Privacy Policy

1. Data Controller

The data controller for this service is:

For any questions about this Privacy Policy or our data processing activities, please contact us at support@frits.ai. FRITS AI ApS is not required to formally appoint a Data Protection Officer under Art. 37 GDPR, but treats privacy questions as a first-priority matter and will respond promptly.

2. About the Service

GDPRchat is a general-purpose AI chatbot operated by FRITS AI ApS, a Danish company. All AI models, servers, and databases are located in the European Union. Our primary AI model is provided by Mistral AI (Paris, France), voice transcription is provided by Mistral’s Voxtral model, our servers and database are hosted by Hetzner Online GmbH (Germany), and image generation is provided by Black Forest Labs (Germany). The service includes a knowledge base of EU regulations and uses Brave Search for retrieving current information from the web. For payments we use Stripe, and if you choose to sign in via OAuth you can use Google or Microsoft — these three providers are US-based but covered by the EU-US Data Privacy Framework (see section 6). GDPRchat does not use any third-party analytics, tracking, or advertising services.

3. Personal Data We Collect

3.1 Account Data

When you create an account, we collect your name, email address, and a cryptographic hash of your password. If you sign up as part of an organisation, we also store the organisation name. If you choose to sign in via Google or Microsoft OAuth, we receive your name and email address from those providers — we do not receive or store your Google or Microsoft password.

3.2 Chat Data

We store the conversations and messages you create when using the chatbot, including any documents you upload. This data is necessary to provide the service and allow you to return to previous conversations.

3.3 Technical Data

We process your IP address only at authentication-related endpoints (sign-up, sign-in, password reset, invitation accept) for the purpose of rate limiting and abuse prevention. IP addresses used for rate limiting are held only in server memory for a maximum of 15 minutes and are never written to our database. Standard web-server access logs may retain request IPs for a limited operational period for security and diagnostics. We also process the Accept-Language header from your browser to provide the service in your preferred language.

3.4 Payment Data

Payment processing is handled entirely by Stripe, Inc. We do not receive, process, or store your credit card number, bank account details, or other financial payment instruments. We store only a Stripe customer identifier that allows us to link your account to your subscription.

3.5 Cookies and Local Storage

We do not use any tracking, analytics, or advertising cookies. Every cookie and every item we place in your browser’s localStorage is either strictly necessary for the service to function (authentication, security) or a preference or UI state tied to a service you have actively requested (language, theme, font size, and similar). Under Article 5(3) of the ePrivacy Directive and the European Data Protection Board’s Guidelines 2/2023 on the technical scope of Article 5(3), such storage is exempt from the consent requirement — which is why GDPRchat does not show a cookie consent banner. Showing one would imply that we ask your consent to track you, and we do not track you at all.

Cookies we set:

• NextAuth session cookies — a session token that keeps you logged in, together with a CSRF token, a PKCE verifier, and a callback-URL cookie used only during the sign-in flow. All strictly necessary for authentication and security.
• Language-detection cookie (gdprchat-locale) — an HTTP-only cookie set on protected routes after you sign in, derived from your browser’s Accept-Language header, so we can render the interface in your language.
• Language-choice cookie (gdprchat-user-locale) — set when you actively pick a language in the interface. Lets us remember your choice across devices and survives a localStorage clear.
• Administrator cookie — set only for site-administrator access (internal “god mode”). Never set for regular users.
• Payment-provider cookies — when you visit a checkout or billing page, Stripe sets its own cookies inside its payment iframe. These are strictly necessary for payment processing and fraud prevention and are controlled by Stripe (see stripe.com/privacy).

Data we store in your browser’s localStorage: None of this data is transmitted to our servers — it stays on your device and exists only to remember your preferences and UI state between visits. You can clear all of it at any time by clearing your browser’s site data.

• Appearance — theme (light/dark), accent-colour skin, font size, zen-mode font step, chat-display preferences, sidebar panel state.
• Chat behaviour — auto-zen toggle, chat-in-tabs toggle, image-quality preference.
• Language — the interface language you last used.
• Persona selection — which writing persona you last selected (id, display name, colour, greeting) and your persona star-filter preference, so the right persona is pre-selected when you return.
• Unsent draft — any text you have started typing but not yet sent in the composer, so you don’t lose it if you refresh. Stored locally only; never transmitted until you press send.
• Location consent and short-lived cache — if you turn on the location feature, your consent choice is remembered, and a coarse location (coordinates rounded to approximately 1 km precision) is cached locally for 30 minutes before being discarded. See section 3.7.
• PWA install-prompt state — whether you have seen or dismissed the “Install app” prompt, so we don’t nag you.

