Last updated: 2026-05-12
Account data — email, name, profile picture (from Google or what you provide on email signup), and an account creation timestamp.
API keys — encrypted with AES-256 server-side using a key you do not control. The raw key is never logged or stored in plaintext.
Conversations — every message you send to Sidebot, every AI reply, and the metadata of any tool calls (which page was read, which selector was clicked). Stored on Neon (PostgreSQL on AWS, EU/US regions).
Page content — when you ask Sidebot to read a page, the page's text and interactive elements are sent to your chosen AI provider and stored as part of the conversation history. Screenshots are uploaded only when explicitly attached or when DOM content is too sparse to be useful.
Usage metrics — count of messages per day, token totals per month (for plan-limit enforcement), browser type, app version.
What we do NOT collect — your browsing history outside Sidebot sessions, mouse movements, keystrokes outside the chat input, or page content from blocked-domain sites.
AI providers — when you chat, your message and the relevant page context are sent to the provider you've chosen (Google Gemini, OpenAI, or Anthropic) under their privacy policies. We pass data through; we don't relay it elsewhere.
Stripe — for Pro plan billing. Stripe sees your email, name, and payment method. We never see card numbers.
Cloudflare & Neon — our infrastructure providers. They process data under standard data-processing agreements.
We do not run any third-party ad networks, analytics SDKs, or tracking pixels.
When you click "Share" on a conversation, we generate a link based on a random token. Anyone with that link can view the conversation. Personally identifiable information (emails, phone numbers, card-like sequences, IBANs) is auto-redacted from the public view. Screenshots are stripped. You can revoke a share link at any time from the Share dialog.
API keys are encrypted with AES-256-GCM. All traffic uses HTTPS. Session tokens are JWT-based. We follow standard security practices (least privilege, encryption at rest, regular dependency updates). If you believe you've found a vulnerability, please email security@sidebot.io.
Questions about this policy: hello@sidebot.io