Privacy Policy
Last Updated: November 26, 2025
Effective Date: November 26, 2025
Important Notice: AI Service
BinaryLoom Chat (chat.binaryloom.io) is an AI-powered chat application. When you use our service, your messages are processed by third-party AI providers (OpenAI, Anthropic, Mistral). This policy explains how your data is collected, used, and shared.
1. Who We Are
BinaryLoom is operated by Jason Holt Digital LLC, a limited liability company registered in Delaware, USA.
- Data Controller: Jason Holt
- Contact: [email protected]
- Service URL: chat.binaryloom.io
2. Data We Collect
2.1 Information You Provide
Email address, password (encrypted), display name. If you use social login (Google, GitHub, or Discord), we receive only your basic profile information from those services as described below.
When you sign in with a third-party provider, we access only the minimum data required for authentication:
- Google: Name, email address, profile picture (scopes: openid, email, profile)
- GitHub: Username, email address, profile picture (scope: read:user, user:email)
- Discord: Username, email address, avatar (scopes: identify, email)
We do not access your contacts, files, or any other data from these services. OAuth tokens are used solely for authentication and are not stored long-term.
All messages you send to AI models, including text, uploaded files (images, documents, audio), and AI responses.
Custom AI agents you create, shared conversations, and any configurations you save.
2.2 Information Collected Automatically
Which AI models you use, token consumption, feature usage (speech-to-text, file uploads), and session activity.
IP address (for security/bot protection), browser type, device information, and session identifiers.
Server logs are maintained for usage tracking, abuse monitoring, security analysis, and service improvement. Logs may include request metadata, error information, and activity patterns.
3. How We Use Your Data
| Purpose | Legal Basis (GDPR) |
|---|---|
| Provide AI chat service | Contract performance |
| Process file uploads and generate responses | Contract performance |
| Account management and authentication | Contract performance |
| Bot protection and security (Cloudflare Turnstile) | Legitimate interest |
| Send password reset emails | Contract performance |
| Track token usage for service limits | Contract performance |
| Improve service quality | Legitimate interest |
4. Data Sharing with Third Parties
Important: AI Provider Data Processing
When you send messages or upload files, this content is transmitted to third-party AI providers for processing. These providers may temporarily store your data according to their policies.
Azure AI Foundry: Your Data is Protected
All AI models in BinaryLoom Chat are accessed through Microsoft Azure AI Foundry, not consumer AI services. This is an important distinction:
No Model Training: Your prompts and completions are NOT used to train, retrain, or improve Microsoft or OpenAI foundation models (GPT-4o, GPT-5, Claude, etc.).
Data Stays Private: Your data is not available to other customers, not available to OpenAI, and is not used to improve Microsoft or third-party products or services.
Abuse Monitoring (30-day retention): By default, Azure stores prompts and completions securely for up to 30 days to detect and mitigate abuse. This data is used for security purposes only, not training. Managed enterprise customers can apply for modified abuse monitoring (note: this exemption is typically only available to customers with a Microsoft account team).
Different from Consumer ChatGPT: Azure AI Foundry does NOT interact with OpenAI's consumer services (ChatGPT, OpenAI API). Consumer ChatGPT may use your data for training unless you opt out—Azure OpenAI is explicitly excluded from this.
Official Microsoft Documentation:
4.1 AI Model Providers
Processes chat messages and images for GPT-5.1, GPT-5 Pro models.
Data Location: Sweden (EU) | Training: Your data is NOT used for model training | Retention: 30 days for abuse monitoring
Processes chat messages and images for Claude Sonnet, Haiku, and Opus models.
Data Location: Sweden (EU) | Training: Your data is NOT used for model training | Retention: Zero data retention
Processes chat messages for Mistral Medium model and document OCR.
Data Location: Sweden (EU) | Training: Your data is NOT used for model training | GDPR compliant
Processes text for embeddings (document search) and result reranking.
Data Location: Sweden (EU) | Purpose: Search functionality only
4.2 Infrastructure Providers
- Microsoft Azure: Primary infrastructure - hosting, AI services, file storage (Sweden Central)
- MongoDB Atlas: Database storage (Sweden)
- Cloudflare: Bot protection via Turnstile (processes IP, browser fingerprint)
- Resend: Email delivery for password resets (US, with EU Standard Contractual Clauses)
4.3 Authentication Providers (Optional)
If you choose social login, we receive basic profile information from:
- GitHub: Username, email, avatar
- Google: Name, email, profile picture
We Do NOT:
- - Sell your personal data to any third party
- - Share your data for advertising purposes
- - Use your conversations for our own AI training
- - Allow third parties to use your data for their own marketing
5. Data Storage and Location
All primary data is stored in the European Union (Sweden Central region):
- User accounts and conversations: MongoDB Atlas (Sweden)
- Uploaded files: Azure Blob Storage (Sweden)
- Search indexes: Self-hosted Meilisearch (Sweden)
Email delivery (Resend) processes data in the US under EU Standard Contractual Clauses to ensure GDPR compliance.
6. Data Retention
| Data Type | Retention Period |
|---|---|
| Account information | Until account deletion + 30 days |
| Chat conversations | Until you delete them or delete your account |
| Uploaded files | Until you delete them or delete your account |
| Usage/token statistics | 12 months, then anonymized |
| Security logs | 90 days |
When you delete your account, all personal data is removed within 30 days. Backup systems are purged within 90 days.
7. Your Rights Under GDPR
As a user in the EU, you have the following rights:
Request a copy of all personal data we hold about you
Correct any inaccurate personal data
Request deletion of your personal data ("right to be forgotten")
Receive your data in a machine-readable format
Object to processing based on legitimate interests
Limit how we use your data in certain circumstances
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.
8. Cookies and Tracking
We use only strictly necessary cookies required for the service to function:
| Cookie | Purpose | Duration |
|---|---|---|
| Session token | Authentication | 15 minutes |
| Refresh token | Maintain login state | 7 days |
Cloudflare Turnstile: Used for bot protection. Does not use cookies but processes IP address and browser fingerprint for security purposes only.
We do not use any analytics, advertising, or tracking cookies.
9. Data Security
We implement appropriate security measures to protect your data:
- - All data encrypted in transit (TLS/HTTPS)
- - Database encryption at rest
- - Passwords hashed with industry-standard algorithms
- - Private network access for infrastructure components
- - Regular security updates and monitoring
While we take reasonable precautions, no system is 100% secure. Please see our Terms of Service for important disclaimers regarding this experimental service.
10. Children's Privacy
Our service is not intended for users under 16 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us immediately at [email protected].
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by:
- - Posting the new policy on this page with an updated "Last Updated" date
- - Displaying a notice in the application for significant changes
Continued use of the service after changes constitutes acceptance of the updated policy.
12. Contact and Complaints
For privacy-related questions, concerns, or to exercise your rights:
You also have the right to lodge a complaint with your local data protection authority. For users in Sweden, this is the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten - IMY): www.imy.se