Privacy Policy
Last updated: April 2026
Beta service
FanChat is in beta. The service is provided for testing purposes. This privacy policy will be updated upon official launch.
Data collected
FanChat only collects data necessary for the service to function:
- -OAuth identity: name, email, profile picture (via Google)
- -Characters created: name, description, system prompt, settings, generated images
- -Conversations: messages exchanged with characters are stored in the database so you can find them (multi-sessions)
- -API keys: encrypted with AES-256 before storage (never readable in plain text)
- -Preferences: theme, preferred voice, favorites
- -Technical data: anonymous error logs for service stability
What we do not do with your data
- vYour conversations are never reused to train AI models
- vYour conversations are never analyzed, read, or exploited by FanChat
- vYour data is never sold, rented, or shared with third parties for commercial purposes
- vNo advertising profiling is performed
- vNo third-party tracking cookies are used
Your conversations exist solely for your personal use: to reread, export, or delete them.
API key storage and encryption
Your API keys are encrypted with AES-256-GCM before being stored in the MongoDB database. The encryption key is maintained in a server environment variable, never in the database.
Keys are only decrypted server-side when an LLM request is triggered, then immediately released from memory.
Files uploaded in chat
Files (images, PDFs, text documents) sent in chat are processed in memory on the server, scanned for security (malware detection), then sent to the LLM. They are never stored on disk or in the database. No trace of the files is kept after processing.
Data deletion
You can delete at any time:
- -Your conversations (individually or all)
- -Your characters
- -Your API keys
- -Your entire account (all associated data is permanently deleted)
Deletion is final and irreversible. You can also contact us by email for any deletion request.
Subprocessors
- VercelApplication hosting and deployment - Privacy policy
- MongoDB AtlasDatabase (accounts, characters, conversations, encrypted keys) - Privacy policy
- Amazon S3Character image storage only - Privacy policy
LLM providers (OpenAI, Anthropic, Google, etc.) are chosen and configured by the user. FanChat is not responsible for how these providers process your data.
Cookies
FanChat only uses strictly necessary cookies:
- access_token / refresh_token : secure JWT authentication (httpOnly), expire after 1h and 7 days respectively
- Preferences : theme (dark/light), stored in localStorage (not a cookie)
No advertising, analytics, or third-party tracking cookies are used.
GDPR rights
In accordance with the General Data Protection Regulation (GDPR), you have the following rights:
- vRight of access: obtain a copy of your personal data
- vRight of rectification: correct inaccurate information
- vRight to erasure: delete your account and all your data
- vRight to portability: export your conversations (JSON, Markdown, PDF)
- vRight to object: object to certain processing
To exercise these rights: wearefanchat@gmail.com. Response within 30 days.
Changes
This policy will be updated upon the release of the final version of FanChat. Significant changes will be notified to you. The last update date is indicated at the top of the page.