Privacy policy for SummaryfAI

1. Introduction

Welcome to SummaryfAI. Your privacy and the security of your data are our highest priorities. This privacy policy explains what data we collect, how we use and protect it, and what rights you have concerning your personal data. Our operations are designed to comply with the General Data Protection Regulation (GDPR) and the principles of transparency and oversight from the AI Act.

The SummaryfAI application is intended for adults. We do not knowingly collect data from minors, and the registration process requires users to confirm they meet the age requirements.

2. Who is responsible for your data

The data controller for your personal data is Michał Kamiński, email: contact@michalsk.com

3. What information we collect and why

We only collect data that is essential for providing our services, ensuring security, and improving our application.

a. Data you provide to us:

Account information: During registration, we ask for your email address and a password. Your email is used for authentication, communication (including sending notifications when your summaries are ready), and password resets. Your password is a hashed value, and we never have access to it in its plain text form.
User-uploaded content: You submit documents in PDF format for processing. You are solely responsible for the content of these documents. As stated in our terms of service, you agree not to upload files containing personally identifiable information (PII) of third parties or other sensitive information that you are not authorized to process.
Preferences and settings: We store your choices regarding application settings, such as your preferred interface theme (light/dark) and your consent to receive email notifications.

b. Data generated while using the service:

Generated summaries: We store the summary files generated for you in markdown (.md) and audio (.mp3) formats so that you can access them from your dashboard.
Quality ratings: We record your ratings (like/dislike) for the summaries we generate. This data, in an aggregated and anonymized form, helps us analyze and improve the quality of our AI models.
Task metadata: For each processing job, we store information such as the original filename, creation date, task status (e.g., pending, completed, failed), and any error messages.

We process your data based on the following legal grounds:

To fulfill a contract (Article 6(1)(b) of the GDPR): Processing your account data, uploaded PDFs, and generating summaries is necessary to provide the service you have requested from us.
Your consent (Article 6(1)(a) of the GDPR): We obtain your explicit consent to our terms of service and this privacy policy during registration. You also have the choice to provide or withdraw consent for email notifications in your account settings.
Our legitimate interest (Article 6(1)(f) of the GDPR): We have a legitimate interest in analyzing aggregated quality ratings to improve our algorithms and monitoring system logs to ensure security and debug issues.

5. Your data and our use of artificial intelligence (AI Act compliance)

SummaryfAI uses advanced artificial intelligence models to generate text and audio summaries. We are committed to making this process transparent for you:

Purpose of AI processing: Our AI systems (including DeepResearch technology) process the content of your uploaded documents for the sole purpose of creating a concise text summary and a script for audio narration, in line with the application’s functionality.
No user profiling: We do not use AI to analyze you as a person, create profiles, make automated decisions about you, or for any purpose other than transforming the text you provide.
Human oversight and quality: The built-in rating system (like/dislike) is our key mechanism for human oversight of the AI’s performance. Your feedback helps us monitor and refine our models.
Data minimization: The AI models only access the document content during the active processing phase. Upon completion, the original PDF file is immediately and permanently deleted.

6. Data security and retention

We take the security of your data very seriously.

Encryption: All communication between your browser and our servers is encrypted using the HTTPS/TLS protocol.
Data isolation: We use Row Level Security (RLS) in our PostgreSQL database, which ensures that you can only access your own data. Even in the event of an application logic error, the database provides an additional layer of protection against unauthorized access.
Data minimization principle:
- Original PDF files are permanently deleted from our servers immediately after the summary generation process is complete, regardless of whether it succeeded or failed.
- We only store the data necessary for your account to function and for you to access your generated materials.
Retention period:
- Your account data is stored as long as you have an active account with us.
- Your generated summary files (.md and .mp3) are available in your account until you choose to delete them or delete your entire account. In the MVP, we do not implement an automatic data retention policy.

7. Use of cookies {#cookies}

SummaryfAI uses cookies to provide essential functionality. Understanding how we use cookies is important for your privacy.

What are cookies?

Cookies are small text files that are stored on your device when you visit a website. They allow websites to recognize your device and remember information about your visit.

What cookies do we use?

We use strictly necessary cookies only. These cookies are essential for the application to function and cannot be disabled:

Authentication cookies (Supabase): These cookies are managed by our authentication provider (Supabase) and store your session information. They allow you to:
- Log in to your account
- Stay logged in as you navigate the application
- Access your dashboard and settings
- Securely perform actions that require authentication

Technical details:

Cookie names: sb-*-auth-token (where * is our Supabase project identifier)
Purpose: User authentication and session management
Duration: Session cookies (deleted when you close your browser) and persistent cookies (for “remember me” functionality)
Storage: Cookies are stored both in your browser’s cookie storage and in localStorage for redundancy

Why are these cookies necessary?

Without these cookies, the application cannot function. They are strictly necessary under GDPR Article 6(1)(b) (necessary for contract performance) because:

They are essential for providing the service you requested
They enable core functionality (login, session persistence)
They protect your account security
There is no alternative technical solution that would allow the service to work without them

We do not use:

Analytics or tracking cookies
Advertising cookies
Social media cookies
Third-party tracking technologies

Under GDPR, consent is not required for strictly necessary cookies. According to Recital 30 of the ePrivacy Directive and GDPR Article 6(1)(b), cookies that are essential for providing a service explicitly requested by the user do not require consent.

However, we believe in transparency, which is why we inform you about our cookie usage through this policy and a notice banner on first visit.

Your choices

Since these cookies are strictly necessary:

You cannot disable them through our application settings
If you disable cookies in your browser settings, you will not be able to use SummaryfAI
You can delete cookies through your browser settings, but this will log you out

Managing cookies in your browser

You can control and/or delete cookies through your browser settings:

Chrome: Settings → Privacy and security → Cookies and other site data
Firefox: Settings → Privacy & Security → Cookies and Site Data
Safari: Preferences → Privacy → Manage Website Data
Edge: Settings → Cookies and site permissions → Manage and delete cookies

Note: Disabling or deleting cookies will prevent you from logging in and using the application.

We do not sell your personal data. We only share it with third parties when it is necessary to provide our services. Our key technology partners include:

Supabase: Provides our backend infrastructure, including the PostgreSQL database and authentication system.
Cloudflare: Provides hosting services for our main application.
Mikr.us (VPS): Provides the VPS server where our AI microservice runs and where generated summary files are stored.
[Resend / SendGrid]: Used to send transactional emails (e.g., notifications about completed summaries).
OpenAI The platform providing access to the AI models used in the text analysis and summarization process.

All of these entities are required to adhere to security and privacy standards consistent with GDPR.

You have full control over your personal data. You have the following rights:

The right to access your data: You can view all of your data (profile, list of summaries) at any time after logging into your account.
The right to rectify your data: You can update your email address and password in the account settings section.
The right to erasure (“right to be forgotten”): In your account settings, you will find an option to permanently delete your account. This action is irreversible and will result in the deletion of all your data, including your profile and generated files, from our servers.
The right to restrict processing: You can restrict the processing of your data, for example, by disabling email notifications in your settings.
The right to data portability: You have the ability to download all the summaries you have generated in .md and .mp3 formats.
The right to lodge a complaint: If you believe your data is being processed unlawfully, you have the right to lodge a complaint with a supervisory authority.

10. Changes to this privacy policy

We reserve the right to make changes to this privacy policy. We will inform you of any significant changes by email or through a notification within the application. Your continued use of the service after changes are introduced will constitute your acceptance of those changes.

11. Contact us

If you have any questions or concerns about your privacy, please contact us at: contact@michalsk.com.