Privacy Policy

How we treat what you share with us.

Last updated · February 28, 2026

The short version

Correlate is a small archive about the things we have in common across traditions. We collect only what we need to keep your account, your saves, and your conversations working. We do not sell your data. We do not show you ads.

What we collect

  • Account data — your email, display name, optional handle, optional profile picture, and a securely hashed password (we never store your password in plain text). If you sign in with Google, we receive your name, email, and profile picture from Google's OAuth response.
  • Content you create — your Oracle conversations, saved correlations, weekly posts, comments, pins, reactions, direct messages, and your bio. Anything you choose to make public is publicly visible; anything kept private remains visible only to you.
  • Direct messages — stored on our servers so you can read them across devices. They are not end-to-end encrypted. They are visible only to you and the recipient.
  • Notifications — when you opt in to web push, we store an anonymous push subscription endpoint so we can deliver notifications. You can revoke this at any time in your browser settings or in Correlate Settings.
  • Usage data — minimal server logs (IP address, request path, response code, timestamp) kept for debugging and abuse prevention. Not used for advertising.

What we don't collect

  • We do not run third-party advertising trackers.
  • We do not sell your personal data to anyone, ever.
  • We do not access your device's contacts, camera, microphone, or location.

How we use what we collect

  • To keep you signed in and remember your saves.
  • To deliver notifications you have opted in to (email, web push, in-app bell).
  • To answer your Oracle questions — your prompts are sent to a large language model provider (OpenAI / Anthropic / Google) over an authenticated API. Providers may retain prompts for abuse and safety review per their own policies. We do not use your conversations to train models.
  • To prevent abuse and spam, and to honor lawful requests.

Who we share with

We use a small set of vetted infrastructure providers strictly for the operation of the service:

  • MongoDB Atlas — primary database hosting.
  • OpenAI / Anthropic / Google — the large language models powering the Oracle.
  • Resend — transactional email (digests, account emails).
  • Emergent — application hosting + Google OAuth flow.

Each provider sees only the data necessary for its specific function and is bound by its own privacy policy. We do not share data with advertisers.

Your choices

  • Profile visibility — toggle “Public reading shelf” in Settings to control whether other readers see your pins, reactions, and saves.
  • Direct messages — toggle “Allow DMs” in Settings to close your inbox to new conversations.
  • Email — opt out of digest + notification emails in Settings. You can also use the unsubscribe link in any email we send.
  • Push notifications — revoke in your browser permissions or from Settings.
  • Delete your account — write to us at the address below and we will delete your account and associated content within 30 days.

Data retention

We keep your account data and content for as long as your account is active. Server logs are kept for up to 90 days. If you delete your account, we remove your data within 30 days, except where law requires us to retain certain records (such as for fraud investigations).

Children

Correlate is not directed at children under 13. If you believe a child has provided us personal data, please contact us and we will delete it promptly.

Changes to this policy

We will update this page when our practices change. The “Last updated” date at the top reflects the most recent version. Material changes will be communicated by email or an in-app notice.

Contact

Questions or requests about your data may be sent to privacy@correlate.online.
