Privacy Policy
CrossCheck AI — A Platilus Product
1. Data Controller
Platilus LLC ("Platilus", "we", "us") is the data controller for personal data collected through platilus.com and the CrossCheck AI service ("Service").
- Registered address: D. Agmashenebeli Avenue, N 177, Floor 1, Apartment N5, Kobuleti district, Georgia
- Registration number: 447010323
- General contact: [email protected]
- Data Protection contact: [email protected]
This Privacy Policy applies globally to all users of the Service, regardless of location. Where local laws provide additional or different rights, they are described in the jurisdiction-specific sections (§14). We comply with the most protective standard applicable to each user.
2. Our Role: Controller and Processor
CrossCheck AI is a verification service that orchestrates analysis across multiple AI models. Depending on how you use the Service, we act in different capacities under GDPR Article 4:
BYOK mode (verification session): Your verification request is sent to our server, which orchestrates multi-model analysis by forwarding your request to your chosen AI providers using your API keys. We process the request solely to execute the verification. We do not use your task content for any purpose other than executing your verification and returning results to you. We act as a data processor for the duration of the session.
Hosted mode (verification session): Currently available to selected beta administrators only. In Hosted mode, your input is forwarded to LLM providers using our credentials. We do not currently apply automated PII redaction; we recommend that users avoid submitting highly sensitive personal information (government IDs, financial account numbers, medical records) when using Hosted mode. We act as a data processor for verification content, with the same data-handling commitments as BYOK mode.
Account administration (all modes): We are the data controller for account data — your email address, encrypted API keys, account preferences, and authentication state. Legal basis: contract performance (GDPR Art. 6(1)(b)) for service delivery, and legitimate interest (Art. 6(1)(f)) for security and abuse prevention.
Service operation logging (all modes): We are the data controller for session metadata generated during verification (token counts, model versions, latency, cost, structural data such as atomic claims extracted by our analysis pipeline). Legal basis: legitimate interest in service operation, quality monitoring, and improvement (see §6 Data Flywheel for current and planned use).
Feedback (all modes): We are the data controller based on your explicit consent when you voluntarily submit ratings or corrections.
3. What We Collect
Data collection differs by service mode.
3.1. All users
- Email address — provided through OTP-based sign-in to the Service, or through email signup forms on platilus.com
- Authentication cookies — Supabase session cookies (essential, required for login functionality in the Service)
- CSRF protection cookies — Next.js __Host- cookies (essential, required for security in the Service)
- A/B testing cookie — cc_variant cookie (essential for site functionality on platilus.com, 30-day duration, contains only an A/B test variant identifier)
- Cookie preference cookie — cc_consent cookie (essential, records your choice on the cookie banner, 365-day duration)
- IP address — temporarily logged in server logs for security and abuse prevention (90-day rolling retention)
We use Plausible Analytics on platilus.com for cookieless, privacy-friendly aggregate analytics (page views, referrers, country-level location). Plausible does not use cookies, does not collect personal data, and operates exclusively from the European Union (Germany). It cannot be used to identify individual visitors.
We do not use Google Analytics, Google Tag Manager, Facebook Pixel, PostHog, Hotjar, Clarity, or any other tracking analytics. If we add such tools in the future, we will update this Privacy Policy and obtain consent where required by applicable law.
3.2. BYOK mode users
- API keys: Encrypted with AES-256-GCM and stored in our database. The encryption key is stored separately from the encrypted data. We decrypt your keys solely to execute verification requests on your behalf. Keys are never logged in plaintext, displayed in full, or shared with third parties. You can view masked versions, update, or delete your keys at any time through Settings.
- Session data: AI model responses, identified disagreements between models, confidence scores, atomic claims extracted by our verification pipeline, cost and performance metrics. This data may reflect content from your verification request.
- Feedback: Ratings and corrections you voluntarily submit.
3.3. Hosted mode users
When Hosted mode is enabled for your account, the following additional processing applies:
- Task text: Forwarded to selected LLM providers (see §7) using our API credentials. Task text is held in server memory during the session and stored as part of session data alongside model responses (see retention in §8).
- Session data: Same as BYOK mode (responses, disagreements, claims, metadata).
- PII redaction: Not currently applied automatically. We recommend avoiding highly sensitive personal information in Hosted mode submissions. An automated PII scrubber is planned for a future release.
