Last updated: 12 June 2026
This notice explains how Simone Marrocco ("we", the Controller) processes personal data when you use UnlockGPT (the "App" or the "Service"), an AI-powered productivity assistant that integrates with your email accounts, calendars, document storage, and other services to provide intelligent task automation.
Our guiding principle is simple: your data is yours. It is encrypted so that we cannot read it, you can delete it at any time, and the only thing we collect about your usage is anonymous-by-design statistics (such as token counts) that never include the content of your conversations. For a plain-language explanation of how this works, see How We Protect Your Data.
We process personal data in accordance with the EU General Data Protection Regulation (GDPR) and applicable national laws.
All data is stored exclusively within the European Union:
Your chat messages and uploaded documents are encrypted using AES-256-GCM with a per-user encryption key derived from a passphrase you set (PBKDF2, 600,000 iterations, performed in your browser). The encryption key is derived client-side and never stored on our servers — we keep only a one-way bcrypt hash of your passphrase to verify it, which cannot be reversed into the passphrase or the key. This means that even we cannot read your messages or documents.
Encryption with your personal key covers: your messages, the AI's responses, the results and arguments of every tool the AI uses (email contents, file contents, calendar data it retrieves), the AI's reasoning traces, and chat previews. Only minimal operational metadata remains unencrypted so the App can function: chat titles, timestamps, message counts, tool names, and token usage statistics.
OAuth tokens for your connected accounts (Google, Microsoft, Dropbox) are likewise encrypted at rest with AES-256-GCM using a separate server-side key that is stored outside the database. We never receive or store your account passwords.
We do NOT log, store, or have access to:
We DO log for service improvement and platform analytics:
Our administrators see this data only as aggregate dashboards (total requests, token volumes, response times, error rates). By design, no message content, prompt text, or AI output is ever written to these logs — so neither administrators nor anyone else can read your conversations through them.
These usage logs are stored in a dedicated collection, separate from your messages, and are retained independently of them: deleting a chat or a message does not delete the corresponding usage records, deleting your account anonymizes them, and all usage logs are deleted automatically after 36 months (see Section 8). Because they contain only numbers and technical identifiers — never content — they cannot be used to reconstruct anything you wrote.
This data is used solely to improve the Service, understand usage patterns, and ensure reliable operation. It is never sold or shared with third parties for advertising purposes, and it is never used to train AI models.
Depending on how you use the Service, we may process:
Account data: Email address, name (if provided), authentication tokens for connected services (encrypted).
User-provided content: Prompts, files, images you upload — all encrypted at rest with your personal key.
Technical/usage data: Access logs, IP address, device identifiers, user agent, timestamps, error events, performance metrics.
Billing data: (if you subscribe to paid plans) Data necessary to issue invoices and manage payments. Payments are processed by authorized payment service providers. We do not store full card numbers.
We do not intentionally collect special categories of data (Art. 9 GDPR). Please avoid entering unnecessary sensitive information.
To generate AI responses, your prompts are sent to Fireworks AI, our AI infrastructure provider. Fireworks AI provides strong privacy guarantees:
For more information, see:
UnlockGPT has achieved CASA Tier 2 certification (Cloud Application Security Assessment), validated by TAC Security using the ESOF AppSec ADA framework.
CASA is built upon OWASP's Application Security Verification Standard (ASVS) and provides trusted assurance assessments for applications handling sensitive data.
We process data for:
Providing the Service (contract, Art. 6(1)(b) GDPR): sending prompts to AI models, returning outputs, maintaining your account, and providing support.
Security, abuse prevention, and reliability (legitimate interest, Art. 6(1)(f)): monitor anomalies, defend the Service from misuse or attacks, prevent fraud.
Product improvement and analytics (legitimate interest, Art. 6(1)(f)): aggregated analysis of feature usage and token consumption to improve the service — never the content of your messages.
Legal compliance (legal obligation, Art. 6(1)(c)): tax and accounting duties, and responding to lawful requests.
We retain data only for as long as necessary:
Deletion is self-service. You can delete any individual chat (which immediately removes the chat, all its messages, and its task lists from our production database) or delete your entire account, which removes your chats, messages, tasks, uploaded files, document search indexes, connected-account tokens, and profile in a single cascading operation. Residual copies may persist temporarily in the automated backups of our infrastructure providers before expiring on their standard rolling cycles; in any case, we complete deletion within 30 days, except for the anonymized usage logs described above and where retention is required by law (e.g., billing records). Deleted conversations remain encrypted with your personal key in any such residual copy, so they stay unreadable even before the backup expires.
We may share data with the following categories of recipients:
AI provider (Fireworks AI): Processes your prompts to generate responses. Zero data retention by default.
Platform integrations: Google, Microsoft, Dropbox — only when you explicitly connect your accounts and initiate actions.
Infrastructure providers: MongoDB Atlas (Europe), Google Cloud (Europe) for hosting and database services.
Payment processors: Authorized payment service providers for subscription management.
We do not sell your personal data. We require recipients acting as processors to follow our documented instructions and to implement appropriate safeguards (Art. 28 GDPR).
All primary data storage is within the EU/EEA (MongoDB Atlas Europe, Google Cloud Europe). Fireworks AI may process data in the United States; transfers are covered by EU Standard Contractual Clauses and supplementary technical measures. Information on specific transfers is available on request.
Under GDPR, you have the right to:
To exercise your rights, contact: [email protected]
You also have the right to lodge a complaint with the Italian Data Protection Authority (Garante) at www.garanteprivacy.it.
The Service is not intended for children under 14 (per Italian law). If you believe a minor has provided personal data without valid consent, contact us to request removal.
We do not carry out solely automated decisions producing legal or similarly significant effects. AI-generated outputs are tools to assist you, not automated decisions about you.
We may update this notice to reflect legal or technical changes. Updates will be published on this page with the new effective date. Continued use after changes take effect constitutes acceptance of the updated notice.
For privacy questions or requests: [email protected]
Simone Marrocco — VAT IT02799690223 — Italy