Privacy Notice for Socialism AI

Effective date: November 17, 2025

Services covered: the chatbot available at https://ai.wsws.org and any paid access sold by Left Insight LLC (418 N. Main Street, Suite 200-#3872, Royal Oak, MI 48067–1813), doing business as Socialism AI (also referred to as we, our, or the Service).


1) Who we are and how roles work

Socialism AI is the controller of your personal data when you use the Service.

A controller is the entity that determines why and how your personal data is processed.

Contact for privacy matters (Data Protection Officer)

Address: Data Protection Officer

418 N Main St, Suite 200 #3872

Royal Oak, MI 48067, USA

Email: privacy@ai.wsws.org


2) What we collect

We collect information in three ways: (1) data you provide, (2) data collected automatically, and (3) data we receive from other sources.

2.1 Data you provide

  • Account data: email, username, billing details for paid subscriptions.
  • Payment data (via Stripe): card details, billing address, transaction metadata.
    • We do not store card numbers; Stripe, our PCI/DSS-certified processor, stores them.
  • Prompts and outputs: the text you enter and the responses generated.
  • Support messages: emails or support tickets you send.
  • Profile photos (optional): if you upload a photo. These files may contain EXIF metadata with additional personal information.

2.2 Data collected automatically

  • Technical/usage data: IP address, timestamps, request identifiers, user‑agent, error codes, coarse location (derived from IP for localization and security).
  • Cookies/SDKs: strictly necessary cookies; optional analytics tools (e.g., PostHog) if enabled.
  • Regional flag (derived from IP): used server-side to determine your region (e.g., EEA vs. non‑EEA) and show correct consent settings and legal notices.
    • We do not derive precise location.
    • Only a transient region flag is stored; the IP is discarded immediately.

2.3 Data from other sources

We may receive limited data used for fraud detection and abuse prevention—for example from Stripe (see below).


3) Why we use data (purposes) and legal bases

3.1 Core operation

We process data to:

  • operate the chatbot,
  • route requests to model providers,
  • return responses,
  • manage accounts and subscriptions,
  • provide user support,
  • process payments,
  • maintain availability and reliability,
  • prevent abuse and security issues,
  • measure system capacity.

If you upload a profile photo, it may be shown in your account or chat interface.

Legal bases:

  • In the EEA/UK: see the EEA/UK Addendum for GDPR bases.
  • Outside the EEA/UK: contractual necessity, legitimate interests (e.g., security), consent where required, and compliance with legal obligations.

3.2 Communications

Transactional emails about your account, legal notices, and service updates; optional product updates and other non-transactional emails only with your opt-in.

3.3 Analytics (if enabled)

Product analytics and diagnostics (e.g., PostHog, see below). PostHog is used to see how frequently various product features are used.

Legal basis: Consent where required by local law.

3.4 Model training

By default, inputs/outputs are not used to train foundation models. If training on your inputs/outputs is proposed, we will only do so with appropriate consent or as required by applicable law.


Stripe, Inc. (payments) – processor / independent controller

Registered addresses

  • US: Stripe, Inc., 354 Oyster Point Blvd, South San Francisco, CA 94080, USA
  • EU: Stripe Payments Europe, Limited, 1 Grand Canal Street Lower, Dublin D02 H210, Ireland
  • EU tech entity: Stripe Technology Europe, Limited, The One Building, 1 Lower Grand Canal Street, Dublin 2, Ireland

Data processed

User ID, name (for paid accounts), billing email, billing address, transaction ID, card details, device/IP data, amount, and fraud‑detection telemetry. We do not store card numbers; Stripe stores them and is PCI/DSS‑certified.

Purposes

Payment execution, fraud prevention, bookkeeping, AML and regulatory duties.

Legal basis (EEA/UK)

See the EEA/UK Addendum.

Transfers & safeguards

Primarily USA; SCCs and DPF used where applicable.

Retention

As needed for service delivery and statutory obligations.


Hetzner Online GmbH (server hosting & infrastructure) – processor

Registered address

Industriestr. 25, 91710 Gunzenhausen, Germany

Data processed

Service data stored on our servers (chat transcripts, settings, uploaded files), server logs (IP, timestamps, metadata), and backups.

Purposes

Hosting, infrastructure operation, backups, monitoring, disaster recovery.

Legal basis (EEA/UK)

Art. 6(1)(b) and Art. 6(1)(f) GDPR.

Transfers & safeguards

Data stored in Germany; SCCs for any transfers.

Retention

Active data retained during service use; backups for 30 days.


Neon, Inc. (database hosting) – processor

Registered address

Neon, Inc., 221 Main Street, Suite 300, San Francisco, CA 94105, USA

Region

AWS eu-central-1 (Frankfurt)

Data processed

User accounts, chat transcripts, settings, metadata, query logs, connection data, backups.