3.4. Email signup forms (platilus.com)
When you sign up for early access through forms on platilus.com (homepage, about page, blog articles), we collect:
- Email address — your submitted address
- Source attribution — UTM parameters (utm_source, utm_medium, utm_campaign, utm_content) from the URL, if present, and source (referrer or direct)
- Page — which page you submitted from
- A/B test variant — value of the cc_variant cookie (used to evaluate landing page variants)
This data is sent to Formspree (our form processor — see §7.1), which forwards it to our internal email address ([email protected]). We use this data to: (a) contact you about beta access, (b) understand which marketing channels reach interested users.
Legal basis: consent (Art. 6(1)(a)) — your submission of the form constitutes consent to receive a reply from us. You can withdraw consent at any time by contacting [email protected] to be removed from our mailing list.
3.5. Sensitive Personal Data (GDPR Article 9) — User Responsibility
CrossCheck AI is not designed to process special categories of personal data as defined by GDPR Article 9. These categories include:
- Data revealing racial or ethnic origin
- Data revealing political opinions, religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data for the purpose of uniquely identifying a person
- Data concerning health (physical or mental)
- Data concerning a person's sex life or sexual orientation
You agree not to submit such data to the Service. This includes verification queries, feedback corrections, and any other content you provide.
If you submit Article 9 data despite this prohibition:
- We process it on the same legal basis as ordinary task content (Art. 6(1)(f) — Legitimate Interest), not under Art. 9(2) special-category basis. We have not obtained your explicit consent for special-category processing and do not rely on any other Art. 9(2) exception.
- The third-party AI providers receiving your query (per §7.2 — BYOK or Hosted mode) may apply their own usage policies, which can include refusal to respond, content filtering, or account-level enforcement.
- We cannot guarantee the elevated protection that GDPR Art. 9 requires for sensitive data — your standard L3 PII protections (encryption-at-rest, scrubbing of detected entities) still apply, but no Art. 9-specific safeguards exist in our pipeline.
If you need to verify content involving health, legal, or other sensitive matters, redact the sensitive details before submission. For example, replace "I have type-2 diabetes" with "I have a chronic medical condition" — preserve the structure of your question without disclosing the specific category.
Acknowledgment in product: First-time users of the Service will be asked to acknowledge this clause via a one-time confirmation in the application interface. Continued use of the Service after this acknowledgment constitutes ongoing acceptance of this clause.
3.6. What we never collect
- Passwords of third-party services
- Government-issued ID numbers (except as may be incidentally included in submitted task text — see §3.3 advisory above)
- Health or biometric data — see §3.5 for full disclosure
- Payment card details (when payment is enabled in the future, processing will be performed by a PCI-compliant payment provider)
4. Legal Basis for Processing
Under GDPR Article 6, we process personal data on the following bases:
| Data Type | Legal Basis | GDPR Article |
|---|---|---|
| Email signup, account authentication | Contract | Art. 6(1)(b) |
| Account management, service delivery | Contract | Art. 6(1)(b) |
| Session data and metadata logging | Legitimate Interest | Art. 6(1)(f) |
| Voluntary feedback (ratings, corrections) | Consent | Art. 6(1)(a) |
| Server logs (security, abuse prevention) | Legitimate Interest | Art. 6(1)(f) |
| API key encrypted storage and decryption for service execution | Contract | Art. 6(1)(b) |
Legitimate Interest Assessment (session logging): We have conducted a Legitimate Interest Assessment (LIA). Logging session metadata serves the purposes of service operation, quality monitoring, abuse detection, and product improvement. Rights of data subjects are protected through: encryption at rest, access controls, the right to request deletion, and the right to opt out of non-essential logging via [email protected]. The risk to rights and freedoms is minimal compared to the benefit.
Mandatory vs. optional data (Art. 13(2)(e)): Providing your email address is required to create an account and use the Service. If you do not provide it, you cannot access CrossCheck AI features that require authentication. All other personal data (feedback, corrections, profile details) is optional — withholding it does not restrict your access to core verification features.
5. How We Use Data
- Providing the CrossCheck AI verification service
- Executing your verification requests across selected AI models
- Maintaining account security and preventing abuse
- Improving verification quality through aggregated, structured analysis of model behavior (see §6)
- Communication about product updates (only to users who opted in)
We do not use your personal data for advertising, profiling for marketing purposes, or sale to third parties.
6. Data Flywheel: Current State and Planned Development
CrossCheck AI's value depends on understanding where AI models agree and disagree. We do this by analyzing structured data from verification sessions.
