Privacy Policy
Last updated: April 2026
1. Introduction
metaphore ("we", "us", "our") respects your privacy. This Privacy Policy explains what personal information we collect, why we collect it, how we use it, and your rights under the Personal Information Protection and Electronic Documents Act (PIPEDA, Canada) and the General Data Protection Regulation (GDPR, EU/EEA).
This policy applies to all metaphore services including the website (metaphore.app), CLI tool, Telegram bot, browser extensions, and API.
2. Information We Collect
Account information
- Name and email address (at registration)
- Organization or role (if provided)
- Password (stored in hashed form only)
Billing information
- Payment details are collected and processed by Stripe. We do not store your full credit card number. We receive limited billing metadata (last 4 digits, expiration date, billing country) from Stripe for invoice and support purposes.
Usage data
- Inputs you submit to the Service (technical content you ask metaphore to transform)
- Output generated by the Service
- Feature usage, timestamps, and channel (CLI, web, bot)
- Saved presets and preferences
Automatically collected data
- IP address
- Browser type and operating system
- Referring URL
- Pages visited and time spent
Account signup
- Email address and password (hashed) submitted via the metaphore console signup form
3. How We Use Your Information
- Provide, maintain, and improve the Service
- Process subscriptions and payments
- Send transactional emails (receipts, account changes, security alerts)
- Manage the early access waitlist and send product updates
- Enforce usage limits and prevent abuse
- Generate anonymized, aggregated analytics to improve the Service
- Respond to support requests
We do not sell, rent, or share your personal information with third parties for their marketing purposes.
4. Legal Basis for Processing (GDPR)
If you are in the EU/EEA, we process your data based on:
- Contract performance: providing the Service you signed up for.
- Legitimate interests: improving the Service, preventing fraud, ensuring security.
- Consent: marketing communications and waitlist registration (you may withdraw consent at any time).
- Legal obligation: tax and accounting requirements.
5. Third-Party Services
We use the following third-party processors:
- Stripe — payment processing. Stripe is PCI DSS Level 1 certified. Their privacy policy applies to payment data.
- Resend — transactional email delivery (account verification, security notifications). Resend processes your email address only to deliver these messages.
- LLM providers — metaphore uses a Bring Your Own LLM (BYOLLM) architecture. You provide your own API key for a supported LLM provider (e.g., Anthropic, OpenAI). Your input text and API key are transmitted to the LLM provider to generate the metaphore output. Inputs are sent via API and are not used by these providers to train their models (per their API data usage policies). We do not send your name, email, or billing information to LLM providers.
- Analytics — we use privacy-friendly, cookie-free analytics. No personally identifiable information is collected through analytics.
- PostHog — product analytics used to understand feature usage and improve the Service. We configure analytics to minimize personal data collection and avoid storing sensitive transformation content in analytics events.
5.1 LLM API Keys
metaphore requires you to provide your own LLM API key to use the Service. Your API key is handled as follows:
- Your API key is transmitted to the metaphore server solely to execute your transformation request.
- Your API key is used in transit only and is not stored by metaphore in any database, log, or persistent storage.
- All communication between your device, the metaphore server, and the LLM provider is encrypted via HTTPS/TLS.
- metaphore does not monitor, log, or retain the content of your API key after the request is completed.
- You are solely responsible for the security of your API key, any charges incurred with your LLM provider, and compliance with your LLM provider's terms of service.
If you believe your API key has been compromised through the Service, revoke it immediately with your LLM provider and contact us at info@coraware.net.
6. Data Retention
- Account data: retained while your account is active and for a reasonable period afterward for legal and accounting purposes.
- Usage history and outputs: retained while your account is active. You may delete your saved history at any time through the Service.
- Billing records: retained as required by applicable tax and accounting laws (typically 7 years).
- Waitlist data: retained until the early access program ends or until you request deletion.
7. International Data Transfers
metaphore is operated from Canada. If you access the Service from outside Canada, your information may be transferred to and processed in Canada. Canada has been recognized by the European Commission as providing an adequate level of data protection under GDPR.
Where our third-party processors are located outside of Canada or the EU/EEA, we ensure appropriate safeguards are in place (adequacy decisions or standard contractual clauses).
8. Cookies
This website does not use tracking cookies. If analytics are enabled, they use cookie-free, privacy-respecting methods that do not track individual users across sites. We may use strictly necessary cookies for authentication and session management.
9. Your Rights
Under PIPEDA, GDPR, and applicable privacy laws, you have the right to:
- Access the personal data we hold about you
- Request correction of inaccurate data
- Request deletion of your data
- Request restriction of processing
- Receive your data in a structured format (data portability)
- Object to processing based on legitimate interests
- Withdraw consent at any time (without affecting prior processing)
To exercise any of these rights, contact us using the information below. We will respond within 30 days.
10. Children's Privacy
The Service is not directed at individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child, we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via the Service or by email. The "Last updated" date at the top of this page indicates the most recent revision.
12. Contact
For questions about this Privacy Policy, to exercise your rights, or to file a complaint, contact us at: info@coraware.net
If you are not satisfied with our response, you may file a complaint with the Office of the Privacy Commissioner of Canada or, if you are in the EU/EEA, with your local data protection authority.