Privacy Policy
Last Updated: April 6, 2026
Effective Date: December 27, 2025 (amended April 6, 2026)
1. Introduction
Welcome to fecht.guru, operated by Falck Studios AS ("we," "our," or "us"). This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use our AI chatbot service. We are committed to protecting your privacy and complying with the EU General Data Protection Regulation (GDPR), the Norwegian Personal Data Act (Personopplysningsloven), and the EU AI Act.
2. Data Controller
The data controller for your personal data is:
- Company: Falck Studios AS
- Organization Number: 837 347 602 (Brønnøysundregistrene)
- Location: Norway
For privacy-related inquiries, please contact us at privacy@falckstudios.com.
3. Information We Collect
3.1 Authentication Data
We support multiple sign-in methods via Supabase Auth. Depending on how you sign in, we collect:
- Email Address: Your email (required for all sign-in methods)
- Password: A hashed password if you sign up with email/password (stored securely by Supabase Auth — we never access plaintext passwords)
- Name: Your display name (from OAuth profile or provided at sign-up)
- Profile Picture: Your profile image URL (if signing in via Google OAuth)
- OAuth Provider ID: Unique identifier from Google (if signing in via Google)
Sign-in methods available:
- Google OAuth
- Email and password
- Magic link (passwordless email verification)
Legal Basis: Performance of contract (GDPR Article 6(1)(b)) — authentication data is necessary to provide the Service.
3.2 Conversation Data
When you use the chatbot, we process:
- Messages: Your questions and prompts sent to AI models
- AI Responses: Generated answers from our AI providers
- Conversation Metadata: Conversation titles, timestamps, provider/model selection
- Session Information: Temporary session data stored in JWT tokens (30-day expiry)
Legal Basis: Consent (GDPR Article 6(1)(a)) for optional conversation storage; Performance of contract (GDPR Article 6(1)(b)) for temporary session processing required to generate responses.
Conversation Storage Options:
- Without Persistence (Default): Chat messages exist only in your browser's memory during the active session. No messages are stored in our database. Messages are automatically cleared when you close the browser or start a new conversation.
- With Persistence (Optional): If you explicitly consent via the GDPR dialog, conversations are stored in our secure PostgreSQL database (EU region). This enables:
- Access to conversation history across sessions and devices
- Searching and organizing past conversations
- Exporting your data (GDPR Article 20 - Data Portability)
You Control Storage: Conversation persistence requires explicit opt-in consent. You can:
- Enable or disable storage at any time in Settings
- Delete individual conversations or all conversations
- Export all your data in machine-readable format
- Withdraw consent and disable storage permanently
Data Sent to AI Providers: When using cloud AI providers (Azure AI Foundry), your messages are temporarily processed by their systems regardless of conversation persistence settings. See Section 5 for details.
3.3 Usage Analytics
We collect:
- Rate Limit Tracking: Number of requests per user (for app-hosted Azure AI Foundry provider)
- Provider Selection: Which AI provider you choose (stored in browser localStorage)
- Model Selection: Which AI model you select (stored in browser localStorage)
Legal Basis: Legitimate interests (GDPR Article 6(1)(f)) - preventing abuse and managing service resources
3.4 Technical Data
We automatically collect:
- IP Address: For security and rate limiting (not permanently stored)
- Browser Type: For compatibility checks (WebGPU support detection)
- Session Tokens: JWT tokens for authentication
4. How We Use Your Data
We use your personal data to:
- Provide the Service: Authenticate you and generate AI responses
- Rate Limiting: Enforce a daily usage budget for app-hosted providers (quota varies by model — more capable models consume more of your daily budget)
- Security: Detect and prevent abuse, unauthorized access, and fraud
- Legal Compliance: Comply with EU AI Act transparency obligations
5. Third-Party Data Sharing
5.1 Supabase (Authentication & Database)
We use Supabase for authentication and database hosting. Supabase processes your authentication data (email, hashed password, OAuth tokens) and stores your conversation data in their EU-region PostgreSQL database. See Supabase Privacy Policy.