Current state (as of the effective date of this Policy):
We log session metadata (token counts, model versions, costs, latency, atomic claims extracted by our verification pipeline) for service operation, quality monitoring, and product improvement. This data is associated with your account but is not used for advertising, profiling for marketing, or shared with AI providers for their model training.
Planned during beta period:
- Self-service opt-out toggle in account settings
- First-session notice informing users about logging and opt-out options before any session-related data is collected
- Full pseudonymization pipeline for cross-session learning, separating analytical data from user identifiers using GDPR-recognized pseudonymization techniques
How we will update you:
We will update this section of the Privacy Policy when each capability becomes available. Email subscribers and active users will receive notification of all material changes with at least 14 days' notice before changes take effect.
To opt out today:
Contact [email protected] from the email address associated with your account. We will apply opt-out to all future sessions within 30 calendar days. We will also delete previously stored session metadata associated with your account upon request, except where retention is required by law or by overriding legitimate interest (e.g., security investigation in progress).
7. Third-Party Processors
A current and complete list of sub-processors is maintained at platilus.com/legal/subprocessors. The following describes categories and key processors as of the effective date of this Policy.
7.1. Infrastructure and website
| Processor | Purpose | Jurisdiction | DPA Reference |
|---|---|---|---|
| Supabase Inc. | Database (PostgreSQL), Authentication | USA (AWS us-east-1) | supabase.com/legal/dpa |
| Railway Corp. | Application hosting | USA | railway.app/legal/dpa |
| Cloudflare Inc. | CDN, DNS, DDoS protection | Global edge network | cloudflare.com/cloudflare-customer-dpa |
| Plausible Insights OÜ | Privacy-friendly website analytics (cookieless) | EU (Estonia / Germany) | plausible.io/dpa |
| Formspree Inc. | Email signup form on platilus.com | USA | formspree.io/legal/dpa |
7.2. AI Service Providers
In BYOK mode, your verification request is processed by AI providers you select using your own API keys. In Hosted mode, the Service uses our credentials with selected providers. In both modes, task text passes through our server for verification orchestration.
Approved AI providers:
| Provider | Models | Hosting | DPA Reference | Transfer Mechanism |
|---|---|---|---|---|
| Anthropic PBC | Claude Opus 4.6, Sonnet 4.6, Haiku 4.5 | USA | anthropic.com/legal/dpa | EU-US DPF + SCCs |
| OpenAI Inc. | GPT-5.3, GPT-5, GPT-4o | USA (Microsoft Azure) | openai.com/policies/data-processing-addendum | EU-US DPF + SCCs |
| Google LLC | Gemini 2.5 Pro, Gemini 2.5 Flash | USA / EU (GCP, Frankfurt option) | cloud.google.com/terms/data-processing-addendum | EU-US DPF + SCCs |
| Microsoft Corp. (Azure) | DeepSeek R1 (Microsoft-hosted) | EU (West Europe) | servicetrust.microsoft.com/DocumentPage/dpa | Microsoft Online Services DPA + SCCs |
| Mistral AI | Mistral Large, Mistral Medium | EU (France) | mistral.ai/terms#data-processing-agreement | SCCs |
Important distinction — PRC-origin models vs. PRC-hosted endpoints:
Some AI models (such as DeepSeek R1) were originally developed by companies headquartered in the People's Republic of China. However, when these models are hosted and served by Microsoft Azure or Amazon Web Services, your data is processed by Microsoft or Amazon — not by the original Chinese developer. In these cases, a DPA exists with the hosting provider, data remains in the EU/US, and standard GDPR transfer mechanisms apply. These intermediary-hosted models are treated as approved providers.
Prohibited endpoints: Direct API connections to AI providers headquartered in jurisdictions without adequate data protection (as recognized by the European Commission) are PROHIBITED for Hosted mode. This currently includes all direct PRC-based endpoints:
| Restricted Endpoint | Parent Company | Jurisdiction | Status |
|---|---|---|---|
| api.deepseek.com | DeepSeek | China | Prohibited (direct) |
| dashscope.aliyuncs.com (Qwen) | Alibaba Cloud | China | Prohibited |
| api.baichuan-ai.com | Baichuan Inc. | China | Prohibited |
| api.lingyiwanwu.com (Yi) | 01.AI | China | Prohibited |
| open.bigmodel.cn (GLM) | Zhipu AI | China | Prohibited |
| api.minimax.chat | MiniMax | China | Prohibited |
| api.moonshot.cn (Kimi) | Moonshot AI | China | Prohibited |
| All other direct PRC endpoints | Various | China | Prohibited |
This restriction applies because: (a) the PRC Personal Information Protection Law (PIPL) permits government access to data without judicial oversight comparable to GDPR standards; (b) no adequacy decision exists between the EU and PRC; (c) Standard Contractual Clauses cannot effectively mitigate the risk of state access under PRC National Security Law.
