Privacy Policy

Last updated: 20 May 2026 · Effective immediately

This policy explains what data Conjure (operated by SPECTR) collects about you, why we collect it, who else sees it, and what rights you have over it. We aim for plain English. If anything below is unclear, email hello@useconjure.app.

What we collect

Account info

• Email address, display name, and (if you sign in via Discord) your Discord ID and avatar URL. We get these from Clerk, our authentication provider, when you sign up.

Things you create

• Bot configurations: the name, description, and source code files for each bot you build.
• Chat history with the AI: the prompts you send and the responses (including any reasoning we surface) for each bot. We keep this so future iterations have context.
• Discord bot tokens: encrypted with AES-256-GCM before being written to disk. The decryption key is stored in our deployment environment, separate from the database. We never log decrypted tokens or display them back to you.

Usage metrics

• AI update counts per calendar month — for quota enforcement and billing.
• Token usage and estimated cost per call — for our own unit-economics tracking.
• Deployment events — when each bot was deployed, started, stopped, or failed.

Payment info

If you subscribe to a paid plan we store your Stripe customer ID so we can reconcile invoices and webhooks. We never store full card numbers — Stripe handles that on PCI-compliant infrastructure.

What we don't collect

• We don't collect data about the Discord servers your bot operates inbeyond what's necessary to deliver Fly logs to you. If your bot itself stores data about its users (level data, warnings, etc.), that lives in your bot's persistent volume and we don't inspect or analyze it.
• We don't use your bot code or chat history to train AI models— neither ours nor third-party model providers'. Anthropic processes your chat content per its privacy policy but does not use API customer data for training by default.
• We don't sell your data. Ever. Not to advertisers, not to data brokers, not to anyone.

Why we collect it

• To run the Service: deploy your bots, route AI requests, store your work between sessions.
• To bill you: track usage against plan limits, process payments through Stripe.
• To prevent abuse: the monthly bot-creation quota relies on counting historical creations.
• To support you: when you email us, we can pull up your account to help.
• To improve the product: aggregate metrics (e.g. average tokens per generation) inform what we work on next. We never look at individual bot code or chat without your explicit permission.

Who else processes your data

We use third-party services to deliver Conjure. Each only sees the data they need to do their job:

• Clerk — authentication, session management, user profile. Receives your email and OAuth identity.
• Stripe — payment processing. Receives billing name, address, payment method, and your subscription tier.
• Anthropic — AI code generation. Receives your chat prompts and the bot context we provide as system prompt. Does not retain content beyond standard API operation per its policy.
• Fly.io— bot hosting. Receives your bot's source code (encrypted in transit), runtime configuration, and the encrypted Discord token (we decrypt only at deploy time).
• Cloudflare R2 — code artifact storage (future). Receives encrypted code snapshots.
• Vercel — hosting for the Conjure web app itself.
• Postgres (managed) — primary database.

How long we keep it

• Active account data: as long as your account exists.
• After account deletion: bot code, tokens, and chat history are deleted within 30 days of your delete request. Anonymized usage aggregates may persist indefinitely.
• Backups: up to 90 days for disaster recovery, after which they age out.
• Billing records: kept for 7 years as required by tax law.

Security

Bot tokens are encrypted at rest with AES-256-GCM using a key held only in our deployment environment. Database traffic is TLS-encrypted in transit. Authentication is handled by Clerk, which supports multi-factor authentication — we strongly recommend enabling it. We follow the principle of least privilege internally: only the deploy service can read decrypted tokens, and only to hand them straight to Fly.

Your rights

Under the UK GDPR (and equivalent regimes elsewhere), you can:

• Accessyour data — email us and we'll send a machine-readable export.
• Correct inaccurate data — most of it you can edit yourself; for the rest, email us.
• Delete your account — settings → delete account, or email us.
• Objectto processing or withdraw consent. Note that withdrawing consent typically means we can't continue providing the Service.
• Complainto the UK Information Commissioner's Office (ico.org.uk) if you believe we've mishandled your data.

Email hello@useconjure.app for any of the above. We respond within 30 days.

Cookies and tracking

We use a small number of strictly-functional cookies (auth session, CSRF protection — set by Clerk). We don't use third-party advertising or behavioural tracking cookies. We don't need a cookie banner because we don't set anything that requires consent.

International transfers

Conjure is operated from the UK. Some processors (Clerk, Anthropic, Stripe, Fly) are based in the US and process data there. Where data crosses borders, we rely on Standard Contractual Clauses or equivalent mechanisms.

Children

Conjure is not directed at children under 13 (16 in the EEA). We don't knowingly collect data from anyone in those age brackets. If you believe a child has signed up, email us and we'll delete the account.

Changes to this policy

If we make material changes we'll notify you by email or in-app at least 30 days before they take effect.

Contact

Privacy questions, data-subject requests, breach notifications: hello@useconjure.app. The data controller is SPECTR.