Privacy Policy
Last updated: May 20, 2026
1. The Short Version
Conare ("we", "us", "our") operates conare.ai. We provide persistent memory for AI coding agents.
In plain English:
- Your memories live in their own isolated database — one per user, not a shared table.
- We do not train AI models on your content. We do not sell or share it.
- You can export everything via the API and delete your account at any time.
- The only places your content touches outside Conare are the third-party services listed in section 5, used strictly to deliver the product.
The rest of this document is the specific, legally complete version of that.
2. Data We Collect
2.1 Account Data
When you sign in with Google OAuth, we receive and store:
- Name — your Google profile name
- Email address — used as your account identifier
- Profile picture URL — displayed in the dashboard
We never receive your Google password. We do not request scopes beyond basic profile and email. We do not retain Google OAuth refresh tokens beyond what is required to maintain your session.
2.2 User Content
Content you submit to Conare via the dashboard, CLI, MCP server, or API:
- Conversation summaries — context indexed from your AI coding sessions
- Memories — text you save explicitly for retrieval by your AI tools
- Connector data — content you choose to index from connected services (e.g., Notion pages, via OAuth scopes you grant)
Your content is stored in a per-user isolated Cloudflare Durable Object — effectively a separate SQLite database scoped to your account. Cross-user queries are not supported by the storage layer. We use your content only to provide the service to you: to index it, search it, and return it on your own retrieval calls.
2.3 Usage Analytics
We use DataFast (datafa.st), a cookie-less, privacy-focused analytics service, to collect:
- Page views and navigation patterns (no personal identifiers)
- Custom events: button clicks, feature usage, authentication flow completion
- Browser type, device type, and approximate geographic region
DataFast does not use tracking cookies, does not retain raw IP addresses, and does not build cross-site user profiles. Analytics data is aggregated and cannot be tied back to identifiable individuals.
2.4 Infrastructure Metadata
Conare runs on Cloudflare Workers, which are stateless by design. Cloudflare processes request metadata (IP addresses, headers, TLS handshakes) transiently to route and secure traffic, subject to Cloudflare's privacy policy. We do not configure long-lived server access logs.
3. How We Use Your Data
- Provide the service — store, index, search, rank, and return your memories on your retrieval calls
- Authenticate you — verify your identity and manage sessions
- Improve the product — understand aggregate usage patterns via anonymous analytics
- Communicate with you — send service-related emails (e.g., security alerts, billing if applicable)
What we explicitly do not do:
- Sell your data to third parties — ever
- Use your content to train, fine-tune, or evaluate AI models — ours or anyone else's
- Share your content with other Conare users or unrelated services
- Build advertising profiles or track you across the web
- Read your content for any purpose other than serving it back to you
4. Storage & Security
Your data is stored on Cloudflare's global network, distributed across:
- Durable Objects (SQLite) — per-user isolated storage for memories and chunks. Each account is provisioned its own database instance, not a tenant row in a shared table.
- D1 (SQLite) — account metadata (name, email, account creation timestamp)
- KV — API key records and short-lived session data
- Vectorize — vector embeddings derived from your content, used for semantic search
- R2 — large object storage for connector content where applicable
All data is encrypted in transit (TLS 1.3) and encrypted at rest by Cloudflare's infrastructure. Admin endpoints are gated by HMAC-based authentication. Rate limits and per-user quotas are enforced to prevent abuse. All database queries are parameterized — we do not accept raw SQL from user input.
5. Third-Party Sub-processors
These are the only third parties that touch your data, together with what they do with it and where to find their data-handling commitments:
| Service | Purpose | Data shared |
|---|---|---|
| Cloudflare | Hosting, storage, network | All service data, encrypted |
| Google OAuth | Authentication | Name, email, profile picture (received from Google) |
| ZeroEntropy | Vector embeddings & reranking | Text chunks (for embedding/rerank only; not retained for training) |
| DataFast | Privacy-focused analytics | Anonymous page views & events (no personal identifiers) |
| Notion | Optional connector | Workspace pages you authorize via OAuth |
We do not use third-party AI services (OpenAI, Anthropic, Google Gemini, etc.) to process your stored memories. Embedding and reranking happen via ZeroEntropy; everything else runs on Conare's own infrastructure.
6. Cookies
We use the minimum cookies required for the product to function:
- Session cookie — authenticates your dashboard session. First-party, essential.
- Color mode preference — remembers your light/dark theme.
We do not use third-party tracking cookies, advertising cookies, or any cross-site tracking.
7. Your Rights
Regardless of jurisdiction, you have the right to:
- Access — request a copy of all data we hold about you
- Export — download your memories at any time via the Conare API
- Correct — update your account information (managed through your Google account)
- Delete — request deletion of your account and all associated content
- Restrict — ask us to limit how we process your data
- Object — object to specific processing activities
To exercise any of these rights, email artem@conare.ai. Account deletion requests are honored within 30 days, and in practice are typically completed within 24 hours of receipt.
8. Data Retention
- Account data — retained while your account is active; removed on account deletion
- User content (memories & chunks) — retained while your account is active; removed on account deletion
- Vector embeddings — derived from your content; removed alongside the source content
- Connector data — retained while the connector is active and your account is active; removed when you disconnect the integration or delete your account
- Analytics data — aggregated and anonymous; retained indefinitely (cannot be tied to individuals)
Cloudflare's infrastructure may retain encrypted backups for short, technical-recovery windows as part of its standard operations, subject to its own data-handling commitments. We do not maintain separate user-content backups outside of Cloudflare's storage layer.
9. International Data Transfers
Your data is processed on Cloudflare's global edge network, which spans multiple countries. By using Conare, you consent to your data being processed in jurisdictions outside your country of residence. Cloudflare maintains appropriate safeguards for international transfers, including Standard Contractual Clauses where applicable.
10. Children's Privacy
Conare is not intended for, and is not knowingly used by, children under 18. We do not knowingly collect data from children. If you believe a minor has provided us with personal information, contact us and we will delete it.
11. Changes to This Policy
We may update this Privacy Policy over time. Material changes will be communicated by email or in-app notification. The "Last updated" date at the top of this page always reflects the most recent revision. Continued use of Conare after a change constitutes acceptance of the updated policy.
12. Contact
For privacy questions, data requests, or anything security-related, email artem@conare.ai. A real human (the founder) reads every message.