Privacy Policy
Last updated: April 2026
At BundleAI, your privacy matters. This Privacy Policy explains what information we collect, how we use it, and the choices you have regarding your personal data. By using BundleAI, you agree to the practices described in this policy.
1 Information We Collect
We collect information in the following ways:
Information you provide directly:
- Account registration data: email address and password (stored as a salted hash — we never store your plaintext password)
- Content you submit: chat messages, prompts, and documents uploaded for RAG search
- Payment information: processed entirely by our payment providers (Stripe, Cryptomus) — we never see or store your full card or bank details
Information collected automatically:
- Session identifiers stored in secure, HTTP-only cookies
- Basic server logs: timestamps, IP addresses, HTTP method and path, and response status codes
- Token usage: how many credits are consumed per request, to accurately maintain your balance
2 How We Use Information
We use the information we collect to:
- Provide, operate, and improve the BundleAI service
- Authenticate users and maintain account security
- Process payments and maintain accurate token credit balances
- Respond to support requests and troubleshoot issues
- Detect and prevent fraud, abuse, and violations of our Terms of Service
- Send transactional notifications (e.g., password resets, payment confirmations)
We do not sell your personal data to third parties. We do not use your chat content to train AI models. Your conversations are processed in real time to generate responses and are not retained beyond what is technically necessary for session continuity.
3 Data Storage
Your account data, session memory, and uploaded documents are stored in a SQLite database hosted on our servers. We implement the following safeguards:
- Passwords are hashed using a strong one-way algorithm (scrypt or bcrypt) before storage
- Session tokens are cryptographically random and stored in HTTP-only cookies
- Server access is restricted to authorized personnel only
- We perform regular backups to prevent data loss
4 Cookies
BundleAI uses only essential cookies required for the service to function. We do not use advertising cookies, tracking pixels, or third-party analytics cookies.
- Session cookie: A secure, HTTP-only cookie that identifies your authenticated session. It expires when you log out or after a period of inactivity.
- No tracking cookies: We do not set cookies for cross-site tracking, behavioral advertising, or third-party analytics.
Because we only use strictly necessary cookies, no cookie consent banner is required. You can delete cookies through your browser settings at any time, but doing so will log you out of your account.
5 Third-Party Services
BundleAI integrates with the following third-party services. Each has its own privacy policy governing how it handles data:
- Stripe: Processes card payments. Stripe handles all card data directly and is PCI-DSS compliant. BundleAI never receives or stores your full card number. Privacy policy: stripe.com/privacy
- Cryptomus: Processes cryptocurrency payments. Cryptomus handles wallet and transaction data. BundleAI receives only a payment confirmation status. Privacy policy: cryptomus.com/privacy-policy
When you use the Web Search (Tools) feature, your query may be sent to a search API provider to retrieve results. Search queries are not associated with your account in logs retained by third-party providers beyond their standard usage policies.
6 Data Retention
We retain your data for as long as your account is active or as needed to provide the Service. Specifically:
- Account data: Retained for the lifetime of your account. Deleted within 30 days of a verified account deletion request.
- Chat history: Stored per session. You can clear session data at any time from settings.
- Uploaded documents: Retained until you delete them or close your account.
- Server logs: Retained for up to 90 days for security and debugging purposes, then automatically purged.
- Payment records: Retained for 7 years as required by financial regulations.
7 Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you
- Correction: Request that we correct inaccurate or incomplete data
- Deletion: Request deletion of your account and associated personal data
- Portability: Request your data in a machine-readable format
- Objection: Object to certain types of processing of your data
To exercise any of these rights, contact us via the details in Section 10. We will respond to verifiable requests within 30 days. Note that some data may need to be retained for legal or legitimate business purposes even after a deletion request.
8 Security
We implement reasonable technical and organizational measures to protect your personal information from unauthorized access, disclosure, alteration, and destruction. These measures include:
- HTTPS encryption for all data in transit
- One-way password hashing — even BundleAI staff cannot read your password
- HTTP-only session cookies to prevent client-side script access
- Rate limiting on authentication endpoints to prevent brute-force attacks
- Restricted server access with authentication requirements
No method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security. If you discover a security vulnerability, please report it to us responsibly rather than publicly disclosing it.
9 Children's Privacy
BundleAI is not directed to children under the age of 13 (or 16 in the European Economic Area). We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately so we can delete that information.
If we become aware that we have inadvertently collected personal information from a child without appropriate consent, we will take steps to delete that information as quickly as possible.
10 Contact
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Website: bundleai.cloud
For data requests or privacy concerns, use the in-app contact form or email us through the address on our website.
For users in the EU/EEA, you also have the right to lodge a complaint with your local data protection authority if you believe we have not handled your data in accordance with applicable law.
We will respond to all privacy inquiries within 30 days. For urgent security matters, please indicate "URGENT" in your subject line.