Privacy Policy

1. Who we are

AiCue ("we", "us", "our") is operated by Sumcon. We are the data controller responsible for your personal data when you use AiCue at www.aicue.app.

2. Data we collect

Category	Examples	How collected
Account data	Email address, hashed password	You provide when registering
Billing data	Subscription status, billing history	Via Stripe (we never see card numbers)
Usage data	Prompts generated, AI platforms used, timestamps	Automatically when you use the Service
Technical data	IP address, browser type, session token	Automatically from your browser
Communications	Contact form messages	You provide when contacting us

We do not collect full card numbers, government IDs, or sensitive personal categories under GDPR Article 9. The text of your prompts is processed by the Anthropic API but not stored by us — we log only metadata (platform chosen, timestamp).

3. Why we collect your data

Account management — to create and maintain your account, authenticate you, and send transactional emails.
Service delivery — to process your subscription, top up your credits, and generate prompts.
Customer support — to respond to contact form messages.
Service improvement — aggregated, anonymised usage statistics.
Legal compliance — tax records, fraud prevention.

We do not use your data for advertising, profiling, or automated decision-making that produces legal effects.

4. Legal basis for processing (GDPR)

Processing activity	Legal basis
Creating and managing your account	Contract performance (Art. 6(1)(b))
Processing subscription payments	Contract performance (Art. 6(1)(b))
Sending transactional emails	Contract performance (Art. 6(1)(b))
Responding to support requests	Legitimate interests (Art. 6(1)(f))
Aggregated analytics	Legitimate interests (Art. 6(1)(f))
Legal and tax obligations	Legal obligation (Art. 6(1)(c))

5. Who we share your data with

Stripe — payment processing. Stripe handles all card data. See stripe.com/privacy.
Anthropic — AI generation. Your input text is sent to the Anthropic API. See anthropic.com/privacy.
Railway — our hosting provider. See railway.app/legal/privacy.

We do not sell, rent or trade your personal data to any third party.

6. How long we keep your data

Account data — kept while your account is active, plus 30 days after deletion.
Billing records — kept 7 years as required by Swedish accounting law (Bokföringslagen).
Usage logs — rolling 90-day window, then deleted automatically.
Contact messages — kept 2 years, then deleted.
Password reset and verification tokens — expire after 1 hour / 24 hours and deleted after use.

7. Your rights under GDPR

As a data subject in the EU/EEA, you have the rights of: access, rectification, erasure ("right to be forgotten"), restriction, data portability, objection, and withdrawal of consent. To exercise any right, use our contact form. We respond within 30 days. You may also lodge a complaint with the Swedish Data Protection Authority (Integritetsskyddsmyndigheten, imy.se).

8. Cookies

We use a single session cookie to keep you logged in. It is strictly necessary for the Service, not used for advertising or cross-site tracking, and deleted when you sign out or after 7 days. We do not use Google Analytics, Facebook Pixel, or any third-party tracking scripts.

9. Security

Passwords are hashed using bcrypt (cost factor 12) — we never store plain-text passwords.
All communication is encrypted in transit via HTTPS/TLS.
Payment card data is handled entirely by Stripe — we never see card numbers.
API keys are stored as environment variables, never in source code.

10. Contact

Questions about this policy? Use our contact form. We aim to respond within 5 business days. This policy was last reviewed on 1 January 2025.