Privacy Policy
This policy explains what personal information Seerai collects, why we collect it, who we share it with, and what rights you have. It applies to seerai.amayx.com and our hosted services.
§1Overview and scope
This Privacy Policy (“Policy”) describes how Seerai (“Seerai”, “we”, “us”, or “our”) collects, uses, discloses, and retains personal information when you:
- Visit our website at
seerai.amayx.comand any subdomain we control; - Create an account, sign in, or use the Seerai hosted dashboard or API at
api.seerai.amayx.com; - Purchase credits, subscriptions, or other paid features from us; or
- Communicate with us by email, support channels, or social media.
This Policy does not cover:
- The open-source Seerai Zotero plugin distributed under the MIT License. When you run the plugin from source against your own local API keys, no personal information reaches us.
- Third-party services we link to but do not operate, including the AI providers you choose to send requests to.
§2Who is the data controller
The data controller for the personal information described in this Policy is Dr Alk (sole proprietor), operating as Seerai, reachable at:
Email: privacy@amayx.com
Registered email for legal notices: admin@amayx.com
Postal address: [Entity registered address on file — request via email for the current address]
If we engage a sub-processor that independently determines the purposes and means of processing your personal information, that sub-processor acts as its own data controller. For example, PayTabs processes your payment-card data as an independent controller under its own privacy policy.
§3Information we collect
We collect the minimum information needed to operate the service securely and to bill you accurately. The categories below are organized so they map directly to the disclosures required by the EU/UK GDPR and the California Consumer Privacy Act (CCPA/CPRA).
A. Information you give us directly
| Category | Examples | Source |
|---|---|---|
| Identifiers | Email address, display name, user ID assigned at sign-up | Account creation, magic-code sign-in |
| Account settings | Notification preferences (email/in-app), credit-warning thresholds | Dashboard settings page |
| Support content | Messages and attachments you send to our support email or chat | When you contact us |
| Payment identifiers | Name, billing email, country code, last four digits of the payment instrument (full card numbers never reach our servers) | PayTabs checkout flow |
B. Information we collect automatically
| Category | Examples | Purpose |
|---|---|---|
| Technical identifiers | IP address, request timestamps, request IDs | Rate limiting, abuse prevention, fraud detection |
| Device & browser metadata | User-Agent string, screen size | Diagnostic logs and responsive layout |
| No behavioural analytics | We do not deploy Google Analytics, Meta Pixel, Plausible, PostHog, Sentry, Mixpanel, or any other analytics or session-replay tool. No advertising pixels are loaded. | Privacy by default |
Cookies and similar technologies
See our dedicated Cookie Policy for the complete list. We use only strictly-necessary cookies — those required to keep you signed in and to protect against forged requests.
C. Information you create in the hosted service
- Conversations and messages with hosted agents: stored on our database so you can review history. You can delete a conversation at any time; we delete the underlying messages within 30 days after you delete the conversation.
- Agent definitions: name, system prompt, model choice. These are your content and you can delete them at any time.
- Encrypted AI provider keys: when you supply your own OpenAI/Anthropic/Mistral/etc. key through our dashboard we encrypt it with AES-256-GCM at rest using a server-side secret. The plaintext is held in memory only for the duration of a single API call to the upstream provider.
D. Information we do not collect
- The contents of your Zotero library — PDFs, annotations, notes, tags stored in Zotero. These are fetched in real time from your local Zotero client (or the Zotero web API, depending on your configuration) and are not uploaded to Seerai.
- The full text of prompts and completions for the open-source plugin when you point it at your own API keys with the network proxy disabled.
- Government identifiers (SSN, national ID), payment card numbers, biometric data, health information. You should not provide any of these to us.
§4How we use information
We use personal information for the following purposes:
- Provide the service: authenticate you, route API requests to the right AI provider, deduct credits, sync state across your devices, deliver conversation history.
- Process payments and prevent fraud: create and reconcile PayTabs transactions, detect anomalous login patterns, enforce rate limits.
- Communicate with you: send transactional emails (sign-in codes, receipts, payment failures, credit-balance warnings when you opt in), and respond to your inquiries.
- Maintain and improve the service: diagnose outages, debug errors, understand feature usage from aggregated, non-identifying server logs. We do not build user profiles and we do not use third-party analytics.
- Comply with law and enforce our terms: respond to lawful requests, investigate violations of the Terms of Service.
We do not:
- Sell personal information for money or other value.
- Share personal information for “cross-context behavioural advertising” (CCPA “sharing”).
- Train, fine-tune, or otherwise use your content to improve any AI model. Your prompts and completions are passed through to the AI provider you choose and back to you — we do not retain them for training.
§5Legal basis for processing (GDPR)
For residents of the European Economic Area, the United Kingdom, or Switzerland, Article 6 of the GDPR requires a lawful basis for each processing activity. We rely on the following bases:
- Contract (Art. 6(1)(b))
- To create and maintain your account, deliver the API and dashboard you have signed up for, deduct credits, and process recurring subscription payments.
