Privacy Policy

Last updated: 7 May 2026

This notice explains how Simone Marrocco ("we", the Controller) processes personal data when you use UnlockGPT (the "App" or the "Service"), an AI-powered productivity assistant that integrates with your email accounts, calendars, document storage, and other services to provide intelligent task automation.

1. Controller and Contact

Controller: Simone Marrocco

VAT: IT02799690223

Country: Italy

Contact email: [email protected]

We process personal data in accordance with the EU General Data Protection Regulation (GDPR) and applicable national laws.

2. Where Your Data Is Stored

All data is stored exclusively within the European Union:

  • MongoDB Atlas (Europe): User accounts, chat metadata, connected account information, and usage statistics.
  • Qdrant Cloud (Europe): Vector embeddings for document search (RAG). Only embeddings are stored — not the original text content.
  • Google Cloud (Europe): Application servers and temporary file processing.

Your chat messages and uploaded documents are encrypted using AES-256-GCM with a per-user encryption key derived from a passphrase you set. The encryption key is derived client-side and never stored on our servers. This means that even we cannot read your messages or documents.

3. What We Log (and What We Don't)

We do NOT log, store, or have access to:

  • The content of your chat messages (encrypted with your personal key)
  • The text you send to or receive from the AI
  • The content of your emails, calendar events, or files
  • Your encryption passphrase or derived key

We DO log for service improvement and platform analytics:

  • Token usage statistics: How many AI tokens are consumed per request (for billing and capacity planning)
  • Feature usage: Which features you use (e.g., voice mode, file uploads) — not what you say or upload
  • Connected account types: Which services you connect (Gmail, Outlook, etc.) — not your email content
  • Error logs: Technical errors for debugging (anonymised where possible)
  • Performance metrics: Response times, API latency for service optimization

This data is used solely to improve the Service, understand usage patterns, and ensure reliable operation. It is never sold or shared with third parties for advertising purposes.

4. Categories of Data We Process

Depending on how you use the Service, we may process:

Account data: Email address, name (if provided), authentication tokens for connected services (encrypted).

User-provided content: Prompts, files, images you upload — all encrypted at rest with your personal key.

Technical/usage data: Access logs, IP address, device identifiers, user agent, timestamps, error events, performance metrics.

Billing data: (if you subscribe to paid plans) Data necessary to issue invoices and manage payments. Payments are processed by authorized payment service providers. We do not store full card numbers.

We do not intentionally collect special categories of data (Art. 9 GDPR). Please avoid entering unnecessary sensitive information.

5. AI Provider: Fireworks AI

To generate AI responses, your prompts are sent to Fireworks AI, our AI infrastructure provider. Fireworks AI provides strong privacy guarantees:

  • Zero Data Retention by default: Prompts and outputs exist only in volatile memory for the duration of the request and are not logged to persistent storage.
  • No model training: Your data is never used to train AI models without explicit opt-in.
  • Compliance: SOC 2 Type II, HIPAA, and GDPR compliant.
  • Encryption: Data encrypted in transit (TLS 1.2+) and at rest (AES-256).

For more information, see:

6. Security Certification

UnlockGPT has achieved CASA Tier 2 certification (Cloud Application Security Assessment), validated by TAC Security using the ESOF AppSec ADA framework.

  • ESOF Cyber Score: 9.4 / 10 (Low risk)
  • Assessment date: October 2025
  • No critical or high-severity vulnerabilities identified

CASA is built upon OWASP's Application Security Verification Standard (ASVS) and provides trusted assurance assessments for applications handling sensitive data.

7. Purposes and Legal Bases

We process data for:

Providing the Service (contract, Art. 6(1)(b) GDPR): sending prompts to AI models, returning outputs, maintaining your account, and providing support.

Security, abuse prevention, and reliability (legitimate interest, Art. 6(1)(f)): monitor anomalies, defend the Service from misuse or attacks, prevent fraud.

Product improvement and analytics (legitimate interest, Art. 6(1)(f)): aggregated analysis of feature usage and token consumption to improve the service — never the content of your messages.

Legal compliance (legal obligation, Art. 6(1)(c)): tax and accounting duties, and responding to lawful requests.

8. Data Retention

We retain data only for as long as necessary:

  • Chat messages: Retained until you delete them or your account. Encrypted and inaccessible without your passphrase.
  • Usage statistics: Retained for up to 24 months for service improvement.
  • Account data: Retained for the duration of your account plus any legally required retention period.
  • Billing records: Retained as required by Italian tax law (typically 10 years).

When you delete your account, we aim to delete your personal information within 30 days, except where retention is required by law.

9. Recipients and Disclosures

We may share data with the following categories of recipients:

AI provider (Fireworks AI): Processes your prompts to generate responses. Zero data retention by default.

Platform integrations: Google, Microsoft, Dropbox — only when you explicitly connect your accounts and initiate actions.

Infrastructure providers: MongoDB Atlas (Europe), Qdrant Cloud (Europe), Google Cloud (Europe) for hosting and database services.

Payment processors: Authorized payment service providers for subscription management.

We do not sell your personal data. We require recipients acting as processors to follow our documented instructions and to implement appropriate safeguards (Art. 28 GDPR).

10. International Data Transfers

All primary data storage is within the EU/EEA (MongoDB Atlas Europe, Qdrant Cloud Europe, Google Cloud Europe). Fireworks AI may process data in the United States; transfers are covered by EU Standard Contractual Clauses and supplementary technical measures. Information on specific transfers is available on request.

11. Your Rights

Under GDPR, you have the right to:

  • Access: Request a copy of your personal data.
  • Rectification: Correct inaccurate data.
  • Erasure: Request deletion of your data ("right to be forgotten").
  • Restriction: Limit how we process your data.
  • Portability: Receive your data in a structured, machine-readable format.
  • Object: Object to processing based on legitimate interests.
  • Withdraw consent: Where processing is based on consent.

To exercise your rights, contact: [email protected]

You also have the right to lodge a complaint with the Italian Data Protection Authority (Garante) at www.garanteprivacy.it.

12. Children

The Service is not intended for children under 14 (per Italian law). If you believe a minor has provided personal data without valid consent, contact us to request removal.

13. Automated Decision-Making

We do not carry out solely automated decisions producing legal or similarly significant effects. AI-generated outputs are tools to assist you, not automated decisions about you.

14. Changes to This Notice

We may update this notice to reflect legal or technical changes. Updates will be published on this page with the new effective date. Continued use after changes take effect constitutes acceptance of the updated notice.

Contact

For privacy questions or requests: [email protected]
Simone Marrocco — VAT IT02799690223 — Italy