Privacy Policy

Last updated: March 4, 2026

1. Data Controller

The data controller for this service is:

FRITS AI ApS
CVR: 45733785
Denmark
Email: support@frits.ai

For any questions about this Privacy Policy or our data processing activities, please contact our Data Protection Officer at support@frits.ai.

2. About the Service

GDPRchat is a general-purpose AI chatbot operated by FRITS AI ApS, a Danish company. The service is 100% hosted in the European Union and uses only EU-based AI technology. Our primary AI model is provided by Mistral AI (Paris, France). The service includes a knowledge base of EU regulations and uses Brave Search for retrieving current information from the web.

3. Personal Data We Collect

3.1 Account Data

When you create an account, we collect your name, email address, and a cryptographic hash of your password. If you sign up as part of an organisation, we also store the organisation name. If you choose to sign in via Google or Microsoft OAuth, we receive your name and email address from those providers — we do not receive or store your Google or Microsoft password.

3.2 Chat Data

We store the conversations and messages you create when using the chatbot, including any documents you upload. This data is necessary to provide the service and allow you to return to previous conversations.

3.3 Technical Data

We collect your IP address for the purpose of rate limiting and abuse prevention. For anonymous (non-logged-in) users, IP addresses are stored in anonymous session records that automatically expire after 7 days. We also process the Accept-Language header from your browser to provide the service in your preferred language.

3.4 Payment Data

Payment processing is handled entirely by Stripe, Inc. We do not receive, process, or store your credit card number, bank account details, or other financial payment instruments. We store only a Stripe customer identifier that allows us to link your account to your subscription.

3.5 Cookies and Local Storage

We do not use any tracking, analytics, or advertising cookies. All cookies and local storage we use are either strictly necessary for the service to function or store preferences you explicitly set. Under Article 5(3) of the ePrivacy Directive, these are exempt from consent requirements, which is why we do not show a cookie consent banner.

We use the following cookies:

  • Session cookie — a NextAuth JWT token that keeps you logged in. This is a strictly necessary cookie required for the service to function.
  • Anonymous trial cookie — used to provide the free trial experience to non-logged-in users.
  • Locale cookie — stores your language preference so we can serve the interface in your language. Only set when you actively change your language.
  • Admin cookie — used only for site administration access (god-mode).

We also use browser localStorage to store your non-personal preferences: theme (light/dark), font size, language preference, accent colour, and image quality preference. These are only set when you actively change a setting. This data never leaves your browser and is not transmitted to our servers.

4. Legal Bases for Processing

We process your personal data on the following legal bases under the General Data Protection Regulation (GDPR):

  • Performance of a contract (Art. 6(1)(b) GDPR) — Processing your account data, chat messages, and uploaded documents is necessary to provide you with the chatbot service you have requested. This includes account creation, message processing, conversation storage, and subscription management.
  • Legitimate interest (Art. 6(1)(f) GDPR) — We process IP addresses and anonymous session data for security, rate limiting, and fraud prevention. Our legitimate interest is protecting the service and its users from abuse. We have conducted a balancing test and concluded that these interests are not overridden by your fundamental rights, given the limited nature of the data and the short retention period (7 days for anonymous sessions).
  • Consent (Art. 6(1)(a) GDPR) — Where we rely on consent (for example, for optional cookies or future newsletter communications), you may withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.
  • Legal obligation (Art. 6(1)(c) GDPR) — We may retain certain transaction and invoicing records as required by Danish and EU tax law (Danish Bookkeeping Act, bogføringsloven).

5. Data Processors and Third-Party Services

We share personal data with the following third-party processors, each under a data processing agreement (Art. 28 GDPR):

  • Mistral AI (Paris, France) — Our AI model provider. Your chat messages are sent to Mistral AI for processing and generating responses. Mistral AI is an EU-based company and processes data within the EU.
  • Hetzner Online GmbH (Gunzenhausen, Germany) — Our infrastructure provider. All servers and databases are hosted in Hetzner data centres in Germany. All data at rest remains in the EU.
  • Black Forest Labs (Germany) — Provides image generation capabilities. Image prompts are sent to their EU-based infrastructure for processing.
  • Brave Search (US) — Used for web search queries. Only search query text is transmitted; no personal data, user identifiers, or IP addresses are shared with Brave. Search queries are not linked to user accounts.
  • Stripe, Inc. (US, EU-US Data Privacy Framework certified) — Handles payment processing. When you subscribe to a paid plan, your payment details are collected and processed directly by Stripe. Stripe is certified under the EU-US Data Privacy Framework (DPF), providing an adequate level of data protection as recognised by the European Commission (Art. 45 GDPR).
  • Google / Microsoft (US, EU-US Data Privacy Framework certified) — Only if you voluntarily choose to log in with Google or Microsoft OAuth. In that case, your name and email address are received from the chosen provider. Both are certified under the EU-US Data Privacy Framework.

