Invariant  ·  Platform Policy

Privacy Policy

Effective April 15, 2026
Questions: privacy@invariant.ai

This policy explains what Invariant collects, why we collect it, where it lives, how long we keep it, and the choices you have. We've tried to write it in plain language. Where we need to be precise, we are.

01

Information we collect

We collect information you provide when you create an account, contact us, or use Invariant services — together with a small set of technical signals the product needs to function and stay safe.

Account information

When you sign up, we collect your full name, email address, and password. We also generate a unique user ID and record when you created your account and last logged in.

Device information

We collect device identifiers (browser fingerprint), IP address, User-Agent string, screen resolution, timezone, and language preferences. This helps us recognize devices and protect accounts from abuse.

Conversation data

Your chat messages, conversation history, chat titles, and timestamps are stored locally in your browser's storage (localStorage and IndexedDB). Only chat IDs and high-level metadata reach our servers.

Usage data

We track API usage, points spent (for guest users), daily usage limits, session activity, and feature usage to operate rate limits and improve the product.

User preferences

Theme preferences, font size, response length preferences, and notification settings are stored in your browser so the product remembers how you like it.

02

Sessions & authentication

We maintain session information to keep you securely logged in and protect your account from unauthorized access.

  • Session tokens are generated on login, expire after 30 days, and are tied to your device fingerprint and IP.
  • Session cookies are marked Secure and HttpOnly so they are not exposed to scripts.
  • Password resets produce temporary tokens that expire in 15–30 minutes and are deleted after use.
  • Login activity (timestamps, device, IP) is retained to help you catch unauthorized access and to detect abuse.

03

Beta program data

When you apply to the beta program, we collect additional information to evaluate eligibility and coordinate feedback.

  • Application information: name, email, role, team, timezone, use case, feedback plans, and motivation.
  • Eligibility verification: we may verify age and jurisdiction based on what you provide.
  • Review: applications may be reviewed by a mix of automated checks and human reviewers.
  • Agreements: we retain records of the commitments you accepted on entry to the program.

04

Third-party integrations

When you connect a third-party service to Invariant, we store the credentials we need to provide the integration.

  • OAuth connections with GitHub, Google, Notion, Slack, Discord, Dropbox, OneDrive, GitLab, Jira, Linear, Confluence, and Trello.
  • Stored credentials: access tokens, refresh tokens, third-party user IDs, and scopes — typically kept in your browser's local storage.
  • OAuth cookies: short-lived (10 minutes) cookies during the authentication flow to maintain state and prevent CSRF.
  • Scoped permissions: only the scopes required for the feature you're using.

05

How we use your data

We use your information to operate the platform, keep it safe, personalize your experience, and communicate with you.

  • Service delivery — authenticating users, serving features, and preserving preferences.
  • Security — device fingerprints, IPs, and session data help us detect abuse and enforce bans.
  • Rate limiting — usage data enforces fair-use limits, including the guest user daily cap.
  • Personalization — your preferences customize themes, layouts, and feature availability.
  • Improvement — aggregated usage patterns, error logs, and feedback inform product decisions.
  • Communications — security notices, policy updates, and responses to your support requests.

06

Storage & location

Your data lives in a few different places depending on what it is.

  • Browser storage — conversations, preferences, OAuth tokens, and session info live in localStorage, sessionStorage, and IndexedDB on your device.
  • Server database — account information, sessions, device associations, reset tokens, and settings live in our server database.
  • Temporary storage — beta applications and processing data may be held briefly in memory before being stored or discarded.
  • Sync — most conversation data stays on your device. Account data lives on our servers so you can sign in from anywhere.

07

Retention

We keep personal information only as long as needed to provide the services, comply with law, resolve disputes, and enforce our agreements.

  • Active accounts — retained while your account is active and for a reasonable period after closure.
  • Sessions — session tokens expire after 30 days of inactivity and are periodically cleaned up.
  • Password resets — reset tokens expire in 15–30 minutes and are deleted after use.
  • Enforcement records — ban and device association logs are retained up to 24 months unless a longer period is required by law.
  • Account closure — chat metadata on our servers is deleted or anonymized within 30 days of closure, except where retention is required.
  • Conversation history — since conversations live in your browser, they persist until you clear them. You can export or delete at any time.
  • Usage records — guest usage data is tracked daily and may be retained for operational analysis.

