Privacy Policy.

Last updated May 1, 2026 · Effective May 1, 2026

What we collect, the legal basis for each use, how to exercise your rights, and how we treat research data. Written to be readable; binding where it counts.

§01

Who we are

Disagreeable AI (“we”, “us”, “the Service”) is operated by Suncost Labs at disagreeable.ai. Application servers are located in Frankfurt, Germany (Hetzner Cloud). We are the controller of personal data processed in connection with the Service for the purposes of the EU General Data Protection Regulation (“GDPR”), the UK Data Protection Act 2018 / UK GDPR, the California Consumer Privacy Act (“CCPA”) as amended by the CPRA, and other applicable privacy laws.

For privacy questions or to exercise your rights, contact contact@suncostlabs.com. We are below the threshold that would require us to formally appoint a Data Protection Officer; the privacy contact handles all data subject requests.

§02

What we collect, why, and on what legal basis

We minimize data collection to what we need to operate the Service and pursue our research mission. Each processing purpose has a specific legal basis under GDPR Article 6 (and Article 9 where applicable, though we do not deliberately solicit special category data).

Category | Purpose | Legal basis
Account: name, email, auth identifiers (Clerk) | Provide the Service, authenticate you | Contract (Art. 6(1)(b))
Chat content: messages, assistant responses, session titles | Render the Service; show you your history | Contract (Art. 6(1)(b))
Billing: Stripe customer/subscription IDs (no card numbers) | Process subscriptions, comply with tax law | Contract (Art. 6(1)(b)); legal obligation (Art. 6(1)(c))
Usage telemetry: tokens, model identifiers, estimated cost, timestamps | Enforce caps, prevent abuse, internal accounting | Legitimate interests (Art. 6(1)(f))
Training records: chat-turn pairs, model annotations, and quality judgments | Train, evaluate, and improve our AI models (and, where we publish, contribute to scientific research under Art. 89) | Consent (Art. 6(1)(a)) for users in the EU/UK; legitimate interests (Art. 6(1)(f)) elsewhere, balanced against your rights and revocable
Technical: IP, user-agent, request logs (kept ≤ 30 days) | Rate limiting, security, debugging | Legitimate interests (Art. 6(1)(f))
Approximate region (CF country header) | Apply correct privacy defaults (EU vs non-EU) | Legal obligation (Art. 6(1)(c))

We do not sell personal data, and we do not share chat content with third-party model trainers. We do not use chat content to train our own models without your explicit research consent (see §5).

§03

Default consent posture, by region

The default state of your “training and improvement” consent flag depends on the region you select at signup, in line with regional law.

  • EU, UK, Switzerland, EEA: the consent flag is off by default. We ask you to opt in during onboarding. If you do not opt in, we still operate the Service for you; we simply do not include your interactions in training or improvement datasets.
  • Everywhere else (US, Canada, Australia, etc.): the flag is on by default with prominent disclosure. You may opt out at any time in Settings.

You can change your consent state at any time. We log every change with a timestamp; this audit trail is part of our GDPR accountability obligation under Article 7(1).

§04

How we use your data to improve our AI

When you allow improvement use (the consent toggle in onboarding and Settings), we may include your chat-turn records and the model-generated annotations on those turns in datasets used for the following purposes only:

  • Training, fine-tuning, and evaluating our AI models, including open-weights releases.
  • Internal quality and safety analysis of model behavior (sycophancy, calibration, civility, and similar).
  • Public benchmark releases (e.g. AntiSyc-Eval) with full datasheet, after consent re-checking and PII review.
  • Aggregate or de-identified academic publication where we choose to share findings.

Each record carries provenance metadata: dataset name, schema version, consent snapshot, judge model, and label origin. This is documented in our public source code.

We will not: sell your data, share it with third-party model trainers, or release identifiable conversations publicly. We may share aggregate, anonymized, or rigorously de-identified data with academic collaborators under data use agreements.

If you withdraw consent, we exclude your records from all future exports and training runs. Models trained before your withdrawal cannot have your data un-baked from their weights, but no new training will use your data, and your records are deleted on request (see §7).

§05

Subprocessors and international transfers

We use the following subprocessors. Where data leaves the EU/UK/EEA, we rely on Standard Contractual Clauses or equivalent transfer mechanisms.

