Privacy Policy

Last Updated: May 18, 2026

1. Introduction

Reasoning Services LLC ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website and use our services.

This policy complies with the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), and other applicable data protection laws.

2. Data Controller / Business Information

The data controller (GDPR) and business (CCPA) responsible for your personal data is:

  • Business Name: Reasoning Services LLC
  • Location: United States
  • Privacy Email: privacy@reasoning.services
  • Support Email: support@reasoning.services

3. Categories of Personal Information

The following table describes the categories of personal information we collect, mapped to the statutory categories defined in California Civil Code §1798.140(v)(1)(A)–(K). These labels are required by CCPA §7011(c)(1)(A).

CCPA personal information categories collected by Reasoning Services LLC, including whether each category is collected and whether it is sold or shared. All categories: not sold or shared.

| CCPA Statutory Category | Examples of Data Collected | Collected? | Business Purpose | Sold or Shared? |
|---|---|---|---|---|
| (A) Identifiers | Email address; Cognito user ID (UUID); OAuth provider subject identifier (Google/GitHub) | Yes | Authentication, account creation, and account management | No |
| (B) Customer Records (Cal. Civ. Code §1798.80(e)) | Name (contact form submissions only — not stored with account) | Yes | Responding to customer inquiries via the contact form | No |
| (C) Characteristics of Protected Classifications | Not collected | No | N/A | No |
| (D) Commercial Information | Subscription tier; Payment status; Stripe transaction history; Customer ID | Yes | Subscription management, payment processing, and billing dispute resolution | No |
| (E) Biometric Information | Not collected | No | N/A | No |
| (F) Internet or Other Electronic Network Activity | Pages visited; Click patterns; Referring URLs; Session duration | Yes | Product improvement, performance monitoring, and user experience optimization | No |
| (G) Geolocation Data | Anonymized and truncated IP address (regional precision only — city/country) | Yes | Analytics aggregation and fraud/abuse prevention | No |
| (H) Professional or Employment-Related Information | Not collected | No | N/A — OAuth authentication provides email address only, no employment data | No |
| (I) Education Information (non-public per 20 U.S.C. §1232g) | Not collected | No | N/A | No |
| (J) Inferences Drawn from Personal Information | Not collected | No | N/A — no profiling or inference generation is performed | No |
| (K) Sensitive Personal Information — Account Login (§1798.140(ae)(1)(B)) | API keys (hashed for validation); Account login credential (email address used as identifier) | Yes | Authenticating API requests and securing account access | No |
| (K) Sensitive Personal Information — Contents of Communications (§1798.140(ae)(1)(E)) | Contact form message content | Yes | Responding to customer inquiries and support requests | No |
| (F) Internet or Other Electronic Network Activity | User-submitted content to MCP reasoning tools (prompts, analysis subjects) | Yes | Processing MCP tool requests in real-time | No |

Affirmative sale/sharing statement (CCPA §7011(c)(1)(D)–(F)): In the preceding 12 months, Reasoning Services LLC has not sold or shared the personal information of consumers to third parties, as those terms are defined under the CCPA.

4. How We Use Your Information

  • Service Delivery: To provide and maintain our MCP reasoning tool services
  • Authentication: To verify identity via OAuth 2.1 (Google, GitHub)
  • Billing: To process subscription payments and manage accounts via Stripe
  • Communication: To respond to inquiries and deliver transactional email
  • Security: To detect and prevent fraud, abuse, and security threats
  • Analytics: To monitor performance and improve the user experience via Google Analytics 4 (enabled by default for non-EU visitors with opt-out; opt-in required for EU/EEA/UK/Switzerland visitors)
  • Legal Compliance: To comply with applicable laws and regulations

5. Data Sharing and Disclosure

5.1 Service Providers (Business Purpose Disclosures)

We disclose personal information to the following service providers for business purposes (CCPA §7011(c)(1)(H)–(J)). All providers are contractually bound to process data only as instructed.

  • Amazon Web Services (AWS): Hosting, authentication (Cognito User Pool), container compute (ECS Fargate), storage (S3), CDN (CloudFront), and transactional email (SES). Categories: Identifiers, Account credentials.
  • Stripe: Payment processing and subscription management. Categories: Commercial information, Identifiers.
  • Upstash: Distributed rate limiting. Receives only hashed IP addresses. Categories: Geolocation data (anonymized).
  • Google Analytics 4: Web analytics. Receives page views and interaction data with IP anonymization enabled. Categories: Internet activity, Geolocation data (anonymized).