6. International Data Transfers

The vast majority of your data is processed and stored exclusively within the European Union (Germany and France). Where data is transferred to the United States (Stripe, and optionally Google or Microsoft for OAuth), these transfers are protected by the EU-US Data Privacy Framework adequacy decision adopted by the European Commission on July 10, 2023, in accordance with Art. 45 GDPR.

We do not transfer personal data to any country outside the EU/EEA that lacks an adequate level of data protection, unless an appropriate safeguard under Chapter V of the GDPR is in place.

7. Data Retention

  • Account data — Retained for as long as your account exists. When you delete your account, all account data is permanently deleted.
  • Chat data — Retained until you delete individual conversations or delete your account, whichever comes first.
  • Anonymous sessions — Automatically expire and are deleted after 7 days.
  • Shared chat links — Expire and are deleted after 30 days.
  • Tax and invoicing records — Retained for the period required by applicable Danish and EU law (currently 5 years under the Danish Bookkeeping Act).

8. Your Rights Under the GDPR

Under the GDPR, you have the following rights with respect to your personal data:

  • Right of access (Art. 15 GDPR) — You have the right to obtain confirmation as to whether personal data concerning you is being processed and, if so, to access that data together with supplementary information.
  • Right to rectification (Art. 16 GDPR) — You have the right to have inaccurate personal data corrected and incomplete data completed.
  • Right to erasure ("right to be forgotten") (Art. 17 GDPR) — You have the right to have your personal data deleted. You can delete your conversations directly in the app, and you can request full account deletion by contacting us.
  • Right to data portability (Art. 20 GDPR) — You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.
  • Right to restriction of processing (Art. 18 GDPR) — You have the right to request that we restrict the processing of your personal data in certain circumstances.
  • Right to object (Art. 21 GDPR) — You have the right to object to processing based on legitimate interest. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
  • Right to withdraw consent (Art. 7(3) GDPR) — Where processing is based on consent, you have the right to withdraw consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.
  • Right to lodge a complaint (Art. 77 GDPR) — You have the right to lodge a complaint with a supervisory authority. Our lead supervisory authority is the Danish Data Protection Agency (Datatilsynet):
    Datatilsynet
    Carl Jacobsens Vej 35
    2500 Valby, Denmark
    Email: dt@datatilsynet.dk
    Website: www.datatilsynet.dk

To exercise any of these rights, please contact us at support@frits.ai. We will respond to your request within one month, as required by Art. 12(3) GDPR. In complex cases, this period may be extended by a further two months, in which case we will inform you of the extension and the reasons for the delay.

9. Security Measures

We implement appropriate technical and organisational measures to protect your personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage, in accordance with Art. 32 GDPR. These measures include:

  • Encryption of data in transit (TLS/HTTPS)
  • Password hashing using industry-standard cryptographic algorithms
  • EU-only hosting with no data stored outside the European Union
  • Rate limiting and abuse prevention mechanisms
  • Regular review of data processing activities and access controls

10. No Analytics, No Tracking, No Advertising

GDPRchat does not use any third-party analytics services (such as Google Analytics), does not deploy tracking pixels or fingerprinting technologies, does not serve advertisements, and does not engage in profiling or automated decision-making as defined in Art. 22 GDPR. We do not sell, rent, or share your personal data with third parties for marketing purposes.

11. Children's Privacy

GDPRchat is a general-purpose service available to users of all ages. Where consent is the legal basis for processing, we rely on Art. 8 GDPR regarding conditions applicable to a child's consent in relation to information society services. In Denmark, the digital age of consent is 13 years. Users under this age require parental or guardian consent to create an account.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify registered users by email or by a prominent notice in the service. The "Last updated" date at the top of this page indicates when the policy was last revised.

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our handling of your personal data, please contact us:

FRITS AI ApS
Email: support@frits.ai