OBSIDIANAITerms of Service →

Privacy Policy

Effective date: 14 March 2026

Obsidian AI ("we", "us", "our") is committed to protecting your personal information. This Privacy Policy explains what data we collect, why we collect it, how we use and store it, and your rights over it. It applies to all users of obsidianai.app and related services.

By using our Service, you acknowledge that you have read this Privacy Policy. If you do not agree, please stop using the Service and contact us to delete your account.

1. Data We Collect

1.1 Account Data

  • Username, email address, hashed password — collected on registration.
  • Terms of Service acceptance timestamp — recorded when you create your account.
  • Email verification status — whether your email has been verified.
  • Two-factor authentication status — whether 2FA is enabled (the TOTP secret is stored encrypted).

1.2 Usage Data

  • LLM usage events: model used, input token count, output token count, latency, session ID, timestamp. Message content is not stored in usage events.
  • Credit quota: monthly credits allocated, credits consumed, billing period dates.
  • Session and message history: agent sessions, messages, and file attachments you create — stored in our database for the purpose of providing the chat and agent features.
  • Login events: timestamps of successful and failed login attempts; account lockout state.

1.3 Billing Data

  • We store the Paystack customer code and subscription code associated with your account, and your current subscription status and plan tier.
  • We do not store your card number, CVV, or full payment details. All payment processing is handled by Paystack.

1.4 Third-Party API Keys (BYOK)

If you provide API keys for third-party LLM providers, those keys are stored encrypted in our database using AES-256 encryption with a platform-managed key. We access these keys only to make API calls on your behalf.

1.5 Technical Data

  • IP addresses may appear in server logs for security and abuse prevention purposes.
  • We use Sentry for error tracking. Error events include stack traces and may include request metadata (URL, method, status code). Sensitive fields (passwords, tokens, API keys) are scrubbed before any data is sent to Sentry.

2. How We Use Your Data

  • To provide the Service — authenticate your account, run agents, process LLM requests, store your configurations.
  • To enforce billing and usage limits — track credits consumed, gate tier features, process subscription events from Paystack.
  • To communicate with you — send email verification codes, password reset links, billing receipts, and important service announcements. We do not send marketing emails without your explicit consent.
  • To maintain security — detect abuse, enforce rate limits, investigate suspicious activity.
  • To fix bugs and improve reliability — Sentry error reports help us diagnose and resolve issues.
  • We do not sell your data, use your data for advertising, or use your data to train AI models.

3. Data Storage and Security

  • Database: Your data is stored in MongoDB Atlas. Data is encrypted at rest by the database provider.
  • Encryption in transit: All connections to the Service use TLS (HTTPS). API keys stored at rest are additionally encrypted using AES-256 at the application layer.
  • Passwords: Stored as bcrypt hashes. We never store or transmit plain-text passwords.
  • Refresh tokens: Stored in our database with one-time-use rotation — each token is invalidated when used.
  • File uploads: Stored in MongoDB GridFS (our database cluster). Not accessible to other users.
  • Data residency: Our MongoDB cluster is hosted on MongoDB Atlas. The specific region may vary; contact us for current data residency information.

4. Third-Party Services

We share limited data with the following third parties as necessary to provide the Service:

Paystack

Payment processor. We share your email address and billing information. Governed by Paystack's Privacy Policy.

Anthropic / Fireworks AI / Other LLM Providers

Your prompts and messages are sent to whichever LLM provider you or your agent is configured to use. Each provider's privacy policy governs how they handle this data.

Sentry

Error tracking. Receives anonymised crash reports. Sensitive fields are scrubbed before submission. Governed by Sentry's Privacy Policy.

Tavily

Web search tool. When you use the web_search agent tool, your queries are sent to Tavily's API.

We do not share your data with any other third parties except as required by law (e.g., in response to a valid court order).

5. Data Retention

  • Your account data and content are retained for as long as your account is active.
  • Usage events (token usage logs) are retained for 12 months for billing reconciliation, then deleted.
  • Server logs containing IP addresses are retained for up to 90 days.
  • On account deletion, all your data is permanently erased from our active database within 30 days (see Section 6).
  • Backups may retain deleted data for up to 30 additional days after deletion.

6. Your Rights

Depending on your location, you may have the following rights under applicable data protection law (including POPIA in South Africa, GDPR in the EU/EEA, and CCPA in California):

  • Right of access: Request a copy of the personal data we hold about you.
  • Right to rectification: Correct inaccurate data (you can update most data yourself in your account settings).
  • Right to erasure (right to be forgotten): Delete your account and all associated data via DELETE /account in the API, or by contacting us. We will process the deletion within 30 days.
  • Right to data portability: Export your data in machine-readable format via the account export feature (coming soon).
  • Right to object: Object to processing of your data where we rely on legitimate interests as a lawful basis.
  • Right to withdraw consent: Where we rely on consent, you may withdraw it at any time.

To exercise these rights, email us at privacy@obsidianai.app. We will respond within 30 days. We may need to verify your identity before fulfilling a request.

7. Children's Privacy

The Service is not directed at individuals under the age of 18. We do not knowingly collect personal data from anyone under 18. If you believe we have inadvertently collected such data, please contact us and we will delete it promptly.

8. Cookies

The Service uses session tokens (stored in browser memory via NextAuth) for authentication. We do not use third-party tracking cookies or advertising pixels. If we introduce non-essential cookies in the future, we will update this policy and display a consent banner as required by applicable law.

9. International Transfers

Our services are operated from South Africa. By using the Service, you consent to the transfer of your data to infrastructure providers (MongoDB Atlas, Sentry) that may process data in other countries. We ensure that any such transfers are governed by appropriate contractual safeguards.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email at least 14 days before they take effect. The current effective date is always shown at the top of this page.

11. Contact & Data Enquiries

For any privacy-related questions, data requests, or complaints, contact our data privacy team at: privacy@obsidianai.app.

If you are in the EU/EEA and are not satisfied with our response, you have the right to lodge a complaint with your local supervisory authority.

© 2026 Obsidian AITerms of Service