Purposes

Database hosting, replication, diagnostics, performance monitoring.

Legal basis (EEA/UK)

See Addendum.

Transfers & safeguards

EU storage; SCCs for external transfers.

Retention

Active data remains for duration of service.


PostHog (Cloud EU/US) – processor

Registered address

PostHog Inc., 2261 Market Street #4008, San Francisco, CA 94114, USA

Data processed

Cookie/SDK identifiers, truncated IP, page views, clicks, timestamps, event metadata.

Purposes

Product analytics and diagnostics.

If analytics captures political inferences or chat content, explicit Art. 9(2)(a) consent is required.

Legal basis (EEA/UK)

Consent.

Region & transfers

Data stored in AWS eu-central-1 (Frankfurt). PostHog states no EU→US transfers on the EU Cloud.

Retention

90‑day auto‑deletion of event‑level data.


OpenAI, L.L.C. / OpenAI Ireland Ltd. – processor (model inference)

Registered addresses

  • EEA/CH: OpenAI Ireland Ltd, 117‑126 Sheriff Street Upper, Dublin 1, D01 YC43, Ireland
  • US: OpenAI, L.L.C., 1455 3rd Street, San Francisco, CA 94158, USA

Data processed

Prompts, outputs, minimal logs (timestamps, request IDs, edge IP), abuse‑signal metadata.

Training on inputs is OFF by default unless you opt in.

Purposes

Model inference.

Legal basis (EEA/UK)

See Addendum.

Transfers & safeguards

SCCs, DPF and supplementary measures.

Retention

~30 days (unless law requires longer).


Qdrant Solutions GmbH (vector database & semantic search) – processor

Registered address

Chausseestraße 86, 10115 Berlin, Germany

Data processed

Vector embeddings and metadata for retrieval-augmented generation (RAG) and semantic search.

We do not store raw user data in Qdrant.

Purposes

Vector storage and similarity search.

Legal basis (EEA/UK)

Contract necessity (Art. 6(1)(b) GDPR)

Transfers & safeguards

EU/EEA or adequacy regions; US transfers use DPF or SCCs.

Retention

For duration of Cloud Service Agreement.


Sentry (Functional Software, Inc.) – processor

Registered addresses

  • US: 45 Fremont Street, 8th Floor, San Francisco, CA 94105
  • EU: Functional Software GmbH, Rothschildplatz 3, 1020 Vienna, Austria

Data processed

Error events, stack traces, URLs, headers, IPs, emails, session replay (if enabled), performance data.

Purposes

Error tracking and performance monitoring.

Legal basis (EEA/UK)

Legitimate interests (Art. 6(1)(f) GDPR)

Retention

30 days for events/logs, 90 days for backups.

Transfers & safeguards

US/EU regions depending on selection; participates in EU‑US DPF.


Loops (Astrodon Corporation) – processor (email automation & campaigns)

Registered address

9450 SW Gemini Dr, PMB 22902, Beaverton, OR 97008‑7105, USA

Data processed

Email, user ID, optional name, subscription status, interaction metadata, deliverability/abuse logs.

No chat transcripts are sent.

Purposes

Transactional emails, newsletters (opt‑in), personalization (explicit Art. 9(2)(a) consent), segmentation, unsubscribe management.

Legal bases (EEA/UK)

  • Transactional: Art. 6(1)(b)
  • Newsletters: Art. 6(1)(a)
  • Political‑inference personalization: Art. 9(2)(a)
  • Deliverability/abuse logs: Art. 6(1)(f)

Retention

Personalization labels until withdrawal; events up to 13 months; suppression lists maintained to honor opt‑outs; logs 30–90 days.


Third‑party sign‑in (Google)

Data received

Provider user ID, email, profile name/avatar (if authorized).

We do not receive your password or contacts.

Purposes

Authentication and fraud prevention.

Legal basis (EEA/UK)

See Addendum.

SDK/Cookies

Google scripts load only after you click Sign‑In.

One‑Tap prompts run only with consent in EEA/UK.

Roles

Google: independent controller for identity services

Socialism AI: controller for your chatbot account

Retention

We retain your provider ID and email for as long as your account exists.


5) Cookies and similar technologies

We use cookies and similar technologies to operate the Service and, where permitted, to run analytics.

Strictly necessary storage

These cookies run without consent where allowed because they are required to deliver the Service you request (e.g., authentication tokens, quota management).

Consent records (EEA/UK)

We keep minimal proof of your consent decisions as described in the Addendum:

  • a user/account or consent-token ID,
  • consent purposes (including explicit Art. 9 consent, if given),
  • timestamp,
  • IP address,
  • consent policy version presented.