If you sign in via Google OAuth, your authentication is additionally processed by Google according to their Privacy Policy.
5.2 Microsoft Azure AI Foundry (App-Hosted Provider)
When you use the app-hosted Azure AI Foundry provider, your messages are sent to Microsoft Azure servers in the European Union (Sweden Central region). Microsoft processes your data according to their Privacy Statement and Data Protection Addendum.
Data Residency: AI processing occurs within the EU (Sweden Central region). No chat data is transferred outside the EEA for AI inference.
Data Retention by Microsoft: Azure AI Foundry processes data in real-time for inference and does not retain prompt or completion data beyond the API request lifecycle, unless required by law. See the Microsoft DPA for details.
5.3 WebLLM (Local Provider)
When you use WebLLM, all AI processing happens locally in your browser. No chat data is sent to third-party AI providers (Microsoft, Google, etc.). Model files are downloaded once and cached in your browser.
Important: If you enable conversation history, your messages will be stored on our server (not with AI providers). This enables:
- Access to conversations across devices
- Conversation search and history
- User-controlled deletion and export
Privacy Advantage: Your messages are never processed by third-party AI companies, even with server storage enabled.
5.4 Upstash Redis (Optional - Production Rate Limiting)
In production environments, we may use Upstash Redis (EU region) to store rate limit counters (user ID + count). No chat content is stored in Redis.
5.5 Brave Search API (Optional - Web Search Feature)
When the web search feature is enabled in the chat interface, your search query text is forwarded to the Brave Search API, operated by Brave Software, Inc. (USA), to retrieve current web results.
What is sent: Only the search query text — no personal identifiers, account data, or conversation history are transmitted.
Data Transfer: Query data is transferred to the USA. Brave processes queries according to their Search Privacy Policy.
Availability: This feature is only active when a Brave Search API key is configured by the service operator. If you prefer not to use it, you can avoid triggering web searches in your queries, or use the WebLLM local provider which does not perform web searches.
6. Data Retention
| Data Type | Retention Period |
|---|---|
| Session Tokens (JWT) | 30 days (auto-expiry) |
| Chat Messages (No Persistence) | Session-only (not stored) |
| Conversations (With Persistence) | Until deleted by user or account deletion |
| Rate Limit Data | 24 hours (rolling window) |
| Authentication Data | Until account deletion (session tokens are invalidated on logout) |
| Browser localStorage | Until manually cleared by user |
7. Your Rights Under GDPR
You have the following rights regarding your personal data:
7.1 Right of Access (Article 15)
You can request a copy of your personal data we hold.
7.2 Right to Rectification (Article 16)
You can request correction of inaccurate personal data.
7.3 Right to Erasure (Article 17)
You can request deletion of your account and data. To delete your data:
- Account & all data: Use the "Delete Account" option in Settings to permanently delete your account and all associated data immediately.
- Conversations (if enabled): Use the delete button on individual conversations in the sidebar, or delete all conversations at once in Settings
- Session data: Logging out ends your current session; session tokens expire automatically after at most 30 days
- Browser data: Clear your browser's localStorage and cache
- If you cannot log in: Email privacy@falckstudios.com to request permanent deletion of all data
7.4 Right to Restrict Processing (Article 18)
You can request limitation of how we process your data.
7.5 Right to Data Portability (Article 20)
You can request your data in a machine-readable format. If you have enabled conversation persistence, you can export all your conversations in JSON format using the "Export Data" feature in Settings. The export includes:
- All conversation titles and metadata
- All messages and AI responses
- Timestamps and model information
- Tool calls and function results
For authentication profile data, please email privacy@falckstudios.com.
7.6 Right to Object (Article 21)
You can object to processing based on legitimate interests.
