Privacy Policy

Effective May 22, 2026

1. Introduction and Scope

socialistic.ai (the "Service") is operated by 海苔社区 ("海苔社区", "we", "us", or "our"). This Privacy Policy applies to all personal data collected through the Service at https://socialistic.ai, including the web application and APIs. By using the Service you acknowledge the practices described here. If you do not agree, you should stop using the Service.

2. Service Architecture

The Service runs across a Next.js web and API layer hosted on Vercel; skill-execution agents ("Goose agents") on virtual private servers managed by 海苔社区; and authentication, database, and storage from Supabase. Each component processes personal data only as needed to perform its function, and communication between components is encrypted in transit with HTTPS/TLS.

3. Data We Collect

  • 3.1 Account and authentication data. When you sign in, we receive and store profile information from the method you choose — currently Google, GitHub, or WeChat, or a one-time email sign-in link. Depending on the method, this may include your display name, email address, avatar image, and a unique identifier from the provider. We never receive or store a password.
  • 3.2 User content. This includes Skill metadata (source URL, title, description, configuration), Own key mode API keys supplied by creators, files and links submitted on the cold-start surface, and the messages exchanged in conversation sessions.
  • 3.3 Telemetry and usage data. We collect product analytics through PostHog (pages viewed, interface interactions, feature events, session duration, referral source) and standard server logs (IP address, user-agent, timestamps, response codes, request URIs), used only for operating, monitoring, and debugging the Service.
  • 3.4 Credit and transaction data. If you use credits, we store your wallet balance and an append-only ledger of credit movements — tips, hosted-usage charges, and promotional grants — including the amount, reason, counterparty, and what authorized each movement.

4. How We Use Your Data

We process your personal data to authenticate you and maintain your account; to render and distribute the Skill cards you create; to provision and manage Goose agent sessions; to transmit your messages to the third-party LLM provider configured for a Skill; to operate the credit system and keep an auditable record of credit movements; to diagnose errors and maintain stability; and to comply with legal obligations. We do not sell, rent, or license personal data. We do not use the content of your messages, uploaded files, or conversation history to train or improve any machine-learning model.

5. Data Flow During Skill Execution

When a consumer runs a Skill, their input — text, uploaded files, code, and URLs — is sent from our backend to the third-party LLM provider configured for that Skill, using either the creator's Own key mode API key or, for a hosted Skill, the platform's key. The provider returns a response, and both input and response are stored in our database so the conversation can continue. We do not inspect, analyze, or mine the substance of your conversations or files for any purpose beyond technically delivering the Service. Each LLM provider's own privacy policy governs how it handles the data it receives.

6. LLM API Key Security

We know an API key is sensitive. If you are a creator who uses Own key mode, this is how your key is protected:

  • Your key is never visible to consumers, to other creators, or to anyone you share your Skill with. It never appears in a shared page, URL, share surface, or conversation. Only you, signed in to your own account, can view or change it.
  • Your key is stored on our servers solely to serve LLM calls for your Skill, and is transmitted only over encrypted (HTTPS/TLS) connections between the browser, our servers, and the agent runtime.
  • Access to the systems that hold your key is limited to authorized personnel on a need-to-know basis. You can change, remove, or rotate your key at any time from your skill configuration; removing it immediately stops the Skill from being shareable. All data in transit between clients, our servers, and internal components is protected with TLS.

7. Credit and Financial Data

The credits ledger is the authoritative, append-only record of every credit movement; your wallet balance is a cached read of that ledger. We retain ledger and transaction records for as long as needed to provide the Service, resolve disputes, and meet legal and accounting obligations, which may extend beyond account closure.

8. Third-Party Data Recipients

  • 8.1 Identity providers. Google LLC, GitHub, Inc., and/or Tencent (for WeChat sign-in) receive and process authentication data when you choose to sign in through them.
  • 8.2 LLM providers. When a Skill runs, your messages and attached content are sent to the third-party LLM provider configured for that Skill. We do not control how those providers handle data.
  • 8.3 Infrastructure and service providers. Vercel, Inc. (hosting and CDN), Supabase, Inc. (database, authentication, storage, and delivery of email sign-in links), and PostHog, Inc. (product analytics). Each acts as a data processor on our instructions under its own data processing agreement.

We do not disclose personal data to advertisers or data brokers, or to any third party for marketing purposes.

9. Data Retention

Account data is kept while your account is active. Skill metadata, conversation history, and uploaded files are kept until you delete them or close your account, after which the associated data is removed from active systems within thirty (30) days; encrypted backups are purged within ninety (90) days. Credit ledger and transaction records are retained longer where needed to meet legal, accounting, and dispute-resolution obligations.

10. Your Rights and Choices

Subject to applicable law, you may access the personal data we hold about you, request correction or deletion, object to or restrict certain processing, and request a portable copy. You can delete your Skills at any time from your skills page, and you can contact us to exercise any right or to request account deletion. We respond to verified requests within thirty (30) days or as the law requires.

/me/skills · official@tinkerland.app

11. Cookies and Tracking

The Service uses a small set of first-party cookies strictly necessary for authentication sessions, language preference, and recording your response to the pay-willingness question. PostHog sets a first-party analytics cookie for visitor deduplication; you can block it via your browser settings without losing core functionality. We do not use third-party advertising cookies or cross-site tracking.

12. Children's Privacy

The Service is not directed to, and we do not knowingly collect personal data from, anyone under thirteen (13) or under the age of digital consent in their jurisdiction. If we learn we have collected such data, we will promptly delete it.

13. Abuse Reports and Investigations

If you report abuse, or are the subject of a report, we process the information in the report — including the Skills, accounts, and evidence involved — to investigate and act on it. We treat a reporter's identity as confidential and do not disclose it to the reported party. We retain investigation and enforcement records for as long as needed to keep the Service safe, handle appeals, and meet legal obligations.

14. Modifications to This Policy

We may modify this Privacy Policy at any time. If we make a material change, we will update the "Effective" date above and, where practicable, give notice through the Service. Your continued use of the Service after a revised policy is posted constitutes acceptance.

15. Service Continuity

The Service is operated on a commercially reasonable, best-effort basis. We do not guarantee uninterrupted availability and may modify, suspend, or discontinue any part of the Service at any time, subject to Section 14 on material changes.

16. Contact

For questions or requests about this Privacy Policy or our data practices, email us at the address below.

official@tinkerland.app
