Privacy notice
Perspicuity is operated by People and Planet Consulting Inc. ("PPC", "we", "us"), a Canadian corporation. This notice explains what we collect when you use Perspicuity, why we collect it, who we share it with, and the rights you have over it. We've written it for humans, not lawyers — if anything is unclear, write us at privacy@peopleandplanet.consulting.
1. Who is the controller
People and Planet Consulting Inc., a corporation incorporated under the Canada Business Corporations Act (corp 1542703-7, business number 784541351 RC0001). Privacy contact: privacy@peopleandplanet.consulting.
2. What we collect
Account data
- Your name, email, and the identifier your identity provider (Keycloak) issues us when you sign in.
- Account preferences: chosen voice settings, preferred LLM, UI theme, agent persona.
Decision content
- The full text of your decision documents — problem statements, objectives, alternatives, consequences, recommendations.
- Your full conversation with the agent (chat messages and, when voice mode is used, the text transcription of your speech).
- Files you upload to your document library (and the text extracted from them).
- Decision Quality check-ins and your reflections on them.
Usage data
- Per-turn token and cost logs (which model was called, how many tokens).
- Interaction events — what you clicked, what panel you opened. The agent reads a short trailing window of these to know what you just did.
- Web server logs (IP address, user agent, URL path) kept for at most 30 days.
Payment data
- If you buy credits, our payment processor (Helcim) handles your card directly. We see only the last 4 digits, an approval code, and a transaction ID — never the full card number.
What we do not collect
- No third-party analytics, no marketing pixels, no ad trackers.
- No fingerprinting beyond what's needed to keep your session signed in.
- No location data beyond the city-level IP geolocation that your browser exposes in normal requests.
3. Sealed decisions and bringing your own agent
Sealed (zero-knowledge) decisions — content we cannot read
Any decision you mark as sealed is protected by zero-knowledge encryption. Its most sensitive prose — the consequence cells and the recommendation rationale — is encrypted by your own agent before it ever reaches us. We store only the ciphertext. The encryption key is derived inside your agent and is never sent to our server, so we cannot read or search those sealed fields — and neither can anyone who compels us to produce your data. The rest of the decision (labels, structure, numeric scores) stays readable so the document still works. Sealing is opt-in per decision and needs an agent that can hold a key in its own runtime (e.g. a coding agent).
When you connect your own agent (connectors / MCP)
You can use Perspicuity by connecting your own AI agent — Claude, Claude Code, ChatGPT, Codex, and similar — over the Model Context Protocol (MCP), using a bearer token you mint. In that mode your agent runs on your side and makes its own calls to its own model provider: we do not proxy that inference and never see your model provider's API key. We receive only the specific data your agent sends to our tools (the decision content it reads or writes). Your agent's provider (Anthropic, OpenAI, etc.) processes your conversation under their privacy terms as your chosen provider — they are not our sub-processor in this mode.
We store the bearer tokens you mint only as a one-way hash — never the token itself — alongside the label, scope, and expiry you set. You can see and revoke your tokens at any time.
4. Why we collect it — and the legal basis
Under GDPR, we rely on the following legal bases:
- Contract performance (Art. 6(1)(b)) — running the product you signed up for: storing your decisions, processing your chat through an LLM, keeping you signed in, billing you for credits.
- Legitimate interests (Art. 6(1)(f)) — minimal server logs for security and abuse detection, error monitoring, rotating backups. Balanced against your interest by minimizing retention and avoiding profiling.
- Consent (Art. 6(1)(a)) — using anonymized excerpts of your structured decision content to improve the product (training data). Off by default; you turn it on if you want to.
- Legal obligation (Art. 6(1)(c)) — keeping tax-relevant invoice records as required by Canadian law.
Because decision content often touches health, finances, relationships, or other sensitive matters, we treat it as special-category data under GDPR Art. 9 even when not structurally typed that way. We do not profile you, score you, or make automated decisions about you.
5. Who we share it with
We use a small set of sub-processors to run the service. The current list lives at /privacy/sub-processors and is updated when it changes. Every byte of your content that leaves our Hetzner server in Germany goes to one of them, for a defined purpose, under a contract.
We never sell your personal data. We never share it with advertisers. We do not allow our LLM sub-processors (Anthropic, Google) to train their models on your data — both contractually exclude API traffic from their training corpora.
6. International transfers
Your data is stored in Germany (Hetzner). Some of our sub-processors (Anthropic, Google, Resend) process data in the United States; both Anthropic and Google are certified under the EU–US Data Privacy Framework, which the General Court of the European Union upheld as valid on 2025-09-03. We keep Standard Contractual Clauses ready as a fallback should the DPF be invalidated.
7. How long we keep it
- Account + decision content: for as long as your account is open. When you delete your account, we hard-delete decision content within minutes and anonymize the account row itself.
- Backups: rotating pg_dump snapshots, capped at roughly two weeks. A deletion may persist in an off-line backup for up to that window before the snapshot rotates out.
- Server logs: at most 30 days.
- Billing records: 6 years, per Canadian tax law.
- Anonymized training data (if you opt in): indefinitely, in anonymized form, as part of the dataset that improves Perspicuity.
8. Your rights
You can, at any time:
- Access the data we hold about you — use Download my data in your profile to get a JSON export.
- Correct your name, email, and preferences in your profile.
- Delete your account — Danger zone in your profile. This hard-deletes your owned content and tombstones the account row.
- Withdraw consent to training-data use at any time in Settings → Privacy. Withdrawal applies going forward; we cannot retrieve data already incorporated into a trained model, but we will stop including new content. You can also override the account-level setting on a per-decision basis (excluding a single decision even when your account allows training, or vice versa).
- Object to any processing that relies on legitimate interests by emailing us.
- Complain to your data-protection authority — in the EU your national DPA, in Canada the Office of the Privacy Commissioner.
9. Cookies and similar technology
Perspicuity uses only strictly-necessary cookies — we do not need a cookie banner under ePrivacy, but we list them here because the privacy notice must:
- janus_session — keeps you signed in (OIDC session).
- invite_token — short-lived, set when you click a team invite link.
- welcome_code — short-lived, set when a promo code is in the URL.
We use localStorage (not a cookie) to remember your light/dark theme preference. There are no analytics or marketing cookies. There are no third-party trackers.
10. Children
Perspicuity is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has created an account, email us and we will close it.
11. Security
We use TLS in transit (Let's Encrypt via Caddy), encryption at rest on the underlying volumes, hashed bearer tokens, and a small number of audited sub-processors. We monitor errors via a self-hosted GlitchTip on the same machine.
If we ever suffer a personal-data breach that poses a real risk to you, we will notify you by email and (where required) the Office of the Privacy Commissioner of Canada within the timelines that PIPEDA and GDPR Art. 33–34 require.
12. Changes to this notice
If we change this notice in a way that materially affects how we handle your data, we will email you before the change takes effect and surface the change in-product. Minor edits (typos, clarifications) are made silently; the Last updated date at the top always reflects the most recent revision.
13. Contact
Email privacy@peopleandplanet.consulting. Postal: People and Planet Consulting Inc., Canada.