unfog Privacy Policy

Effective Date: 3.8.2025

Welcome to unfog ("we", "our", "us"). Your privacy is very important to us. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the unfog mobile and web applications (collectively, the "App"). By using unfog you agree to the practices described below.

1. Who We Are

unfog is developed and operated by Timo Hegnauer. For the purposes of the EU General Data Protection Regulation (GDPR), we are the data controller of your personal information.

Contact Us
Email: info@unfog.ai

2. Information We Collect

Category	What We Collect	Purpose
Account Information	Email address (or sign‑in provider ID), hashed password, and optional profile data you choose to provide.	Create and secure your account, authenticate you, and provide core features.
Chat Content	Messages you send in the App. Before storage, every message is application‑level encrypted with a key unique to your account ("user‑key encryption"). The ciphertext is then stored in Supabase, which also applies encryption at rest. When you read or search a chat, the server retrieves the ciphertext, decrypts it temporarily in volatile memory using your user‑specific key, and re‑encrypts it before persisting again. ▼ OpenAI Processing: To generate AI responses we send only the plaintext message text—never your email, name, or other personal identifiers—to OpenAIʼs API for processing. Chats are not used by OpenAI for training and are deleted from OpenAI logs within 30 days.	Deliver chat and AI‑assistant functionality while preventing platform administrators from viewing your plaintext messages.
Event & Usage Data	Anonymous in‑app events (e.g., screens visited, feature taps), device type, OS version, crash logs, and coarse region (country). We do not log precise location or chat content.	Understand product usage, improve performance, and fix bugs.
Support Interactions	Information you provide when you contact support.	Respond to inquiries and resolve issues.

We do not knowingly collect information from children under 13 (or the relevant age of digital consent in your jurisdiction).

3. How We Use Your Information

Provide & maintain the service (legal basis: performance of a contract).
Deliver AI chat completions via OpenAI (legitimate interests & contract).
Analytics & product improvement using aggregated, pseudonymised event data (legitimate interests or consent where required).
Security & fraud prevention (legitimate interests).
Legal compliance (legal obligation).

4. Sharing and Disclosure

We do not sell or rent your personal data. We share it only as described:

Recipient	Role	Safeguards
Supabase Inc.	Managed database, authentication, object storage, and realtime infrastructure.	Data stored in the EU by default; encrypted in transit & at rest. Ciphertext uploaded after user‑key encryption.
OpenAI, L.L.C.	Generates AI responses. Only message text is transmitted, stripped of identifying metadata.	OpenAI processes the data as our sub‑processor under a Data Processing Addendum and EU Standard Contractual Clauses (SCCs).
Analytics Provider (e.g., PostHog Cloud EU)	Event tracking & crash analytics.	Data is pseudonymised; IP addresses truncated or removed.
Legal Authorities	Only if required to comply with law or to protect rights, safety, or property.	Assessed individually; we disclose only the data required under applicable law.

Note: Because chats are double‑encrypted (user‑key encryption + database encryption at rest), we cannot provide plaintext message content to third parties—even with administrative privileges—without your user‑specific key.

5. International Transfers

Some processors (e.g., OpenAI, Supabase) may store or access data from countries outside the European Economic Area ("EEA"). When we transfer data internationally, we rely on Standard Contractual Clauses or an adequacy decision under Art. 45 GDPR and implement additional safeguards where necessary.

6. Data Retention

Data Type	Retention Policy
Account data	Kept for the life of your account. Deleted immediately upon account deletion, except encrypted backups retained for up to 30 days.
Chat messages	Stored in ciphertext form. Deleted when you delete the message or your account. Backups purged within 30 days or rendered unreadable once your user‑key is destroyed.
Event & analytics data	Aggregated after 90 days; raw logs deleted within 180 days.
Support tickets	Retained for 24 months for audit and quality purposes.

7. Your Rights (GDPR & CCPA)

Subject to local law, you have the right to:

Access your personal data
Rectify inaccurate data
Delete your data ("right to be forgotten")
Restrict or object to processing
Data portability
Withdraw consent at any time (does not affect prior processing)
Lodge a complaint with a supervisory authority

Exercising your rights: email to info@unfog.ai.

8. Account Deletion

You may delete your account at any time in Settings → Delete Account or directly contact us at info@unfog.ai. We will then:

Remove all personal data from Supabase (auth profile, chat ciphertext, event logs).
Destroys your user‑specific encryption key, making any residual ciphertext unrecoverable.
Triggers deletion of linked analytics identifiers within 24 hours.
Purges encrypted backups containing your data within 30 days.

9. Security

Transport Layer Security (TLS) for all network traffic
Application‑level encryption with user‑specific keys (AES‑256‑GCM) for chat content
Encryption at rest (AES‑256) for databases and file storage
Keys stored separately from ciphertext and accessible only during active user sessions
Continuous monitoring and regular security audits
Least‑privilege and role‑based access controls for staff

10. Changes to This Policy

We may update this Privacy Policy to reflect technical or legal changes. We will notify you via in‑app banner or email at least 14 days before material changes take effect. Continued use of Unfog after the effective date constitutes acceptance.

11. Contact

If you have questions or concerns about privacy, please contact us:
Email: info@unfog.ai