Privacy Policy

Last updated 2026-04-29 · Operated by Aurolabs AB · Compliant with GDPR (EU 2016/679) and EU AI Act (EU 2024/1689)

This Privacy Policy explains what personal data Aurolabs AB collects when you use pssst.fyi (the "Service"), why we collect it, who we share it with, how long we keep it, and what rights you have. If anything is unclear, write to us — see contact below.

1. Who we are (the controller)

The data controller responsible for your personal data is:

Aurolabs AB
Org. nr: 559523-4989
Stockholm, Sweden
Email: privacy@aurolabs.ai

We do not have a designated Data Protection Officer (DPO) at this time — for any data-protection request use the privacy email above and we will respond within 30 days.

2. What we collect, why, and on what legal basis

Under GDPR Articles 13/14, here is the full picture:

Data	Why we collect it	Legal basis (GDPR Art. 6)	Retention
Email address	To deliver watchletters, sign you in, and contact you about your subscription.	Contract performance (6.1.b)	Until account deletion + 30 days for backups.
Topic descriptions you write	To monitor those topics and generate briefs for you.	Contract performance (6.1.b)	Until you delete the topic or the account.
Sign-in tokens & session IDs	To authenticate you. Stored hashed (SHA-256); raw tokens never persisted.	Contract performance (6.1.b)	Tokens 1 hour; sign-in codes 10 minutes; sessions 30 days.
IP address & user-agent (at sign-in)	Security: detect anomalous logins, rate-limit abuse.	Legitimate interest (6.1.f) — fraud prevention	30 days, then deleted with the session.
Stripe customer ID & subscription ID (for paid tiers)	To bill you and reflect your tier in the Service.	Contract performance (6.1.b)	Until cancellation + statutory accounting period (Swedish Bookkeeping Act: 7 years for invoice-related records).
Payment details (card / IBAN)	Processed by Stripe — we never see or store card numbers. We only receive a customer reference.	Stripe is a separate controller for payment processing.	Stripe's policy applies.
Watchletter delivery history (timestamps, topic IDs)	To know what we already sent so we don't repeat content.	Contract performance (6.1.b)	Until account deletion.

We do not collect: name, address, phone number, browsing history outside pssst, marketing-tracking cookies, or any special-category data (health, race, political opinions, etc.).

3. AI processing — how briefs are generated

In compliance with Article 50 of the EU AI Act, we want you to understand exactly what happens to your data when we generate a brief:

Topic title and summary you wrote are sent to OpenAI (a US company offering services within the EU under the EU-U.S. Data Privacy Framework) so a large language model can search the web and synthesise a brief.
Your email address is not sent to OpenAI.
OpenAI processes the request and returns the brief and source URLs to us. We then assemble the watchletter and send it via our email provider.
OpenAI does not use API content to train its models by default (per OpenAI's API data-usage policy at the time of writing).
The output is generated by an AI model. Outputs may be inaccurate, incomplete, or biased. Always verify critical information against the cited sources before relying on it.

4. Who we share data with (sub-processors)

We use the following third parties to operate the Service. Each processes a narrow slice of your data on our instructions, under a Data Processing Agreement (DPA):

Provider	Purpose	Data shared	Where
OpenAI, L.L.C.	LLM-generated briefs, topic splitting	Topic title + summary, free-text input	USA (EU-U.S. DPF certified)
Stripe Payments Europe Ltd.	Subscription billing	Email, payment method (handled by Stripe)	EU + USA
Resend (Bounce Inc.)	Outgoing email delivery	Email address, watchletter content	USA (Standard Contractual Clauses)
Hosting provider	Server infrastructure	All data at rest in our database	EU

For transfers to the USA we rely on the EU-U.S. Data Privacy Framework or, where a provider isn't certified, on Standard Contractual Clauses (Commission Decision 2021/914) plus appropriate supplementary measures.

We do not sell your data. We do not share it with advertisers, data brokers, or analytics platforms.

5. Cookies & similar technologies

pssst.fyi uses one cookie: a session cookie called pssst_sid that keeps you signed in. It is HttpOnly, SameSite=Lax, Secure (in production), and 30 days long. We do not use tracking cookies, advertising cookies, or analytics scripts that set cookies.

6. How long we keep your data

Active account: we keep your data for as long as your account is active.
Account deletion: when you delete your account from the dashboard, we delete topics, sessions, and authentication tokens immediately. Backups are rotated within 30 days.
Stripe-related records: Swedish accounting law (Bokföringslagen) requires us to retain invoice-related records for 7 years from the end of the calendar year. This applies only to billing data linked to Stripe.
Inactive accounts: if you don't sign in or receive a watchletter for 24 months we'll send a reminder; if there's no response within 60 days we delete the account.

7. Your rights under GDPR

You have the following rights with respect to your personal data:

Access (Art. 15) — request a copy of the data we hold about you.
Rectification (Art. 16) — correct inaccurate data. Most fields you can edit yourself in the dashboard.
Erasure (Art. 17) — delete your account and data. Available in the dashboard's danger zone, or by emailing us.
Restriction (Art. 18) — temporarily limit processing while a dispute is resolved.
Portability (Art. 20) — request your data in a machine-readable format. We provide this as JSON on email request.
Objection (Art. 21) — object to processing based on legitimate interests.
Withdraw consent — where we rely on consent, withdraw it at any time without affecting prior processing.
Lodge a complaint — with the Swedish Authority for Privacy Protection (IMY) or with your local data-protection authority.

To exercise any of these rights write to privacy@aurolabs.ai. We respond within 30 days as required by GDPR.

8. Automated decision-making

We do not make decisions about you that have legal or similarly significant effects using purely automated means (GDPR Art. 22). The AI generates content, but it does not decide whether to grant or deny you anything.

9. Security

We take your data's security seriously:

Sign-in tokens and codes are stored only as SHA-256 hashes — even we can't read them.
Sessions are HttpOnly cookies with strict same-site policy.
All traffic is HTTPS-only in production.
Database is hosted in the EU. Backups are encrypted at rest.
Payment data never touches our servers — Stripe handles that end to end.

If we ever experience a breach affecting your data we will notify you and the Swedish data-protection authority within 72 hours, as required under GDPR Art. 33–34.

10. Children

pssst is not directed at children under 16 and we do not knowingly collect data from anyone under that age. If you believe a child has signed up, write to us and we'll delete the account.

11. Changes to this Policy

If we materially change this Policy we will notify active users by email at least 14 days before the change takes effect. Continued use after the effective date constitutes acceptance.

12. Contact

Aurolabs AB
Org. nr: 559523-4989
Stockholm, Sweden
Privacy questions / GDPR requests: privacy@aurolabs.ai
General contact: hello@aurolabs.ai

← Back to pssst · Terms: /terms