Privacy Policy - PeerVerify

1. Introduction

PeerVerify is a multi-model AI peer review system that helps you get more reliable answers by having multiple AI models answer your questions, review each other's responses, and synthesize a recommended answer.

We believe in transparency about how your data is handled. This policy explains what we collect, how we use it, and the choices you have—including the option to encrypt your data so that only you can read it.

2. Data We Collect

Authentication Data

We use Cloudflare Access for authentication. When you sign in, we receive:

Data	Source	Purpose
Email address	Your identity provider via Cloudflare Access	Identify your account, associate sessions with you
User ID	Cloudflare Access	Unique identifier for your account

We do not receive or store your password. Authentication is handled entirely by Cloudflare Access.

Session Data

When you use PeerVerify, we store:

Data	Purpose
Your questions/prompts	Send to AI models for processing
AI model responses	Display results, enable session history
Peer review analysis	Show how models evaluated each other
Compiled final answer	Present the synthesized response
Web search results	When enabled, store cited sources

Knowledge Base Documents

If you upload documents to your knowledge base:

File content (PDF, TXT, Markdown, HTML—up to 10MB)
File metadata (name, size, type)
Document descriptions you provide

User Settings

Your preferences, including theme, default model size, web search toggle, and encryption settings.

Audit Logs

For each session, we log events like when models responded and when reviews were completed. This helps with debugging and provides transparency about how your question was processed.

3. How We Use Your Data

We use your data to:

Process your questions through multiple AI models
Enable features like session history and search
Store your knowledge base documents for semantic search
Remember your preferences
Debug issues and improve reliability

What we do NOT do:

Sell your data to anyone
Use your data to train AI models (our AI providers have their own policies—see Third Parties)
Share your data with advertisers
Create marketing profiles
Track you across other websites

4. Zero-Knowledge Encryption

Your data, encrypted by you PeerVerify offers optional client-side encryption. When enabled, your session data is encrypted in your browser before being stored. Only you have the key.

How It Works

Algorithm: AES-256-GCM (industry-standard encryption)
Key derivation: PBKDF2 with 100,000 iterations
Your passphrase never leaves your device
Encryption key is derived locally and stored in your browser

What Gets Encrypted

Encrypted	Not Encrypted
Your original questions	Session metadata (timestamps, model IDs)
AI model responses	Encryption salt (required for key derivation)
Peer reviews	Knowledge base documents
Final compiled answers	User settings

Important Tradeoffs

Please understand before enabling:

No recovery: If you forget your passphrase, your encrypted data cannot be recovered. There are no backdoors.
Processing requires plaintext: The server sees your data in plaintext during AI processing. Encryption protects data at rest, not in transit to AI models.
Browser storage: Your encryption key is stored in your browser. Clearing browser data or using browser isolation will require re-entering your passphrase.

5. Client-Side Storage

We use browser storage to improve your experience:

localStorage

Key	Purpose	Contains
`peerverify_theme`	Remember theme choice	"light", "dark", or "system"
`peerverify_history`	Quick access to recent sessions	Last 5 session IDs
`peerverify_encryption_key`	Encryption parameters	Salt and timestamp (NOT the key itself)

IndexedDB

If encryption is enabled, your encryption key is stored in IndexedDB with an expiration time based on your "unlock duration" setting. The key itself cannot be extracted or exported.

Cookies

We do not set cookies. Authentication is handled via Cloudflare Access headers.

6. Third-Party Services

Cloudflare

PeerVerify runs entirely on Cloudflare's infrastructure:

Service	Purpose	Data Involved
Cloudflare Access	Authentication	Email, user ID
Workers	Application hosting	All application data
D1	Database	Sessions, responses, settings
R2	File storage	Documents, session exports
AI Gateway	AI model routing	Prompts, responses
AI Search	Semantic search	Session content, documents

See Cloudflare's Privacy Policy for details on how they handle data.

AI Gateway features: Content safety filters may block harmful content. Data Loss Prevention may block requests containing sensitive data patterns (like credit card numbers).

Ollama Cloud (Primary AI Provider)

Ollama Cloud is our default AI model provider. Your questions are sent to Ollama's API for processing. Web search queries (when enabled) are also processed by Ollama.

Ollama states: "Ollama does not log prompt or response data." See Ollama Cloud for details.

Cloudflare Workers AI (Fallback Provider)

Cloudflare Workers AI serves as a secondary fallback provider when Ollama Cloud is unavailable. Cloudflare-hosted AI models process your prompts within Cloudflare's infrastructure. Cloudflare states they do not use customer data to train models.

7. Data Retention

Data Type	Retention
Sessions	1 year by default (configurable to 1 month)
Knowledge base documents	Until you delete them
Audit logs	Deleted with their session
User settings	Until account deletion

Automatic Deletion

Sessions are automatically deleted after your configured retention period (1 year by default). You can reduce this to 1 month in your Settings.

Manual Deletion

You can delete individual sessions at any time from "My Sessions". Deleted sessions are permanently removed immediately along with all related data (responses, reviews, audit logs).

8. Your Rights

Access: View all your sessions in "My Sessions"
Export: Download your session data via the API
Delete: Delete knowledge base documents through the UI
Encrypt: Enable zero-knowledge encryption to protect data at rest
Opt-out: Stop using the service at any time

For full account deletion or data requests: Contact us at privacy@peerverify.dev.

For EU/UK Users

Under GDPR, we process your data based on:

Contractual necessity: Providing the service you requested
Legitimate interests: Improving service reliability and security

9. Data Security

Technical Measures

All connections use HTTPS/TLS encryption
Cloudflare Access for authentication (we don't store passwords)
Optional AES-256-GCM client-side encryption
AI Gateway content filters block harmful content
Data Loss Prevention blocks sensitive data patterns

Infrastructure Security

Cloudflare's network provides DDoS protection
D1 and R2 storage is encrypted at rest by Cloudflare
Worker isolation ensures request-level security

10. Children's Privacy

PeerVerify is not directed at children under 13. We do not knowingly collect data from children. If you believe a child has provided us data, please contact us for removal.

11. Changes to This Policy

We may update this policy as we add features. Material changes will be announced on the site. The "Last updated" date at the top indicates when changes were made.

12. Contact

For privacy questions or data requests:

Email: privacy@peerverify.dev