Last updated: May 5, 2026

Plain-English summary at the top, full details below. Have a licensed attorney review before commercial scale.

At a glance

• We are Applied Continuity LLC dba KnowledgeBricks, an Indiana LLC.
• We use Clerk for authentication, Stripe for payments, Supabase for our database, Vercel for hosting, OpenAI for embeddings, and Anthropic for AI-generated answers. Each is a sub-processor under this Policy.
• When you ask a question through Ask a SME, the question text is logged and stored in our database for product improvement and corpus development. Before storage, we run an automated PII redaction pass that replaces detected emails, phone numbers, SSNs, credit-card numbers, API keys, and secrets with placeholders.
• A nightly export copies that day’s redacted questions to a private repository we control. Exports are not shared with third parties.
• We do not sell or share your personal information for cross-context behavioral advertising.
• We do not use your subscriber data, your questions, or our Content to train third-party AI models, and our Terms forbid you from doing the same with our Content.
• You can email support@kbaas.ai at any time to access, correct, export, or delete your data.

1. Who we are

Applied Continuity LLC, an Indiana limited liability company doing business as KnowledgeBricks (“we”, “us”), operates knowledgebricks.com, logistics.knowledgebricks.com, and related services (collectively, the “Service”). This Policy covers all KnowledgeBricks properties unless a property posts its own policy that says otherwise. For purposes of GDPR, we are the data controller. For CCPA/CPRA purposes, we are a business.

For privacy questions, contact support@kbaas.ai with “Privacy Request” in the subject line.

2. Information we collect

2.1 Account information (via Clerk)

When you create an account, Clerk processes your email address, password (hashed), name (if provided), and any third-party identity tokens (e.g., Google OAuth). Clerk acts as our authentication processor; we receive a Clerk user ID and limited profile information. See Clerk’s Privacy Policy.

2.2 Billing information (via Stripe)

When you subscribe, Stripe, Inc. collects and processes your payment instrument, billing address, and transaction history. We receive a Stripe customer ID, subscription status, and metadata about your plan, but never your full card number. See Stripe’s Privacy Policy.

2.3 Subscription and access metadata

We store your tier (free, standard, pro), entitlement timestamps, and any complimentary access flags in our database (Supabase). This is necessary to deliver the paid Service.

2.4 Ask a SME questions

When you submit a question through Ask a SME, we log:

• The question text, after automated PII redaction (see Section 3).
• The AI-generated answer returned to you.
• The tier under which the question was asked, whether the answer was paywall-locked, and how many citations were returned.
• A coarse timestamp and a bucketed indicator of recent question volume from your account or IP (used for the anonymous 3-questions-per-day rate limit and abuse detection).
• For anonymous askers, a hashed IP address used only for the daily rate limit. We do not store the raw IP in the questions log.

2.5 Server logs

Like most web services, our hosting (Vercel) and database (Supabase) generate operational logs that include IP address, user-agent, request path, response status, and latency. These logs are retained for up to 30 days and are used to operate, secure, and debug the Service.

2.6 Cookies and similar technologies

We use a small number of strictly necessary cookies and tokens — primarily to keep you signed in (Clerk session), to remember your dark/light mode choice, and to enforce rate limits. We do not use third-party advertising cookies.

2.7 Information we do not collect

We do not knowingly collect data from anyone under 18. We do not request government IDs, financial account numbers, biometric data, or precise geolocation.

3. Automated PII redaction (questions log)

Before any question is written to our database, the question text is processed by an automated redaction routine. The routine detects and replaces the following patterns with neutral placeholders such as [EMAIL], [PHONE], [SSN], [CARD], [KEY], [SECRET], [TOKEN], [NAME], and [IP]:

• Email addresses
• Phone numbers (US and international formats)
• US Social Security numbers
• Credit-card-shaped numeric strings (Luhn-style)
• API key prefixes (sk_, pk_, AWS, GitHub tokens, and similar)
• Bearer tokens and authorization headers
• Tokens embedded in URL query strings
• Names introduced as “my name is …” or “I am …”
• IPv4 addresses

Alongside the redacted text we store a non-reversible summary of what categories were detected (e.g., {"type":"email","count":1}) so we can monitor redaction effectiveness. We do not store the original raw text.

Automated redaction is a best-effort system. It will not catch every form of personal data. Please do not paste sensitive personal information, customer-confidential data, or trade secrets into Ask a SME. If you accidentally submit such data, email support@kbaas.ai and we will purge the affected row from our database and from any subsequent export.

4. Nightly export of questions

Each day, a scheduled job exports the prior day’s redacted questions log into a markdown file inside a private repository we control (kbaas-ai/logistics-vault, path _questions/YYYY-MM-DD.md). This export contains the same redacted question text and answer summary that we already store in our database. The repository is private and access is limited to KnowledgeBricks personnel. Exports are retained indefinitely as part of our internal product-improvement corpus and are not shared with third parties or used to train external AI models.

