Privacy Policy
1. What we collect
- Account data: email address and display name. We do not store passwords — authentication uses one-time codes (OTP) sent by email.
- Conversation data: messages you send and AI responses, stored so the service can function.
- Usage data: token counts and costs per request, for billing and analytics.
- Payment data: transaction records (package, points, amount). Payment card data is handled exclusively by Lemon Squeezy — we never see or store it.
2. How we use it
- Provide the AI assistant service
- Manage your points balance and purchases
- Send transactional emails (OTP codes, receipts, low-balance alerts)
- Debug and improve the service
3. Third-party processors
We share data with the following processors to operate the service. Each processes only the data necessary for its function:
- OpenRouter — AI routing gateway. Your queries are forwarded to AI model providers including Anthropic (Claude), OpenAI (GPT), Google (Gemini), xAI (Grok), Mistral, DeepSeek, Nvidia, Xiaomi, and Qwen. Each provider has its own privacy policy. We do not send your email or account details alongside queries unless you include them in your message.
- Resend — Transactional email delivery (OTP codes, receipts, alerts). Receives your email address and email content. EU data processed under standard contractual clauses.
- PostHog — Product analytics. Receives anonymized usage events (page views, feature usage) only if you accept analytics via the cookie banner. Data stored on PostHog EU Cloud (Frankfurt). No advertising use.
- Lemon Squeezy — Payment processing and Merchant of Record. Handles your payment card data for credit purchases. We never see or store your card details.
- Hetzner Online GmbH — Infrastructure. Our server is located in Germany (EU). Account data and conversation history are stored on Hetzner hardware under German data protection law.
4. Authentication
We authenticate users with one-time codes sent by email — no passwords are created or stored. Session tokens are stored in secure, httpOnly cookies (not accessible from JavaScript) and expire after 30 days of inactivity.
5. Data retention
- Conversations: retained until you delete them or close your account
- Account data: retained until you request deletion
- Transaction records: retained for 7 years for legal/accounting purposes
6. Your rights
You can delete your conversations at any time from the app. To request full account deletion or a data export, email hello@hybridfusion.eu. We'll respond within 30 days. EU residents also have the right to lodge a complaint with their national data protection authority.
7. Security
Data is stored on a dedicated server in Germany (Hetzner). We use HTTPS for all connections. Session tokens use secure httpOnly cookies. No sensitive data is logged.
8. Cookies and analytics
We use a secure httpOnly cookie to maintain your login session. We only load analytics (PostHog EU) after you explicitly accept via the cookie banner. You can withdraw consent at any time by clearing your browser storage.
9. Contact
Privacy questions: hello@hybridfusion.eu