7.7 Right to Withdraw Consent (Article 7)
You can withdraw consent for optional features at any time without affecting your ability to use the Service. For example, you can disable conversation persistence in Settings at any time. Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal.
How to Exercise Your Rights
To exercise any of these rights, please email privacy@falckstudios.com. We will respond without undue delay and in any event within one month, as required by GDPR Article 12(3).
8. Cookies and Local Storage
8.1 Essential Cookies
- Session Cookie: Supabase Auth session token (HTTP-only, secure)
- Purpose: Authentication and session management
- Expiry: Session-based with automatic refresh
8.2 Browser Local Storage
We store in your browser's localStorage:
- selected_provider: Your chosen AI provider
- selected_model: Your chosen AI model
- ai_disclosure_dismissed: Whether you've dismissed the AI notice banner
- persistence_enabled: Your conversation storage preference
- persistence_consent_answered: Whether you've responded to the consent dialog
These are stored locally in your browser and not transmitted to our servers. You can clear them via your browser settings.
8.3 Analytics Cookies
We do NOT use:
- Google Analytics
- Facebook Pixel
- Third-party advertising cookies
- Tracking cookies
9. Data Security
We implement security measures including:
- HTTPS Encryption: All data in transit is encrypted using TLS 1.3
- Database Encryption: Conversations stored in PostgreSQL with encryption at rest (EU region)
- Secure Session Tokens: JWT tokens with HTTP-only, secure, and SameSite flags
- OAuth 2.0: Industry-standard authentication protocol
- Rate Limiting: Protection against abuse and request flooding (denial of service)
- Password Security: Passwords (for email/password sign-up) are hashed and managed by Supabase Auth — we never access or store plaintext passwords
- Access Control: User-specific data isolation (you can only access your own conversations)
10. Children's Privacy
Our Service is not intended for children under 16 years of age. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe your child has provided us with personal data, please contact us.
11. International Data Transfers
Our sub-processors, where they process your data, and the safeguards that apply to any transfer outside the European Economic Area (EEA):
- Microsoft Azure AI Foundry (EU): AI processing occurs in Sweden Central (EU). No cross-border transfer for AI inference.
- Supabase (USA/EU): Database hosted in EU region; authentication services protected by Standard Contractual Clauses
- Google OAuth (Global): Certified under EU-US Data Privacy Framework (only applicable if you sign in via Google)
We ensure all international transfers comply with GDPR Chapter V requirements.
12. EU AI Act Compliance
In accordance with the EU Artificial Intelligence Act (Regulation 2024/1689), we provide transparency about our AI systems. For detailed information about AI models, capabilities, and limitations, see our AI Transparency page.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. For material changes that affect how we process your personal data, we will notify you via the application interface (e.g., a banner or prompt) before the changes take effect. Where a change requires your consent under GDPR, we will request it explicitly. Non-material updates (e.g., clarifications, formatting) will be reflected by updating the "Last Updated" date.
14. Supervisory Authority
As Falck Studios AS is registered in Norway, the primary supervisory authority is the Norwegian Data Protection Authority (Datatilsynet). You have the right to lodge a complaint with Datatilsynet or your national data protection authority if you believe we have violated your privacy rights.
- Datatilsynet: datatilsynet.no
- EU DPA Directory: edpb.europa.eu
15. Sub-Processor Data Processing Agreements
We maintain Data Processing Agreements (DPAs) with our sub-processors as required by GDPR Article 28. These are business-to-business agreements between Falck Studios AS and each sub-processor. The relevant sub-processor DPAs are available from their respective providers:
- Microsoft: Microsoft Products and Services Data Protection Addendum (DPA)
- Supabase: Data Processing Agreement
For questions about our data processing arrangements, please contact privacy@falckstudios.com.
16. Contact Us
For privacy questions or to exercise your GDPR rights, please contact Falck Studios AS:
- Privacy: privacy@falckstudios.com
- General: contact@falckstudios.com
- Location: Norway