Privacy Policy

Last updated: March 27, 2026

Our Commitments

Privacy is not a feature — it is the foundation of Chat Recall. Every design decision filters through one question: "Would we trust this with our own conversation history?" These commitments are non-negotiable:

  1. We never read your conversations. Our servers process data for indexing. No human reviews content. No content is used for analytics, training, or any purpose beyond serving it back to you.
  2. We never train on your data. Not ours, not a third party's. Your conversations are not training data.
  3. We never sell your data. No data brokers, no ad networks, no "anonymized" data sales.
  4. We minimize data sharing. We share the minimum data necessary with service providers: Stripe receives your email for billing, Vercel hosts the web dashboard, and AWS hosts the API and database. None of these providers have access to your conversation content.
  5. You can delete everything, anytime. One-click account deletion removes all conversations, user data, and metadata. Deletion is real — not "marked as deleted," actually purged.
  6. You can export everything, anytime. Download your full archive as JSON. No lock-in.
  7. Encryption at rest. All conversation data encrypted at rest via AWS RDS encryption (AES-256). Data in transit encrypted via TLS.

No Tiered Privacy

Every user — trial or paid — gets identical privacy protections. There is no "premium security" tier. Trust is binary.

1. What We Collect

We collect the following data:

  • Account information: Email address, name, and avatar from your OAuth provider (GitHub or Google)
  • Conversation data: AI conversation history that you explicitly upload
  • Usage counters: Per-user counters such as total conversations and messages, stored for dashboard display
  • Billing information: Processed by Stripe. We do not store credit card numbers

2. How We Store Your Data

Your data is stored in Amazon Web Services (AWS) infrastructure, in an RDS PostgreSQL database with AES-256 encryption at rest and TLS encryption in transit. Automated backups are encrypted. Data stays in the AWS region where it is stored — no cross-border transfers.

3. Data Isolation

All database queries are filtered by your user ID. There is no API endpoint or query path that can access another user's data. Multi-tenant isolation is enforced at the application layer: API middleware injects your user ID from the authenticated session, and every query includes user-scoped filtering.

4. Data Retention

We retain your data according to the following policy:

  • Active trial or subscription: All data retained with full access.
  • Trial expired or subscription cancelled: Data retained for 30 days. Access is suspended, but your data is safe. Subscribe (or resubscribe) within 30 days to restore full access.
  • 30+ days after expiry or cancellation: All data is permanently deleted — conversations, threads, messages, search index, and user record.
  • Manual account deletion: Immediate permanent deletion of all data.

We send email notifications at key points: when your trial expires, when you enter the 30-day grace period, and when deletion occurs. We do not hoard data from users who are not using the product.

5. Third-Party Services

We use the following third-party services:

  • GitHub & Google: OAuth authentication only. We receive your email, name, and avatar
  • Stripe: Payment processing. Stripe handles all payment data under their own privacy policy
  • AWS: Cloud infrastructure for API hosting and data storage
  • Vercel: Frontend hosting for the web dashboard
  • Cloudflare: DNS provider

6. Your Rights (GDPR & CCPA)

You have the right to:

  • Access: View all data we hold about you via your dashboard
  • Export: Download your full conversation archive as JSON at any time
  • Delete: Permanently delete all your data immediately via account settings
  • Rectification: Update your account information through settings

Manual deletion requests are processed immediately. All conversation data and account information are permanently deleted from the database. Encrypted database backups are retained for up to 7 days for disaster recovery, after which they are automatically purged. A data processing agreement is available on request for EU users.

7. Cookies

We use essential cookies only for authentication (session tokens). We do not use tracking cookies or third-party analytics cookies.

8. Changes to This Policy

We will notify you of material changes via email. The "Last updated" date at the top reflects the most recent revision.

9. Age Requirement

You must be at least 13 years old to use Chat Recall. If you are under 16 and in the European Economic Area, you must have parental consent.

10. Contact

For privacy questions or data requests, contact us at privacy@chatrecall.ai.