Privacy Policy

Last updated: 26 February 2026

1. Introduction

This Privacy Policy explains how naffe.ai ("we", "us", "our") collects, uses, stores, and protects your personal data when you use our AI-powered platform at naffe.ai and pa.naffe.ai (the "Service").

naffe.ai is operated from Denmark, EU. We are committed to protecting your privacy in compliance with the EU General Data Protection Regulation (GDPR), applicable Danish data protection law, and the California Consumer Privacy Act (CCPA/CPRA) for US users.

This policy applies globally to all users of the Service, including the Personal Assistant (PA) platform where users connect third-party services such as Google Calendar, Gmail, and Stripe.

2. Data Controller

The data controller responsible for your personal data is:

naffe.ai

Denmark, EU

Email: privacy@naffe.ai

3. Data We Collect

3.1 Account Information

  • Email address
  • Name (if provided)
  • Authentication credentials (managed via our authentication provider)
  • Billing and subscription information

3.2 User Content

  • Prompts and instructions - the descriptions you provide to build software
  • Generated content - applications, dashboards, and tools the Service creates
  • Edit requests - modifications you request to your projects
  • Uploaded files - logos, documents, and reference images you attach

3.3 Connected Service Data

When you connect third-party services (see Section 6), we store encrypted OAuth tokens and access data from those services on your behalf.

3.4 Technical Data

  • IP address and approximate location
  • Browser type and version
  • Device information
  • Pages visited and usage patterns

4. How We Use Your Data

  • Provide the Service - generate, host, and maintain the software you request
  • Process AI requests - send your prompts to our AI provider to generate and edit projects
  • Connect your services - use your authorized tokens to interact with your connected accounts
  • Manage billing - track credit usage and process payments
  • Improve the Service - understand usage patterns and fix issues
  • Comply with legal obligations - meet regulatory and legal requirements

We do not sell your personal data.

We do not use your data for advertising or cross-context behavioral tracking.

5. Legal Basis for Processing (GDPR)

Purpose                                     Legal Basis
Providing the Service                       Performance of contract (Art. 6(1)(b))
Processing payments                         Performance of contract (Art. 6(1)(b))
Connecting third-party services via OAuth   Consent (Art. 6(1)(a))
Sending prompts to AI provider              Performance of contract (Art. 6(1)(b))
Analytics and improvement                   Legitimate interest (Art. 6(1)(f))
Legal compliance                            Legal obligation (Art. 6(1)(c))

6. Connected Services and OAuth

Key principle: You connect your own accounts. We never ask for your passwords. All connections use industry-standard OAuth 2.0, where you authorize access directly with the service provider.

6.1 Services You Can Connect

You choose which services to connect. Currently supported:

  • Google Calendar - read and manage your calendar events and scheduling
  • Gmail - read, draft, and send emails on your behalf
  • Google Drive - access and manage your files and documents
  • Google Sheets - read and write spreadsheet data
  • Stripe - manage payments, subscriptions, and transaction data
  • Shopify - manage your store, products, and orders

6.2 What We Access

We only request the specific permissions (OAuth scopes) needed to perform the tasks you ask for. When you connect a service, the provider (e.g., Google) shows you exactly what permissions you are granting before you authorize.

We access data from your connected services only to fulfill your instructions within the platform. We do not scan, mine, or analyze your connected data for advertising, profiling, or any unrelated purpose.

6.3 Token Storage and Security

Your OAuth tokens are encrypted at rest using AES-256-GCM encryption before being stored in our database. The encryption key is managed as an environment secret and is never stored alongside the tokens. Tokens are decrypted only at the moment they are needed to make an API call on your behalf.

6.4 Revoking Access

You can disconnect any service at any time. When you disconnect:

  • We immediately delete the stored OAuth tokens for that service
  • We can no longer access your data on that service
  • You can also revoke access directly from the provider (e.g., Google Account Permissions)

6.5 Google API Services - Limited Use Disclosure

naffe.ai's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically, we:

  • Only use Google user data to provide and improve the user-facing features you interact with
  • Do not transfer Google user data to third parties except as necessary to provide the Service, comply with law, or as part of a merger/acquisition with adequate protections
  • Do not use Google user data for serving advertisements
  • Do not allow humans to read Google user data unless you give affirmative consent, it is needed for security or legal purposes, or it is aggregated and anonymized for internal operations

7. AI Processing

naffe.ai uses Claude, an AI model developed by Anthropic, to generate and edit software based on your instructions.

  • Your prompt text is sent to the Anthropic API for processing
  • Relevant context about your project may be included
  • Under our agreement with Anthropic, API inputs and outputs are not used to train their models

Please avoid including sensitive personal data (such as national ID numbers, health information, or financial account numbers) in your prompts, as they are transmitted to a third-party AI provider.

8. Data Storage and Security

  • AES-256-GCM encryption for all stored OAuth tokens
  • HTTPS/TLS for all data in transit
  • Row-level security policies on our database
  • Environment-based secret management for encryption keys and API keys
  • Rate limiting on all API endpoints
  • No user-facing API keys - all third-party calls are proxied through our backend
  • Authentication managed through Supabase Auth with secure session handling

9. Third-Party Processors

Provider    Purpose                                               Location
Supabase    Database, authentication                              EU (AWS)
Vercel      Application hosting                                   Global (US-based)
Anthropic   AI processing (Claude API)                            United States
Stripe      Payment processing                                    United States
Google      Connected services (Calendar, Gmail, Drive, Sheets)   Global
Shopify     Connected service (e-commerce)                        Global (Canada-based)

All processors are contractually obligated to protect your data in accordance with applicable law.

10. Data Retention

  • Account data - retained while your account is active, deleted within 30 days of account deletion
  • Generated projects - retained while your account is active
  • OAuth tokens - deleted immediately when you disconnect a service or delete your account
  • Prompts and edit history - retained while your account is active for project continuity
  • Billing records - retained for up to 5 years as required by Danish accounting law
  • Server logs - retained for up to 90 days for debugging and security

11. International Data Transfers

Some of our processors are located outside the European Economic Area (EEA), particularly in the United States. When your data is transferred outside the EEA, we ensure appropriate safeguards are in place, including:

  • EU-US Data Privacy Framework certification of the recipient
  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions by the European Commission, where applicable

12. Your Rights

EU Users (GDPR)

  • Access - request a copy of the personal data we hold about you
  • Rectification - request correction of inaccurate data
  • Erasure - request deletion of your data ("right to be forgotten")
  • Restrict processing - request that we limit how we use your data
  • Data portability - receive your data in a structured, machine-readable format
  • Object - object to processing based on legitimate interests
  • Withdraw consent - withdraw consent at any time (e.g., disconnect OAuth services)

If we have not adequately addressed your concerns, you have the right to lodge a complaint with the Danish Data Protection Agency (Datatilsynet).

US and California Users (CCPA/CPRA)

  • Know what personal information we collect and how it is used
  • Access and request deletion of your personal information
  • Request correction of inaccurate information
  • Opt out of sale or sharing (not applicable - we do not sell or share data)
  • Not be discriminated against for exercising your rights

13. Cookies

We use essential cookies strictly necessary for the Service to function, including session cookies for authentication. These do not require consent under the GDPR.

We do not use advertising cookies or tracking pixels. We do not use your data for targeted advertising.

14. Children's Privacy

The Service is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us at privacy@naffe.ai and we will promptly delete it.

15. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or by posting a notice on the Service. The "Last updated" date at the top indicates the most recent revision.

16. Contact Us

For questions, concerns, or requests regarding this Privacy Policy or your data:

We will respond to all data subject requests within 30 days, as required by the GDPR.