Privacy Policy

Last updated: 12 June 2026

This notice explains how Simone Marrocco ("we", the Controller) processes personal data when you use UnlockGPT (the "App" or the "Service"), an AI-powered productivity assistant that integrates with your email accounts, calendars, document storage, and other services to provide intelligent task automation.

Our guiding principle is simple: your data is yours. It is encrypted so that we cannot read it, you can delete it at any time, and the only thing we collect about your usage is anonymous-by-design statistics (such as token counts) that never include the content of your conversations. For a plain-language explanation of how this works, see How We Protect Your Data.

1. Controller and Contact

Controller: Simone Marrocco

VAT: IT02799690223

Country: Italy

Contact email: [email protected]

We process personal data in accordance with the EU General Data Protection Regulation (GDPR) and applicable national laws.

2. Where Your Data Is Stored

All data is stored exclusively within the European Union:

  • MongoDB Atlas (Europe): User accounts, chat metadata, connected account information, uploaded document content (encrypted), and usage statistics.
  • Google Cloud (Europe): Application servers and temporary file processing.

Your chat messages and uploaded documents are encrypted using AES-256-GCM with a per-user encryption key derived from a passphrase you set (PBKDF2, 600,000 iterations, performed in your browser). The encryption key is derived client-side and never stored on our servers — we keep only a one-way bcrypt hash of your passphrase to verify it, which cannot be reversed into the passphrase or the key. This means that even we cannot read your messages or documents.

Encryption with your personal key covers: your messages, the AI's responses, the results and arguments of every tool the AI uses (email contents, file contents, calendar data it retrieves), the AI's reasoning traces, and chat previews. Only minimal operational metadata remains unencrypted so the App can function: chat titles, timestamps, message counts, tool names, and token usage statistics.

OAuth tokens for your connected accounts (Google, Microsoft, Dropbox) are likewise encrypted at rest with AES-256-GCM using a separate server-side key that is stored outside the database. We never receive or store your account passwords.

3. What We Log (and What We Don't)

We do NOT log, store, or have access to:

  • The content of your chat messages (encrypted with your personal key)
  • The text you send to or receive from the AI
  • The content of your emails, calendar events, or files
  • The inputs and outputs of the tools the AI uses on your behalf, or the AI's reasoning traces (all encrypted with your personal key)
  • Your encryption passphrase or derived key

We DO log for service improvement and platform analytics:

  • Token usage statistics: For each AI request we record numeric counters only — input tokens, output tokens, cached tokens — plus the model name used. These are pure numbers used for billing, capacity planning, and cost optimization; they contain no text.
  • Feature usage: Which features you use (e.g., file uploads) and which tools the AI invoked by name (e.g., "email search") — not what you say, upload, search, or find
  • Connected account types: Which services you connect (Gmail, Outlook, etc.) — not your email content
  • Error logs: Technical errors for debugging (anonymised where possible)
  • Performance metrics: Response times, time-to-first-token, API latency, and success/error rates for service optimization

Our administrators see this data only as aggregate dashboards (total requests, token volumes, response times, error rates). By design, no message content, prompt text, or AI output is ever written to these logs — so neither administrators nor anyone else can read your conversations through them.

These usage logs are stored in a dedicated collection, separate from your messages, and are retained independently of them: deleting a chat or a message does not delete the corresponding usage records, deleting your account anonymizes them, and all usage logs are deleted automatically after 36 months (see Section 8). Because they contain only numbers and technical identifiers — never content — they cannot be used to reconstruct anything you wrote.

This data is used solely to improve the Service, understand usage patterns, and ensure reliable operation. It is never sold or shared with third parties for advertising purposes, and it is never used to train AI models.

4. Categories of Data We Process

Depending on how you use the Service, we may process:

Account data: Email address, name (if provided), authentication tokens for connected services (encrypted).

User-provided content: Prompts, files, images you upload — all encrypted at rest with your personal key.

Technical/usage data: Access logs, IP address, device identifiers, user agent, timestamps, error events, performance metrics.

Billing data: (if you subscribe to paid plans) Data necessary to issue invoices and manage payments. Payments are processed by authorized payment service providers. We do not store full card numbers.

We do not intentionally collect special categories of data (Art. 9 GDPR). Please avoid entering unnecessary sensitive information.

5. AI Provider: Fireworks AI

To generate AI responses, your prompts are sent to Fireworks AI, our AI infrastructure provider. Fireworks AI provides strong privacy guarantees:

  • Zero Data Retention by default: Prompts and outputs exist only in volatile memory for the duration of the request and are not logged to persistent storage.
  • No model training: Your data is never used to train AI models without explicit opt-in.
  • Compliance: SOC 2 Type II, HIPAA, and GDPR compliant.
  • Encryption: Data encrypted in transit (TLS 1.2+) and at rest (AES-256).