BYOK users and restricted providers: The Service currently does not support direct BYOK connections to PRC-based API endpoints. If this changes in the future, the interface will display a jurisdictional warning and require explicit acknowledgment of risks before any connection is established. We reserve the right to immediately disable access to any provider that becomes subject to international sanctions, export controls, or regulatory orders.
Model training policies: Approved AI providers listed above (Anthropic, OpenAI, Google, Microsoft Azure, Mistral) do NOT use data submitted via API for model training. For details on each provider's data handling, see their respective DPAs linked in the table above.
8. Data Retention
We currently retain data until you request deletion. Automated retention windows are planned for a future release. Until automated retention is implemented:
| Data Type | Retention Period |
|---|---|
| Email address (account identifier) | Until account deletion |
| Encrypted API keys | Until you delete a key in Settings, or account deletion |
| Session data and metadata | Until you request deletion via [email protected] |
| Server logs (security/debugging) | 90 days rolling retention (automatic rotation) |
| Account preferences | Until account deletion |
To request deletion: Email [email protected] from the email address associated with your account. We will:
- Verify your identity (typically by confirming the request from your account email)
- Delete your data within 30 calendar days (15 days for Georgia residents, 15 business days for Brazil residents — see §14)
- Confirm completion via email
What persists after account deletion:
- Server logs containing your IP address may be retained for up to 90 days from the date of the request, after which they are automatically deleted by log rotation
- Backups: Supabase performs automated daily database backups with up to 7-day retention. Deleted data may persist in backups until backup rotation completes (maximum 7 additional days)
- Aggregated, non-identifying analytical data is not subject to deletion under GDPR Recital 26 if it cannot be linked to you
Planned (during beta period): Self-service deletion via account settings, automated retention windows for session data, audit log of deletion operations.
9. Your Rights
Under GDPR and applicable data protection laws, you have the right to:
- Access your personal data (Art. 15)
- Rectify inaccurate data (Art. 16)
- Erasure ("right to be forgotten") (Art. 17)
- Restrict processing (Art. 18)
- Data portability — receive your data in a structured format (Art. 20)
- Object to processing based on legitimate interest (Art. 21)
- Withdraw consent at any time without affecting the lawfulness of prior processing (Art. 7(3))
How to exercise your rights: Contact [email protected]. We will respond within 30 calendar days as required by GDPR Article 12. If we need additional time (up to 60 calendar days for complex requests), we will inform you within the initial 30-day period.
Shorter deadlines by jurisdiction: Georgia residents — 15 calendar days. Brazil residents — 15 business days. We always comply with the shortest applicable deadline for your jurisdiction.
Data portability format: Upon request, your data will be provided in machine-readable JSON format within 30 days via a secure download link.
Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority. For Georgia: Personal Data Protection Service (PDPS) at pdps.ge. For EU residents: your local Data Protection Authority. For UK residents: Information Commissioner's Office (ICO) at ico.org.uk. See §14 for additional jurisdiction-specific authorities.
10. EU Representation and GDPR Article 27
As an entity established in the Republic of Georgia, Platilus LLC processes the personal data of individuals located within the European Economic Area (EEA) in the context of offering our closed beta services. At this current stage of our operational deployment, we do not maintain a physical establishment within the Union, nor have we appointed an EU Representative as defined by Article 27(1) of the GDPR.
Platilus LLC explicitly relies on the exemption provided under GDPR Article 27(2). Our processing activities are currently strictly limited to a closed beta testing phase involving a highly restricted number of users, rendering the processing "occasional" under regulatory guidelines. We do not engage in the large-scale processing of special categories of data (as defined in Article 9) or data relating to criminal convictions (as defined in Article 10). The limited scope and nature of our processing — restricted to account administration, service execution, and session metadata logging — present an unlikely risk to the fundamental rights and freedoms of natural persons.