- Legitimate interests (Art. 6(1)(f))
- To keep the service secure (rate limiting, fraud detection, audit logs), prevent abuse, debug errors, and respond to support requests. We balance these interests against your rights and freedoms and offer you the controls in section 12.
- Legal obligation (Art. 6(1)(c))
- To retain transaction records for tax and accounting obligations (typically 7 years), and to comply with lawful government requests.
- Consent (Art. 6(1)(a))
- For any optional processing where we ask, including marketing emails beyond the strictly transactional set, and any future non-essential cookies. You can withdraw consent at any time without affecting prior processing.
§6Sub-processors and third-party services
To run the service we share limited categories of personal information with the following sub-processors. We list only those that actually receive personal information. Each is bound by a data-processing agreement that restricts use to the agreed purposes.
| Sub-processor | What they process | Where | Why |
|---|---|---|---|
| InstantDB, Inc. (database) | Account profile, encrypted AI provider keys, conversation messages, agent definitions, transaction records, plugin session tokens | United States | Primary application database |
| Cloudflare, Inc. (Workers & R2) | All request bodies and responses passing through our hosted API and dashboard, IP addresses, edge logs (retention configured at the Cloudflare account level) | Global edge (US default) | Hosting the Next.js application, edge caching, denial-of-service protection |
| PayTabs (Saudi Arabia) | Name, email, country, IP address, payment instrument data (card numbers are tokenized and never stored on our servers) | Saudi Arabia (transaction processing); regional processing nodes for accepted payment methods | Process credit-pack and subscription payments in SAR and other supported currencies |
| Email delivery provider (for magic-code auth and receipts) | Recipient email, message body, bounce & delivery-status metadata | United States | Deliver sign-in codes, payment receipts, account notifications |
| AI providers (only when you send a request that selects them) | The prompt you submit and the model provider you select; the response is returned to you. Routing decisions, token counts, and aggregated cost are recorded in our database. | Provider’s own region (typically US or EU) | Forward your request to the AI model you have chosen |
If we engage a new sub-processor that handles personal information, we will update this list at least 30 days before the sub-processor begins processing, and notify active subscribers by email. Continued use of the service after the effective date of any update constitutes acceptance of the updated processing; you may object or close your account as described in section 12.
Linked third-party services (not sub-processors)
The Zotero plugin can connect to third-party services such as Google Drive and Box via an OAuth proxy we operate. When you initiate a connection, the OAuth provider processes your authorization under its own privacy policy. We never see your Google or Box password.
§7AI providers, your content, and training
The Seerai service is a thin routing layer between you and the AI provider you select. Important consequences:
- Your content is forwarded to your chosen AI provider. When you send a chat message or run an extraction, the request is sent to the provider you selected. That provider’s privacy policy then applies to that request.
- We do not train models on your content. We do not fine-tune, embed, or otherwise use your prompts, documents, or completions to improve any AI model. The only AI-related processing we do is forwarding, metering, and billing.
- Your content stays in your control. You can delete conversations, agents, and provider API keys at any time from the dashboard. Deletion removes the data from active systems within 30 days (see section 9).
- Choose providers that match your jurisdiction.For sensitive academic work, consider using a provider with a data-residency option or a self-hosted model (Ollama, LM Studio) so nothing leaves your device.
Each provider’s data-handling practices are described in its own policy. Common providers include OpenAI, Anthropic, Google (Gemini), Mistral, Groq, Together AI, and any OpenAI-compatible service you configure.
§9Data retention
We retain personal information only as long as needed for the purposes described in this Policy, then delete or irreversibly anonymize it.
| Category | Retention period | Basis |
|---|---|---|
| Account profile | Until you delete the account + 30 days | Service operation |
| Encrypted AI provider keys | Until you delete or rotate the key | Service operation |
| Conversation messages & agents | While the account is active; purged within 30 days of account deletion | Service operation |
| Transaction records (payment receipts) | 7 years | Tax & accounting law |
| API usage logs (token counts, model, cost) | 24 months | Billing reconciliation, fraud detection |
| Edge access logs (IP, request path) | Up to 30 days at Cloudflare (controlled by our Cloudflare account retention configuration) | Security & abuse prevention |
| Plugin session tokens | Until token expiry or logout | Authentication |
| Support emails | 24 months after last contact | Service improvement |
Aggregated, non-identifying analytics (for example, “the average number of chat requests per user per month”) may be retained indefinitely.
§10Security
No system is perfectly secure, but we apply defence-in-depth measures appropriate to the sensitivity of the data we hold:
- All traffic is served over HTTPS using TLS 1.2 or higher (Cloudflare edge terminates TLS; we use HSTS).
- AI provider API keys are encrypted at rest with AES-256-GCM. Plaintext keys are held in process memory only for the duration of a single request.
- Authentication for the hosted API uses bearer tokens derived from a per-session secret; the secret hash is stored, not the secret itself. Tokens can be revoked at any time from the dashboard.
- Admin operations require a separate admin role and are logged.
