Privacy Policy

Privacy rules for Chat.AI

Last updated: June 1, 2026. This policy explains what data Chat.AI stores, what is processed only for ephemeral chat, and how account data is protected.

Related document: Terms of Service

1. Data we collect

We store account data such as your email address, name, password hash, product-access tags, encrypted API keys, support tickets, and security records linked to your account.

Chat prompts and replies are processed for the active response. By default, recent chats and projects are saved on your device only, not in the VPS database.

If you enable optional history sync, the app encrypts chat and project history on your device before upload. The server stores only ciphertext, sync metadata, and key-derivation settings it cannot use to read the contents.

2. Local history and optional sync

Local history is stored in the app or browser storage on the device you are using. Removing local browser/app data can remove that local copy.

Encrypted sync is opt-in. Disabling sync removes server-side encrypted history blobs, while local device copies remain on devices until you remove them there.

If you forget or reset your password without migrating synced history, already-synced history cannot be recovered because the old encryption key is not stored by Chat.AI.

3. Who can access chat content

Ordinary staff tools are not designed to expose user chat contents. When encrypted sync is enabled, staff may see operational metadata such as blob counts, but not plaintext messages or projects.

However, no internet-connected system can promise absolute security. Unauthorized intrusion, infrastructure compromise, software defects, legal requests, or connected service incidents can still create risk.

4. Third-party processors

To operate the service, some data is processed by third parties.

  • AI response services receive prompts and model requests needed to generate responses.
  • AI response services may also provide API-key usage and credit snapshots.
  • Email delivery and routing services handle activation, receipts, and support mail.
  • Hosting, security, and storage services may process traffic and stored data as part of operating the app.

5. How we protect data

Sensitive access keys are kept server-side, password values are stored only as hashes, the app runs behind HTTPS and layered network protections, and internal staff actions are separated into role-based dashboard tools instead of exposing raw secrets to users.

6. Retention and deletion

API keys, support records, and related product data remain attached to your current product access until you request account closure, inactivity rules are added, or the account is otherwise removed under the Terms of Service.

Manual account closure currently starts a 7-day grace period for the current product. When that timer ends, this product's sessions, API keys, support records, feedback, preferences, linked access records, optional encrypted sync blobs, and credit snapshots are deleted. Local device history must be removed on each device.

7. Contact

Privacy or account questions can be sent to support@gratobeun.com.