Data subjects within the EU may direct any inquiries, Data Subject Access Requests (DSARs), or privacy concerns directly to our Data Protection contact at [email protected]. We remain fully committed to responding to all requests within the statutory timeframes mandated by GDPR Article 12 (30 calendar days, or shorter where required by national law).
Upon transition from closed beta to wider commercial availability, or when our processing scale exceeds the threshold for "occasional" processing under Article 27(2), Platilus LLC will appoint an established commercial EU Representative. This Privacy Policy will be updated to reflect that appointment, including the representative's name, address, and contact details, with at least 14 days' notice to existing users via email.
11. Automated Decision-Making
CrossCheck AI generates trust scores and identifies disagreements between AI models. These are informational tools to assist your professional judgment. No automated decisions with legal or similarly significant effects are made based on your personal data within the meaning of GDPR Article 22.
12. International Transfers
The Service is operated from Georgia, which does not currently hold an EU adequacy decision under GDPR Article 45. Personal data processed by Platilus LLC may be transferred from the European Economic Area to Georgia and to sub-processors located outside the EEA.
Transfer mechanisms:
- EEA → Georgia (Platilus LLC): Personal data transferred from the EEA to Georgia is protected by Standard Contractual Clauses (SCCs) adopted by the European Commission (Decision 2021/914), supplemented by additional technical and organizational measures (encryption in transit and at rest, access controls, audit logging) as described in §15.
- Georgia data protection law: Georgia enacted comprehensive personal data protection legislation effective March 1, 2024, closely mirroring the GDPR framework. While this does not constitute an EU adequacy decision, processing activities of Platilus LLC are subject to oversight by the Personal Data Protection Service (PDPS) of Georgia under a substantively equivalent legal regime.
- Sub-processors in the United States: Transfers are protected by the EU-US Data Privacy Framework (where the sub-processor is DPF-certified) and/or SCCs as a fallback mechanism. See §7 for the per-processor mechanism.
- Sub-processors in the EU/EEA: Mistral AI (France), Plausible Insights OÜ (Estonia/Germany), and other EU-based sub-processors do not require additional transfer safeguards beyond GDPR.
For UK residents: Transfers from the UK are additionally protected by the UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU SCC, as required under UK GDPR.
For Swiss residents: Transfers comply with the Swiss Federal Act on Data Protection (FADP) using SCCs as recognized by the Swiss Federal Data Protection and Information Commissioner (FDPIC).
13. Children
Our Service is not intended for individuals under 16 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us personal data, contact [email protected] and we will delete it promptly.
14. Jurisdiction-Specific Rights
The rights in §9 apply to all users globally. The following sections provide additional information required by specific laws.
14.1. European Union / EEA Residents (GDPR)
Your rights under GDPR are described in §9. Supervisory authority: your local Data Protection Authority (list at edpb.europa.eu). Transfer safeguards: SCCs and EU-US DPF (see §12). EU Representative: see §10 regarding our reliance on the Article 27(2) exemption during closed beta.
14.2. United Kingdom Residents (UK GDPR)
UK GDPR provides equivalent rights to EU GDPR as described in §9. Supervisory authority: Information Commissioner's Office (ICO) at ico.org.uk. Transfer mechanism: UK IDTA or UK Addendum to EU SCC (see §12).
14.3. Georgia Residents (Law on Personal Data Protection)
As a company registered in Georgia, we comply with the Georgian Law on Personal Data Protection (effective March 1, 2024). Supervisory authority: Personal Data Protection Service (PDPS) of Georgia. Response time for data subject requests: 15 calendar days (shorter than the 30-day GDPR default). You may lodge a complaint with the PDPS at pdps.ge.
14.4. California and US State Residents
If you are a resident of California or another US state with comprehensive privacy law (including Virginia, Colorado, Connecticut, Oregon, Texas, Montana, Delaware, New Jersey, Minnesota, and others), you have the following rights:
- Right to know what personal data we collect, use, disclose, and share
- Right to delete your personal data
- Right to correct inaccurate personal information
- Right to opt-out of sale or sharing — we do NOT sell or share personal data with third parties for cross-context behavioral advertising
- Right to limit use of sensitive personal information — we do not use sensitive personal information for purposes beyond what is necessary to provide the Service
- Right to non-discrimination for exercising your privacy rights
We recognize Global Privacy Control (GPC) signals as a valid opt-out mechanism as required by California, Colorado, Connecticut, and other state laws.
To exercise these rights, contact [email protected]. We will verify your identity before processing your request.