- Access to production databases and secrets is restricted to named operators; rotation keys are stored in our deployment platform’s secret store.
- We maintain a process to investigate and notify affected users of security incidents as required by applicable law (including the 72-hour GDPR breach-notification window).
If you discover a vulnerability, please email security@amayx.com with a description and reproduction steps. We commit to acknowledging reports within five business days.
§11International data transfers
Seerai operates globally. Your personal information may be transferred to and processed in countries other than your own, including the United States, the Kingdom of Saudi Arabia, and any region in which an AI provider routes your requests.
When personal information leaves the European Economic Area, the United Kingdom, or Switzerland, we rely on one or more of the following safeguards:
- Standard Contractual Clauses (the 2021 EU SCCs and the UK International Data Transfer Addendum) with InstantDB, Cloudflare, our email provider, and any future sub-processor.
- Encryption in transit and at rest, including AES-256-GCM for stored secrets and TLS 1.2+ for all network traffic.
- Recipient-side controls: we engage only sub-processors that publish an adequacy-aligned privacy and security posture.
You can request a copy of the transfer safeguards that apply to your data by writing to privacy@amayx.com.
§12Your rights
Regardless of where you live, you have the right to:
- Access the personal information we hold about you;
- Correct inaccurate or incomplete information;
- Delete your account and associated personal information (subject to the retention windows above);
- Export your data in a machine-readable format (a JSON export of your account profile, conversation messages, agent definitions, and transaction history is available on request);
- Withdraw consent for any processing based on consent, without affecting prior lawful processing;
- Object to processing based on legitimate interests;
- Complain to your local data-protection authority.
To exercise any right, email privacy@amayx.com from the email address on your account. We respond within 30 days (45 days for complex requests, with an explanation of the delay). We will not charge for exercising your rights unless a request is manifestly unfounded or excessive.
§13California residents (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act (as amended by the California Privacy Rights Act, or “CCPA/CPRA”) gives you the following rights:
- Right to know what categories of personal information we collect, the categories of sources, the business or commercial purposes, and the categories of third parties to whom we disclose it. Sections 3, 4, and 6 of this Policy provide that disclosure.
- Right to delete personal information we have collected from you, subject to the exceptions in CCPA §1798.105(d) (for example, completing the transaction, detecting security incidents, complying with a legal obligation).
- Right to correct inaccurate personal information (CCPA §1798.106).
- Right to limit the use of sensitive personal information. We do not collect “sensitive personal information” as defined under CCPA, so this right is generally not applicable.
- Right to opt out of sale or sharing. We do not sell or share personal information for cross-context behavioural advertising. No action is required to opt out.
- Right to non-discrimination for exercising any of the above rights.
Notice of collection at collection (CCPA §1798.100(b)): The categories of personal information we collect, the purposes for which we collect it, and whether we sell or share it are described in sections 3, 4, and 6 of this Policy. We do not collect sensitive personal information.
Categories of personal information collected in the preceding 12 months: identifiers (email, user ID, IP address), commercial information (transaction records, credit balance), internet-activity information (request logs), and inferences (rate-limit decisions, fraud signals).
How to submit a verifiable consumer request: Email privacy@amayx.com from the email address on your account. We may need to verify your identity before responding. You may designate an authorised agent by following the CCPA regulations (§999.326).
§14EEA, UK, and Swiss residents (GDPR/UK GDPR)
If you are in the European Economic Area, the United Kingdom, or Switzerland, you have the rights set out in section 12, plus:
- Right to lodge a complaint with your local supervisory authority. A list of national data-protection authorities is maintained by the European Data Protection Board at
edpb.europa.eu. The UK’s Information Commissioner’s Office is atico.org.uk. - Right to data portability for information you have provided to us based on contract or consent, in a structured, commonly used, machine-readable format (typically JSON).
- Automated decision-making. We do not subject your account to decisions based solely on automated processing that produce legal or similarly significant effects under Article 22 GDPR.
Our lead supervisory authority will be the authority for the jurisdiction of our registered establishment. Where required by Art. 27 GDPR, we will designate an EU representative before processing EU residents’ personal data on a systematic basis.
§15Children
Seerai is not directed to children under 16, and we do not knowingly collect personal information from anyone under 16. Researchers who are minors should use the service only under the supervision of a parent, guardian, or institutional account holder.
If you believe a child has provided us with personal information, please contact us at privacy@amayx.com so we can delete it.
§16Changes to this policy
We may update this Policy. When we do, we will revise the “Last updated” date above and, for material changes, notify active subscribers by email at least 30 days before the new Policy takes effect. Material changes include adding a new sub-processor, expanding the categories of personal information collected, or changing the purposes of processing.
The previous version of this Policy is available on request.
§17Contact us
Questions, complaints, or rights requests: privacy@amayx.com
Legal notices: admin@amayx.com
Security disclosures: security@amayx.com
We aim to respond to every privacy-related enquiry within 30 days. If we cannot, we will tell you why and what to do next.