Privacy Policy

Pages.chat (“we”, “us”) operates this service. We're the data controller for the personal information described below. You can reach us at hello@annupkapur.com.

When you use Pages.chat, we collect:

• Account details — your name and email address. If you sign in with Google, your Google profile image and the OAuth identifiers Google sends us.
• Authentication metadata — sign-in timestamps, session tokens (stored as cookies), and the IP address each session was created from.
• Documents and chat history — every PDF you upload, the embeddings we derive from it, and every question and answer in your conversations.
• Billing details — Stripe customer ID, subscription state, invoice records. We never see or store your card number or CVC; Stripe handles that.
• Service logs — per-request metadata (timestamps, IP, user agent, API call latency, token counts, errors) used to operate and improve the service.

We use the information above to:

• create and authenticate your account;
• provide the service — store your documents, embed them, run retrieval, generate answers;
• charge you and send invoices for paid plans;
• send transactional emails (account recovery, billing notices, important changes to the service);
• monitor usage to keep the service reliable, prevent abuse, and manage costs;
• comply with legal obligations.

We don't use your documents or chat history to train AI models. We don't sell your personal information.

Under UK and EU data-protection law, we rely on the following lawful bases:

• Performance of a contract for the bulk of processing — providing the service you signed up for.
• Legitimate interests for security monitoring, anti-abuse, and product analytics, balanced against your privacy.
• Legal obligation for tax and accounting records.
• Consent where required (e.g. some marketing emails) — you can withdraw at any time.

We use a small number of sub-processors to run the service. Each sees only the data needed to do its job, and is bound by its own contracts and certifications:

• Stripe — payment processing. Receives your name, email, and (during checkout) your card details, which we never see.
• OpenAI— chat completions and embeddings. Receives the text of your documents and questions. Per OpenAI's API terms, this input isn't used to train their models.
• Hetzner Object Storage — stores the raw PDF files you upload, on infrastructure located in the EU.
• Resend — sends transactional emails on our behalf.
• Google — only if you choose to sign in with Google. Google receives the standard OAuth handshake.
• Hosting provider — the server we run on (Hetzner) sees data as it transits through. No long-term storage of personal data outside the sources above.

We'll also share information if required by law or court order, or to protect our rights, our users, or the public.

We use a small number of cookies, all essential:

• A session cookie set by our auth system so you stay logged in.
• Cookies set by Stripe during checkout for fraud prevention.

We don't use advertising or third-party analytics cookies.

We keep your data for as long as your account is active. When you delete your account from Settings, we remove your documents, chat history, sign-in credentials, and replace your name and email with marker values. We may retain a minimal record (e.g. invoice numbers, anonymised event logs) where required for tax, accounting, or fraud-prevention purposes.

Some of our sub-processors are based outside the UK / EEA (notably OpenAI in the United States). Where personal data leaves the UK / EEA, we rely on the UK International Data Transfer Addendum or Standard Contractual Clauses, plus the provider's own security and certifications, to keep your data protected.

If you're in the UK or EU, you have the right to:

• access the personal data we hold about you;
• correct anything that's wrong;
• delete your data (you can do most of this yourself from Settings; for anything else, email us);
• receive a portable copy of the data you've given us;
• object to or restrict certain types of processing;
• complain to your data-protection authority (in the UK, that's the ICO at ico.org.uk).

Pages.chat isn't intended for children under 16. We don't knowingly collect personal data from anyone under 16; if you believe we have, please contact us and we'll delete it.

We host on managed European infrastructure, encrypt traffic in transit (HTTPS), store secrets and credentials with standard hashing/encryption practices, and limit employee/agent access to production systems. No system is perfectly secure — if you spot a vulnerability, please disclose it to us at hello@annupkapur.com.

We'll update this page when our practices change, and we'll let you know by email or in-app notice if the change is material.

For anything privacy-related, email hello@annupkapur.com.