Privacy Policy

1. Data controller

The data controller responsible for personal data processed through Community Assistant is LucyTo Trade s.r.o.. For privacy questions, data access, correction, or deletion requests, contact us at support@tryfenrik.com.

2. What we collect

• Account data: the email address you sign in with and basic account metadata (account creation date, last sign-in, email-verification timestamp).
• Workspace and content data: conversations you import or paste, messages and their hierarchy, project knowledge, AI-generated outputs we store (summaries, translations, explanations, importance and needs-attention flags), and the replies you save or approve.
• Reddit OAuth data (only when you choose to connect a Reddit account): the OAuth access and refresh tokens issued by Reddit, your Reddit account id, your current Reddit username, the granted scopes, and the public threads you explicitly import. We never read your DMs or unrelated Reddit activity, and we do not post on Reddit without an explicit action from you. You can disconnect Reddit at any time from workspace settings.
• Billing metadata: when you subscribe, we store your Stripe customer id, subscription status, current billing period, and AI-credit usage counters. Card details are collected and stored by Stripe — they never touch our servers.
• Support messages: any email you send to our support address and our reply, retained so we can handle follow-ups.
• Technical and operational logs: request errors, AI provider usage records (token counts, timestamps, status, error codes), abuse signals (rate- limit hits, security events), and the IP address / user-agent stored against your session row for diagnostic purposes. Logs do NOT include the body of your conversations or AI-generated outputs — see our internal logging policy.

3. Why we process this data (purposes)

• Provide the Service: store your workspace, run AI features (summaries, translations, explanations, reply suggestions), and import conversations you choose to connect.
• Authenticate you: issue and validate magic-link sign-ins and maintain your session.
• Bill paid plans: create and manage your Stripe customer and subscription, enforce monthly AI-credit limits.
• Keep the Service safe and reliable: detect abuse, fight spam and bots, debug failures, monitor security events.
• Respond to support requests and legal obligations.

4. Legal bases (GDPR)

Where the EU/UK GDPR applies, we rely on the following legal bases:

• Contract (Art. 6(1)(b)) — to deliver the Service you signed up for, including authentication, workspace storage, AI features, and billing.
• Legitimate interests (Art. 6(1)(f)) — to keep the Service secure and prevent abuse (rate limiting, bot mitigation via Cloudflare Turnstile, error monitoring with Sentry, signature verification of webhooks). Our interest is balanced against your right to a safe service.
• Legal obligation (Art. 6(1)(c)) — when we must retain billing records or respond to lawful requests.
• Consent (Art. 6(1)(a)) — for any optional integration you explicitly connect (e.g. Reddit OAuth). You can withdraw consent at any time by disconnecting the integration in workspace settings.

5. How we use AI providers

To power features like understanding comments, generating summaries, and drafting replies, we send the relevant conversation content and your project knowledge to third-party AI providers (such as OpenAI and Anthropic). Those providers process the content to return a response and are bound by their own data-processing terms.

We do not use your conversations to train our own models, and we configure our requests so that — where supported by the provider — your content is not used to train their models either. AI outputs can be inaccurate; you are responsible for reviewing anything you publish.

6. Processors and subprocessors

We rely on the following service providers to operate the Service. They process personal data only on our instructions and under their own data-processing terms:

• Vercel — application hosting, edge and serverless runtime, CDN.
• Neon (or our then-current Postgres provider) — managed Postgres database hosting application data.
• Stripe — payment processing, customer and subscription management, invoices.
• Resend — transactional email delivery (magic-link sign-in emails and operational notices).
• OpenAI and Anthropic — AI model providers used by Service features that you invoke (summaries, explanations, translations, reply generation, rewrite).
• Cloudflare — Turnstile bot mitigation on the sign-in form (a security-only challenge that does not track users across sites).
• Sentry — error monitoring. Configured with PII off: we do not send query strings, request bodies, headers, or cookies.
• Reddit — only when you explicitly connect a Reddit account; used to fetch the threads you import and to post replies you explicitly approve.
• Domain and DNS provider — to operate the Service's public domain.

7. International data transfers

Some of the providers above operate outside the European Economic Area, in particular in the United States. Where personal data is transferred outside the EEA/UK, we rely on mechanisms such as the EU Standard Contractual Clauses and, where applicable, the EU-US Data Privacy Framework, which the relevant providers maintain as part of their public data-processing terms.

8. Retention

We retain your account, workspace, and content for as long as your account is active. Indicative retention windows:

• Account and workspace data: kept while your account exists; deleted on request.
• Magic-link tokens: deleted shortly after they expire or are consumed (within 30 days at the outside).
• Session rows: deleted when you sign out or when they expire.
• Operational logs and AI-provider error logs: retained for a limited period (typically up to 90 days) for debugging, security, and abuse-prevention purposes.
• Billing records: retained for as long as required by applicable tax and accounting law (commonly up to 10 years), even after account deletion.

When you delete your account, we remove your content and personal data, except where retention is required for legal, security, or billing reasons.

9. Cookies and similar storage

Community Assistant uses ONLY strictly necessary cookies and similar storage. We do not run analytics, advertising, or cross-site tracking, and we do not load any analytics/marketing cookies. Because we do not place non-essential cookies, no cookie consent banner is shown. The strictly necessary items we do use:

• ca_session — a first-party HTTP-only, secure, SameSite=Lax cookie that keeps you signed in after a magic-link verification. Required for authentication. Cleared on sign-out.
• Cloudflare Turnstile — when you submit the sign-in form, Cloudflare may set short-lived cookies or storage on challenges.cloudflare.com to verify you are not a bot. This is a security mechanism, not analytics, and is required to protect the sign-in endpoint.

We do not use local storage, session storage, or third- party tracking cookies. If we introduce optional cookies in the future (for example, product analytics), we will add a consent flow before they load.

10. Who we share data with

• AI providers (OpenAI, Anthropic) — for generating responses, summaries, translations, and explanations of conversation content you submit.
• Stripe — for billing and subscription management.
• Reddit — when you explicitly authorize a Reddit OAuth connection and import a thread. We only call Reddit's API to fetch the threads you import and to post replies you have approved.
• Resend — to deliver sign-in magic links and operational notices.

We do not sell your personal data. We do not share your content with advertisers. We do not use your content to train our own AI models.

11. Your rights

Depending on your jurisdiction (notably under the EU/UK GDPR), you may have the right to:

• access the personal data we hold about you,
• correct inaccurate data,
• request deletion of your data,
• restrict or object to certain processing,
• data portability,
• withdraw consent for optional processing (e.g. Reddit integration) at any time, and
• lodge a complaint with your local data-protection authority.

To exercise any of these rights, email us at support@tryfenrik.com. We may need to verify the request from the email address on the account.

12. Account deletion and data export

To delete your account or request a copy of the data we hold about you, email support@tryfenrik.com from the email address tied to your account. We will confirm and process the request within a reasonable period, subject to the retention rules above.

13. Children

The Service is not intended for users under the age of legal majority in their jurisdiction. We do not knowingly collect data from such users.

14. Changes to this policy

We may update this Privacy Policy. Material changes will be communicated by email or in-product notice.