Privacy Policy
Last Updated: December 27, 2025
Effective Date: December 27, 2025
1. Introduction
Welcome to fecht.guru ("we," "our," or "us"). This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use our AI chatbot service. We are committed to protecting your privacy and complying with the EU General Data Protection Regulation (GDPR) and the EU AI Act.
2. Data Controller
The data controller for your personal data is fecht.guru. For privacy-related inquiries, please contact us via GitHub issues at github.com/RickardHF/hemaai.
3. Information We Collect
3.1 Authentication Data (via Google OAuth)
When you sign in, we collect:
- Google User ID: Unique identifier from your Google account
- Email Address: Your Google account email
- Name: Your display name from Google
- Profile Picture: Your Google profile image URL
Legal Basis: Consent (GDPR Article 6(1)(a)) and performance of contract (GDPR Article 6(1)(b))
3.2 Chat Interaction Data
When you use the chatbot, we process:
- Messages: Your questions and prompts sent to AI models
- AI Responses: Generated answers from our AI providers
- Conversation Metadata: Conversation titles, timestamps, provider/model selection
- Session Information: Temporary session data stored in JWT tokens (30-day expiry)
Legal Basis: Consent (GDPR Article 6(1)(a)) for conversation storage, and performance of contract (GDPR Article 6(1)(b)) for session processing
Conversation Storage Options:
- Without Persistence (Default): Chat messages exist only in your browser's memory during the active session. No messages are stored in our database. Messages are automatically cleared when you close the browser or start a new conversation.
- With Persistence (Optional): If you explicitly consent via the GDPR dialog, conversations are stored in our secure PostgreSQL database (EU region). This enables:
  - Access to conversation history across sessions and devices
  - Searching and organizing past conversations
  - Exporting your data (GDPR Article 20 - Data Portability)
You Control Storage: Conversation persistence requires explicit opt-in consent. You can:
- Enable or disable storage at any time in Settings
- Delete individual conversations or all conversations
- Export all your data in machine-readable format
- Withdraw consent and disable storage permanently
Data Sent to AI Providers: When using cloud AI providers (OpenAI, Gemini), your messages are temporarily processed by their systems regardless of conversation persistence settings. See Section 5 for details.
3.3 Usage Analytics
We collect:
- Rate Limit Tracking: Number of requests per user (for app-hosted OpenAI provider)
- Provider Selection: Which AI provider you choose (stored in browser localStorage)
- Model Selection: Which AI model you select (stored in browser localStorage)
Legal Basis: Legitimate interests (GDPR Article 6(1)(f)) - preventing abuse and managing service resources
3.4 Technical Data
We automatically collect:
- IP Address: For security and rate limiting (not permanently stored)
- Browser Type: For compatibility checks (WebGPU support detection)
- Session Tokens: JWT tokens for authentication
4. How We Use Your Data
We use your personal data to:
- Provide the Service: Authenticate you and generate AI responses
- Rate Limiting: Enforce 40 requests/day limit for app-hosted providers
- Security: Detect and prevent abuse, unauthorized access, and fraud
- Service Improvement: Understand usage patterns to improve AI capabilities
- Legal Compliance: Comply with EU AI Act transparency obligations
5. Third-Party Data Sharing
5.1 Google (Authentication)
We use Google OAuth for authentication. Your authentication data is processed by Google according to their Privacy Policy.
5.2 OpenAI (App-Hosted Provider)
When you use the app-hosted OpenAI provider, your messages are sent to OpenAI's servers in the United States. OpenAI processes your data according to their Privacy Policy and EU Privacy Policy.
Data Transfer: Data is transferred to the USA under the EU-US Data Privacy Framework and Standard Contractual Clauses.
Data Retention by OpenAI: As of December 2025, OpenAI retains API data for 30 days for abuse monitoring, then permanently deletes it (unless required by law).
5.3 WebLLM (Local Provider)
When you use WebLLM, all AI processing happens locally in your browser. No chat data is sent to third-party AI providers (OpenAI, Google, etc.). Model files are downloaded once and cached in your browser.
Important: If you enable conversation history, your messages will be stored on our server (not with AI providers). This enables:
- Access to conversations across devices
- Conversation search and history
- User-controlled deletion and export
Privacy Advantage: Your messages are never processed by third-party AI companies, even with server storage enabled.