For more information, see:

6. Security Certification

UnlockGPT has achieved CASA Tier 2 certification (Cloud Application Security Assessment), validated by TAC Security using the ESOF AppSec ADA framework.

  • ESOF Cyber Score: 9.4 / 10 (Low risk)
  • Assessment date: October 2025
  • No critical or high-severity vulnerabilities identified

CASA is built upon OWASP's Application Security Verification Standard (ASVS) and provides trusted assurance assessments for applications handling sensitive data.

7. Purposes and Legal Bases

We process data for:

Providing the Service (contract, Art. 6(1)(b) GDPR): sending prompts to AI models, returning outputs, maintaining your account, and providing support.

Security, abuse prevention, and reliability (legitimate interest, Art. 6(1)(f)): monitor anomalies, defend the Service from misuse or attacks, prevent fraud.

Product improvement and analytics (legitimate interest, Art. 6(1)(f)): aggregated analysis of feature usage and token consumption to improve the service — never the content of your messages.

Legal compliance (legal obligation, Art. 6(1)(c)): tax and accounting duties, and responding to lawful requests.

8. Data Retention

We retain data only for as long as necessary:

  • Chat messages: Retained until you delete them or your account. Encrypted and inaccessible without your passphrase.
  • Usage logs and statistics (token counts, model names, response times, tool names, success/error status — never content): Retained for up to 36 months, after which they are deleted automatically. They are not deleted when you delete individual chats or messages — we rely on them for capacity planning, cost control, security, abuse prevention, and product improvement — but when you delete your account they are immediately anonymized: the internal account identifier is removed from every record, so they can no longer be attributed to you or anyone else.
  • Connected-account tokens: Disconnecting an account in the App immediately and permanently deletes the stored encrypted token from our database. To also revoke the underlying authorization at the source, use the security settings of your Google, Microsoft, or Dropbox account. If a provider reports a connection as broken (for example, because you revoked it provider-side), we deactivate it and the defunct token is removed when you delete your account.
  • Account data: Retained for the duration of your account plus any legally required retention period.
  • Billing records: Retained as required by Italian tax law (typically 10 years).

Deletion is self-service. You can delete any individual chat (which immediately removes the chat, all its messages, and its task lists from our production database) or delete your entire account, which removes your chats, messages, tasks, uploaded files, document search indexes, connected-account tokens, and profile in a single cascading operation. Residual copies may persist temporarily in the automated backups of our infrastructure providers before expiring on their standard rolling cycles; in any case, we complete deletion within 30 days, except for the anonymized usage logs described above and where retention is required by law (e.g., billing records). Deleted conversations remain encrypted with your personal key in any such residual copy, so they stay unreadable even before the backup expires.

9. Recipients and Disclosures

We may share data with the following categories of recipients:

AI provider (Fireworks AI): Processes your prompts to generate responses. Zero data retention by default.

Platform integrations: Google, Microsoft, Dropbox — only when you explicitly connect your accounts and initiate actions.

Infrastructure providers: MongoDB Atlas (Europe), Google Cloud (Europe) for hosting and database services.

Payment processors: Authorized payment service providers for subscription management.

We do not sell your personal data. We require recipients acting as processors to follow our documented instructions and to implement appropriate safeguards (Art. 28 GDPR).

10. International Data Transfers

All primary data storage is within the EU/EEA (MongoDB Atlas Europe, Google Cloud Europe). Fireworks AI may process data in the United States; transfers are covered by EU Standard Contractual Clauses and supplementary technical measures. Information on specific transfers is available on request.

11. Your Rights

Under GDPR, you have the right to:

  • Access: Request a copy of your personal data.
  • Rectification: Correct inaccurate data.
  • Erasure: Request deletion of your data ("right to be forgotten"). You can also do this yourself at any time by deleting individual chats or your entire account from the App (see Section 8 for what is removed and what is retained).
  • Restriction: Limit how we process your data.
  • Portability: Receive your data in a structured, machine-readable format.
  • Object: Object to processing based on legitimate interests.
  • Withdraw consent: Where processing is based on consent.

To exercise your rights, contact: [email protected]

You also have the right to lodge a complaint with the Italian Data Protection Authority (Garante) at www.garanteprivacy.it.

12. Children

The Service is not intended for children under 14 (per Italian law). If you believe a minor has provided personal data without valid consent, contact us to request removal.

13. Automated Decision-Making

We do not carry out solely automated decisions producing legal or similarly significant effects. AI-generated outputs are tools to assist you, not automated decisions about you.

14. Changes to This Notice

We may update this notice to reflect legal or technical changes. Updates will be published on this page with the new effective date. Continued use after changes take effect constitutes acceptance of the updated notice.

Contact

For privacy questions or requests: [email protected]
Simone Marrocco — VAT IT02799690223 — Italy