Privacy Policy

Reasonate (“Reasonate,” “we,” “us”) is a small project that helps people demonstrate understanding by explaining concepts to an AI, which then evaluates their reasoning. This policy explains what data we collect, why, who we share it with, and your choices. Reasonate is operated by [[NEEDS: operator name]] as an individual / small-team project, not a registered company. Questions: [[NEEDS: contact email]], or use /contact.

Who this applies to

Reasonate is used by (a) learners and educators in classroom-style settings, and (b) job candidates completing interview-style assessments shared by a hiring organization. This policy covers both groups.

What we collect

• Account information: your email address, a password (stored as a bcrypt hash with cost factor 10 — never in plain text), and an optional display name and public handle. If you sign in via Google, we also store the OAuth account record that NextAuth creates (provider, refresh / access tokens) so we can keep you signed in.
• Profile and gamification state: optional bio, optional avatar/banner cosmetic picks, XP total, level, streak counters, and which achievements you’ve unlocked.
• Your reasoning conversations: every message you and the AI exchange while explaining a topic is stored as a row in our Turn table, tied to a Conversation tied to your account (or to an anonymous submission link if a teacher shared an assignment publicly). The full transcript is retained so you and any teacher who assigned the work can review it later.
• Assessment data: mastery level (0–5), display score (0–100), evidence-confidence band, per-attribute evidence items, the AI’s feedback summary, and which Mastery Map version scored you. For graded or hiring assignments, the assigning teacher or organization can see your submission and transcript.
• Integrity signals: while you’re in a conversation we record client-detected events such as paste, tab-away duration, and total time-on-task per turn. Teachers configure per-assignment policies that decide whether these affect a score.
• Uploaded learning material: if you upload a PDF, DOCX, or pasted text, we store the original file in Google Cloud Storage and the extracted plain text in our database so it can be used to generate a rubric or ground the AI’s questions.
• Payment data (only if you upgrade to a paid plan): Stripe handles payment; we keep a payment record (amount, currency, status, Stripe’s payment-intent id) and your Stripe customer id. Card details never touch our servers.
• Contact-form submissions: if you message us through /contact, we store your email, message, and a SHA-256 hash of your IP address (first 16 hex chars, used to spot abuse without storing the raw address).
• Cookies / session: NextAuth sets a JWT session cookie (next-auth.session-token) that is HTTP-only, Secure, and SameSite. We do not use third-party analytics, marketing, or cross-site tracking cookies.

We don’t ask for sensitive categories of data (race, health, sexual orientation, biometric, etc.) and don’t intentionally collect them. Conversation content is whatever you choose to type — please don’t paste material you don’t want stored.

How we use it

To run the service: create your account, hold the AI conversation, generate your scores and evidence, show you your results, and (when an educator or organization assigned the work) share results with that educator or organization. We use your email for authentication and for transactional communications such as password reset. We do not sell your personal data, and we do not run ad networks against it.

Automated assessment (important)

Reasonate uses Google’s Gemini API to evaluate and score your responses. Your mastery level, evidence-confidence band, and display score are produced by automated processing. This applies to learner practice and to job-candidate assessments alike. For graded or hiring use, a human reviewer (your teacher or the hiring organization) sees your transcript and score and can override the AI’s output via the per-assignment review tools. If you want to understand or contest a score, contact us at [[NEEDS: contact email]].

Who we share it with (third parties)

We use the following service providers to run Reasonate:

• Google (Gemini API): we send the topic name, topic description, the educator’s rubric, optional source material, and the conversation transcript so far (every turn, both yours and the AI’s) to Gemini so it can generate the next AI message and, on completion, extract evidence and produce a score. We use the standard Gemini API; we have not negotiated a custom data-processing agreement and have not enabled any opt-out from training on the standard tier [[NEEDS: confirm whether Gemini API tier excludes training; this depends on the account, not the code]].
• Neon (managed PostgreSQL): our database host. All user data — accounts, transcripts, scores, payments, contact-form messages — lives in a Neon-hosted Postgres database. Connection is over TLS.
• Google Cloud Storage: originals of files you upload (PDF / DOCX) are stored in a private GCS bucket; only Reasonate’s server credentials can read them for processing. (Generated evidence exports may be made temporarily readable via signed URLs.)
• Stripe: if you subscribe to a paid plan, Stripe processes the payment. We send Stripe your email and an internal user id; you give Stripe your card details directly through their hosted checkout. We never see your card number.
• Hosting platform: the web app runs on [[NEEDS: confirm hosting platform (Vercel, Render, self-hosted, etc.)]] which sees inbound HTTP requests in order to serve responses.
• Email delivery: at the moment, no outbound transactional email provider is wired up in the codebase. Password reset tokens are generated server-side but are not yet automatically emailed; if you need a password reset today, contact us. Once an email provider is added we will list it here.

We share assessment results and conversation transcripts with the educator or organization that assigned the work. We do not otherwise sell, rent, or trade your personal data, and we do not embed third-party analytics or advertising SDKs.

Data retention

We do not currently auto-delete anything. Conversations, transcripts, scores, integrity events, uploaded material, and account data are retained until you ask us to delete them or until we wind the service down. Password-reset tokens expire after one hour and are single-use; old / expired tokens are not yet auto-purged. To request deletion, email [[NEEDS: contact email]].

Your choices and rights

We do not currently have a self-service account-delete or data-export button. To request access to, correction of, export of, or deletion of your data, email [[NEEDS: contact email]] and we’ll handle it manually. Depending on where you live (for example the EU / UK or California) you may have additional rights under laws such as the GDPR or CCPA — the same email is how you exercise them.

Children

The product has no age gate and no parental-consent flow. Reasonate is not directed at children under 13, and we do not knowingly collect their personal data. If you believe a child has provided us data, contact us and we will remove it. If Reasonate is used in a school setting with minors, the school is responsible for any required parental consents and for the lawful basis on which student data is processed.

Security

Reasonate takes reasonable steps to protect your data: passwords are bcrypt-hashed, password-reset tokens are SHA-256-hashed and single-use, the database connection uses TLS, and admin features are gated server-side. We have not been independently audited (no SOC 2, no ISO 27001, no formal pen-test), and as a small project we cannot guarantee absolute security. No method of storage or transmission on the internet is completely secure.

Changes

We may update this policy — for example as we add features, change subprocessors, or wire up a different email provider. When we do, we’ll change the “Last updated” date at the top of this page.

Contact

Operator: [[NEEDS: operator name]]. Contact: [[NEEDS: contact email]] (or send a note via /contact).