5.4 Upstash Redis (Optional - Production Rate Limiting)
In production environments, we may use Upstash Redis (EU region) to store rate limit counters (user ID + count). No chat content is stored in Redis.
6. Data Retention
| Data Type | Retention Period |
|---|---|
| Session Tokens (JWT) | 30 days (auto-expiry) |
| Chat Messages (No Persistence) | Session-only (not stored) |
| Conversations (With Persistence) | Until deleted by user or account deletion |
| Rate Limit Data | 24 hours (rolling window) |
| Authentication Data | Until account deletion or logout |
| Browser localStorage | Until manually cleared by user |
7. Your Rights Under GDPR
You have the following rights regarding your personal data:
7.1 Right of Access (Article 15)
You can request a copy of your personal data we hold.
7.2 Right to Rectification (Article 16)
You can request correction of inaccurate personal data.
7.3 Right to Erasure (Article 17)
You can request deletion of your account and data. To delete your data:
- Conversations (if enabled): Use the delete button on individual conversations in the sidebar, or delete all conversations at once in Settings
- Session data: Logging out automatically expires your session token within 30 days
- Browser data: Clear your browser's localStorage and cache
- Complete account deletion: Contact us via GitHub issues to permanently delete all data
7.4 Right to Restrict Processing (Article 18)
You can request limitation of how we process your data.
7.5 Right to Data Portability (Article 20)
You can request your data in a machine-readable format. If you have enabled conversation persistence, you can export all your conversations in JSON format using the "Export Data" feature in Settings. The export includes:
- All conversation titles and metadata
- All messages and AI responses
- Timestamps and model information
- Tool calls and function results
For authentication profile data, please contact us via GitHub issues.
7.6 Right to Object (Article 21)
You can object to processing based on legitimate interests.
7.7 Right to Withdraw Consent (Article 7)
You can withdraw consent at any time by logging out and ceasing use of the Service.
How to Exercise Your Rights
To exercise any of these rights, please contact us via GitHub issues at github.com/RickardHF/hemaai. We will respond within 30 days as required by GDPR Article 12.
8. Cookies and Local Storage
8.1 Essential Cookies
- Session Cookie: NextAuth.js session token (HTTP-only, secure)
- Purpose: Authentication and session management
- Expiry: 30 days
8.2 Browser Local Storage
We store in your browser's localStorage:
- selected_provider: Your chosen AI provider
- selected_model: Your chosen AI model
- ai_disclosure_dismissed: Whether you've dismissed the AI notice banner
- persistence_enabled: Your conversation storage preference
- persistence_consent_answered: Whether you've responded to the consent dialog
These are stored locally in your browser and not transmitted to our servers. You can clear them via your browser settings.
8.3 Analytics Cookies
We do NOT use:
- Google Analytics
- Facebook Pixel
- Third-party advertising cookies
- Tracking cookies
9. Data Security
We implement security measures including:
- HTTPS Encryption: All data in transit is encrypted using TLS 1.3
- Database Encryption: Conversations stored in PostgreSQL with encryption at rest (EU region)
- Secure Session Tokens: JWT tokens with HTTP-only, secure, and SameSite flags
- OAuth 2.0: Industry-standard authentication protocol
- Rate Limiting: Protection against abuse and DDoS attacks
- No Password Storage: We rely on Google OAuth (no passwords stored by us)
- Access Control: User-specific data isolation (you can only access your own conversations)
10. Children's Privacy
Our Service is not intended for children under 16 years of age. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe your child has provided us with personal data, please contact us.
11. International Data Transfers
Your data may be transferred outside the European Economic Area (EEA):
- OpenAI (USA): Protected by EU-US Data Privacy Framework and Standard Contractual Clauses
- Google OAuth (Global): Certified under EU-US Data Privacy Framework
We ensure all international transfers comply with GDPR Chapter V requirements.
12. EU AI Act Compliance
In accordance with the EU Artificial Intelligence Act (Regulation 2024/1689), we provide transparency about our AI systems. For detailed information about AI models, capabilities, and limitations, see our AI Transparency page.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by updating the "Last Updated" date. Your continued use of the Service after changes constitutes acceptance of the updated policy.
14. Supervisory Authority
You have the right to lodge a complaint with your national data protection authority if you believe we have violated your privacy rights. Contact information for EU data protection authorities can be found at edpb.europa.eu.
15. Contact Us
For privacy questions or to exercise your GDPR rights, please contact us via GitHub issues at github.com/RickardHF/hemaai.