We do not store device fingerprints, browsing history, or chat content for consent proof.

Records are kept until withdrawal + 3 years for legal compliance, then deleted or anonymized.

Analytics and measurement

Analytics cookies or SDKs (such as PostHog) run only with consent in the EEA/UK and where otherwise required.

You may withdraw consent at any time in settings.

Geo-IP for consent settings

We derive a coarse region identifier server-side to show legally required consent banners and correct language.

Only a transient region flag is stored; the raw IP is discarded immediately.

Cookie table

| Cookie name | Purpose | Validity |
| --- | --- | --- |
| __Secure-better-auth.session_token | Authentication session token | 7 days |
| ph_phc_ZeyAXZSfFMa8BlMv58rH8COzzF0LXuaArx2WkeyQoc_posthog | PostHog analytics identifier | 365 days |

6) Data transfers

We primarily host and process data in the European Union (Germany and Frankfurt AWS regions).

Some vendors operate in the United States or other third countries.

Where international transfers occur, we apply safeguards such as:

  • Standard Contractual Clauses (SCCs) under GDPR Art. 46
  • EU–US Data Privacy Framework, UK and Swiss extensions (where applicable)
  • Supplementary measures (encryption in transit, access controls)

Full details appear in the EEA/UK Addendum.


7) Retention

We retain personal data only as long as necessary for:

  • operating the Service,
  • resolving disputes,
  • security and fraud prevention,
  • complying with legal obligations.

Retention depends on:

  • the purpose for which data was collected,
  • whether consent was withdrawn,
  • the nature and sensitivity of the data,
  • the potential risks of misuse or disclosure,
  • applicable statutory obligations.

8) Your choices

You have several options to control your data:

  • Disable non-essential analytics through consent settings.
  • Avoid entering sensitive data you do not want processed.
  • Withdraw consent at any time in your account settings.
  • Close your account whenever you choose.

Accuracy of model outputs

AI-generated responses may contain inaccuracies.

If you believe generated content about you is false and want it corrected or removed, you may contact us. Requests will be handled according to:

  • applicable law, and
  • the technical limits of model architectures.

9) Automated decision-making

We do not engage in solely automated decision-making that produces legal or similarly significant effects.

For EEA/UK users, see the Addendum for GDPR-specific statements.


10) Children

  • United States: the Service is not for children under 13.
  • EEA/UK: not for children under 16, unless local laws allow a lower age and valid guardian consent is obtained.

11) U.S. state privacy disclosures

Residents of certain U.S. states (including CA, CO, CT, TX, VA, UT, OR, DE) may have statutory privacy rights such as:

  • Access and deletion
  • Correction
  • Data portability
  • Opt-out of:
    • sale of personal information
    • sharing for targeted advertising
    • certain profiling
  • California residents may limit use/disclosure of Sensitive Personal Information

California (CCPA/CPRA)

  • We do not “sell” or “share” personal information as defined under the CCPA/CPRA.
  • We provide required controls such as “Do Not Sell or Share” and “Limit Use of My Sensitive PI.”
  • We do not sell/share PI of consumers under 16; if this were ever proposed, opt-in consent would be required.

Colorado & Connecticut

We honor Universal Opt-Out Mechanisms (UOOM), including the Global Privacy Control (GPC), for targeted advertising and sale categories.

Texas and other states

Where required, you may opt out of targeted advertising, sale of personal data, and automated profiling.

Non-discrimination rules apply.

Exercising rights

Submit requests to privacy@ai.wsws.org.

We will verify your identity and provide an appeals process if required by state law.


12) How to contact us

For privacy requests or questions, email: privacy@ai.wsws.org. We route requests to the appropriate organization (ICFI, WSWS Inc., or Socialism AI) depending on your region and nature of the request.


EEA/UK/Switzerland Addendum (GDPR)

This Addendum applies to users in the European Economic Area (EEA), the United Kingdom (UK) and Switzerland.


A) Controllers and processors

Controller

Left Insight LLC (d/b/a Socialism AI)

418 N. Main Street, Suite 200-#3872

Royal Oak, MI 48067-1813, USA

Processors

We use several processors, including:

  • OpenAI
  • Stripe
  • PostHog
  • Hosting and email providers (e.g., Hetzner, Neon, Sentry, Loops)

Vendor details appear in Part 2.


