Privacy Policy
Last updated: March 2026
1. Data Controller
Selim Hegler
Email: info@subaiya.com
Data controller within the meaning of the General Data Protection Regulation (GDPR)
and other applicable data protection laws.
A Data Protection Officer is not required and has not been appointed
(Art. 37 GDPR — fewer than 20 persons regularly engaged in automated processing
of personal data).
2. What Data We Collect
2.1 When Visiting Our Website
When you access our website, the following data is automatically collected
by the server (server log files):
- IP address (anonymized)
- Date and time of request
- Requested page / URL
- Browser type and version
- Operating system
This data is collected to ensure the operation of the service and for error analysis.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest).
Log files are automatically deleted after 14 days.
2.2 When Registering for the Beta
When you register for the beta, we collect:
- Name
- Email address
- Password (stored exclusively as an encrypted, irreversible hash.
Your plain-text password is never stored or transmitted.)
- Time of registration
This data is used exclusively to provide beta access and to communicate with you.
Legal basis: Art. 6(1)(b) GDPR (performance of a contract) and your consent
(Art. 6(1)(a) GDPR).
2.3 When Signing In with Google
If you choose to sign in with Google OAuth 2.0, we receive the following
data from Google:
- Name
- Email address
- Google account ID
We do not receive or store your Google password.
Google processes your data as an independent data controller under its own
Privacy Policy.
Legal basis: Art. 6(1)(b) GDPR (performance of a contract).
2.4 API Proxy Operation
Subaiya operates as a security layer between your AI client and the AI provider API.
The following applies:
- Your API key is encrypted at rest and passed through to your AI provider.
Keys are stored only in encrypted form on the server.
- Your prompts and responses are not stored
- Only metadata is collected for the audit log (action type, timestamp, result)
- Audit data is kept locally on the server and is not shared with third parties
- Dashboard sessions are stored in a server-side session file (containing only session ID,
user ID, and expiry — no conversation data) and are automatically deleted after 24 hours
or on logout.
3. Cookies
This website uses only technically necessary cookies:
- subaiya_session: Authentication cookie for the Dashboard.
Set upon login and automatically expires after 24 hours.
Properties: HttpOnly, Secure, SameSite=Lax.
Legal basis: Art. 6(1)(b) GDPR (performance of a contract).
- subaiya_oauth_state: CSRF protection cookie used during the
Google OAuth login flow. Automatically expires after 10 minutes.
Properties: HttpOnly, Secure, SameSite=Lax.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in security).
- subaiya_csrf: CSRF protection token for Dashboard actions.
Generated on login, expires with the session (24 hours).
Properties: Secure, SameSite=Lax (readable by JavaScript for double-submit pattern).
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in security).
No tracking cookies, analytics cookies, or advertising cookies are used
(no Google Analytics, no Facebook Pixel, no ad networks).
4. Sharing with Third Parties
Your data is not sold or used for advertising purposes.
Data is only shared with:
- Anthropic / OpenAI (API requests using your own API key)
- Google (only if you use Google OAuth to sign in — Google receives
confirmation that you authenticated, but we do not share any additional data with Google)
- Our hosting provider (Hetzner Online GmbH, Germany) as part of
server operation
- Our email provider (Resend, Inc. / Amazon SES, EU region eu-west-1)
for sending emails
All data processors are subject to the GDPR or an adequate level of data protection.
Resend/AWS are covered by the EU-US Data Privacy Framework (adequacy decision of
10 July 2023) and additionally bound by EU Standard Contractual Clauses (SCCs)
and a Data Processing Agreement (DPA).
Note on AI providers: When you use Subaiya, your API requests are
forwarded to Anthropic (USA) or OpenAI (USA) using your own API key.
Subaiya does not store any prompts, responses, or conversation content — it only
applies security rules in transit. The data transfer to your AI provider is initiated
by you and governed by your own agreement with that provider. Both Anthropic and OpenAI
are covered by the EU-US Data Privacy Framework.
5. Data Retention
- Server log files: 14 days
- Registration data: Until account deletion or end of beta phase
- Audit data: Duration of active use, then 30 days
- After account deletion: All personal data is permanently and
immediately deleted. There is no recovery period. Backups on all servers
(including geographically separate backup servers within the EU) are purged simultaneously.
6. Your Rights
You have the right to:
- Access your stored data (Art. 15 GDPR)
- Rectification of inaccurate data (Art. 16 GDPR)
- Erasure of your data (Art. 17 GDPR)
- Restriction of processing (Art. 18 GDPR)
- Data portability (Art. 20 GDPR)
- Object to processing (Art. 21 GDPR)
- Withdraw consent at any time (Art. 7(3) GDPR)
You can delete your account at any time through the self-service option in your
Dashboard. For all other requests, please contact
info@subaiya.com.
7. Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority.
The competent supervisory authority is:
Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 18, 91522 Ansbach, Germany
www.lda.bayern.de
8. SSL Encryption
This website uses SSL encryption for security purposes. An encrypted connection
is indicated by "https://" in your browser's address bar.