14.5. Brazil Residents (LGPD)
Under Brazil's Lei Geral de Proteção de Dados (LGPD), you have the right to: confirmation of processing, access, correction, anonymization of unnecessary data, portability, deletion, information about public and private entities with which your data is shared, information about the possibility of denying consent and its consequences, and consent withdrawal. Response time: 15 business days. Supervisory authority: ANPD (Autoridade Nacional de Proteção de Dados).
14.6. Canada Residents (PIPEDA / Quebec Law 25)
Under PIPEDA and Quebec's Law 25, you have the right to access, correct, and withdraw consent for the processing of your personal data. We process your data with your knowledge and consent, or where permitted by law.
14.7. Switzerland Residents (FADP)
Under the Swiss Federal Act on Data Protection (FADP), you have equivalent rights to those listed in §9. Supervisory authority: Federal Data Protection and Information Commissioner (FDPIC). Transfer safeguards: SCCs as recognized by FDPIC (see §12).
14.8. Other Jurisdictions
If you are a resident of a jurisdiction with data protection laws not specifically listed above (including but not limited to Australia, India, Japan, South Korea, Singapore), you may exercise equivalent rights by contacting [email protected]. We will respond within the timeframe required by your local law or 30 calendar days, whichever is shorter.
15. Security Measures
We implement appropriate technical and organizational measures to protect personal data:
- Encryption in transit: TLS 1.3 for all connections between your browser, our servers, and sub-processors
- Encryption at rest: AES-256 (Supabase managed encryption)
- API key protection: AES-256-GCM encryption with separated key management. Server-side decryption occurs only at the moment of executing your verification request.
- Authentication: OTP-based email authentication via Supabase Auth, with optional Two-Factor Authentication (TOTP)
- Access control: Row-Level Security (RLS) on all database tables; principle of least privilege for administrative access
- Audit logging: Server-side logs for access events, API calls, and security-relevant operations (90-day rolling retention)
- Monitoring: Application errors and anomalies in authentication and API access patterns are recorded in our hosting provider's server logs (90-day rolling retention) and are not transmitted to any external error-tracking service
- Backups: Supabase automated daily backups with 7-day retention
16. Data Breach Notification
In the event of a personal data breach:
- We will notify the relevant supervisory authority within 72 hours of becoming aware of the breach (GDPR Art. 33)
- If the breach is likely to result in high risk to your rights and freedoms, we will notify you without undue delay (GDPR Art. 34)
- All incidents are classified by severity and managed through our incident response procedures
17. AI Transparency (EU AI Act)
In compliance with the EU AI Act (Regulation 2024/1689) and equivalent AI transparency regulations:
- CrossCheck AI uses third-party artificial intelligence models (from Anthropic, OpenAI, Google, Microsoft, Mistral) to generate verification results
- Verification results, trust scores, and disagreement analyses are AI-generated content and are clearly labeled as such in the interface
- CrossCheck AI is classified as a limited-risk AI system under the EU AI Act — it assists human decision-making but does not make autonomous decisions with legal or similarly significant effects
- Users must review AI-generated results with their own professional judgment before relying on them for any decision
- For details on how each AI model processes data, see the DPA references in §7.2
18. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be reflected on this page with an updated revision date.
- Material changes will be communicated via email to registered users with at least 14 days' notice before taking effect
- Previous versions will be archived and available upon request to [email protected]
- Continued use of the Service after the effective date of changes constitutes acceptance of changes to processing based on contract or legitimate interest. For processing based on your consent (email communications, feedback), we will request renewed consent separately if material changes affect those activities.
Business transfers: In the event of a merger, acquisition, reorganization, or sale of assets, your personal data may be transferred to the successor entity as part of the transaction. We will notify you via email at least 30 calendar days before any such transfer and provide you the opportunity to export or delete your data before the transfer takes effect.
19. Data Processing Agreement (DPA)
For Hosted mode users and customers requiring formal data processing agreements, a Data Processing Agreement is available upon request by contacting [email protected]. The DPA covers: scope and nature of processing, obligations of controller and processor, sub-processor management, data breach notification procedures, audit rights, and jurisdiction-specific transfer safeguards.
20. Contact
- Privacy inquiries and DSARs: [email protected]
- General questions: [email protected]
- Mailing address: D. Agmashenebeli Avenue, N 177, Floor 1, Apartment N5, Kobuleti district, Georgia
This Privacy Policy should be read in conjunction with our Terms of Service.