Privacy Policy
Last updated: March 2026
Recense Ltd ("Recense", "we", "us") operates recense.ai. This policy explains what data we collect, why, and what we do with it.
The key point
Recense is local-first. Survey import, tabulation, and analysis run in your browser using WebAssembly. If you choose cloud save or the cloud dataset library, those project and dataset bytes are encrypted in your browser before upload. We do not offer remote raw-data access in the hosted product.
Enterprise hosted compute is a separate path. It only applies to datasets your organisation explicitly publishes for direct hosted access, and it is described separately from the standard client-encrypted cloud library model below.
What we collect and why
Account data
When you create an account, we collect your email address, name, and password (hashed). This is processed by Supabase (our authentication provider) and stored in their EU-hosted infrastructure.
Lawful basis: Contract performance (necessary to provide the service).
Subscription and billing data
If you subscribe to a paid plan, payment processing is handled by Stripe. We do not store your card details. We receive your subscription status, plan type, and billing history from Stripe.
Lawful basis: Contract performance; legal obligation (financial record keeping).
AI agent conversations
If you use the built-in AI agent, your conversation messages are proxied through our
server to the model provider (Anthropic, OpenAI, Google, or Fireworks AI, depending on
the model the agent routes to). These messages include questions you ask, context the app assembles
about your dataset schema, and the results of any tools the agent calls while answering.
When the agent needs to inspect your data to answer a question, it may call tools
(including read_raw_data) whose results contain respondent-level values;
those tool results become part of the conversation and are sent to the model provider
on the next turn.
We do not store the text of your conversation. Per-request metadata (user ID, timestamp, model, input/output token counts) is retained for billing and abuse detection. Under each provider's default API terms, inputs are not used to train models; we do not direct providers to train on your data.
If you use the Bring Your Own Key (BYOK) agent, conversations go directly from your browser to your chosen AI provider. We never see them.
Lawful basis: Consent (you explicitly opt in before using the AI agent).
Error tracking
We use Sentry for error monitoring. When an error occurs, we collect the error type and stack trace. We attach your Recense user ID (a UUID) so we can reproduce issues and respond to support tickets. We explicitly strip survey data, variable names, email addresses, IP addresses, cookies, and request bodies before sending to Sentry. You can opt out by enabling "Work Local" mode in account settings.
Lawful basis: Legitimate interest (maintaining service reliability and fixing bugs).
Usage metrics
We track aggregate usage (e.g. number of AI agent requests) for billing and cost management. We do not track which datasets you analyse, what variables you select, or what results you see.
Lawful basis: Legitimate interest (billing accuracy and capacity planning).
Hosted semantic variable search
If an organisation admin enables hosted semantic variable search, we send variable names, variable labels, and selected value labels to OpenAI to generate embeddings. This is optional and disabled by default.
Lawful basis: Consent / administrator instruction (the feature is explicitly enabled per organisation).
Enterprise hosted compute
If an organisation admin enables enterprise hosted compute and publishes a dataset to it, Recense stores Parquet and metadata artifacts server-side so the direct hosted endpoint can process that published dataset without an open browser tab.
This does not apply to unpublished cloud datasets, which remain client-encrypted before upload, and it does not enable remote raw-data access.
Lawful basis: Contract performance / administrator instruction (the feature and each published dataset are explicitly enabled by the organisation).
What we do not collect
- Remote raw-data access is not available in the hosted product
- Survey response data in plaintext on our servers for the standard cloud dataset library
- Table results or statistical outputs
- Analytics cookies or tracking pixels — we use no third-party analytics
- IP addresses (explicitly excluded from error tracking)
What we may process
- Cloud project ciphertext and cloud dataset ciphertext, if you choose to upload them
- Cloud dataset catalog metadata such as dataset name, filename, format, size, and timestamps so organisation members can browse the library
- Hosted-compute Parquet artifacts for datasets your organisation explicitly publishes to the direct hosted endpoint
- Variable names, labels, and selected value labels only when hosted semantic variable search is explicitly enabled by your organisation
Cookies
We use only essential cookies for authentication (session management via Supabase). We do not use analytics cookies, advertising cookies, or tracking pixels. See our Cookie Policy for details.
AI and model training
We do not use your data, conversations, or any content you create to train AI models. When you use the built-in AI agent, your conversations are processed by Anthropic, OpenAI, Google, or Fireworks AI under their default commercial API terms. We do not direct providers to train on your data. We do not retain the text of your conversations after the API request completes.
Data storage and security
Account and subscription data is stored in Supabase (hosted in the EU). All connections use TLS encryption. If you use cloud save or the cloud dataset library, your project or dataset data is encrypted client-side before upload. We do retain cloud dataset catalog metadata so your organisation can browse uploaded datasets. If your organisation enables enterprise hosted compute, explicitly published datasets are additionally stored as server-side Parquet artifacts for that direct service. For full details, see our Security page.
Your rights (GDPR)
If you are in the UK or EU, you have the right to:
- Access the personal data we hold about you
- Request correction of inaccurate data
- Request deletion of your account and associated data
- Export your data in a portable format
- Object to or restrict processing
To exercise any of these rights, email support@recense.ai.
Data processors
| Provider | Purpose | Data | Location |
|---|---|---|---|
| Supabase | Authentication, database | Email, account data | EU |
| Stripe | Payments | Billing info | US/EU |
| Cloudflare | Hosting, CDN | IP (transient, not logged) | Global |
| Resend | Transactional email | Email address | US |
| Sentry | Error tracking | Error data, user ID | US/EU |
| Anthropic | AI agent (built-in, opt-in) | Conversation text, tool results (may include respondent-level data) | US |
| OpenAI | AI agent (built-in, opt-in) and hosted semantic search (opt-in) | Conversation text and tool results, or variable names and labels | US |
| Google AI | AI agent (built-in, opt-in) | Conversation text, tool results (may include respondent-level data) | US/EU |
| Fireworks AI | AI agent (built-in, opt-in) | Conversation text, tool results (may include respondent-level data) | US (EU regions available) |
Your rights (CCPA/CPRA)
If you are a California resident, you have the right to:
- Know what personal information we collect and how it is used
- Request deletion of your personal information
- Opt out of the sale or sharing of personal information — we do not sell or share your personal information with third parties for advertising purposes
- Non-discrimination for exercising your privacy rights
To exercise these rights, email support@recense.ai.
Data retention
We retain your personal data only as long as necessary:
- Account data — retained while your account is active, deleted within 30 days of account closure
- Billing records — retained for 7 years as required by UK financial regulations
- AI agent conversations — not retained; processed in memory for the duration of the API request only
- Error tracking data — retained for 90 days by Sentry, then automatically deleted
- Cloud project and cloud dataset ciphertext — retained until you delete it
- Hosted-compute Parquet artifacts — retained until you unpublish the dataset from hosted compute, disable hosted compute for the organisation, or delete the dataset
- Cloud dataset catalog metadata — retained until you delete the dataset entry
Children
Recense is not intended for use by anyone under 16. We do not knowingly collect data from children.
Changes to this policy
We will update this page when the policy changes. Material changes will be communicated by email.
Contact
Recense Ltd
Email: support@recense.ai