Privacy Policy

If you live in the European Economic Area (EEA), Switzerland, or the UK, GnistAI is the controller responsible for processing your Personal Data, as described in this Privacy Policy.

We collect personal data relating to you ("Personal Data") in the following ways:

Personal Data You Provide:

• Account Information: When you create an account for the Gnist Platform, we collect a unique email and some profile details (e.g., display name, time-related preferences). We may also receive authentication data from third-party login providers (e.g., Google or Auth0).
• User Content: Any text, audio, or images you share, such as:
  • Messages or voice recordings to or from the AI Agents.
  • Images or screenshots you upload for the AI Agents to interpret or respond to.
• Communication Information: If you contact us (e.g., by email), we may collect your contact details and the contents of your message.
• Other Information You Provide: For instance, information shared in surveys, feedback forms, or support requests.

Personal Data We Receive from Your Use of the Services:

• Log Data: Information your device automatically provides, such as IP address, browser type, and timestamps.
• Usage Data: Details of how you interact with the GnistAI application, including visited pages, session length, features used, and device/OS specifics.
• Device Information: Device name, operating system, browser, and unique identifiers.
• General Location Information: Information indicating your general geographic area, such as country or jurisdiction, derived primarily from your IP address.
• Precise Location Information: Exact location data collected through GPS (if enabled), Wi-Fi networks, and contextual clues from your interactions with AI Agents.
• Cookies and Similar Technologies: We use cookies and related technologies to provide our Services, remember preferences, and improve your experience. This includes implementing the Reddit Ad Tracking Pixel, which helps us measure the effectiveness of our ads on Reddit by collecting aggregated data about user interactions on our site. The Reddit Pixel does not provide us with personally identifiable information, but it allows us to see how users who arrived via Reddit ads interact with our Services.

AI Agent Appearances: The GnistAI application offers AI Agents with either default appearances or custom uploaded images. While we use generative AI for creating these appearances, all image generation is strictly controlled through predefined parameters (such as clothing type, expressions, and color schemes). This ensures that no unauthorized or personal data can be leaked through the image generation process, as all inputs are validated against a fixed set of allowed values.

We may use Personal Data for the following purposes:

• To provide, analyze, and maintain our Services, for example generating AI Agent responses in the GnistAI application.
• To improve and develop our Services, including refining AI Agents and creating new features.
• To communicate with you, for example sending you updates or announcements.
• To prevent fraud, illegal activity, or misuse of our Services, and to protect our systems.
• To comply with legal obligations and protect the rights, privacy, safety, or property of Gnist, our users, or third parties.

We may aggregate or de-identify Personal Data so that it no longer identifies you, and use that information for the above purposes, such as analyzing how the GnistAI application is used. We will maintain de-identified data without attempting to re-identify it, unless required by law.

Please note that AI Agents can produce content that is sometimes factually inaccurate or incomplete. While we strive to ensure that the GnistAI application provides helpful assistance, you should not rely on its output for critically important matters.

We may disclose your Personal Data in the following circumstances:

• Vendors and service providers: We rely on third parties to deliver core functionality (e.g., hosting, AI model processing). They process data strictly per our instructions.
• Business transfers: If GnistAI undergoes a merger, acquisition, bankruptcy, or similar event, Personal Data may be transferred as part of that process.
• Government authorities or other third parties: To comply with legal obligations or protect against fraud, abuse, or security risks.
• Third-party services and integrations: We use third-party services to provide core functionality (e.g., Telegram messaging, web browsing, web search, and productivity tools like Google Calendar). When you use these features, your data may be processed by these services according to their privacy policies.

In addition to the disclosures listed in Section 4, we rely on a variety of external and internal tools, platforms, and APIs to operate Gnist. We share only the minimal necessary Personal Data with these third parties and require them to process data in line with our instructions and applicable law.

