Last updated: March 25, 2026
At Tensor.chat, your privacy is important to us. This Privacy Policy explains how we collect, use, store, and share your personal data when you use our service. This policy outlines your rights under the General Data Protection Regulation (GDPR) and the German Telecommunications Telemedia Data Protection Act (TTDSG).
1. Data Controller
The data controller responsible for processing your personal data is:
Michael Persch
c/o COCENTER
Koppoldstr. 1
86551 Aichach
E-Mail: hig5hleader@gmx.de
2. What Data We Collect
- Account Data: When you register, we collect your name, email address, and a securely hashed version of your password. If you register via OAuth (Google, Facebook, or Microsoft), we receive your name, email address, and profile picture from the respective provider.
- Phone Number: To prevent abuse and duplicate accounts, we require phone verification via SMS. Your phone number is stored on our servers and used solely for account verification.
- Chat Data: Your conversations, messages, uploaded files, and images are stored on our servers. This includes message content, timestamps, and AI responses.
- Usage Data: We track API credit usage per user to enforce fair use limits. This includes the number of requests and associated costs but not the content of your messages.
- Technical Data: IP addresses, browser type, operating system, and session information are collected for security, authentication, and service operation. Server logs are retained for a maximum of 7 days.
- Session Cookies: We use a single session cookie (
tensor_session) to maintain your login state. This cookie is HttpOnly, Secure, and SameSite=Lax. It expires after 24 hours (or 7 days with "Remember Me"). We do not use tracking cookies, analytics cookies, or advertising cookies.
3. How Your Data Is Processed
Server-Side Storage: Your chat history, uploaded files, and account information are stored on servers located in Germany. This enables features like cross-device access, search across conversations, and persistent conversation memory.
AI Processing: When you send a message, it is processed on our servers and then forwarded to an AI model provider for response generation. Requests are routed through our infrastructure provider in Frankfurt, Germany.
SMS Verification: Phone verification codes are sent via GTX Messaging (Message Mobile GmbH, Cologne, Germany). GTX receives your phone number solely for the purpose of delivering the SMS verification code. Verification codes expire after 10 minutes.
Image Processing: Uploaded images are processed on our servers and classified by AI models to generate text descriptions for search and context purposes.
Password-Protected Content: You can protect individual chats and folders with passwords. Passwords are securely hashed on our servers. We never store plaintext passwords.
4. Legal Basis for Processing
- Contract Performance (Art. 6(1)(b) GDPR): Processing your messages, storing your chat data, and providing AI responses is necessary to perform the service you requested.
- Consent (Art. 6(1)(a) GDPR): Before your first message, you consent to the processing of your data by AI providers. You can withdraw consent at any time by deleting your account.
- Legitimate Interests (Art. 6(1)(f) GDPR): We process phone numbers to prevent abuse and duplicate accounts. We process technical data for security and service operation. We process usage data to enforce fair use limits.
5. Data Sharing
- AI Model Providers: Your message content is forwarded to an AI provider for response generation. All requests are routed through EU infrastructure. See Section 10 for a list of providers.
- GTX Messaging (Germany): Your phone number is transmitted to GTX for SMS delivery during verification.
- OAuth Providers: If you use social login, the respective provider (Google, Facebook, or Microsoft) processes your authentication data under their own privacy policy.
- Hosting Provider: Our servers are hosted by Uberspace (Jonas Pasche, Germany). They provide the infrastructure but do not access your data.
- Legal Requirements: We may disclose data if required by law or court order.
6. Data Location
All your data is stored and processed exclusively within the European Union:
- Server infrastructure: Germany.
- AI processing: Requests are routed through our infrastructure in Frankfurt, Germany.
- SMS verification: GTX Messaging, Germany.
We do not transfer personal data to countries outside the European Economic Area (EEA). In the event that this changes in the future, we will update this policy and ensure appropriate safeguards are in place.
7. Data Retention
- Account Data: Stored until you delete your account.
- Chat Data & Files: Stored until you delete individual chats or your entire account.
- Phone Number: Stored as long as your account exists.
- Session Data: Expires after 24 hours (or 7 days with "Remember Me").
- Server Logs: Retained for a maximum of 7 days.
- SMS Verification Codes: Expire after 10 minutes.
8. Data Security
We implement appropriate technical and organizational measures to protect your data, including transport encryption (TLS), secure password hashing, cryptographically random session tokens, and server-side access controls. All data is stored on servers in Germany, subject to German and EU data protection laws.
However, no system is completely secure. We cannot guarantee the security of data once it is processed by third-party providers.
9. Your Rights Under GDPR
- Right to Access (Art. 15): You can request information about what personal data we store. You can also export all your chat data at any time using the Export function.
- Right to Rectification (Art. 16): You can correct inaccurate data through your account settings or by contacting us.
- Right to Erasure (Art. 17): You can delete individual chats, folders, or your entire account at any time.
- Right to Restriction of Processing (Art. 18): You can request that we restrict processing of your data in certain circumstances.
- Right to Data Portability (Art. 20): You can export your data in JSON format using the Export function.
- Right to Object (Art. 21): You can object to processing based on legitimate interests.
- Right to Withdraw Consent (Art. 7(3)): You can withdraw consent by deleting your account or by contacting us.
- Right to Lodge a Complaint (Art. 77): You can lodge a complaint with the Hessischer Beauftragter für Datenschutz und Informationsfreiheit, Postfach 3163, 65021 Wiesbaden, Germany.
To exercise your rights, contact us at hig5hleader@gmx.de.
10. Third-Party Services
Your requests are routed to AI providers for response generation. Our primary routing provider is Requesty (EU, Frankfurt), which forwards requests to the appropriate AI model. For redundancy, we may also route requests directly through providers' EU infrastructure. All data is routed through EU infrastructure.
The following providers may process your messages:
Requesty (Routing Provider)
Requesty routes your AI requests through EU infrastructure in Frankfurt, Germany. Requesty does not store your message content.
Google Cloud (Vertex AI)
Google Gemini and Anthropic Claude models, accessed via Google Vertex AI.
OpenAI
OpenAI GPT models.
xAI
xAI Grok models.
Mistral AI
Mistral AI models.
Amazon (AWS Bedrock)
Amazon Nova and NVIDIA Nemotron models, hosted on AWS Bedrock.
GTX Messaging (SMS Verification)
GTX Messaging (Message Mobile GmbH, Cologne, Germany) delivers SMS verification codes. GTX receives your phone number solely for SMS delivery.
11. Changes to This Privacy Policy
We may update this Privacy Policy to reflect changes in our practices or legal requirements. We will update the "Last updated" date at the top of this page. For significant changes, we may notify you through the app or via email.
12. Contact
If you have questions about this Privacy Policy or wish to exercise your rights, contact us at:
Michael Persch
c/o COCENTER
Koppoldstr. 1
86551 Aichach
E-Mail: hig5hleader@gmx.de