Legal · Version 2
Privacy Policy
Effective 2026 · Last updated 2026
Pocai is an independent project operated by a single developer. This Privacy Policy explains what personal data we collect, how we use it, and your rights regarding that data. We take your privacy seriously and design our systems to minimize data collection.
1. Who We Are
Pocai is operated by a single independent developer based in Turkey as a personal project. There is no company, legal entity, team, or investors. All data handling is done in accordance with this policy.
2. Data We Collect
Email & Name
Collected at registration for account identification. Used to communicate service updates.
Date of Birth
Collected for age verification at signup. Used only to confirm eligibility and never for profiling or advertising.
Parent Email
Collected from users aged 13-15 in certain regions for verifiable parental consent under GDPR Article 8.
Login Sessions
IP, country/city, browser info, device ID, and success/failure status. Used for security monitoring.
Console Activity
API key creation, usage metrics, and settings changes logged for account management.
IP Address
Logged by Cloudflare for security. Not used for tracking, profiling, or advertising.
Usage Data
API request counts and token consumption. Used for rate limiting and billing.
3. How We Use Your Data
Your data is used exclusively to provide, maintain, and improve the service:
- Authenticating your account
- Managing API access and rate limits
- Detecting and preventing unauthorized access and abuse
- Processing moderation demo text through a self-hosted AI model for content classification (text is processed in real-time and not stored or used for model training)
- Communicating service updates when necessary
What we do NOT do with your data: We do not sell, rent, or trade your personal data. We do not use your data for advertising or profiling. We do not use your content to train or improve AI models — including moderation demo text sent to our self-hosted model, which is processed in real-time and never retained by the model. We do not share your data with third parties except those listed below.
4. Legal Basis for Processing
We process your personal data based on: (a) your consent when you create an account, (b) contractual necessity to provide the service you requested, (c) legitimate interests in securing and improving the service, and (d) compliance with legal obligations where applicable. You may withdraw consent at any time by deleting your account.
5. Third-Party Services
Supabase
Authentication, database, and email delivery.
Cloudflare
Edge network, API proxy, and DDoS protection.
hCaptcha
Bot and spam protection on registration and login.
Vast.ai
GPU infrastructure provider for self-hosted AI moderation model.
Each provider has its own privacy practices. The developer has no control over their data processing.
6. Data Security & Information Security Program
We maintain a written information security program for all personal data, including children's personal information. This program includes:
- All connections use HTTPS with TLS encryption in transit.
- Database encryption at rest is provided by Supabase infrastructure.
- Passwords are hashed using bcrypt. No plain-text password storage.
- Row-level security ensures users can only access their own data.
- Annual risk assessments and security testing of safeguards.
- Access controls: only the developer has administrative database access via service role keys.
- Incident response: security incidents are investigated and reported to affected users and relevant authorities within 72 hours.
Designated security program coordinator: trypocai@proton.me.
9. Your Rights
Depending on your jurisdiction, you may have the following rights:
To exercise any of these rights, email trypocai@proton.me. You can also delete your account via Console Settings. When you request deletion, your account is scheduled for permanent deletion after a 30-day grace period. During this period, you can cancel the deletion by signing in and using the Cancel Deletion option in Settings.
Turkish Users: KVKK (Law No. 6698) Rights. As a user in Turkey, you have the right to: (a) learn whether your personal data is processed, (b) request information about it if it has been processed, (c) learn the purpose of the processing and whether the data is used in line with that purpose, (d) know the third parties to whom personal data is transferred domestically or abroad, (e) request correction of personal data that has been processed incompletely or inaccurately, (f) request erasure or destruction of personal data under the conditions set out in the law, (g) object to a result arising through automated systems, (h) claim compensation for damage suffered due to unlawful processing. To exercise these rights, send an email to trypocai@proton.me.
10. Children's Privacy
Pocai requires users to be at least 13 years old. We do not knowingly collect data from children under 13. Date of birth is collected at registration for age verification. If the date of birth indicates the user is under 13, account creation is blocked. Accounts found to belong to users under 13 will be permanently deleted. If you believe a child under 13 has created an account, contact us immediately at trypocai@proton.me.
COPPA Compliance (US): We comply with the Children's Online Privacy Protection Act (COPPA) and its 2025/2026 amendments. We collect date of birth to verify age. If a user is under 13, we do not collect, use, or disclose their personal information. We maintain a written information security program for children's data, a published data retention policy, and obtain separate verifiable parental consent before disclosing children's personal information to third parties.
GDPR Article 8 (EU users): In EU member states, the digital age of consent is 13-16 depending on the country. Users aged 13-15 are required to provide a parent/guardian email address. We send a parental consent request to that address. Accounts cannot be activated until consent is confirmed. We reserve the right to request proof of parental consent and to suspend accounts where such consent cannot be confirmed.
California Age-Appropriate Design Code Act (CAADC): For users under 18 in California, we apply privacy-protective settings by default, minimize data collection to what is necessary for the service, and do not use dark patterns. Geolocation tracking is disabled by default for minor users.
11. Data Retention
We retain personal data only as long as necessary for the purposes described in this policy. Specific retention periods by data category:
Profile data (email, name, DOB, parent email)
Until account deletion + 30-day grace period
Login session records
90 days, then automatically purged
API usage logs (input tokens, output tokens, costs)
12 months for billing and abuse prevention
Moderation demo logs (input text, results, feedback)
12 months, then anonymized or deleted
Consent audit logs
Permanently retained for compliance evidence
API keys
Until deleted by user or account deletion
Notification records
Until account deletion
Credit transaction history
Until account deletion
Backups (Supabase-managed)
Up to 30 days per provider policy
Indefinite retention is prohibited. When a retention period expires, data is automatically deleted or anonymized. Deletion requests are processed within 30 days. Account deletion schedules permanent deletion after a 30-day grace period during which the user may cancel.
12. International Transfers
Pocai is operated from Turkey. Data is processed and stored on Supabase infrastructure, which may be located in various regions including the United States and the European Union. Data protection laws in these regions may differ from your country of residence.
EEA/UK users: Transfers of personal data outside the European Economic Area are governed by Supabase's Data Processing Agreement, which includes Standard Contractual Clauses (SCCs) approved by the European Commission. We do not independently transfer your data outside Turkey/EEA — all such transfers occur through Supabase's infrastructure under these safeguards.
Turkish users: As a data controller based in Turkey, Pocai processes personal data in compliance with KVKK (Law No. 6698). Cross-border data transfers to Supabase are conducted under appropriate safeguards as required by KVKK Article 9.
13. Policy Changes
This policy may be updated at any time. Material changes will be communicated via the website or console. The version and effective date at the top of this page indicate the most recent revision. Continued use after an update constitutes acceptance of the revised policy. Significant changes may require re-consent.
14. Contact
Privacy inquiries: trypocai@proton.me