Your Privacy Matters: Gwenai is designed with privacy at its core. We store all your data locally on your device - we only keep minimal account information needed for your subscription.
1. INTRODUCTION
This Privacy Policy explains how Constevol ("we", "us", "our") collects, uses, and protects your personal information when you use Gwenai ("Service"). If you fall within the scope of the GDPR, you'll need to provide your lawful bases for processing personal data.
Gwenai is committed to protecting your privacy through:
- Local-first approach: All your content and AI interactions are stored locally on your device
- Minimal data collection: We only collect what's essential for account management
- Transparent practices: Clear disclosure of what data we handle
2. DATA CONTROLLER
Data Controller: Constevol
Email: contact@gwenai.io
Country: Sweden
3. WHAT DATA WE COLLECT
🔒 What We DON'T Collect
- Your AI conversations or prompts
- Files you work with in Gwenai
- System commands you approve or reject
- Any content generated by the AI
- Usage analytics or tracking data
3.1 Account Information We Collect
| Data Type | Purpose | Legal Basis (GDPR) |
|---|---|---|
| Email address | Account identification, communication, password recovery | Contract performance |
| Hashed password | Account security and authentication | Contract performance |
| Subscription information | Billing, service provision, subscription management | Contract performance |
| OAuth ID (if applicable) | Third-party authentication (Google, GitHub, etc.) | Consent |
| Payment metadata | Transaction processing (handled by Stripe) | Contract performance |
3.2 Automatically Collected Data
We collect minimal technical information necessary for service operation:
- Login timestamps: For security and account management
- IP address: Temporarily logged for security purposes only
- Device type: To ensure software compatibility
4. LEGAL BASIS FOR PROCESSING
Under the GDPR, you need to have a legal basis for all the data processing you carry out. Our legal bases are:
- Contract Performance (Article 6(1)(b)): Processing necessary to provide Gwenai services
- Legitimate Interest (Article 6(1)(f)): Security monitoring and fraud prevention
- Consent (Article 6(1)(a)): OAuth authentication and marketing communications (opt-in only)
5. HOW WE USE YOUR DATA
Your users should know about the people with whom you'll be sharing personal data. We use your personal data exclusively for:
- Creating and managing your Gwenai account
- Processing subscription payments via Stripe
- Providing customer support
- Sending important service notifications
- Ensuring account security
We do NOT:
- Sell your data to third parties
- Use your data for advertising
- Share your data for marketing purposes
- Analyze your AI usage patterns
6. DATA SHARING AND THIRD PARTIES
We share your data only with essential service providers:
6.1 Payment Processing
- Stripe: Processes payments securely. View Stripe's Privacy Policy
- We never store your full credit card information
6.2 Infrastructure Providers
- Cloud hosting: For secure account data storage
- All providers are GDPR-compliant with appropriate data processing agreements
6.3 Legal Requirements
We may disclose your data if required by law or to:
- Comply with legal obligations
- Protect our rights or property
- Prevent fraud or security threats
7. DATA STORAGE AND SECURITY
7.1 Where Your Data is Stored
- Account data: Stored in secure, GDPR-compliant data centers
- Local data: All AI interactions and content remain on your device only
- Backups: Encrypted and stored
7.2 Security Measures
- Encryption in transit (TLS) and at rest (AES-256)
- Hashed and salted passwords
- Regular security audits and updates
- Access controls and monitoring
8. DATA RETENTION
You have a right to keep personal data, but according to the GDPR, this time period is "for no longer than is necessary for the purposes for which the personal data are processed."
| Data Type | Retention Period | Reason |
|---|---|---|
| Account information | Until account deletion | Service provision |
| Payment records | 7 years | Legal/tax requirements |
| Support communications | 3 years | Customer service |
| Security logs | 1 year | Security and fraud prevention |
9. YOUR RIGHTS UNDER GDPR
As a data subject, you have the following rights:
9.1 Right of Access (Article 15)
Request a copy of all personal data we hold about you.
9.2 Right to Rectification (Article 16)
Correct any inaccurate or incomplete personal data.
9.3 Right to Erasure (Article 17)
Request deletion of your personal data ("right to be forgotten").
9.4 Right to Restrict Processing (Article 18)
Limit how we use your personal data.
9.5 Right to Data Portability (Article 20)
Receive your data in a structured, machine-readable format.
9.6 Right to Object (Article 21)
Object to processing based on legitimate interests.
9.7 Right to Withdraw Consent
Withdraw consent for processing at any time.
To exercise your rights:
Email: contact@gwenai.io
Subject: "Privacy Rights Request"
We will respond within 30 days.
10. CHILDREN'S PRIVACY
Where information society services are offered directly to a child under the age of 13, and the lawful basis of processing their personal data is consent, such consent must be obtained from or authorised by the individual with parental responsibility over the child.
Gwenai is not intended for children under 13. We do not knowingly collect personal information from children under 13. If we discover we have collected such information, we will delete it immediately.
11. INTERNATIONAL DATA TRANSFERS
If you transfer data you've collected internationally, use a template that allows you to insert a business transfer clause into your privacy policy.
Your personal data is primarily stored within the EU. When we transfer data outside the EU:
- We use Standard Contractual Clauses (SCCs) approved by the European Commission
- We ensure adequate safeguards are in place
- Transfers are limited to essential service operations only
12. PRIVACY POLICY CHANGES
You should review and revise your privacy policy document at least once a year to reflect changes in business operations, laws, and technology.
We may update this Privacy Policy to reflect:
- Changes in our data practices
- Legal or regulatory requirements
- New features or services
We will notify you of material changes via:
- Email notification (30 days advance notice)
- Website banner
13. COMPLAINTS AND CONTACT
If you have concerns about how we handle your personal data:
Contact Us First:
Constevol Privacy Team
Email: contact@gwenai.io
Regulatory Authority:
You have the right to lodge a complaint with:
Swedish Authority for Privacy Protection (IMY)
Website: imy.se
Email: imy@imy.se
14. BUSINESS TRANSFERS
Because SaaS businesses are bought and sold regularly, users have a right to know what happens to their personal data if a new company buys them out.
If Constevol is involved in a merger, acquisition, or sale of assets:
- We will provide notice before your personal data is transferred
- The new entity will be bound by this Privacy Policy
- You will have the right to delete your account before transfer