Legal
Privacy Policy
How milkyway.chat collects, uses, stores, and protects your personal data, including AI processing and third-party providers.
Last updated: July 11, 2026
1. Who is responsible for your data?
The data controller for personal data processed through milkyway.chat (https://www.milkyway.chat) is milkyway.chat (“we”, “us”, “our”).
For privacy-related requests, contact us at privacy@milkyway.chat.
This Privacy Policy explains what we collect, why we collect it, how long we keep it, who we share it with, and what rights you have — in particular if you are located in the European Economic Area (EEA), United Kingdom, or Switzerland.
2. Scope
This policy applies to:
- Visitors of our website and marketing pages
- Registered users of the milkyway.chat application
- Subscribers (Pro or Lifetime plans)
It does not apply to third-party websites, AI model providers’ own policies, or services you access through your own API keys on the Lifetime plan (your relationship with those providers is governed by their terms).
3. Personal data we collect
Depending on how you use the service, we may process:
| Category | Examples |
|---|---|
| Account data | Email address, name, profile picture (via Google sign-in), user ID, plan type |
| Subscription & billing | Plan status, Stripe customer/subscription IDs, payment history metadata (we do not store full card numbers) |
| Chat & content | Messages, prompts, attachments (PDFs, images, files), generated outputs, chat titles, model selections |
| Usage & technical | IP address, browser/device type, timestamps, feature usage, error logs, request counts |
| API keys (Lifetime) | Provider API keys you voluntarily store to use your own accounts — stored encrypted/at rest per our security practices |
| Support & communications | Emails or messages you send to us |
Please do not submit special categories of personal data (e.g. health, biometric, political opinions) or confidential third-party data unless you have a lawful basis to do so. You are responsible for the content you upload and prompt.
4. Purposes and legal bases (GDPR)
If GDPR applies, we rely on the following legal bases (Art. 6 GDPR):
| Purpose | Legal basis |
|---|---|
| Provide the service (account, chat, storage, billing) | Contract performance (Art. 6(1)(b)) |
| Process payments via Stripe | Contract performance; legal obligation where applicable |
| Send service-related notices (e.g. billing, security) | Contract; legitimate interests (Art. 6(1)(f)) |
| Analytics & product improvement (e.g. usage metrics) | Legitimate interests, balanced against your rights; consent where required by law |
| Security, fraud prevention, abuse detection | Legitimate interests; legal obligation |
| Comply with law, enforce Terms, respond to authorities | Legal obligation (Art. 6(1)(c)); legitimate interests |
| Marketing communications (if any, separate from service emails) | Consent (Art. 6(1)(a)) where required |
5. AI processing and model providers
To generate responses, your prompts and relevant context (including attachments where supported) are transmitted to third-party AI providers such as OpenAI, Anthropic, Google, xAI, Groq, and/or OpenRouter, depending on the model you select and your plan.
- Pro plan: We route requests using our infrastructure and provider accounts subject to our agreements with those providers.
- Lifetime plan: Requests may be sent using API keys you provide; your use is also subject to each provider’s terms and privacy policy.
AI outputs may be inaccurate, incomplete, or inappropriate. Do not rely on outputs for medical, legal, financial, or safety-critical decisions without independent verification.
We do not use your chat content to train our own models. Third-party providers may process data according to their policies and API terms — review their documentation if this matters for your use case.
7. How long we keep data
- Account data: for as long as your account is active, then deleted or anonymized within a reasonable period after deletion request or prolonged inactivity, unless law requires longer retention.
- Chat content: stored to provide history and core features until you delete chats or your account, subject to backup retention cycles.
- Billing records: retained as required by tax and commercial law (often 6–10 years depending on jurisdiction).
- Logs: typically retained for a limited period (e.g. 30–90 days) unless needed for security investigations.
8. Recipients and processors
We use trusted service providers who process data on our behalf, including:
- Supabase — authentication, database, file storage
- Stripe — payment processing
- Vercel — hosting and infrastructure
- AI model providers — OpenAI, Anthropic, Google, xAI, Groq, OpenRouter (as applicable)
- Analytics providers — e.g. Vercel Analytics, DataFast
- Google — OAuth sign-in (if you choose “Continue with Google”)
We require processors to protect personal data under contractual safeguards (including Standard Contractual Clauses where required for international transfers).
We do not sell your personal data.
9. International transfers
Your data may be processed in countries outside your own, including the United States, where providers host infrastructure. When we transfer personal data from the EEA/UK, we implement appropriate safeguards such as Standard Contractual Clauses and assess transfer risks as required by GDPR Chapter V.
10. Your rights
Depending on your location, you may have the right to:
- Access your personal data
- Rectify inaccurate data
- Erase your data (“right to be forgotten”)
- Restrict or object to certain processing
- Data portability
- Withdraw consent at any time (without affecting prior lawful processing)
- Lodge a complaint with a supervisory authority
EEA/UK users: You may contact your local data protection authority. In Germany, this is typically the authority of your state of residence (overview at bfdi.bund.de).
To exercise rights, email privacy@milkyway.chat. We may need to verify your identity. We respond within one month where GDPR applies, extendable by two months for complex requests.
11. Children
The service is not directed at children under 16 (or the minimum digital consent age in your country). We do not knowingly collect personal data from children. If you believe a child has provided us data, contact us and we will delete it promptly.
12. Security
We implement technical and organizational measures appropriate to the risk, including encryption in transit (HTTPS/TLS), access controls, and secure hosting. No method of transmission or storage is 100% secure; you use the service at your own risk and should protect your account credentials.
13. Automated decision-making
AI-generated content is produced algorithmically based on your inputs. We do not make legal or similarly significant decisions about you solely by automated means without human involvement where prohibited by law.
14. Changes to this policy
We may update this Privacy Policy from time to time. We will post the revised version on this page and update the “Last updated” date. Material changes may be notified via email or in-app notice where appropriate.
15. Related documents
Use of the service is also governed by our Terms of Service. For questions about both documents, contact privacy@milkyway.chat. Governing jurisdiction for disputes is described in the Terms (Germany).
Questions? Contact privacy@milkyway.chat. Operator: milkyway.chat. Website: https://www.milkyway.chat.