5.2 Service Provider Contractual Prohibitions (CCPA §7051)

Each service provider listed in Section 5.1 is contractually bound by the following restrictions per California Code of Regulations, Title 11, §7051 (ADR-308):

  • Processing personal information only for the specific business purpose disclosed — no secondary or undisclosed use
  • Prohibition on selling or sharing consumer personal information
  • Prohibition on using personal information for cross-context behavioral advertising
  • Prohibition on combining personal information received from us with data from other sources for independent purposes
  • Implementation of reasonable security measures appropriate to the data types processed
  • Notification to us if the provider determines it can no longer meet its CCPA obligations
  • Granting us the right to audit or verify compliance

Google Analytics classification note: Google Analytics 4 is operated by Google as an independent data controller for certain purposes (safety, service improvement). Google's GA4 configuration on this platform is limited to anonymized page-view analytics with anonymize_ip: true and no advertising features enabled. Analytics opt-out options are described in Section 12 (Cookies and Tracking Technologies) below.

5.3 Legal Requirements

We may disclose your information if required by law or in response to valid requests by public authorities (e.g., court orders, subpoenas). We notify affected individuals unless legally prohibited.

5.4 Business Transfers

If we are involved in a merger, acquisition, or asset sale, your personal data may be transferred. We will provide notice before your data is transferred and becomes subject to a different privacy policy.

6. Your Rights Under California Law (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (Cal. Civ. Code §1798.100 et seq.), as amended by the CPRA:

  • Right to Know (§1798.110): You may request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purpose for collecting it, and the categories of third parties with whom we share it.
  • Right to Delete (§1798.105): You may request that we delete your personal information, subject to certain exceptions permitted by law.
  • Right to Correct (§1798.106): You may request correction of inaccurate personal information we maintain about you.
  • Right to Opt-Out of Sale or Sharing (§1798.120): You have the right to opt out of the sale or sharing of your personal information. As stated above, we do not sell or share your personal information, so no opt-out mechanism is required.
  • Right to Limit Use of Sensitive Personal Information (§1798.121): You may direct us to limit our use of sensitive personal information to what is necessary to provide requested services. We use sensitive personal information only for service delivery purposes.
  • Right to Non-Discrimination (§1798.125): We will not discriminate against you for exercising any of your CCPA rights. We will not deny services, charge different prices, or provide a lower quality of service based on your exercise of these rights.

6.1 Submitting a CCPA Request

To exercise your CCPA rights, email us at: privacy@reasoning.services

We will acknowledge your request within 10 business days and respond within 45 days. We may extend this period by an additional 45 days when reasonably necessary with notice. We may need to verify your identity before processing your request.

6.2 Authorized Agent Requests

You may designate an authorized agent to submit requests on your behalf. The authorized agent must provide written authorization signed by you, and we may require you to verify your identity directly with us. Contact privacy@reasoning.services with the subject line "Authorized Agent Request" for instructions.

6.3 Opt-Out Preference Signals

We recognize browser-based opt-out preference signals, including Global Privacy Control (GPC). If your browser sends a GPC signal, we will not enable analytics tracking by default, regardless of your region. You can also opt out of analytics at any time using the "Opt out of analytics" link in the footer or the Cookie Settings panel on our Cookie Policy page.

7. Your Rights Under GDPR (EEA/UK Residents)

If you are located in the European Economic Area (EEA) or United Kingdom, you have the following rights under the General Data Protection Regulation:

  • Right to Access: Request a copy of your personal data we hold
  • Right to Rectification: Request correction of inaccurate or incomplete data
  • Right to Erasure: Request deletion of your personal data ("right to be forgotten")
  • Right to Restriction: Request limitation of processing of your data
  • Right to Data Portability: Receive your data in a structured, machine-readable format
  • Right to Object: Object to processing based on legitimate interests
  • Right to Withdraw Consent: Withdraw consent where processing is based on consent
  • Right to Lodge a Complaint: File a complaint with your local data protection authority

7.1 Exercising Your Rights — Response SLAs

To exercise any of these rights, please:

  • Email us at: privacy@reasoning.services

We acknowledge privacy requests within 5 business days. An automated message confirms receipt; a human replies within that window. Full resolution: within 30 days for GDPR requests (Article 12), and within 45 days for CCPA requests (§1798.130). If a request is complex and we need more time, we will tell you why and when to expect resolution before the deadline.