B) Purposes, data, and GDPR legal bases

| Purpose | Data | Legal basis |
| --- | --- | --- |
| Provide the chatbot | account data; prompts/outputs; technical IDs | Art. 6(1)(b) (contract), Art. 9(2)(a) (explicit consent) |
| Add/replace profile photo | photo file (thumbnail), file ID, timestamps | Art. 6(1)(a) (consent) |
| Security, abuse prevention, reliability | IP, logs, limited prompt metadata | Art. 6(1)(f) (legitimate interests) |
| Payments and invoices | billing metadata; transaction IDs | Art. 6(1)(c) (legal obligation), Art. 6(1)(b) (contract) |
| Support and service messages; email delivery (Loops/SendGrid) | contact details; ticket content | Art. 6(1)(b) / Art. 6(1)(f) |
| Newsletters (optional) | email address | Art. 6(1)(a) (consent) |
| Personalised emails based on chats (political opinions possible) | email address, inferred political opinions | Art. 6(1)(a) and Art. 9(2)(a) (explicit consent) |
| Product analytics (PostHog) | cookie/SDK IDs; events | Art. 6(1)(a) (consent) + Art. 9(2)(a) (explicit consent, if special-category) |
| Regional compliance & localisation | transient IP, region flag | Art. 6(1)(f) (legitimate interests) |
| Model training on inputs/outputs (optional) | prompts/outputs | Art. 6(1)(a) (consent); for special-category data: Art. 9(2)(a) (explicit consent) |

Special-category data (Art. 9 GDPR)

The chatbot’s core feature is personalized political interaction: it analyses your prompts and may infer your political positions, use that to tailor answers, show history and suggest follow-ups.

Because prompts and outputs may be linked to your account, this constitutes processing of special-category data under Art. 9 GDPR.

We process this data only when:

  • it is necessary for the core functioning of the Service (personalized political interaction), and
  • you give explicit consent (Art. 9(2)(a)).

You may withdraw this consent at any time. Keep in mind that you will then no longer be able to use the chatbot’s core feature.


C) Cookies and SDKs (EEA/UK)

Strictly necessary storage

Runs without consent when required for service delivery. If personal data is involved, we rely on Art. 6(1)(f).

Analytics

Runs only with consent (Art. 6(1)(a)).

If analytics captures or infers political opinions through event metadata or chat content, we also request explicit Art. 9(2)(a) consent.

Email measurement pixels

Open/click tracking is considered device access under ePrivacy/TDDDG/UK PECR.

It requires consent and is off by default.

Consent records

We maintain minimal proof of your consent decisions:

  • user/account or consent-token ID
  • the purposes you selected (including special-category / Art. 9 consent)
  • timestamp
  • IP address
  • the policy/consent-settings version displayed to you

We do not store the following for consent logs:

  • fingerprints
  • browsing history
  • chat content

Retention:

  • held until you withdraw consent, plus 3 years for legal defense
  • then deleted or irreversibly anonymized

You may withdraw at any time.


D) Automated decisions (GDPR Art. 22)

We do not make decisions with legal or similarly significant effects solely by automated means.

Human review is available where required.


E) Your GDPR/UK GDPR rights

You may exercise the following rights:

  • Access your data
  • Rectify inaccurate data
  • Erase data (“right to be forgotten”)
  • Restrict processing
  • Portability
  • Object to processing based on Art. 6(1)(f)
  • Withdraw consent at any time

Withdrawal does not affect prior lawful processing.

Contact: privacy@ai.wsws.org

You may lodge a complaint with your local supervisory authority:

https://www.edpb.europa.eu/about-edpb/about-edpb/members_en


F) International transfers

We may transfer personal data to the United States when using vendors such as OpenAI, Stripe, Sentry, Loops, and others.

Safeguards include:

  • Standard Contractual Clauses (SCCs) (Art. 46)
  • Participation in the EU–US Data Privacy Framework, UK Extension, and Swiss–US Framework (where applicable)
  • Technical and organizational measures such as encryption and access controls

A copy of the SCCs can be provided upon request (with redactions).


G) Retention (EEA/UK)

  • Prompts/outputs: retained for 30 days by default for security and abuse prevention; longer only when necessary and documented

  • Analytics events (PostHog): 90 days, then aggregated

  • Account and billing data: retained for statutory periods

H) Article 27 representative

EU/UK representative for Socialism AI: Christoph Vandreier, C/o SGP, Neuenburgerstr. 13, 10969 Berlin, left-insight@gleichheit.de


13) Necessity of provision (Art. 13(2)(e) GDPR)

To use the Service:

  • You must provide correct account and payment data for paid plans; without these, the subscription cannot be delivered.
  • Because the chatbot involves the analysis and inference of political opinions, explicit consent under Art. 9(2)(a) is necessary for its core functionality. If you do not grant this consent, we cannot provide the personalized features of the Service.

Non-essential analytics is optional.


14) Sources (Art. 14 GDPR)

Where we obtain data from third parties, categories include:

  • fraud-prevention or payment-security data from Stripe
  • infrastructure metadata from hosting and network providers