When you sign up, we collect your email and a hashed password (bcrypt). We never store passwords in plaintext. Display name and profession are optional and self-reported.
When you chat, we store the message content and the model's reply along with token-level cost figures. This is required to compute your usage and for billing (when applicable).
The data inside CasmoZ — permits, assessor records, etc. — is sourced from public government APIs. We do not sell or resell raw datasets. CasmoZ adds value through the AI layer; the underlying public data remains public.
We use one cookie: a NextAuth JWT session cookie. It is HTTP-only, SameSite=Lax, and expires 30 days after your last activity.
You can export all your data (chat history, saved entities, billing history) at any time as a single JSON file. You can delete your account from Settings; deletion is permanent and immediate.
Payments are processed by a PCI-DSS Level 1 certified payment provider. We never see, store, or transmit your card number — all PCI-relevant data is handled outside our infrastructure. We retain only an opaque customer reference and your subscription state.
Questions? Reach out.