7.2 Data Protection Impact Assessments

We conduct data protection impact assessments (DPIAs) for processing activities likely to result in a high risk to the rights and freedoms of natural persons, in accordance with GDPR Article 35 (ADR-315). DPIAs have been conducted for:

  • MCP Tool Data Processing (DPIA-001): Processing of user-submitted prompts via third-party infrastructure (Anthropic). Residual risk: medium.
  • Google Analytics Monitoring (DPIA-002): Website behavioral analytics via Google Analytics 4. Residual risk: low.
  • Payment Gate (DPIA-003): Automated subscription access decisions via Stripe. Residual risk: low.

No processing activity has a high residual risk requiring Art. 36 prior consultation with a supervisory authority. DPIAs are reviewed annually or when processing activities materially change.

7.3 Supervisory Authority

If you are located in the EEA, you have the right to lodge a complaint with your local data protection supervisory authority. For a list of supervisory authorities, visit: https://edpb.europa.eu/about-edpb/board/members_en

7.4 Breach Notification (Art. 34)

Under GDPR Article 34, if a personal data breach is likely to result in a high risk to your rights and freedoms, we will notify you "without undue delay." Our breach notification infrastructure (ADR-313) provides:

  • 72-hour supervisory authority notification (Art. 33): We will notify the relevant data protection authority within 72 hours of becoming aware of a qualifying breach.
  • Direct notification to you (Art. 34): When a breach poses a high risk to your rights and freedoms, we will contact you directly at the email address on your account describing: the nature of the breach, data categories affected, likely consequences, and remedial measures taken.
  • Art. 34(3)(a) exemption: If the affected data was encrypted such that it is unintelligible to any unauthorized person, individual notification may not be required. We document any such exemption in our breach register with a specific rationale.

Breach records are maintained permanently per Art. 33(5). Contact privacy@reasoning.services with any breach-related concerns.

8. Canadian Residents — PIPEDA

The following disclosures are required under the Personal Information Protection and Electronic Documents Act (PIPEDA), Schedule 1, Clause 4.8 (Openness) and Clause 4.8.2.

8.1 Privacy Officer

Per PIPEDA Schedule 1, Clause 4.1, we have designated a Privacy Officer who is accountable for our compliance with privacy obligations.

The identity of the Privacy Officer is made available upon request (Clause 4.1.2).

8.2 Data Subject Access Requests (DSAR)

Under PIPEDA Clause 4.9, you have the right to access your personal information. To submit a data access or correction request:

  1. Email privacy@reasoning.services with subject line "Data Access Request"
  2. Include your account email address so we can locate your records
  3. Specify what information you are requesting access to or corrections for
  4. We will respond within 30 days (Clause 4.9.4)

We may charge a reasonable fee for access requests under Clause 4.9.3 and will advise you of any applicable charges before processing your request.

8.3 Data Inventory (Clause 4.8.2(c))

The table in Section 3 above provides a complete inventory of personal information held by Reasoning Services LLC, including the type of data, its purpose, retention period, and whether it is shared with third parties.

8.4 Third-Party Sharing (Clause 4.8.2(e))

Reasoning Services LLC shares personal information with the service providers listed in Section 5.1 above. We do not share personal information with related organizations except as described in this policy. All third-party sharing is for identified business purposes only.

8.5 Cross-Border Data Transfers (Clause 4.1.3 & 4.8)

All personal information is processed in the United States through Amazon Web Services (AWS us-east-1 region, N. Virginia). This disclosure is required by PIPEDA Schedule 1, Clause 4.8 (Openness) and Clause 4.1.3 (Third-Party Accountability) (ADR-346).

Sub-Processor Register

The following sub-processors receive personal information in the United States:

  • Amazon Web Services (AWS) — AWS Cognito (identity and authentication), ECS Fargate (MCP tool compute), S3/CloudFront (static website), CloudWatch (operational logs). Location: AWS us-east-1, United States. Data Processing Agreement (AWS DPA) in place.
  • Stripe, Inc. — Payment processing and subscription management. Location: United States. Stripe DPA (standard) in place. PCI DSS Level 1 certified.
  • Google LLC — Google Analytics 4 (anonymized usage metrics). Location: United States. Google Analytics Data Processing Amendment in place.

