Back to home

Privacy Policy

Last updated: February 2026

1. Data Controller

The data controller responsible for data processing on this website is:

SayPeter

Operated by: Jordi [Full legal entity to be determined]

Email: [email protected]

If you have questions about data protection, please contact us at [email protected].

2. What Data We Collect

We collect the minimum data necessary to provide and improve our service:

Account data

Your name and email address, provided during registration (including via Google OAuth). Legal basis: Art. 6(1)(b) GDPR (performance of contract).

Payment data

Payment information (credit card details, billing address) is collected and processed exclusively by Stripe, our payment processor. We only receive a confirmation of payment status, your Stripe customer ID, and subscription state. We do not store your full card number. Legal basis: Art. 6(1)(b) GDPR (performance of contract).

Usage data

Login timestamps, IP addresses, and basic service interaction logs (e.g., VM provisioning status). This data is used to operate, secure, and improve the service. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in service security and improvement).

3. What We Do NOT Collect (Zero-Knowledge Architecture)

SayPeter is built on a zero-knowledge architecture. Each customer gets their own dedicated virtual machine. We explicitly do not have access to, collect, or store:

  • Your AI conversations - all chat messages stay on your private VM and are sent directly from your VM to your chosen AI provider.
  • Your API keys - API keys for Anthropic, OpenAI, or Google are entered on your VM and stored only on your VM. They never pass through our infrastructure.
  • Your files and data on the VM - any files, documents, or data you create or store on your server are inaccessible to us.

We cannot read, access, or recover data from your VM, even for support purposes.

4. Third-Party Processors

Stripe (Payment Processing)

We use Stripe, Inc. to process payments. Stripe processes your payment data under their own privacy policy. See: stripe.com/privacy

Hetzner (Infrastructure Provider)

Your dedicated VM and our platform infrastructure are hosted by Hetzner Online GmbH in data centres in Germany. See: hetzner.com/legal/privacy-policy

Tailscale (Network Management)

We use Tailscale for secure network management between our platform and customer VMs. See: tailscale.com/privacy-policy

AI Providers (Via Your Own Keys)

Your VM communicates directly with AI providers (Anthropic, OpenAI, Google) using your own API keys. These connections are made from your VM, not from our systems. We are not a party to the data processing between you and these providers.

5. Cookies

We use only essential cookies required for the functioning of the service:

  • Session cookie - maintains your logged-in session.
  • CSRF token - protects against cross-site request forgery attacks.
  • Stripe cookies - set by Stripe during the checkout process to prevent fraud.

We do not use analytics cookies, advertising cookies, or tracking pixels.

6. Data Retention

  • Account data - retained for as long as your account is active. Upon deletion, personal data is erased within 30 days.
  • VM data - upon cancellation, your dedicated VM is preserved for 30 days to allow data export. After 30 days, the VM is permanently destroyed.
  • Payment records - retained as required by applicable tax and commercial law.

7. Your Rights Under GDPR

You have the following rights regarding your personal data:

  • Right of access (Art. 15 GDPR)
  • Right to rectification (Art. 16 GDPR)
  • Right to erasure (Art. 17 GDPR)
  • Right to restriction of processing (Art. 18 GDPR)
  • Right to data portability (Art. 20 GDPR)
  • Right to object (Art. 21 GDPR)
  • Right to withdraw consent

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

8. Right to Lodge a Complaint

If you believe that our processing of your personal data violates the GDPR, you have the right to lodge a complaint with a supervisory authority.

9. International Data Transfers

Your data is primarily processed within the European Union (Hetzner, Germany). Where data is transferred to third countries, we ensure adequate safeguards:

  • Stripe (USA) - EU-US Data Privacy Framework; EU Standard Contractual Clauses.
  • Tailscale (USA) - EU Standard Contractual Clauses.
  • AI providers - data transfers occur directly from your VM using your own API keys, under your control.

10. Changes to This Privacy Policy

We may update this privacy policy from time to time. We will notify you of material changes by email or by posting a notice on our website.

11. Contact

For data protection inquiries and to exercise your rights:

Email: [email protected]