5. How we use information

We use the information described above to:

• Provide the Service and authenticate you.
• Process payments and manage subscriptions.
• Operate the Ask a SME feature, including retrieval and rate limiting.
• Improve our Content and retrieval pipeline by analyzing redacted question patterns at an aggregate level.
• Detect and prevent abuse, account sharing, fraud, and security incidents.
• Send transactional emails (account, billing, security). We do not send marketing emails without separate opt-in.
• Comply with legal obligations and enforce our Terms and Acceptable Use Policy.

Lawful bases (GDPR / UK GDPR)

6. AI training

We do not sell, license, or otherwise make subscriber data, the questions log, or our Content available for training, fine-tuning, or evaluation of any third-party AI model. Our processors (Clerk, Stripe, Supabase, Vercel, OpenAI, Anthropic) are contractually limited to processing data for the purpose of delivering their service to us; we have selected processors that contractually do not use customer API content to train their general models. Specifically:

• OpenAI (embeddings) and Anthropic (answer generation) are accessed via their commercial APIs, which by default do not retain or train on submitted content.
• We may use the redacted questions log internally to improve our own retrieval, ranking, and Content gaps. We do not export it to third parties for training.

The reciprocal restriction — that you may not use our Content to train any AI system — is in our Terms Section 8.

7. Sharing and disclosure

We share information only with:

• Sub-processors that operate parts of the Service on our behalf (see Section 8).
• Professional advisors (attorneys, accountants, auditors) under confidentiality.
• Government authorities when required by valid legal process or to protect the rights, property, or safety of any person.
• Successors in connection with a merger, acquisition, or sale of assets, subject to a successor’s commitment to honor this Policy.

We do not sell personal information for monetary consideration, and we do not “share” personal information for cross-context behavioral advertising as those terms are defined under the CCPA/CPRA.

8. Sub-processors

We will update this list when we add or change sub-processors. For changes that materially affect the categories of personal data processed, we will provide notice via the Service or email.

9. International transfers

Our Service is hosted in the United States. If you access it from outside the US — including the EU/EEA, UK, Canada, or Brazil — your information will be transferred to and processed in the United States. Where applicable, we rely on Standard Contractual Clauses (2021 EU SCCs, with the UK Addendum where relevant) with our sub-processors to safeguard transfers.

10. Retention

11. Your rights

Depending on where you live, you may have the right to:

• Access the personal data we hold about you.
• Correct inaccurate data.
• Delete data (“right to be forgotten” / right to deletion).
• Port data to another service in a structured, machine-readable format.
• Object to or restrict certain processing.
• Opt out of any “sale” or “sharing” — though we do not sell or share for advertising.
• Withdraw consent where processing is based on consent.
• Lodge a complaint with your supervisory authority (EU/EEA, UK) or your state attorney general (California and similar).

To exercise any right, email support@kbaas.ai with “Privacy Request” in the subject line. We will verify your identity through your registered email and respond within 45 days (CCPA) or 30 days (GDPR), and may extend by an additional period as permitted by law if your request is complex.

We will not discriminate against you for exercising your privacy rights.

12. Security

We use commercially reasonable technical and organizational measures, including TLS in transit, encryption at rest at our sub-processors, scoped access tokens, principle-of-least-privilege database roles, and automated PII redaction in the questions log. No system is perfectly secure; if we become aware of a breach affecting your personal data we will notify you and applicable regulators within the timeframes required by law.

13. Children

The Service is not directed to children under 18, and we do not knowingly collect personal information from anyone under 18. If you believe a minor has provided us personal information, contact support@kbaas.ai and we will delete it.

14. California-specific disclosures (CCPA / CPRA)

In the past 12 months we have collected the categories of personal information described in Sections 2 and 2.4 (identifiers, commercial information, internet/network activity, and the contents of questions submitted to Ask a SME after redaction). We collect this information directly from you and from our sub-processors. We use it for the purposes described in Section 5. We have not sold personal information for monetary consideration and we have not “shared” personal information for cross-context behavioral advertising.

California residents may exercise the rights to know, delete, correct, and limit the use of sensitive personal information, and may designate an authorized agent to act on their behalf, by contacting support@kbaas.ai.

15. Changes to this Policy

We may update this Policy from time to time. The “Last updated” date at the top reflects the latest version. For material changes, we will notify you via the Service or by email at least fifteen (15) days before they take effect.

16. Contact

Applied Continuity LLC dba KnowledgeBricks 6101 North Keystone, Suite 100 #1326 Indianapolis, IN 46220 United States support@kbaas.ai