How it works Pricing
Back to Home

Privacy Policy

Last updated: May 4, 2026 · Governed by GDPR and German law

1. Controller (Verantwortlicher)

Kritesh Shridhar
Ferdinand-Weiß-Str. 54, 79106 Freiburg im Breisgau, Germany
Email: kritesh@shridhar.de

2. Core Principle: Local-First Processing

SafAI is designed with privacy as its foundation. All PII detection and scrubbing occurs exclusively on your local device. Your original prompts — including any personal data they contain — are never transmitted to our servers, to OpenAI, or to any third party. Only anonymised (scrubbed) text leaves your device when you submit a prompt to ChatGPT.

We do not operate a cloud-based AI processing pipeline. We do not receive, store, or process the content of your conversations.

3. Data We Collect and Why

3.1 Account and Subscription Data

When you create an account or subscribe, we collect:

  • Email address
  • Subscription plan and status
  • Stripe customer and subscription ID (reference only — no card data)
  • Subscription start and end dates

Purpose: To manage your subscription, verify access, and provide customer support.

Legal basis: Performance of a contract (Art. 6(1)(b) GDPR).

Retention: For the duration of your subscription plus 3 years for accounting and legal compliance obligations under § 147 AO (German Fiscal Code).

3.2 Feedback Data

When you submit feedback through the SafAI desktop app, we collect:

  • Your feedback message (free text you enter)
  • Your email address (automatically associated from your account to allow us to respond and to administer discount programs for feedback plan subscribers)
  • App version at time of submission

Purpose: Product improvement, responding to your feedback, and administering feedback-based subscription discounts.

Legal basis: Legitimate interests (Art. 6(1)(f) GDPR) — improving the product and fulfilling discount commitments; performance of a contract where a discount plan applies (Art. 6(1)(b) GDPR).

Retention: Up to 2 years, or until you request deletion.

Note: Please do not include sensitive personal data or third-party personal information in your feedback messages.

3.3 Data Stored Locally on Your Device

The SafAI desktop application stores account information (email, subscription plan, validity date) locally on your device in an application data directory. This data is used solely to display your account status within the app and validate your subscription. It is not accessible to us remotely and is not transmitted anywhere without your action.

3.4 SafAI Browser Extension (Chrome)

The optional SafAI extension for ChatGPT works only together with the SafAI desktop app. It does not process your prompts on its own.

  • Local connection only: The extension communicates with the SafAI app on your computer via 127.0.0.1 (localhost). It does not send chat or prompt content to SafAI servers.
  • ChatGPT pages: The extension runs only on chatgpt.com and chat.openai.com to offer scrubbing in the ChatGPT interface.
  • Account status: The extension may contact our Supabase project (EU, Frankfurt) to read whether your subscription is active — the same account data as the desktop app. No conversation content is transmitted.

Legal basis: Performance of a contract (Art. 6(1)(b) GDPR) for subscription verification; legitimate interests (Art. 6(1)(f) GDPR) for the local privacy function when you choose to use it.

4. Data We Do NOT Collect

  • The content of your AI prompts or conversations
  • The PII entities detected or scrubbed by the extension
  • Browsing history or visited URLs
  • Device identifiers or fingerprinting data
  • Payment card details (handled entirely and exclusively by Stripe)

5. Infrastructure and Sub-processors

Supabase (Database): Account and feedback data is stored in a Supabase PostgreSQL database hosted in the EU Central 1 (Frankfurt, Germany) AWS region. Data does not leave the EU. A Data Processing Agreement (DPA) is in place with Supabase under Art. 28 GDPR. Legal basis: Art. 6(1)(b) and (f) GDPR.

Stripe (Payments): Stripe processes all payment transactions independently. We receive only a subscription reference ID and your email address from Stripe webhooks. Stripe is PCI-DSS Level 1 certified and GDPR-compliant. Stripe's privacy policy governs payment data: stripe.com/privacy. Legal basis: Art. 6(1)(b) GDPR.

Cloudflare (Website Hosting and CDN): Our website is hosted via Cloudflare Pages. Cloudflare processes IP addresses in transit for security and performance. Cloudflare acts as a data processor under Art. 28 GDPR. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in secure, available service). Cloudflare Analytics provides aggregate, cookieless, anonymised traffic statistics — no personal data is stored or shared.

No other third-party analytics, tracking pixels, advertising networks, or data brokers are used.

6. Cookies and Tracking

We use cookies and similar technologies to ensure the security and functionality of our website, and to analyze traffic to improve our service.

  • Essential Cookies: Required for site security, session management, and processing payments via Stripe. These cannot be disabled.
  • Google Analytics: With your consent, we use Google Analytics to collect aggregate, anonymized traffic data. We have enabled IP anonymization. You can manage your preferences via the cookie banner on our website.

7. International Data Transfers

All personal data is stored and processed within the European Union (Frankfurt, Germany). We do not transfer personal data to third countries outside the EEA. In the event any sub-processor introduces a non-EEA transfer, it will be governed by EU Standard Contractual Clauses (SCCs) under Art. 46(2)(c) GDPR, and you will be informed.

8. Your Rights (Betroffenenrechte)

Under the GDPR, you have the following rights regarding your personal data:

  • Right of access (Art. 15 GDPR): Request a copy of all personal data we hold about you.
  • Right to rectification (Art. 16 GDPR): Request correction of inaccurate or incomplete data.
  • Right to erasure / "right to be forgotten" (Art. 17 GDPR): Request deletion of your data, subject to overriding legal retention obligations.
  • Right to restriction of processing (Art. 18 GDPR): Request that we limit how we use your data.
  • Right to data portability (Art. 20 GDPR): Receive your data in a structured, commonly used, machine-readable format.
  • Right to object (Art. 21 GDPR): Object at any time to processing based on our legitimate interests.
  • Right to withdraw consent: Where processing is based on your consent, withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact: kritesh@shridhar.de. We will respond without undue delay and within one month as required by Art. 12 GDPR.

9. Right to Lodge a Complaint (Beschwerderecht)

You have the right to lodge a complaint with the competent supervisory authority at any time. The supervisory authority for Baden-Württemberg is:

Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg
Lautenschlagerstraße 20, 70173 Stuttgart, Germany
Tel: +49 711 615541-0
www.baden-wuerttemberg.datenschutz.de

This right exists without prejudice to any other administrative or judicial remedy.

11. Use of Company Logos (Professional Accounts)

If you sign up for a paid plan using a professional email address (e.g., yourname@company.com), we may display your company’s logo on our website to indicate that your organization uses SafAI. This is based on our legitimate interest in marketing (Art. 6(1)(f) GDPR). This does not apply to personal accounts using generic domains (e.g., @gmail.com).

Anonymity and Opt-out: We do not reveal your personal identity, name, or specific account details in connection with this logo. You have the right to object to this use at any time. To opt out, please email kritesh@shridhar.de and we will remove the logo within 5 business days.

12. Changes to This Policy

We may update this Privacy Policy to reflect changes in our service or applicable law. Material changes will be communicated via the SafAI website. The date at the top of this page indicates the most recent revision. Continued use of SafAI after a material update constitutes acceptance of the revised policy.