Subprocessor | Purpose | Location / Transfer
Hetzner Cloud | Application hosting | Frankfurt, Germany (no transfer)
Neon (Postgres) | Durable database | EU central (Frankfurt)
Upstash Redis | Rate limiting, ephemeral cache | EU region (configurable)
Clerk | Authentication | United States (SCCs)
Stripe | Payment processing | United States / Ireland (SCCs)
OpenRouter | LLM request routing | United States; zero-retention requested where supported
Sentry | Error monitoring (no chat content) | United States / EU (SCCs)
Cloudflare | DNS, country detection (CF-IPCountry header) | Global edge; transit only

When you submit a message, the message text is sent to OpenRouter to be routed to the underlying model provider. We request zero-retention from OpenRouter where supported; underlying providers may retain copies for short abuse-monitoring periods per their terms.

§06

Retention

  • Account, chat sessions, chat messages: for the life of your account. On account deletion, purged within 30 days from primary storage and within 90 days from backups.
  • Usage records: 24 months, then aggregated and de-identified.
  • Billing records: retained as required by tax and accounting law, typically 7 years.
  • Request logs (IP, UA): 30 days, then deleted.
  • Training records (consented): indefinite under your consent. On withdrawal, excluded from future exports and deleted on request.
  • Anonymous chats (when anonymous tier is enabled): 30 days from creation, then auto-deleted.
  • Consent audit log: 7 years, as required to demonstrate GDPR compliance under Art. 7(1) and 5(2).

§07

Your rights

Subject to your jurisdiction, you have the following rights. We respond to verified requests within 30 days (extendable to 90 days for complex requests under GDPR Art. 12(3)).

  • Right of access (Art. 15 GDPR / CCPA right to know): request a copy of your personal data. Use the “Export my data” button in Settings for an immediate machine-readable export.
  • Right to rectification (Art. 16): ask us to correct inaccurate personal data.
  • Right to erasure / “right to be forgotten” (Art. 17 / CCPA right to delete): ask us to delete your data. Use the “Delete my account” button in Settings.
  • Right to data portability (Art. 20): get your data in a structured, commonly used format. The export endpoint returns JSON.
  • Right to restrict processing (Art. 18) and right to object (Art. 21): particularly for processing based on legitimate interests (research use outside the EU).
  • Right to withdraw consent (Art. 7(3)): at any time, with no detriment to the Service. Toggle it in Settings and your data is excluded from all future training and evaluation exports immediately.
  • Right to lodge a complaint (Art. 77): with your local supervisory authority. For Germany, the Hamburg Data Protection Commissioner; for the UK, the ICO; for the US, your state Attorney General.
  • California residents: CCPA / CPRA rights including the right to know what personal information is collected, the right to delete, the right to correct, and the right to non-discrimination for exercising rights. We do not sell personal data and do not engage in cross-context behavioral advertising; the “Do Not Sell or Share My Personal Information” right is therefore not applicable, but if you wish to confirm, contact contact@suncostlabs.com.

§08

Automated decision-making

We do not subject you to decisions based solely on automated processing that produce legal or similarly significant effects on you (GDPR Art. 22). The Service produces critique text in response to your prompts; this is not a legal, medical, financial, or other consequential decision about you.

§09

Cookies and similar technologies

We use a small number of cookies, all functional or strictly necessary:

  • Clerk session cookies — authentication. Strictly necessary.
  • Stripe cookies — payment processing on checkout pages. Strictly necessary.
  • Theme preference cookie — remembers light/dark mode. Functional.
  • Anonymous-tier session cookie (when applicable) — pseudo-user identifier with a 30-day TTL. Functional.

We do not use third-party advertising, behavioral tracking, or analytics cookies.

§10

Security

  • TLS 1.2+ in transit; provider-level encryption at rest.
  • Default-deny on all API routes; per-user usage caps; per-IP rate limits.
  • Error monitoring without chat content payloads.
  • Bot/abuse protection at signup (CAPTCHA via Clerk).
  • Annual review of subprocessors and access controls.

§11

Children

The Service is not directed to children under 13 (or 16 in jurisdictions that require it). We do not knowingly collect personal data from children. If you believe a child has used the Service, contact us to request deletion.

§12

Changes

We will notify you in-product or by email of material changes at least 14 days in advance. Material changes to research consent posture take effect only on prospective acceptance — they will not retroactively re-consent you to anything you had previously declined.

§13

Contact

For all privacy questions, requests, or complaints: contact@suncostlabs.com. For general questions: contact@suncostlabs.com.

This is the operative privacy policy. It is not a substitute for advice from your own counsel.