Privacy Policy

1. Introduction

Mykey.Chat ("we," "our," or "us") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, and share information when you use our Service.

Our Privacy Philosophy: Mykey.Chat is built on the principle of user control. You bring your own API keys, and we act as a secure interface to facilitate your interactions with AI providers. We do not use your conversations or data to train AI models.

2. Information We Collect

2.1 Account Information

When you create an account via Clerk (our authentication provider), we collect:

• Email address
• Username and display name
• Profile picture (if provided)
• Authentication identifiers (user ID)

2.2 API Keys and Provider Configuration

We collect and store:

• API keys for third-party AI providers (OpenAI, Anthropic, xAI, Google, OpenRouter, custom providers)
• LinkUp API key (if you provide your own for web search)
• Provider configurations (base URLs, custom headers for custom providers)
• Model selections and preferences

Security: All API keys are encrypted at rest using AES-256 encryption and are only decrypted server-side when making authorized API requests on your behalf.

2.3 Conversation and Message Data

We store:

• Conversation history and messages
• User prompts and AI responses
• File uploads (images, PDFs, documents)
• Extracted text from uploaded files
• Web search queries and results
• Conversation metadata (timestamps, model used, branching history)

Purpose: This data is stored to provide core Service features including conversation history, real-time streaming, branching conversations, and file analysis. You can delete your conversations at any time.

2.4 Usage Data

We automatically collect:

• Web search usage counts (for billing and quota management)
• Subscription status and billing information (via Polar)
• Device information (user agent, browser type)
• Service interaction logs (for debugging and security)

2.5 Google OAuth Data (If Applicable)

If you sign in with Google, we receive:

• Your email address
• Your name and profile picture
• Basic profile information

Limited Use Disclosure: Mykey.Chat's use of information received from Google APIs adheres to Google API Services User Data Policy, including the Limited Use requirements. We only use this data to authenticate you and provide the Service. We do not transfer this data to third parties except as required to provide the Service.

3. How We Use Your Information

We use collected information to:

• Provide the Service: Facilitate your interactions with AI providers, store conversations, enable file uploads, and execute web searches
• Authenticate and authorize: Verify your identity and manage your account
• Process API requests: Decrypt your API keys server-side and make authorized requests to third-party AI providers on your behalf
• Enable features: Provide conversation history, real-time streaming, branching, file analysis, and web search
• Billing and subscriptions: Manage your subscription, track usage quotas, and process payments via Polar
• Security and abuse prevention: Detect and prevent fraud, spam, and unauthorized access
• Service improvement: Debug issues, analyze usage patterns (aggregated and anonymized), and improve Service performance
• Customer support: Respond to your inquiries and provide assistance
• Legal compliance: Comply with applicable laws and regulations

We DO NOT:

• Use your conversations or data to train AI models
• Sell your personal data to third parties
• Share your API keys with anyone
• Read your conversations unless necessary for security, debugging, or legal compliance

4. How We Share Your Information

4.1 Third-Party AI Providers

When you use the Service, your prompts, files, and conversation context are transmitted to the AI providers you've configured (OpenAI, Anthropic, xAI, Google, OpenRouter, or custom providers). This is necessary to provide the core functionality of the Service. Each provider's privacy policy and terms apply to their processing of your data:

• OpenAI Privacy Policy
• Anthropic Privacy Policy
• xAI Privacy Policy
• Google Privacy Policy
• OpenRouter Privacy Policy

4.2 Service Providers

We share data with trusted service providers who help us operate the Service:

• Convex: Database and serverless backend (stores conversations, API keys, user data)
• Clerk: Authentication and user management
• UploadThing: File upload and storage
• Polar: Subscription billing and payment processing
• LinkUp: Web search functionality
• Vercel: Hosting and infrastructure

These providers are contractually obligated to protect your data and use it only to provide services to us.

4.3 Legal Requirements

We may disclose your information if required by law, court order, or government request, or to:

• Comply with legal obligations
• Protect our rights, property, or safety
• Prevent fraud or abuse
• Investigate security incidents

4.4 Business Transfers

If Mykey.Chat is involved in a merger, acquisition, or asset sale, your information may be transferred. We will notify you before your data is transferred and becomes subject to a different privacy policy.

5. Data Retention

We retain your data for as long as your account is active or as needed to provide the Service:

• Account data: Retained until you delete your account
• Conversations: Retained until you manually delete them
• API keys: Retained (encrypted) until you delete them or close your account
• Usage logs: Retained for 90 days for security and debugging
• Billing records: Retained as required by law (typically 7 years)

When you delete data, we remove it from active systems within 30 days. Backups may retain data for up to 90 days for disaster recovery purposes.

6. Your Rights and Choices

You have the following rights regarding your personal data:

• Access: Request a copy of your personal data
• Correction: Update or correct inaccurate information
• Deletion: Delete your conversations, API keys, or entire account
• Portability: Export your conversation data
• Withdraw consent: Remove API keys or close your account at any time
• Object to processing: Object to certain data processing activities

To exercise these rights, contact us at b.elghazi1305@gmai.com or use the in-app settings.

For Google OAuth users: You can revoke Mykey.Chat's access to your Google account at any time via your Google Account permissions page.

7. Security

We implement industry-standard security measures to protect your data:

• Encryption: All API keys encrypted at rest with AES-256; data in transit protected by TLS/HTTPS
• Access controls: Row-level security ensures you can only access your own data
• Authentication: Secure authentication via Clerk with optional multi-factor authentication
• Server-side processing: API keys only decrypted in secure server actions, never exposed to client
• Regular security audits: We review and update security practices regularly

However, no method of transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

8. Cookies and Tracking

We use essential cookies and local storage for:

• Authentication and session management
• User preferences (theme, default settings)
• Service functionality and performance

We do not use third-party advertising or tracking cookies. You can control cookies through your browser settings, but disabling essential cookies may affect Service functionality.

9. International Data Transfers

Mykey.Chat is hosted on Vercel and Convex infrastructure, which may process data in multiple countries. By using the Service, you consent to the transfer of your information to countries outside your country of residence, which may have different data protection laws.

10. Children's Privacy

The Service is not intended for users under 13 years of age (or 16 in the EU). We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately at b.elghazi1305@gmai.com.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or through the Service. The "Last Updated" date at the top of this page indicates when changes were last made. Your continued use of the Service after changes constitutes acceptance of the updated Privacy Policy.

12. Contact Us

For questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:

Email: b.elghazi1305@gmai.com
Support: b.elghazi1305@gmai.com

13. Additional Information for EU Users (GDPR)

If you are in the European Economic Area (EEA), you have additional rights under the General Data Protection Regulation (GDPR):

• Legal basis: We process your data based on consent (API keys, optional features), contract performance (providing the Service), and legitimate interests (security, improvement)
• Data protection officer: Contact b.elghazi1305@gmai.com for GDPR-related inquiries
• Right to lodge a complaint: You may file a complaint with your local data protection authority
• Right to restriction: You may request restriction of processing in certain circumstances

14. California Privacy Rights (CCPA)

If you are a California resident, you have the right to:

• Know what personal information we collect and how it's used
• Request deletion of your personal information
• Opt-out of the sale of personal information (Note: We do not sell personal information)
• Non-discrimination for exercising your privacy rights

To exercise these rights, contact us at b.elghazi1305@gmai.com.