Privacy Policy

1. Controller and contact

Damir Andrijanic c/o Postflex PFX-202-985 Emsdettener Str. 10 48268 Greven Germany

VAT ID (USt-IdNr.): DE461042625

For privacy requests, contact info@filegpt.dev. Legal details are available in the Impressum.

2. Personal data we process

• Account data: email address, authentication identifiers, and account/session references.
• Customer Content: uploaded files (PDF, DOCX, TXT), extracted text, indexed chunks, embeddings, chat questions, and chat responses.
• Operational metadata: timestamps, status fields, request context, usage counters (including token counts), and security/rate-limit signals.
• Telemetry and logs: application errors, service diagnostics, and limited analytics data depending on deployment configuration.

3. Purposes and legal bases (Art. 6 GDPR)

• Service delivery (Art. 6(1)(b)): account management, file storage, indexing, retrieval, and AI answer generation.
• Security and abuse prevention (Art. 6(1)(f)): authentication, access controls, request validation, and rate limiting.
• Operations and reliability (Art. 6(1)(f)): error diagnostics, performance monitoring, and service integrity checks.
• Compliance obligations (Art. 6(1)(c)): where legal retention or legal defense obligations apply.

4. How AI processing works

To answer a question, the Service typically retrieves relevant chunks from your indexed documents and sends:

• your current query;
• relevant retrieved excerpts; and
• limited recent message history for context.

This data may be processed by external model providers for inference and embedding operations. We design the pipeline to reduce unnecessary transfer of unrelated content, but third-party providers may process submitted input according to their terms.

5. Recipients and subprocessors

Depending on configuration, we may use the following categories of subprocessors:

• Cloud hosting and runtime providers (application delivery and telemetry).
• Database, auth, and object storage providers (account, files, embeddings, and chat persistence).
• AI model providers (language generation, embeddings, and optional vision extraction).
• Rate-limiting/edge infrastructure for abuse prevention.

A dedicated list and contractual terms for business processing are available in the DPA.

6. International transfers

Data may be processed in the EU/EEA and, depending on provider infrastructure, in third countries. Where required, we rely on transfer safeguards such as EU Standard Contractual Clauses and supplementary measures.

7. Retention and deletion

• Uploaded files remain stored until deleted by you or account termination.
• Indexed chunks/embeddings are linked to files and removed when files are deleted.
• Chat messages and sessions remain until you delete them or close the account.
• Operational usage records are retained for service operation, billing, and security as needed.
• Some records may be retained longer where required by law or for legal defense.

8. Cookies and local storage

We use authentication/session cookies and local storage entries needed for account access and consent state. Depending on deployment configuration, we may also process limited analytics or telemetry data to monitor service reliability. We do not use marketing trackers in the current product implementation.

9. Your GDPR rights

Subject to applicable law, you have rights to access, rectification, erasure, restriction, portability, and objection.

To exercise rights, contact info@filegpt.dev. We may verify identity before acting on requests.

10. Complaints to supervisory authorities

You may lodge a complaint with your local supervisory authority in the EU/EEA. Information for Germany is available at bfdi.bund.de.

11. Business processing and security references

Business customers can rely on our Data Processing Agreement and our Security page for details on processor obligations and technical controls.