Your Privacy Matters: Gwenai is designed with privacy at its core. We store all your data locally on your device - we only keep minimal account information needed for your subscription and use analytics to improve our service.
1. INTRODUCTION
This Privacy Policy explains how Constevol ("we", "us", "our") collects, uses, and protects your personal information when you use Gwenai ("Service"). If you fall within the scope of the GDPR, you'll need to provide your lawful bases for processing personal data.
Gwenai is committed to protecting your privacy through:
- Local-first approach: All your content and AI interactions are stored locally on your device
- Minimal data collection: We only collect what's essential for account management and service improvement
- Transparent practices: Clear disclosure of what data we handle
- Analytics for improvement: We use privacy-focused analytics to understand how to better serve you
2. DATA CONTROLLER
Data Controller: Constevol
Email: contact@gwenai.io
Country: Sweden
4. WHAT DATA WE COLLECT
🔒 What We DON'T Collect
- Your AI conversations or prompts
- Files you work with in Gwenai
- System commands you approve or reject
- Any content generated by the AI
- Personally identifiable information through analytics (beyond what's listed below)
4.1 Account Information We Collect
| Data Type | Purpose | Legal Basis (GDPR) |
|---|---|---|
| Email address | Account identification, communication, password recovery | Contract performance |
| Hashed password | Account security and authentication | Contract performance |
| Subscription information | Billing, service provision, subscription management | Contract performance |
| OAuth ID (if applicable) | Third-party authentication (Google, GitHub, etc.) | Consent |
| Payment metadata | Transaction processing (handled by Stripe) | Contract performance |
4.2 Automatically Collected Data
We collect minimal technical information necessary for service operation:
- Login timestamps: For security and account management
- IP address: Temporarily logged for security purposes only
- Device type: To ensure software compatibility
4.3 Analytics Data
Through our analytics tools (with your consent), we collect:
- Usage patterns: Which features are used most, navigation paths
- Performance data: Page load times, error rates
- Technical information: Browser type, screen resolution, operating system
- Geographic data: Country and city-level location (not precise location)
- User interactions: Clicks, scrolls, form submissions (anonymized)
5. LEGAL BASIS FOR PROCESSING
Under the GDPR, you need to have a legal basis for all the data processing you carry out. Our legal bases are:
- Contract Performance (Article 6(1)(b)): Processing necessary to provide Gwenai services
- Legitimate Interest (Article 6(1)(f)): Security monitoring, fraud prevention, and essential analytics
- Consent (Article 6(1)(a)): OAuth authentication, marketing communications (opt-in only), and non-essential analytics cookies
6. HOW WE USE YOUR DATA
Your users should know about the people with whom you'll be sharing personal data. We use your personal data for:
- Creating and managing your Gwenai account
- Processing subscription payments via Stripe
- Providing customer support
- Sending important service notifications
- Ensuring account security
- Analyzing website usage to improve our service (with consent)
- Identifying technical issues and performance problems
- Understanding user behavior to enhance user experience
We do NOT:
- Sell your data to third parties
- Use your data for targeted advertising
- Share your personal data for marketing purposes
- Create detailed user profiles for commercial purposes
- Track you across other websites beyond our analytics scope
7. DATA SHARING AND THIRD PARTIES
We share your data only with essential service providers:
7.1 Payment Processing
- Stripe: Processes payments securely. View Stripe's Privacy Policy
- We never store your full credit card information
7.2 Analytics Services
- Google Analytics: Website and app usage analytics. Data is anonymized and aggregated. View Google's Privacy Policy
- Microsoft Clarity: User behavior analysis for UX improvement. Sensitive data is automatically masked. View Microsoft's Privacy Policy
7.3 Infrastructure Providers
- Cloud hosting: For secure account data storage
- All providers are GDPR-compliant with appropriate data processing agreements
7.4 Legal Requirements
We may disclose your data if required by law or to:
- Comply with legal obligations
- Protect our rights or property
- Prevent fraud or security threats
8. DATA STORAGE AND SECURITY
8.1 Where Your Data is Stored
- Account data: Stored in secure, GDPR-compliant data centers
- Local data: All AI interactions and content remain on your device only
- Analytics data: Stored with Google and Microsoft in their respective secure environments
- Backups: Encrypted and stored
8.2 Security Measures
- Encryption in transit (TLS) and at rest (AES-256)
- Hashed and salted passwords
- Regular security audits and updates
- Access controls and monitoring
- Cookie security measures (secure, SameSite attributes)
9. DATA RETENTION
You have a right to keep personal data, but according to the GDPR, this time period is "for no longer than is necessary for the purposes for which the personal data are processed."
