Privacy Policy for Tensor.chat

1. Data Controller

The data controller responsible for processing your personal data is:

Michael Persch

c/o COCENTER

Koppoldstr. 1

86551 Aichach

E-Mail: hig5hleader@gmx.de

2. What Data We Collect

We collect and process the following categories of personal data:

• Account Data: When you register, we collect your name, email address, and a securely hashed version of your password. If you register via OAuth (Google, Facebook, or Microsoft), we receive your name, email address, and profile picture from the respective provider.
• Phone Number: To prevent abuse and duplicate accounts, we require phone verification via SMS. Your phone number is stored on our servers and used solely for account verification.
• Chat Data: Your conversations, messages, uploaded files, and images are stored on our servers. This includes message content, timestamps, and AI responses.
• Usage Data: We track API credit usage per user to enforce fair use limits. This includes the number of requests and associated costs but not the content of your messages.
• Technical Data: IP addresses, browser type, operating system, and session information are collected for security, authentication, and service operation. Server logs are retained for a maximum of 7 days.
• Session Cookies: We use a single session cookie (tensor_session) to maintain your login state. This cookie is HttpOnly, Secure, and SameSite=Lax. It expires after 24 hours (or 7 days with "Remember Me"). We do not use tracking cookies, analytics cookies, or advertising cookies.

3. How Your Data Is Processed

Server-Side Storage: Your chat history, uploaded files, and account information are stored on servers located in Germany. This enables features like cross-device access, search across conversations, and persistent conversation memory.

AI Processing: When you send a message, it is processed on our servers and then forwarded to an AI model provider for response generation. Requests are routed through our infrastructure provider in Frankfurt, Germany.

SMS Verification: Phone verification codes are sent via GTX Messaging (Message Mobile GmbH, Cologne, Germany). GTX receives your phone number solely for the purpose of delivering the SMS verification code. Verification codes expire after 10 minutes.

Image Processing: Uploaded images are processed on our servers and classified by AI models to generate text descriptions for search and context purposes.

Password-Protected Content: You can protect individual chats and folders with passwords. Passwords are securely hashed on our servers. We never store plaintext passwords.

4. Legal Basis for Processing

Under the GDPR, we process your data on the following legal bases:

• Contract Performance (Art. 6(1)(b) GDPR): Processing your messages, storing your chat data, and providing AI responses is necessary to perform the service you requested.
• Consent (Art. 6(1)(a) GDPR): Before your first message, you consent to the processing of your data by AI providers. You can withdraw consent at any time by deleting your account.
• Legitimate Interests (Art. 6(1)(f) GDPR): We process phone numbers to prevent abuse and duplicate accounts. We process technical data for security and service operation. We process usage data to enforce fair use limits.

5. Data Sharing

We share your data with the following categories of recipients:

• AI Model Providers: Your message content is forwarded to an AI provider for response generation. All requests are routed through EU infrastructure. See Section 10 for a list of providers.
• GTX Messaging (Germany): Your phone number is transmitted to GTX for SMS delivery during verification.
• OAuth Providers: If you use social login, the respective provider (Google, Facebook, or Microsoft) processes your authentication data under their own privacy policy.
• Hosting Provider: Our servers are hosted by Uberspace (Jonas Pasche, Germany). They provide the infrastructure but do not access your data.
• Legal Requirements: We may disclose data if required by law or court order.

6. Data Location

All your data is stored and processed exclusively within the European Union:

• Server infrastructure: Germany.
• AI processing: Requests are routed through our infrastructure in Frankfurt, Germany.
• SMS verification: GTX Messaging, Germany.

We do not transfer personal data to countries outside the European Economic Area (EEA). In the event that this changes in the future, we will update this policy and ensure appropriate safeguards are in place.

7. Data Retention

• Account Data: Stored until you delete your account.
• Chat Data & Files: Stored until you delete individual chats or your entire account.
• Phone Number: Stored as long as your account exists.
• Session Data: Expires after 24 hours (or 7 days with "Remember Me").
• Server Logs: Retained for a maximum of 7 days.
• SMS Verification Codes: Expire after 10 minutes.

8. Data Security

We implement appropriate technical and organizational measures to protect your data, including transport encryption (TLS), secure password hashing, cryptographically random session tokens, and server-side access controls. All data is stored on servers in Germany, subject to German and EU data protection laws.

However, no system is completely secure. We cannot guarantee the security of data once it is processed by third-party providers.

9. Your Rights Under GDPR

You have the following rights:

• Right to Access (Art. 15): You can request information about what personal data we store. You can also export all your chat data at any time using the Export function.
• Right to Rectification (Art. 16): You can correct inaccurate data through your account settings or by contacting us.
• Right to Erasure (Art. 17): You can delete individual chats, folders, or your entire account at any time.
• Right to Restriction of Processing (Art. 18): You can request that we restrict processing of your data in certain circumstances.
• Right to Data Portability (Art. 20): You can export your data in JSON format using the Export function.
• Right to Object (Art. 21): You can object to processing based on legitimate interests.
• Right to Withdraw Consent (Art. 7(3)): You can withdraw consent by deleting your account or by contacting us.
• Right to Lodge a Complaint (Art. 77): You can lodge a complaint with the Hessischer Beauftragter für Datenschutz und Informationsfreiheit, Postfach 3163, 65021 Wiesbaden, Germany.

To exercise your rights, contact us at hig5hleader@gmx.de.

10. Third-Party Services

Your requests are routed to AI providers for response generation. Our primary routing provider is Requesty (EU, Frankfurt), which forwards requests to the appropriate AI model. For redundancy, we may also route requests directly through providers' EU infrastructure. All data is routed through EU infrastructure.

The following providers may process your messages:

Requesty (Routing Provider)

Requesty routes your AI requests through EU infrastructure in Frankfurt, Germany. Requesty does not store your message content.

• Requesty Privacy Policy

Google Cloud (Vertex AI)

Google Gemini and Anthropic Claude models, accessed via Google Vertex AI.

• Google Cloud (Vertex AI) Privacy Policy

OpenAI

OpenAI GPT models.

• OpenAI Privacy Policy

xAI

xAI Grok models.

• xAI Privacy Policy

Mistral AI

Mistral AI models.

• Mistral AI Privacy Policy

Amazon (AWS Bedrock)

Amazon Nova and NVIDIA Nemotron models, hosted on AWS Bedrock.

• Amazon (AWS Bedrock) Privacy Policy

GTX Messaging (SMS Verification)

GTX Messaging (Message Mobile GmbH, Cologne, Germany) delivers SMS verification codes. GTX receives your phone number solely for SMS delivery.

• GTX Messaging Privacy Policy

11. Changes to This Privacy Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. We will update the "Last updated" date at the top of this page. For significant changes, we may notify you through the app or via email.

12. Contact

If you have questions about this Privacy Policy or wish to exercise your rights, contact us at:

Michael Persch

c/o COCENTER

Koppoldstr. 1

86551 Aichach

E-Mail: hig5hleader@gmx.de