Privacy Policy

Our Core Promise

Your data is sacred. IsItDebateable and the Augmented Wisdom Engine (AWE) platform are built on the principle that user privacy is non-negotiable. We do not sell, trade, rent, or share your personal information with any third party for advertising, marketing, or profiling purposes — ever. Every architectural decision we make prioritizes your security and privacy above convenience or profit.

🍪Zero-Cookie Policy

We operate a strict zero-cookie policy. The AWE platform does not store cookies on your browser — not for tracking, not for analytics, not for advertising, and not for session persistence. Where session management is required, we use secure, server-side-only session tokens that are never exposed to the browser's cookie jar. This means:

• ●No tracking cookies are ever placed on your device
• ●No third-party cookies from advertisers, analytics platforms, or social networks
• ●No persistent cookies that survive after you close your browser
• ●No supercookies, fingerprinting scripts, or any browser-based tracking mechanism
• ●Session data is managed entirely server-side and destroyed when your session ends
• ●We do not use localStorage or sessionStorage for any personally identifiable information

🛡Anti-Keylogger & Input Protection

We take active measures to protect your keystrokes and input data from interception:

• ●All form inputs involving sensitive data (passwords, payment details, personal information) are transmitted over TLS 1.3 encrypted connections exclusively
• ●Payment processing is handled entirely by Stripe — your card number, CVV, and billing details never touch our servers. Stripe's PCI DSS Level 1 certified infrastructure handles all payment data directly in their secure iframes
• ●We do not include any third-party scripts that monitor, record, or replay user input behavior (no session replay tools, no heatmap trackers, no form analytics)
• ●No JavaScript keyloggers, input monitors, or clipboard readers are present anywhere in our codebase
• ●We actively audit our dependency tree to ensure no supply-chain attacks introduce input-capturing code
• ●Content Security Policy (CSP) headers restrict which scripts can execute, blocking unauthorized code injection

📋What Data We Collect

We collect only what is strictly necessary to operate the platform:

• ●Account information: Username, email address, and hashed password (we never store plaintext passwords)
• ●Profile data: Any information you voluntarily add to your public profile
• ●Platform activity: Debates participated in, scores earned, DUST token balances and transactions — stored server-side only
• ●Payment records: Transaction IDs and subscription status only — Stripe holds all financial details on their PCI-compliant infrastructure
• ●Content you create: Arguments, publications, and submissions you actively post to the platform
• ●Device authentication tokens: For verified device management, stored server-side with no browser persistence

🚫What We Never Collect

The following data is never collected, stored, or processed by our platform:

• ●Browser fingerprints or device fingerprints
• ●IP-based geolocation tracking or IP address logs beyond immediate request handling
• ●Keystroke patterns, typing cadence, or mouse movement data
• ●Contacts, photos, files, or any data from your device beyond what you explicitly upload
• ●Cross-site browsing history or referral tracking
• ●Biometric data beyond what you explicitly enroll in our optional security features (stored encrypted, server-side only)
• ●Social media profiles, friend lists, or third-party account data
• ●Advertising identifiers or marketing profiles

💳Payment Security (Stripe)

All payment processing is handled by Stripe, a PCI DSS Level 1 certified payment processor — the highest level of certification in the payment industry. Here is exactly how your payment data is protected:

• ●Your credit card number, expiration date, and CVV are entered directly into Stripe's secure, isolated iframe — these values never pass through our servers
• ●We receive only a tokenized reference (a Stripe customer ID and subscription ID) — we cannot see or reconstruct your card details
• ●Stripe encrypts all data at rest using AES-256 and in transit using TLS 1.3
• ●We do not store, log, or cache any payment credentials anywhere in our infrastructure
• ●Refund processing is handled through Stripe's dashboard — we never re-enter or access your payment details
• ●Webhook communications from Stripe to our servers are verified using cryptographic signatures to prevent tampering

🔒Data Encryption & Storage

Your data is protected at every layer:

• ●All data in transit is encrypted using TLS 1.3 — the most current transport encryption standard
• ●Passwords are hashed using industry-standard one-way hashing algorithms — they cannot be reversed or decrypted, even by us
• ●Database access is restricted to authenticated, authorized server processes only — no direct external access is possible
• ●Server infrastructure uses encrypted storage volumes
• ●API keys, secrets, and credentials are stored in environment variables, never in source code
• ●Regular security audits review our codebase for vulnerabilities including XSS, CSRF, SQL injection, and other OWASP Top 10 threats

🔗Third-Party Services

We minimize third-party dependencies. The services we do use are limited to:

• ●Stripe — Payment processing only. Subject to Stripe's own privacy policy. We share only email and name for receipt/invoice purposes
• ●Vercel / Railway — Hosting infrastructure. No user data is shared with the hosting provider beyond what is necessary to serve the application
• ●No Google Analytics, Facebook Pixel, Hotjar, Mixpanel, or any third-party tracking/analytics service is used
• ●No advertising networks or ad exchanges are integrated into the platform
• ●No social media SDKs or tracking pixels are loaded

⚖Your Rights & Controls

You have full control over your data:

• ●Access: You can request a complete export of all data we hold about you at any time
• ●Deletion: You can request permanent deletion of your account and all associated data. We will comply within 30 days and confirm deletion in writing
• ●Correction: You can update or correct any personal information through your account settings or by contacting us
• ●Portability: Your data export will be provided in a standard, machine-readable format
• ●Objection: You can object to any specific data processing and we will cease that processing unless legally required to continue
• ●These rights apply regardless of your location — we extend GDPR and CCPA-level protections to all users globally

👶Children's Privacy

The AWE platform is not intended for use by individuals under the age of 13. We do not knowingly collect personal information from children. If we discover that a child under 13 has created an account, we will immediately delete the account and all associated data. If you believe a child under 13 is using our platform, please contact us immediately.

🚨Data Breach Protocol

In the unlikely event of a data breach:

• ●Affected users will be notified within 72 hours of discovery via their registered email
• ●A public disclosure will be posted on the platform detailing the scope and nature of the breach
• ●Immediate containment measures will be enacted including credential rotation and access revocation
• ●A full post-incident report will be made available to affected users
• ●Relevant regulatory authorities will be notified as required by applicable law

Policy Updates

If we make material changes to this privacy policy, we will notify users via an in-platform announcement at least 14 days before the changes take effect. Continued use of the platform after the effective date constitutes acceptance of the updated policy. Previous versions of this policy will remain accessible for reference.