Privacy Policy
This Privacy Policy describes what data the Pythia platform collects, how it is processed and stored, and the rights you have over it. For privacy queries: abel@getpythia.co.uk.
What we collect
When you use Pythia, we collect your email address and company name for account management, and the financial models and context you upload for evaluation.
How we process it
Uploaded models are analysed to produce a structured summary. That summary — not your raw file — is sent to Anthropic's Claude API for evaluation under zero-data-retention terms: Anthropic does not store your data after processing. Evaluation outputs are stored in your account and accessible via your dashboard.
Storage and sub-processors
Your data is stored on infrastructure hosted within the EU (Supabase/AWS eu-west-1). We use Anthropic (USA, zero-data-retention) for AI processing and Google Cloud Platform (EU) for our backend. We do not sell your data or share it for marketing purposes.
Retention
Your data is retained for the duration of your account. On closure, all data is deleted within 30 days. Model files and evaluation outputs can be exported before deletion.
Your rights
Under UK and EU GDPR, you have the right to access, correct, delete, or export your personal data. Contact us at abel@getpythia.co.uk. You may also lodge a complaint with the ICO (the UK Information Commissioner's Office).
Security
Pythia implements technical and organisational measures to protect personal data appropriate to the risk, including:
- Encryption in transit: TLS 1.2+ on all connections between your browser, our backend, and our sub-processors
- Encryption at rest: AES-256 server-side encryption for all stored data and files (Supabase/AWS S3)
- Access control: Role-based access control with row-level security enforced at the database level; all queries are scoped to the authenticated user's company
- File access: Model files are stored in private buckets and accessible only via short-lived signed URLs (1-hour expiry), generated after verifying company membership
- Authentication: JWT-based authentication with short-lived access tokens; passwords hashed by Supabase Auth and never stored in plaintext
- Rate limiting: Applied to authentication, submission, and upload endpoints
- Secrets management: API keys and credentials stored in GCP Secret Manager; not stored in source code
Full detail of our technical and organisational measures is available to customers on request under our Data Processing Agreement.
Changes
We will notify you of material changes to this policy by email.