Skip to main content
← Back to app

Privacy Policy

What we collect, why, and your rights.

Last updated: 10 May 2026

Who we are

LLM-DX (the “Service”) is operated by Gavin Fitzpatrick (“we”, “us”), a sole operator based in the European Union. The Service is a free assessment tool that helps you audit the quality of your AI workflow practice across seven dimensions.

For the purposes of the EU General Data Protection Regulation (“GDPR”), we are the data controller for the personal data described below.

Data we collect

We aim to collect the minimum data necessary to operate the Service. Concretely:

CategoryWhat it isWhere it lives
Anonymous session IDA random UUID generated in your browser. Not linked to your identity. Used to deduplicate analytics submissions.Browser localStorage; assessment_metrics.session_id
UI preferences cookieA first-party functional cookie (llmdx_prefs, 180-day max-age, SameSite=Lax) that stores your in-app selections — results view mode (self / AI / delta), assessment mode, expanded dimension, and persona profile — so they persist across sessions. No identifiers, no third-party transmission.First-party cookie llmdx_prefs
Assessment scoresYour 1–4 ratings on 28 questions, plus dimension percentages and the overall score.assessment_metrics, assessment_history
Optional persona answersRole, experience, usage intensity, project pattern, workflow type, intake pain point. All optional; used for cohort benchmarks.assessment_metrics
AI audit metadataIf you import an AI audit, we store the resulting scores and evidence summary you paste in. We do not receive your raw conversations.assessment_metrics
Email address (sign-in only)If you sign in to save history, your email is stored by our authentication provider so you can sign in again.auth.users (managed by Lovable Cloud / Supabase) — not exposed in our app tables.
OAuth profile data (Google / Apple)If you sign in with Google or Apple, the provider shares your email and (where provided) name and avatar URL with us. We do not request additional scopes.auth.users.raw_user_meta_data
Sign-in IP & user agentYour IP address and browser user agent are logged briefly during sign-in by the auth provider for fraud and abuse prevention. Not used for analytics, profiling, or location tracking.auth.users.last_sign_in_ip
Prompt-copy eventsWhen you copy a course-correction prompt, we log which prompt was copied (no content, no identity) to gauge which guidance is useful.assessment_events

We do not collect: precise location, device fingerprints, third-party advertising identifiers, marketing trackers, or your raw AI conversation content.

Reset your preferences

Clear the llmdx_prefs cookie and any related browser storage (legacy persona profile in localStorage, transient session state). Your saved assessment history on the server is not affected — to delete that, see “Your rights” below.

Lawful basis for processing

Under GDPR Article 6, we rely on the following lawful bases:

  • Art. 6(1)(f) — Legitimate interests: anonymous assessment metrics and prompt-copy events. Our legitimate interest is improving the Service and producing aggregate industry benchmarks. The data is not linked to identifiable people; the impact on you is minimal.
  • Art. 6(1)(a) — Consent: storing assessment history against your account. You consent by signing in and choosing to save results. You can withdraw consent at any time by deleting your account (see “Your rights” below).
  • Art. 6(1)(b) — Contract: storing your email and auth credentials so we can provide the sign-in feature you requested.

How we use your data

  • To return your individual assessment results to you on screen.
  • To save your assessment history against your account, if you sign in.
  • To produce aggregate, non-identifying industry benchmarks (e.g. “median Knowledge Quality score by role”).
  • To detect bugs, abuse, and operational issues.
  • To respond to support requests you send us by email.

We do not use your data for marketing emails, advertising, profiling, automated decision-making, or sale to third parties.

Sharing & sub-processors

We do not sell or rent your data. We rely on the following sub-processors to operate the Service:

  • Lovable Cloud (Supabase) — hosts our database, authentication, and server functions. Acts as our data processor.
  • Cloudflare — edge network and DDoS protection for llm-dx.io. Processes request metadata transiently.
  • Google — only if you choose “Sign in with Google”. Google acts as an independent controller for the OAuth flow itself.
  • Apple — only if you choose “Sign in with Apple”. Apple acts as an independent controller for the OAuth flow itself.

Retention

  • Assessment scores (anonymised): retained indefinitely for aggregate benchmarking. When you are signed in, your scores are linked to your account by an internal identifier. If you delete your account, that link is permanently severed — the scores remain in anonymised form but cannot be reconnected to you or to any new account you create. GDPR basis: statistical purpose (Art. 89) and Recital 26 (truly anonymous data falls outside GDPR scope once the identifier link is removed).
  • Assessment history (signed-in users): retained for as long as your account exists. Deleted immediately and permanently when you delete your account. This cannot be undone — creating a new account with the same email address will not restore your previous history.
  • Account & email: retained for as long as your account exists. Deleted within seconds of you confirming “Delete account” in the app.
  • Feedback and support records: the content of bug reports and contact messages is retained as an operational audit log. On account deletion, your email address and account identifier are removed from these records; the message content is retained without personal identifiers.
  • Sign-in IP logs: retained per the auth provider’s policy, typically a short rolling window for security purposes.

Your rights under GDPR

You have the following rights regarding your personal data:

  • Right of access (Art. 15) — request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16) — correct inaccurate data.
  • Right to erasure / “right to be forgotten”(Art. 17) — delete your account and all personal identifiers we hold about you. Available self-serve from Account menu → Delete account. Assessment history is deleted permanently and cannot be recovered. Anonymised assessment scores are retained for statistical purposes under Art. 89 but cannot be linked back to you or to any future account.
  • Right to restriction (Art. 18) — pause our processing of your data.
  • Right to data portability (Art. 20) — receive a copy of the data we hold about you in machine-readable format. Submit a request from the Contact section below. We will acknowledge within minutes and respond within 30 days.
  • Right to object (Art. 21) — object to processing based on legitimate interests.
  • Right to lodge a complaint with your national data protection authority. In Ireland this is the Data Protection Commission.

We respond to verified rights requests within 30 days. There is no charge unless requests are manifestly unfounded or excessive.

Security

Data is encrypted in transit (TLS) and at rest by our database provider. Access to production data is limited to the operator. Row-level security policies in the database ensure that signed-in users can only read their own assessment history. Account deletion runs server-side with elevated privileges. Assessment history, badges, and personal identifiers are deleted immediately. Assessment scores are pseudonymised by removing the account link rather than deleted — the scores retain no identifier that can be used to re-identify you. Feedback records are de-identified in the same operation.

No system is perfectly secure. If you discover a vulnerability, please contact us at the address below before disclosing publicly.

International transfers

Our database and edge infrastructure are hosted in the EU where possible. Where data is transferred outside the EEA (for example, when you sign in with Google or Apple, or when Cloudflare routes traffic via a non-EU edge), we rely on the recipient's Standard Contractual Clauses and any additional safeguards required by GDPR.

Children's data

The Service is intended for working professionals and is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.

Changes to this policy

We may update this policy occasionally to reflect product changes or new legal requirements. The “Last updated” date at the top of this page reflects the latest revision. Material changes will be flagged in the app before they take effect.

Contact / DPO requests

For privacy questions, GDPR rights requests, or to designate yourself as requiring formal DPO correspondence, email:

support@llm-dx.io

Please include enough information for us to identify the relevant account (typically the email address you signed in with). For erasure requests, self-serve from Account menu → Delete account.

Sign in first; we will acknowledge within minutes and respond within 30 days.

← Back to app