← Back to Hall of Mirrors

Privacy Policy

Hall of Mirrors: The Tesseract · Last updated: 18 July 2026

This policy explains what personal data we collect, why we collect it, how long we keep it, and what rights you have. It is written to be read, not to be survived. If anything here is unclear, please ask.

1. Who we are

Hall of Mirrors: The Tesseract is operated by Krasimir Stoyanov Kolev, trading as Allistar Center, a self-employed sole trader registered in Cyprus. We are the data controller for the personal data described in this policy.

Contact for any privacy matter, including deletion requests: allistarcenter@gmail.com

2. What we collect

Information you give us

Information generated by using the service

Information collected automatically

3. Why we process it, and on what legal basis

PurposeLegal basis
Creating and running your accountPerformance of a contract
Generating and storing your reportsPerformance of a contract
Processing paymentsPerformance of a contract; legal obligation (tax records)
Sending service emails (confirmation, password reset)Performance of a contract
Preventing abuse and fraud (IP records)Legitimate interests
Responding to your messagesLegitimate interests
We do not use your intentions or reports for anything other than serving you. We do not use them to train AI models, to build products, to generate examples, or for research. We do not sell data. We do not run advertising or behavioural tracking of any kind.

4. Who we share it with

We use a small number of service providers to operate the product. They process data on our behalf, under contract, and may not use it for their own purposes.

ProviderWhat they receiveWhy
AnthropicYour intention text and any attached imageTo generate the report using Claude AI models
CloudflareAll site traffic; your text for generating embeddings; uploaded imagesHosting, security, AI embeddings, image storage
SupabaseAccount details, reports, atoms, balances, avatarsDatabase, authentication and file storage
StripeYour name, email and card details, entered directly on Stripe's own checkout pagePayment processing. We never see or store your card details.
ResendYour email address and message contentSending emails
GoogleSign-in data if you use Google sign-in; your IP address when fonts loadOptional sign-in; web fonts

Some of these providers are based outside the European Economic Area, principally in the United States. Where that is the case, transfers are made under the European Commission's Standard Contractual Clauses or an equivalent approved safeguard.

5. How long we keep it

DataRetention
Account detailsUntil you delete your account
Intentions, reports, agent outputs, atoms, embeddingsUntil you delete your account or ask us to delete specific reports
Images and avatarsUntil you delete your account
Payment and Mirror ledger recordsRetained as required by Cypriot tax law, currently six years, then deleted
IP records used for abuse prevention90 days
Contact form messagesUntil the matter is resolved and no longer needed
When you delete your account, we delete your reports. Your intentions, reports, agent outputs, atoms and images are removed along with your account. We do not keep an anonymised copy. The only exception is financial records we are legally required to retain for tax purposes, which contain transaction details but not the content of your reports.

6. Your rights

Under the GDPR you have the right to:

To exercise any of these rights, email allistarcenter@gmail.com. We will respond within one month.

There is currently no button in the interface to delete your account or an individual report. Deletion is handled manually on request, and we do it promptly. If you are ever unsatisfied with how we have handled your data, you have the right to complain to the Office of the Commissioner for Personal Data Protection in Cyprus (dataprotection.gov.cy).

7. Cookies and local storage

We do not use advertising cookies, analytics cookies, or any behavioural tracking.

8. Security

Data is stored with access controls that restrict each account to its own data. Payments are handled entirely by Stripe; we never receive card details. No system is perfectly secure, but we do not log your intentions, do not expose them to other users, and keep the number of systems that touch them as small as possible.

9. Children

This service is not intended for anyone under 16. We do not knowingly collect data from children. If you believe a child has created an account, contact us and we will delete it.

10. Changes to this policy

If we change this policy in a way that materially affects you, we will notify registered users by email. The date at the top of this page always reflects the current version.