Privacy Policy
This Privacy Policy describes how BizTransit Sdn Bhd (Registration: 891234-X), operating as AI Supreme Council ("we", "us", "our"), collects, uses, and protects information when you use our services at aiscouncil.com and bcz.co (the "Service").
1. Information We Collect
1.1 Information You Provide
- Account information: When you sign in via OAuth (Google, Apple, GitHub, Facebook, or WeChat), we receive your name, email address, and profile picture from the identity provider. We do not receive or store your password from any provider.
- API keys: When you enter API keys for AI providers (Anthropic, OpenAI, xAI, OpenRouter, Google Gemini, Ollama), these are stored exclusively in your browser's localStorage. We never transmit, collect, or store your API keys on any server.
- Conversations and bot configurations: All chat messages, bot configurations, system prompts, and session data are stored locally in your browser using IndexedDB and localStorage. This data never leaves your device unless you explicitly share it via a URL.
- Feedback and correspondence: If you contact us via email, we retain the contents of your messages and our responses.
1.2 Information Collected Automatically
- Geo-location (country level): We use Cloudflare's geo-detection to determine your country code for pricing tier purposes. This is a country-level determination only (e.g., "MY" for Malaysia) and is not a precise location. The country code is stored as a short-lived cookie (ais-country, 24-hour expiry).
- Standard web server logs: Cloudflare Pages may log IP addresses, browser type, and request timestamps as part of standard CDN operations. We do not operate separate analytics or tracking systems.
1.3 Information We Do Not Collect
- We do not use analytics services (no Google Analytics, no Mixpanel, no Amplitude).
- We do not use tracking pixels or advertising beacons.
- We do not set cross-site tracking cookies.
- We do not read, intercept, or store your conversations with AI models.
- We do not collect device identifiers, fingerprints, or persistent tracking IDs.
2. Multi-Provider OAuth Authentication
We support sign-in through multiple identity providers. The data received from each provider is limited to what is necessary for account creation and identification:
| Provider | Data Received |
|---|---|
| Google | Name, email, profile picture, Google user ID |
| Apple | Name (first sign-in only), email (may be relay address), Apple user ID |
| GitHub | Username, email, avatar URL, GitHub user ID |
| Facebook | Name, email, profile picture, Facebook user ID |
| WeChat | Nickname, avatar URL, WeChat OpenID/UnionID |
We store only the minimum data needed to identify your account (provider ID, name, email, avatar URL). We do not access your contacts, posts, files, or other data from any provider.
3. How We Use Your Information
- Account management: To create and maintain your account, authenticate sessions, and provide customer support.
- Service delivery: To serve the correct pricing tier based on your country.
- Communications: To respond to your inquiries and send essential service notifications (e.g., terms updates).
- Security: To detect and prevent abuse, unauthorized access, and policy violations.
4. How Your Data Flows
Understanding data flow is central to our privacy model:
- Conversations: Your messages are sent directly from your browser to the AI provider's API (Anthropic, OpenAI, xAI, Google, etc.) using your own API key. Our servers never see the content of your conversations.
- Bot sharing: When you share a bot via URL, the bot configuration (name, model, system prompt, temperature) is encoded in the URL fragment (after the #). URL fragments are never sent to servers by browsers, so we do not receive shared bot configurations.
- OpenRouter free models: When using free models through OpenRouter, your messages are routed through OpenRouter's infrastructure. OpenRouter's own privacy policy governs how they handle that data. We recommend reviewing OpenRouter's privacy policy.
5. Data Storage and Security
- All user-generated content (conversations, bots, settings) is stored in your browser's IndexedDB and localStorage.
- Authentication session tokens (JWTs) are stored in your browser and expire after 24 hours.
- All connections use HTTPS/TLS encryption.
- We use Cloudflare Pages for hosting, which provides DDoS protection and WAF (Web Application Firewall).
- Payment processing is handled by Stripe and PayPal, both PCI DSS compliant. We do not store credit card numbers or payment details.
6. Data Sharing
We do not sell, rent, or trade your personal information. We share data only in the following limited circumstances:
- Identity providers: OAuth authentication requires communication with Google, Apple, GitHub, Facebook, or WeChat during sign-in.
- Payment processors: Stripe and PayPal process subscription payments on our behalf.
- Infrastructure: Cloudflare provides CDN, DDoS protection, and DNS services.
- Legal requirements: We may disclose information if required by law, regulation, or legal process.
7. Cookies and Local Storage
We use minimal cookies for essential functionality only. See our Cookie Policy for full details.
- ais-geo-tier: Geo pricing tier (24-hour expiry)
- ais-country: Country code (24-hour expiry)
- No advertising, analytics, or third-party tracking cookies
8. Your Rights
Because your data is stored locally in your browser, you have direct control:
- Access: All your data is in your browser. Use the Export function to download it.
- Deletion: Clear your browser data or use the app's settings to delete specific bots, conversations, or all data.
- Portability: Export your data as JSON at any time from Settings.
- Restriction: You can use the Service without signing in (guest mode) to minimize data collection.
- Account deletion: Contact [email protected] to request deletion of your server-side account data.
9. Children's Privacy
The Service is not directed to children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, please contact us at [email protected].
10. International Data Transfers
BizTransit Sdn Bhd is based in Malaysia. Your authentication data may be processed in Malaysia and in the jurisdictions where our infrastructure providers (Cloudflare, payment processors) operate. By using the Service, you consent to the transfer of your limited account data to these jurisdictions.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via a notice on the Service. The "Effective" date at the top indicates when the policy was last revised. Continued use of the Service after changes constitutes acceptance of the updated policy.
Contact
For privacy-related inquiries, contact us at:
Privacy Officer
BizTransit Sdn Bhd (891234-X)
Level 28, Lingkaran Syed Putra
Mid Valley City, Kuala Lumpur 59200, Malaysia
Email: [email protected]