3.6 Voice Input

The voice-input feature is off by default and is only activated when you press the microphone button. When you do, your browser asks you for microphone permission (a native browser prompt, not controlled by us). If you grant permission, a short audio recording is captured on your device and sent to our servers, which forward it to Mistral AI (Paris, France) for speech-to-text transcription using the Voxtral model. Only the transcribed text is kept; the audio itself is discarded after transcription. We never record audio in the background and the microphone is never active unless you tap the button.

3.7 Location Data

The location feature is off by default. If you choose to enable precise location, your browser asks you for geolocation permission. If you grant it, your coordinates are rounded down to approximately 1 km precision (two decimal places of latitude and longitude) before anything is cached, so an exact home address cannot be derived from the data. The rounded coordinates are reverse-geocoded into a city and country by calling OpenStreetMap Nominatim directly from your browser — the OpenStreetMap Foundation (United Kingdom, covered by the UK adequacy decision) receives only the rounded coordinates and your IP address for that single request. The resulting city-level location is cached in your browser’s localStorage for 30 minutes and then automatically discarded. You can withdraw location consent at any time in Settings, which immediately deletes the cache. If you decline precise location, we may still derive a country-level estimate from your connection’s IP address on the server side for features that need it (for example, tax and currency); no coordinates are involved.

4. Legal Bases for Processing

We process your personal data on the following legal bases under the General Data Protection Regulation (GDPR):

• Performance of a contract (Art. 6(1)(b) GDPR) — Processing your account data, chat messages, and uploaded documents is necessary to provide you with the chatbot service you have requested. This includes account creation, message processing, conversation storage, and subscription management.
• Legitimate interest (Art. 6(1)(f) GDPR) — We process IP addresses for security, rate limiting, and fraud prevention. Our legitimate interest is protecting the service and its users from abuse. We have conducted a balancing test and concluded that these interests are not overridden by your fundamental rights, given the limited nature of the data and the short retention period.
• Consent (Art. 6(1)(a) GDPR) — Where we rely on consent (for example, for optional cookies or future newsletter communications), you may withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.
• Legal obligation (Art. 6(1)(c) GDPR) — We may retain certain transaction and invoicing records as required by Danish and EU tax law (Danish Bookkeeping Act, bogforingsloven).

5. Data Processors and Third-Party Services

We share personal data with the following third-party processors, each under a data processing agreement (Art. 28 GDPR):

• Mistral AI (Paris, France) — Our AI model provider. Your chat messages are sent to Mistral AI for processing and generating responses. Mistral AI is an EU-based company and processes data within the EU.
• Hetzner Online GmbH (Gunzenhausen, Germany) — Our infrastructure provider. All servers and databases are hosted in Hetzner data centres in Germany. All data at rest remains in the EU.
• Black Forest Labs (Germany) — Provides image generation capabilities. Image prompts are sent to their EU-based infrastructure for processing.
• Brave Search (US) — Used for web search queries. Calls are made from our servers, so Brave never sees your IP address or any user account identifier. The raw search query text is transmitted (which, depending on what you asked, may itself contain personal data). Brave Search is a privacy-focused engine that does not build user profiles.
• OpenStreetMap Foundation (United Kingdom, UK adequacy decision) — If you render a map in a conversation, map tiles are loaded directly from OpenStreetMap into your browser; if you enable the precise location feature, your rounded coordinates are also sent to OpenStreetMap Nominatim for reverse geocoding (see section 3.7). In both cases your IP address is visible to OpenStreetMap for that request only; no account data is shared.
• YouTube (Google LLC, US — EU-US Data Privacy Framework) — If a conversation contains a YouTube link, the video is embedded in privacy-enhanced (“nocookie”) mode. The player iframe loads from youtube-nocookie.com, which makes your IP address visible to Google for that request. No tracking cookies are set until you actually press play.
• Stripe, Inc. (US, EU-US Data Privacy Framework certified) — Handles payment processing. When you subscribe to a paid plan, your payment details are collected and processed directly by Stripe. Stripe is certified under the EU-US Data Privacy Framework (DPF), providing an adequate level of data protection as recognised by the European Commission (Art. 45 GDPR).
• Google / Microsoft (US, EU-US Data Privacy Framework certified) — Only if you voluntarily choose to log in with Google or Microsoft OAuth. In that case, your name and email address are received from the chosen provider. Both are certified under the EU-US Data Privacy Framework.

6. International Data Transfers

The vast majority of your data is processed and stored exclusively within the European Union (Germany and France). Where data is transferred to the United States (Stripe, and optionally Google or Microsoft for OAuth), these transfers are protected by the EU-US Data Privacy Framework adequacy decision adopted by the European Commission on July 10, 2023, in accordance with Art. 45 GDPR. Should the DPF adequacy decision be invalidated or suspended, we rely on Standard Contractual Clauses under Art. 46(2)(c) GDPR as an additional safeguard with each of these providers.