Legal Basis for Transfer

Cross-border transfers are made on the following legal bases:

  • Contractual necessity: Processing in AWS us-east-1 is necessary to deliver the subscription services you contracted for. Canadian users access services deployed in the United States; no equivalent Canadian-region infrastructure is available with the same feature set.
  • Consent: By using our services, you acknowledge that your personal information will be processed in the United States, a jurisdiction with different privacy laws than Canada.
  • Contractual safeguards (Clause 4.1.3): Data Processing Agreements with each sub-processor require comparable protection to PIPEDA standards.

US Law Enforcement Access

US-based cloud providers (AWS, Stripe, Google) may be subject to US legal process (including the CLOUD Act and FISA §702), which could compel disclosure of data to US law enforcement without notifying the data subject. We cannot prevent such legal process but will:

  • Log any government access requests received, to the extent permitted by law
  • Notify affected individuals of any government disclosure if legally permitted to do so
  • Follow PIPEDA S.9(2.1)–(2.4) procedures for government disclosure requests

You may contact our Privacy Officer at privacy@reasoning.services for information about the contractual safeguards in place with each sub-processor.

8.6 Breach Notification

In the event of a security breach involving your personal information that creates a real risk of significant harm, we will notify the Office of the Privacy Commissioner of Canada (OPC) as soon as feasible, and we will notify you directly by email to your registered account address. Notification will describe the nature of the breach, the information affected, steps you can take to mitigate harm, and remediation measures we have taken. Breach records are maintained for a minimum of 24 months per PIPEDA S.10.3.

8.7 Complaint to the OPC

If you are unsatisfied with our response to your privacy concern, you may file a complaint with the Office of the Privacy Commissioner of Canada at: https://www.priv.gc.ca/en/report-a-concern/

9. How to Exercise Your Rights

To exercise any privacy right under any applicable regulation:

We respond to GDPR requests within 30 days (extendable by 60 days with notice). We respond to CCPA requests within 45 days (extendable by 45 days with notice). We respond to PIPEDA requests within 30 days (extendable with notice and reason).

10. Data Security

We implement appropriate technical and organizational measures to protect your personal data, in accordance with PIPEDA Clause 4.7 and GDPR Article 32, including:

  • Encryption in Transit: All data transmission protected using TLS 1.2+
  • Encryption at Rest: Data stored in AWS is encrypted at rest
  • Access Controls: Limited access to personal data on a need-to-know basis
  • Rate Limiting: Protection against brute-force attacks and abuse (Upstash)
  • JWT Validation: Each service independently validates authentication tokens
  • Content Security Policy: Delivered via CloudFront response-headers policy
  • Secure Authentication: Constant-time comparison for API key validation

We do not operate any third-party error tracking or session replay service. Application errors are visible only in your browser's developer console; they are not transmitted off-device.

11. Data Retention

Retention periods by data category (PIPEDA Clause 4.5.2; CCPA §7012(e)(4)):

  • Account identifiers and credentials: Duration of active account plus 30 days after deletion
  • Billing and subscription records: Duration of active account plus 7 years (financial record-keeping)
  • Contact form submissions: Until the inquiry is resolved, then deleted within 30 days
  • Analytics data: 14 months (Google Analytics 4 data retention setting)
  • Rate limiting data: Hashed IP addresses retained for 24 hours
  • MCP tool inputs: Ephemeral — not persisted beyond individual request lifecycle

12. Cookies and Tracking Technologies

We use cookies and similar tracking technologies. For EU/EEA/UK/Switzerland visitors, analytics cookies require your explicit consent (opt-in). For visitors in other regions, analytics cookies are enabled by default with an opt-out mechanism. For detailed information, please see our Cookie Policy.

13. Children's Privacy

Our services are not directed to individuals under 16 years of age (or under 13 for COPPA purposes). We do not knowingly collect personal information from children. If you become aware that a child has provided us with personal data, please contact us immediately at privacy@reasoning.services and we will delete such information promptly.

CCPA under-16 statement: We do not sell or share the personal information of consumers we know to be under 16 years of age.

14. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence, including the United States. For transfers from the EEA, we rely on:

  • Standard Contractual Clauses approved by the European Commission
  • EU-US Data Privacy Framework certification (for US-based processors)
  • Additional security measures as required by GDPR Chapter V

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by:

  • Posting the new Privacy Policy on this page with an updated "Last Updated" date
  • Sending you an email notification (if you have provided your email address)

You are advised to review this Privacy Policy periodically for any changes.

16. Contact Information

If you have questions or concerns about this Privacy Policy or our data practices:

  • Privacy inquiries: privacy@reasoning.services
  • General support: support@reasoning.services