08

Automated decisions

We use automated systems to detect abuse and enforce platform safety rules. Where a decision materially affects your account, a person can review it.

  • Automated analysis of click patterns, message content, and technical signals to identify spam, fraud, and policy violations.
  • Possible outcomes include warning flags, temporary restrictions, rate limits, or suspension while a case is reviewed.
  • Human review — you may request a person to review any automated decision by emailing privacy@invariant.ai or contacting support.

09

Security

We use administrative, technical, and operational safeguards to protect your data from unauthorized access, loss, or misuse.

  • Transport encryption — HTTPS for data in transit between your browser and our servers.
  • Access controls — employee and system access to personal data is scoped to legitimate business needs.
  • Session security — tokens are securely generated, expire automatically, and are validated on each request.
  • Monitoring — we maintain audit logs and review them for anomalies and suspicious activity.
  • Passwords — we encourage strong, unique passwords. Reset flows include expiring tokens and verification.
  • Browser storage — data in your browser is subject to your browser's security policies. Keep your device updated.

10

Your choices

You can access, correct, or delete your information at any time by contacting us or using in-product controls.

  • Account management — update your profile and password in Settings.
  • Data access — request a copy of the personal data we hold about you.
  • Data deletion — request deletion of your account and associated data (subject to legal retention obligations).
  • Browser data — clear conversation history and preferences via your browser or in-product controls.
  • Communication preferences — manage notifications, product updates, and marketing emails.
  • Third-party connections — disconnect integrations at any time to revoke stored OAuth tokens.

11

Cookies & tracking

We use minimal cookies and browser storage to provide essential functionality. We do not run third-party analytics or advertising trackers.

  • OAuth cookies — secure, HttpOnly, expire after 10 minutes, used only during authentication.
  • Session cookies — secure, HttpOnly, used to keep you signed in across the product.
  • Consent cookie — stores your cookie preference so we don't prompt you repeatedly.
  • localStorage — session tokens, preferences, device IDs, OAuth tokens, and chat history.
  • sessionStorage — short-lived data such as OAuth redirect URLs during authentication.
  • IndexedDB — structured chat data including messages, conversations, and shared chats.
  • Device fingerprint — a combination of non-invasive browser properties for security and rate limiting.
  • No third-party tracking — no Google Analytics, ad pixels, or session-replay tools.

12

Service providers

We rely on a small set of trusted service providers to help us operate the platform. They only receive the data needed to perform services on our behalf.

  • AI model providers — when you use AI features, prompts may be sent to third-party model providers for processing. Their own privacy policies apply.
  • OAuth providers — when you connect a third-party service, that service shares what you authorized and what its policy permits.
  • Hosting & infrastructure — our application and database run on infrastructure providers with limited operational access.
  • Vendor requirements — providers are required to protect data with reasonable security and use it only for authorized purposes.

13

Children's privacy

Invariant is not intended for children, and we take steps to verify that users meet our age requirements.

  • Minimum age — you must be at least 13 (or older, where local law requires it) to use the service.
  • COPPA & parental consent — we do not knowingly collect personal information from children under 13 without verifiable parental consent.
  • Parental rights — a parent or legal guardian may contact us to review, delete, or revoke consent for a child account.
  • Suspension — accounts found below the minimum age may be suspended or removed, with limited data retained for enforcement.

14

Accounts & enforcement

We maintain systems to enforce the terms of service and protect the platform from abuse.

  • Account status — accounts can be active, restricted, suspended, or banned. We track the current state and material changes.
  • Ban enforcement — if an account is banned, we store the reason, expiration (where temporary), and associated device fingerprints.
  • Device-based enforcement — device associations help enforce restrictions across devices used by the same account.
  • User types — registered, guest, and owner accounts carry different permissions and rate limits.
  • Premium status — beta tester and similar flags affect feature access and usage limits.

15

Policy updates

We may update this policy to reflect changes in our practices or legal requirements. The latest version always lives on this page with an updated effective date.

If a change is significant, we'll flag it in-product or by email. Continued use after the effective date means you accept the updated policy.

16

Contact

For privacy questions, data requests, or to exercise your rights, reach us at privacy@invariant.ai. Include the email tied to your account so we can respond quickly.

Reach out
We'll respond within five business days.

For account issues or technical support, you can also use the help section inside the product, or visit the status page for live platform updates.