| Data Type | Retention Period | Reason |
|---|---|---|
| Account information | Until account deletion | Service provision |
| Payment records | 7 years | Legal/tax requirements |
| Support communications | 3 years | Customer service |
| Security logs | 1 year | Security and fraud prevention |
| Google Analytics data | 26 months | Service improvement analysis |
| Microsoft Clarity data | Up to 2 years | UX improvement analysis |
| Cookie data | Varies (30 days to 2 years) | Functionality and analytics |
10. YOUR RIGHTS UNDER GDPR
As a data subject, you have the following rights:
10.1 Right of Access (Article 15)
Request a copy of all personal data we hold about you.
10.2 Right to Rectification (Article 16)
Correct any inaccurate or incomplete personal data.
10.3 Right to Erasure (Article 17)
Request deletion of your personal data ("right to be forgotten").
10.4 Right to Restrict Processing (Article 18)
Limit how we use your personal data.
10.5 Right to Data Portability (Article 20)
Receive your data in a structured, machine-readable format.
10.6 Right to Object (Article 21)
Object to processing based on legitimate interests.
10.7 Right to Withdraw Consent
Withdraw consent for processing at any time, including analytics cookies.
10.8 Cookie Management
You can manage your cookie preferences through:
- Our cookie consent banner (appears on first visit)
- Your browser settings
- Third-party opt-out tools (Google Analytics opt-out, etc.)
To exercise your rights:
Email: contact@gwenai.io
Subject: "Privacy Rights Request"
We will respond within 30 days.
11. CHILDREN'S PRIVACY
Where information society services are offered directly to a child under the age of 13, and the lawful basis of processing their personal data is consent, such consent must be obtained from or authorised by the individual with parental responsibility over the child.
Gwenai is not intended for children under 13. We do not knowingly collect personal information from children under 13. If we discover we have collected such information, we will delete it immediately.
12. INTERNATIONAL DATA TRANSFERS
If you transfer data you've collected internationally, use a template that allows you to insert a business transfer clause into your privacy policy.
Your personal data is primarily stored within the EU. When we transfer data outside the EU:
- We use Standard Contractual Clauses (SCCs) approved by the European Commission
- We ensure adequate safeguards are in place
- Transfers are limited to essential service operations only
- Google Analytics and Microsoft Clarity may process data in the US under appropriate safeguards
13. PRIVACY POLICY CHANGES
You should review and revise your privacy policy document at least once a year to reflect changes in business operations, laws, and technology.
We may update this Privacy Policy to reflect:
- Changes in our data practices
- Legal or regulatory requirements
- New features or services
- Changes to our analytics tools
We will notify you of material changes via:
- Email notification (30 days advance notice)
- Website banner
- Updated cookie consent requests if needed
14. COMPLAINTS AND CONTACT
If you have concerns about how we handle your personal data:
Contact Us First:
Constevol Privacy Team
Email: contact@gwenai.io
Regulatory Authority:
You have the right to lodge a complaint with:
Swedish Authority for Privacy Protection (IMY)
Website: imy.se
Email: imy@imy.se
15. BUSINESS TRANSFERS
Because SaaS businesses are bought and sold regularly, users have a right to know what happens to their personal data if a new company buys them out.
If Constevol is involved in a merger, acquisition, or sale of assets:
- We will provide notice before your personal data is transferred
- The new entity will be bound by this Privacy Policy
- You will have the right to delete your account before transfer