For transfers to the United Kingdom (OpenStreetMap Foundation), we rely on the European Commission’s UK adequacy decision of 28 June 2021.

We do not transfer personal data to any country outside the EU/EEA that lacks an adequate level of data protection, unless an appropriate safeguard under Chapter V of the GDPR is in place.

7. Data Retention

• Account data — Retained for as long as your account exists. When you delete your account, all account data is permanently deleted.
• Chat data — Retained until you delete individual conversations or delete your account, whichever comes first.
• Shared chat links — Expire and are deleted after 30 days.
• Tax and invoicing records — Retained for the period required by applicable Danish and EU law (currently 5 years under the Danish Bookkeeping Act).
• IP addresses — Held only in server memory for a maximum of 15 minutes while the anti-abuse rate-limit window is open, then discarded. Never written to our database. Standard web-server access logs may retain request IPs for a limited operational period for security and diagnostics.
• Voice audio — Audio you record for voice input is discarded immediately after speech-to-text transcription; only the resulting text is stored (as a chat message you then send).

8. Your Rights Under the GDPR

Under the GDPR, you have the following rights with respect to your personal data:

• Right of access (Art. 15 GDPR) — You have the right to obtain confirmation as to whether personal data concerning you is being processed and, if so, to access that data together with supplementary information.
• Right to rectification (Art. 16 GDPR) — You have the right to have inaccurate personal data corrected and incomplete data completed.
• Right to erasure ("right to be forgotten") (Art. 17 GDPR) — You have the right to have your personal data deleted. You can delete individual conversations directly in the app, and you can delete your entire account — including all conversations, messages, documents, and usage records — from the Your Data Rights section of your Profile page. Account deletion is immediate, permanent, and includes automatic cancellation of any active subscription.
• Right to data portability (Art. 20 GDPR) — You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller. You can export all your data as a JSON file at any time from the Your Data Rights section of your Profile page — no need to contact us.
• Right to restriction of processing (Art. 18 GDPR) — You have the right to request that we restrict the processing of your personal data in certain circumstances.
• Right to object (Art. 21 GDPR) — You have the right to object to processing based on legitimate interest. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
• Right to withdraw consent (Art. 7(3) GDPR) — Where processing is based on consent, you have the right to withdraw consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.
• Right to lodge a complaint (Art. 77 GDPR) — You have the right to lodge a complaint with a supervisory authority. Our lead supervisory authority is the Danish Data Protection Agency (Datatilsynet):
  Datatilsynet
  Carl Jacobsens Vej 35
  2500 Valby, Denmark
  Email: dt@datatilsynet.dk
  Website: www.datatilsynet.dk

To exercise any of these rights, please contact us at support@frits.ai. We will respond to your request within one month, as required by Art. 12(3) GDPR. In complex cases, this period may be extended by a further two months, in which case we will inform you of the extension and the reasons for the delay.

9. Security Measures

We implement appropriate technical and organisational measures to protect your personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage, in accordance with Art. 32 GDPR. These measures include:

• Encryption of data in transit (TLS 1.2+)
• Encryption of data at rest on our database servers
• Password hashing using bcrypt with cryptographic salting
• EU-only hosting with no data stored outside the European Union
• Rate limiting and IP-based abuse prevention
• Built-in PII (Personally Identifiable Information) filter that detects sensitive data — including names, emails, phone numbers, national ID numbers, IBANs, and passport numbers across all 27 EU member states — before your message is sent to the AI. When enabled, detected PII is highlighted and the message is blocked from transmission. This filter runs entirely on your device; the detected data is never sent to our servers
• Input sanitisation to prevent cross-site scripting (XSS) and injection attacks
• AI safety measures designed to reduce the risk of the chatbot disclosing internal configuration, other users' data, or generating content that violates privacy rights
• Shared chat links that strip all user identity information (name, email, user ID) from the shared content

10. No Analytics, No Tracking, No Advertising

GDPRchat does not use any third-party analytics services (such as Google Analytics), does not deploy tracking pixels or fingerprinting technologies, does not serve advertisements, and does not engage in profiling or automated decision-making as defined in Art. 22 GDPR. We do not sell, rent, or share your personal data with third parties for marketing purposes.

11. Children's Privacy

GDPRchat is a general-purpose service available to users of all ages. Where consent is the legal basis for processing, we rely on Art. 8 GDPR regarding conditions applicable to a child's consent in relation to information society services. In Denmark, the digital age of consent is 13 years. If you are resident in another EU or EEA country, a different minimum age may apply (generally between 13 and 16, depending on national law); users below the applicable age in their country of residence require parental or guardian consent to create an account.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify registered users by email or by a prominent notice in the service. The "Last updated" date at the top of this page indicates when the policy was last revised.

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our handling of your personal data, please contact us: