Privacy Policy

Last updated: March 13, 2026

At Contral ("we", "us", "our"), we respect your privacy. This policy explains how we collect, use, and protect your information when you use the Contral IDE, our website (contral.ai), and related services.

1. Information We Collect

Account Information

When you sign up, we collect your email address, display name, and authentication data via Firebase Authentication (Google sign-in or email/password).

Usage Telemetry

With your consent, the Contral IDE collects anonymized usage analytics to help us improve the product. This includes:

  • Feature usage counts (e.g., number of build messages, explanations, deep dives)
  • LLM API call metadata (model used, duration, success/failure — never your code or prompts)
  • Session lifecycle events (create, delete, switch)
  • Mode changes (Fast, Plan, Deep)
  • Error events (error type only, no stack traces containing user data)

If you decline consent, we track only aggregate feature counts, with no metadata, device identifiers, or session information.

Device Identification

For fraud prevention and abuse detection, we generate a device identifier based on hardware characteristics (a one-way hash — we cannot reverse it to identify your hardware). This is used solely to detect multi-account abuse under our legitimate interest basis (GDPR Art. 6(1)(f)).

Billing Information

Payment processing is handled by Dodo Payments. We do not store your credit card or bank details. We retain your subscription status, plan, and billing interval to manage your tier access.

2. How We Use Your Information

  • Product improvement — Usage telemetry helps us identify which features are valuable and where users encounter issues
  • Tier enforcement — We track usage counts to enforce free/Pro/Pro+ quota limits
  • Abuse prevention — Device IDs and IP addresses help us detect multi-account abuse and quota gaming
  • Billing — Subscription management and payment processing
  • Communication — Account notifications, billing alerts, and product updates (you can opt out)

3. What We Never Collect

  • Your source code or project files
  • Your prompts or conversations with the AI agent
  • File contents, file names, or directory structures
  • Clipboard contents or screenshots
  • Keystrokes or input patterns

4. Data Storage & Retention

  • All data is stored in Google Cloud Firestore (Firebase) with encryption at rest
  • Telemetry events — retained for 90 days, then automatically deleted
  • Usage snapshots — retained for 2 years for analytics
  • Account data — retained until you delete your account
  • Payment records — retained as required by law (typically 7 years)

5. Your Rights

Depending on your jurisdiction, you have the following rights:

All Users

  • Access — Request a copy of all data we hold about you
  • Deletion — Request deletion of your telemetry and usage data
  • Export — Download your data in JSON format (data portability)
  • Consent withdrawal — Decline or revoke telemetry consent at any time in the IDE settings

GDPR (European Union)

Legal bases: consent (Art. 6(1)(a)) for telemetry, legitimate interest (Art. 6(1)(f)) for device fingerprinting and abuse prevention, contract performance (Art. 6(1)(b)) for billing and account management. You may exercise your right to object under Art. 21.

CCPA (California)

We do not sell your personal information. You have the right to know what data we collect, request deletion, and opt out of any future data sales (though we have no plans to sell data).

DPDP Act (India)

You have the right to access, correct, and erase your personal data. You may nominate another person to exercise your rights. We will respond to requests within 30 days.

6. How to Exercise Your Rights

You can manage your data directly:

  • Export your data — POST to /api/privacy/export-data with your auth token
  • Delete your telemetry — POST to /api/privacy/delete-data with your auth token
  • Revoke consent — Click "Decline" on the consent banner in the IDE, or clear contral-privacy-consent from localStorage

Or email us at contact@contral.ai and we will respond within 30 days.

7. Third-Party Services

  • Firebase (Google) — Authentication and database. Privacy policy
  • Dodo Payments — Payment processing. Privacy policy
  • Vercel — Website hosting and analytics. Privacy policy
  • NVIDIA NIM / OpenAI / OpenRouter — LLM inference. Your prompts are sent to these providers to generate responses. We use API-only access (no training on your data).

8. Contact

If you have questions about this privacy policy or want to exercise your data rights: