Legal

Privacy Policy

How milkyway.chat collects, uses, stores, and protects your personal data, including AI processing and third-party providers.

Last updated: July 11, 2026

1. Who is responsible for your data?

The data controller for personal data processed through milkyway.chat (https://www.milkyway.chat) is milkyway.chat (“we”, “us”, “our”).

For privacy-related requests, contact us at privacy@milkyway.chat.

This Privacy Policy explains what we collect, why we collect it, how long we keep it, who we share it with, and what rights you have — in particular if you are located in the European Economic Area (EEA), United Kingdom, or Switzerland.

2. Scope

This policy applies to:

  • Visitors of our website and marketing pages
  • Registered users of the milkyway.chat application
  • Subscribers (Pro or Lifetime plans)

It does not apply to third-party websites, AI model providers’ own policies, or services you access through your own API keys on the Lifetime plan (your relationship with those providers is governed by their terms).

3. Personal data we collect

Depending on how you use the service, we may process:

CategoryExamples
Account dataEmail address, name, profile picture (via Google sign-in), user ID, plan type
Subscription & billingPlan status, Stripe customer/subscription IDs, payment history metadata (we do not store full card numbers)
Chat & contentMessages, prompts, attachments (PDFs, images, files), generated outputs, chat titles, model selections
Usage & technicalIP address, browser/device type, timestamps, feature usage, error logs, request counts
API keys (Lifetime)Provider API keys you voluntarily store to use your own accounts — stored encrypted/at rest per our security practices
Support & communicationsEmails or messages you send to us

Please do not submit special categories of personal data (e.g. health, biometric, political opinions) or confidential third-party data unless you have a lawful basis to do so. You are responsible for the content you upload and prompt.

4. Purposes and legal bases (GDPR)

If GDPR applies, we rely on the following legal bases (Art. 6 GDPR):

PurposeLegal basis
Provide the service (account, chat, storage, billing)Contract performance (Art. 6(1)(b))
Process payments via StripeContract performance; legal obligation where applicable
Send service-related notices (e.g. billing, security)Contract; legitimate interests (Art. 6(1)(f))
Analytics & product improvement (e.g. usage metrics)Legitimate interests, balanced against your rights; consent where required by law
Security, fraud prevention, abuse detectionLegitimate interests; legal obligation
Comply with law, enforce Terms, respond to authoritiesLegal obligation (Art. 6(1)(c)); legitimate interests
Marketing communications (if any, separate from service emails)Consent (Art. 6(1)(a)) where required

5. AI processing and model providers

To generate responses, your prompts and relevant context (including attachments where supported) are transmitted to third-party AI providers such as OpenAI, Anthropic, Google, xAI, Groq, and/or OpenRouter, depending on the model you select and your plan.

  • Pro plan: We route requests using our infrastructure and provider accounts subject to our agreements with those providers.
  • Lifetime plan: Requests may be sent using API keys you provide; your use is also subject to each provider’s terms and privacy policy.

AI outputs may be inaccurate, incomplete, or inappropriate. Do not rely on outputs for medical, legal, financial, or safety-critical decisions without independent verification.

We do not use your chat content to train our own models. Third-party providers may process data according to their policies and API terms — review their documentation if this matters for your use case.

6. Cookies, local storage, and analytics

We use:

  • Essential cookies / storage — authentication session (e.g. via Supabase), security, and core functionality. These are necessary for the service.
  • Analytics — we may use privacy-oriented analytics (e.g. Vercel Analytics, DataFast) to understand usage. Where required by law, we will request consent before non-essential tracking.
  • Local storage — preferences such as theme or locally cached settings.

You can control cookies through your browser settings. Blocking essential cookies may prevent you from using the service.

7. How long we keep data

  • Account data: for as long as your account is active, then deleted or anonymized within a reasonable period after deletion request or prolonged inactivity, unless law requires longer retention.
  • Chat content: stored to provide history and core features until you delete chats or your account, subject to backup retention cycles.
  • Billing records: retained as required by tax and commercial law (often 6–10 years depending on jurisdiction).
  • Logs: typically retained for a limited period (e.g. 30–90 days) unless needed for security investigations.

8. Recipients and processors

We use trusted service providers who process data on our behalf, including:

  • Supabase — authentication, database, file storage
  • Stripe — payment processing
  • Vercel — hosting and infrastructure
  • AI model providers — OpenAI, Anthropic, Google, xAI, Groq, OpenRouter (as applicable)
  • Analytics providers — e.g. Vercel Analytics, DataFast
  • Google — OAuth sign-in (if you choose “Continue with Google”)

We require processors to protect personal data under contractual safeguards (including Standard Contractual Clauses where required for international transfers).

We do not sell your personal data.

9. International transfers

Your data may be processed in countries outside your own, including the United States, where providers host infrastructure. When we transfer personal data from the EEA/UK, we implement appropriate safeguards such as Standard Contractual Clauses and assess transfer risks as required by GDPR Chapter V.

10. Your rights

Depending on your location, you may have the right to:

  • Access your personal data
  • Rectify inaccurate data
  • Erase your data (“right to be forgotten”)
  • Restrict or object to certain processing
  • Data portability
  • Withdraw consent at any time (without affecting prior lawful processing)
  • Lodge a complaint with a supervisory authority

EEA/UK users: You may contact your local data protection authority. In Germany, this is typically the authority of your state of residence (overview at bfdi.bund.de).

To exercise rights, email privacy@milkyway.chat. We may need to verify your identity. We respond within one month where GDPR applies, extendable by two months for complex requests.

11. Children

The service is not directed at children under 16 (or the minimum digital consent age in your country). We do not knowingly collect personal data from children. If you believe a child has provided us data, contact us and we will delete it promptly.

12. Security

We implement technical and organizational measures appropriate to the risk, including encryption in transit (HTTPS/TLS), access controls, and secure hosting. No method of transmission or storage is 100% secure; you use the service at your own risk and should protect your account credentials.

13. Automated decision-making

AI-generated content is produced algorithmically based on your inputs. We do not make legal or similarly significant decisions about you solely by automated means without human involvement where prohibited by law.

14. Changes to this policy

We may update this Privacy Policy from time to time. We will post the revised version on this page and update the “Last updated” date. Material changes may be notified via email or in-app notice where appropriate.

Questions? Contact privacy@milkyway.chat. Operator: milkyway.chat. Website: https://www.milkyway.chat.