashed with bcrypt. Database access is restricted to application services only. We employ parameterised queries throughout to prevent SQL injection.

IdeaScore is not directed at children under 16. We do not knowingly collect data from anyone under 16. If you believe we have done so, please contact us immediately.

We will notify registered users by email of any material changes. Continued use after the effective date constitutes acceptance.

For any privacy questions or to exercise your rights: privacy@ideascore.app