5.1 External service providers

These are third-party APIs or platforms we use to deliver certain features:

• OpenAI API – Moderation, Chat Completion, Image Generation, Function Calling
• Anthropic API – Chat Completion, Function Calling
• Infermatic AI – Chat Completion
• Replicate – Chat Completion, Image generation
• Civitai API – Image generation
• Stability AI API – Image generation
• Google Tasks API – Full access to manage user tasks
• Google Calendar API – Read/limited write access to user calendars
• YouTube API – Video information retrieval
• Spotify API – Music recommendations and playback info
• YR Weather API – Weather data
• Reddit RSS, Hacker News RSS – News feeds
• Brave Search API – Web search queries
• ElvenLabs API – Advanced text-to-speech
• Telegram API – Telegram notifications and integration
• Mailgun API – Email sending
• Auth0, Google OAuth 2.0 – Authentication and user management
• Stripe API – Payment processing
• Reddit Ads – Advertising analytics and ad-performance tracking from Reddit

5.2 External infrastructure providers

We rely on the following hosting and network providers:

• DigitalOcean – Application and database hosting, DNS
• Hetzner – VM hosting
• Tailscale – VPN service
• RunPod – Local AI model hosting
• ProISP – DNS hosting

5.3 Internally hosted software

We operate some core services on our own infrastructure:

• PostHog – User analytics
• Playwright – Fetching web content
• Redis – Caching and queue management
• PostgreSQL – Primary database
• Docker – Container orchestration

5.4 Externally hosted software

Some software or development tools are hosted by third parties:

• OpenAI ChatGPT, Anthropic Claude – AI text generation
• GitHub Copilot – Coding assistance
• GitLab – CI/CD, feature flags, issue tracking
• Google Workspace – Email, calendar, Drive, etc.
• Auth0 – Login and identity services
• Stripe – Payment processing

5.5 Major gnist modules that affect privacy

• Chat & voice: Processes text/audio input (moderation, summarization, transcription).
• Agent memory & Retrieval-Augmented Generation (RAG):Stores user-shared data, personal notes, and agent "memories."
• Tooling: Tracks user metrics (if desired), tasks, calendars, and queries external APIs (news, music, etc.).
• User tracking: Location updates and current user activities, so that AI Agents can provide contextually relevant responses.
• Agent appearance: Generates AI Agents' visual appearances from predefined modular components. Only user-submitted images or textual descriptions are sent for generation.

We encourage you to review the privacy policies of these third-party providers for more details on how they handle your data. For any questions, please email us at [email protected].

We retain your Personal Data only as long as necessary to provide our Services or for other legitimate reasons (resolving disputes, ensuring security, meeting legal obligations). Retention length depends on factors like:

• The purpose of the processing.
• The amount, nature, and sensitivity of the data.
• Potential risks from unauthorized use or disclosure.
• Legal requirements we must follow.

In the GnistAI application, you can configure for how long Agent "memories", messages, and summaries are retained. By default, we do not delete any data, because this ensures your AI Agents maintain meaningful context and continue to provide personalized interactions based on your shared history.

You may request all of your data deleted at any time. Upon full deletion, all personal content, AI agent interactions, credentials, preferences, and settings will be permanently removed after 14 days. We retain basic transaction records as required by applicable laws and for legitimate business purposes.

You have certain rights regarding your Personal Data, subject to applicable law, including the rights to:

• Access and obtain a copy of your Personal Data.
• Delete your Personal Data.
• Rectify or update inaccurate Personal Data.
• Transfer your Personal Data (data portability).
• Restrict or object to certain processing activities.
• Withdraw your consent where we rely on it.
• Lodge a complaint with your local data protection authority.

You can also object to direct marketing or processing based on legitimate interests in certain cases.

Most of these rights can be exercised directly within the GnistAI application (e.g., adjusting account settings or data retention, or removing content). If you require additional assistance, please contact us at [email protected].

