← Back to Puffin AI

Privacy Policy

Effective: April 4, 2026 · Last updated: April 4, 2026

1. Data Controller & Contact Information

Puffin AI is operated by Puffin Technologies, registered in India. For questions about this privacy policy or your personal data, contact us at: contact@puffintech.io

2. What Data We Collect

We practice data minimization — we only collect data that is strictly necessary for the service to function.

Account Data (registered users only)

Email address, display name, and a securely hashed password. Collected when you voluntarily create an account. We also store a timestamp of when you gave consent.

Chat Messages

The questions you ask and the AI-generated responses. Stored to provide conversation history. You can delete your conversations at any time from the chat sidebar.

Authentication Tokens (sessionStorage)

A JSON Web Token (JWT) is stored in your browser's local storage to maintain your login session. This is not a tracking cookie — it is purely for authentication. This disclosure is made pursuant to the EU ePrivacy Directive (2002/58/EC) Art. 5.3, which covers "similar technologies" to cookies including localStorage.

✅ What We Do NOT Collect

  • IP addresses (not stored at the application level)
  • Browser fingerprints or user agents
  • Cookies or tracking pixels
  • Location data
  • Usage analytics or behavioral tracking

3. Purpose of Data Collection

DataPurposeLegal Basis
Email & PasswordAccount authenticationConsent (voluntary registration)
Display NamePersonalization in the UIConsent (voluntary registration)
Chat MessagesGenerating AI responses & conversation historyConsent (you actively submit queries)

4. How Your Data Is Processed

  • Chat messages are sent to Google Gemini 3.1 Flash Lite API (Google Cloud, United States) to generate AI responses. Google does not use Gemini API customer data to train its models when using the paid API tier.
  • Your data is stored in a PostgreSQL database hosted on Google Cloud Platform (GCP) in the United States. GCP provides encryption at rest by default using AES-256.
  • All data in transit is encrypted using HTTPS/TLS 1.3. All data at rest is encrypted using AES-256 via Google Cloud's default encryption.
  • Puffin AI does not use your conversations to train, fine-tune, or improve any AI models.

Sub-Processors (GDPR Art. 28)

ProviderPurposeLocation
Google Cloud PlatformDatabase hosting, compute (Cloud Run)United States
Google Gemini APIAI response generationUnited States

5. Data Retention

  • Account data is retained while your account is active. It is permanently deleted upon account deletion.
  • Chat messages are retained while your account is active. You can delete individual conversations at any time. All messages are deleted upon account deletion.
  • Anonymous (non-logged-in) chats are retained for 90 days and then automatically purged by our daily cleanup process.
  • Security intelligence data (vulnerability records, threat indicators, advisories) is not personal data and is retained indefinitely to maintain the knowledge base.

6. Your Rights

Under the India Digital Personal Data Protection Act (DPDP Act, 2023), the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable data protection laws, you have the following rights:

Right to Access: Request a copy of all personal data we hold about you. Use the GET /api/auth/export endpoint or email us.
Right to Correction: Update your profile information directly in the app or request corrections via email.
Right to Erasure: Delete your entire account and all associated data permanently. You can also delete individual conversations from the chat sidebar.
Right to Data Portability: Export all your data in JSON format via the GET /api/auth/export endpoint.
Right to Withdraw Consent: You may stop using the service at any time and request deletion of your account and all associated data.

To exercise any of these rights, email contact@puffintech.io. We will respond within 30 days.

7. Cross-Border Data Transfers

Your data is processed and stored in the United States via Google Cloud Platform. For transfers from the EU/EEA, we rely on:

  • Google Cloud's Data Processing Addendum (DPA) which incorporates EU Standard Contractual Clauses (SCCs)
  • Google's participation in the EU-US Data Privacy Framework (DPF)

For transfers from India, we comply with DPDP Act §16 and will update this policy when the Indian government publishes its list of approved transfer destinations.

8. US State Privacy Laws

Puffin Technologies does not sell, rent, or trade your personal information to third parties. We do not share your personal data for cross-context behavioral advertising.

This section applies to residents of US states with comprehensive privacy laws, including but not limited to:

  • California — CCPA/CPRA §1798.120, §1798.135
  • Virginia — VCDPA §59.1-578
  • Colorado — CPA §6-1-1306
  • Connecticut — CTDPA §42-520
  • Utah — UCPA §13-61-302
  • Texas — TDPSA §541.101
  • Oregon, Montana, and others as enacted

Under these laws, you have the right to: access your data, delete your data, opt out of the sale of personal information (we do not sell data), and non-discrimination for exercising your rights. Use the sidebar export/delete buttons or email us to exercise these rights.

9. Grievance Redressal

If you have a complaint about how your data is handled, contact us at contact@puffintech.io. If your complaint is not resolved satisfactorily, you may escalate it to:

  • India: The Data Protection Board of India
  • EU: Your local Data Protection Authority (DPA)
  • UK: The Information Commissioner's Office (ICO) — ico.org.uk
  • US: The Federal Trade Commission (FTC) or your state Attorney General

10. Infrastructure Logs

Our hosting provider (Google Cloud Platform) automatically collects standard server access logs (IP address, timestamps, HTTP request details) as part of its infrastructure operations. These logs are managed by Google Cloud under their Data Processing Addendum and are not processed or stored by Puffin AI's application.

11. Children & Age Restriction

Puffin AI is not intended for use by individuals under the age of 18. We enforce this through an age confirmation checkbox during registration.

We do not knowingly collect personal data from children. In compliance with India DPDP Act §9 (parental consent for minors), US COPPA (Children 's Online Privacy Protection Act for under-13), and GDPR Art. 8 (conditions for child's consent):

  • If we discover a user is under 18, we will delete their account and all associated data immediately.
  • If you believe a child has provided us with personal data, contact us immediately at contact@puffintech.io.

12. Data Breach Notification

In the event of a personal data breach that risks the rights and freedoms of our users, we commit to the following notification timelines:

JurisdictionAuthorityTimeline
EU / UKRelevant DPA / ICOWithin 72 hours (GDPR Art. 33)
IndiaData Protection Board + affected usersWithout unreasonable delay (DPDP §8)
CaliforniaAttorney General (if >500 residents)Expeditiously (CCPA §1798.150)
Other US statesState AG + affected usersPer applicable state law

Affected individuals will be notified via email with details of: the nature of the breach, data affected, steps taken, and recommended protective measures.

13. Security Practices

In compliance with the Information Technology Act 2000 §43A and the Sensitive Personal Data or Information (SPDI) Rules 2011, Rule 8, we implement the following reasonable security practices:

  • Passwords hashed with BCrypt (never stored in plaintext)
  • All data transmitted over HTTPS/TLS
  • JWT secrets managed via Google Secret Manager in production
  • Database connections encrypted (PostgreSQL SSL)
  • Application hosted on Google Cloud Run with automatic security patching
  • No sensitive data logged at the application level

14. Changes to This Policy

We may update this privacy policy from time to time. Material changes will be communicated through the Puffin AI interface. The "Last updated" date at the top of this page reflects the most recent revision.

This policy complies with the India Digital Personal Data Protection Act (DPDP Act, 2023), the Information Technology Act 2000 & SPDI Rules 2011, the EU General Data Protection Regulation (GDPR), the UK GDPR (Data Protection Act 2018), the California Consumer Privacy Act (CCPA/CPRA), and applicable US state privacy laws.

यह नीति हिंदी में अनुरोध पर उपलब्ध है — कृपया contact@puffintech.io पर संपर्क करें।

Terms of Service · AI Transparency · Back to Puffin AI