The AI models we use generate responses by predicting word sequences, which can lead to inaccurate or confabulated information (known as hallucinations). While we provide relevant context to improve accuracy, the underlying limitation is inherent to current AI technology. Users should verify any factual claims rather than relying solely on AI-generated responses.

Our Services are available only to users who are 18 years or older. We do not knowingly collect data from minors. If you suspect that a minor under 18 is using Gnist, please contact us at [email protected].

We implement commercially reasonable technical, administrative, and organizational measures to protect Personal Data from unauthorized access, disclosure, alteration, or destruction. Data in transit is encrypted (HTTPS, SSH, or WireGuard®). Only refresh tokens, access tokens, and passwords for external services are currently encrypted at rest; we plan to add broader encryption in the future. No system is completely secure, so you should take care with the information you share.

We are not responsible for circumvention of any privacy settings or security measures in the Services or on third-party systems.

Depending on the specific activity, we rely on one or more of the following legal bases to process your Personal Data:

We strive to host and process data within the EEA/EU. However, some third parties we rely on (e.g., OpenAI, Anthropic, Google) are located in the US or other jurisdictions that may not offer the same data protection laws as your home country. We rely on lawful transfer mechanisms, such as EU Standard Contractual Clauses, to protect Personal Data across borders. Gnist's own hosting is presently in the Netherlands and Finland, but may move to other EEA/EU countries as operational needs arise.

We may update this Privacy Policy from time to time. When we do, we will post the new version and effective date on this page. Where required by law, we will provide additional notice (e.g., via email or the GnistAI application).

If you have any questions or concerns not addressed here, you can reach us at [email protected] or by mail:

GnistAI AS
Postboks 3070 Elisenberg
0207 Oslo
Norway

GnistAI integrates with Google services to provide enhanced productivity and AI-powered assistance. Our use of Google user data is subject to Google's policies and the commitments outlined below.

1. How We Use Google User Data

GnistAI requests access to limited Google account information, such as Google Calendar events and Google Tasks, solely to provide user-facing features that help you organize your schedule and tasks. Specifically:

• Google Calendar: We read/write events (depending on your consent) so your GnistAI assistant can remind you of upcoming events and help schedule tasks. We only modify or delete events with your explicit action (e.g., when you ask the assistant to create or remove an event).
• Google Tasks: We manage your to-do lists by creating, retrieving, or updating tasks at your request. We do not share your tasks with any outside parties.
• Google Authentication: We use Google OAuth (via Auth0) for secure login, so you can sign in with your Google account without a separate password.

GnistAI does not access your Gmail or other Google data beyond these explicitly granted scopes. We do not use Google user data for advertising, profiling, or any other secondary purposes.

2. Compliance with Google API Services User Data Policy

GnistAI's use and transfer of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. This means:

• We only use Google data for the user-facing features within GnistAI (e.g., showing your tasks/events or allowing you to add/edit them).
• We do not allow human access to your Google data except in rare circumstances where it may be needed to debug or secure the service, or when required by law. In such cases, only authorized personnel may access it under strict confidentiality.
• We do not sell or share your Google data with third parties. Any sharing is solely for core functionality with service providers bound by confidentiality (e.g., hosting).
• We do not use or transfer Google data for advertising purposes or for creating user profiles unrelated to the intended GnistAI features.

3. User Control and Revoking Access

You may revoke GnistAI's access to your Google account at any time by visiting your Google Account permissions page. You can also remove specific permissions (like Calendar or Tasks) within the GnistAI application or by contacting us at [email protected].

4. Data Security and Retention

We employ encryption in transit and access controls to protect your Google data. We retain only what is necessary to provide or improve the service, or as required by law. You can configure data deletion and request complete removal of your GnistAI account at any time.

5. Legal Attribution and Disclaimer

Google, Google Calendar, and Google Tasks are trademarks of Google LLC. Use of these trademarks does not imply any endorsement by Google.