Privacy Policy

OpenCloudBot ("we", "us", or the "Service") is a personal, non-commercial AI chat project created for technical demonstration, parody, and satire. This Privacy Policy explains what information is involved when you use the Service and how it is handled. We have designed the Service to collect as little personal information as reasonably possible.

This policy is written with the EU General Data Protection Regulation (GDPR), the UK GDPR, and the EU ePrivacy ("cookie") rules in mind, and applies to visitors in the European Economic Area (EEA) and the United Kingdom as well as everyone else.

1. Who We Are (Data Controller)

OpenCloudBot is operated by an individual as a personal, non-profit hobby project (the "operator"). For the purposes of the GDPR, the operator is the data controller for the limited processing described here. You can contact the operator at [email protected] or through the "Contact Us" link on our homepage.

2. Accounts Are Optional

You can use the core of OpenCloudBot without registering, signing in, or providing a name, email address, or any other identifying information. We do not maintain marketing lists.

If you choose to create an account, we deliberately collect as little as possible. We ask only for a username and a password — no email address and no other personal details. See section 2a for exactly what is stored.

2a. Account Data (If You Register)

When you create an account, we store the following in a Cloudflare D1 database:

• Your username — the only identifier you give us. Pick one that does not reveal your real identity if you prefer to stay anonymous.
• A one-way hash of your password (PBKDF2-SHA-256) plus a random per-account salt. We never store your actual password and cannot recover it.
• Hashes of 4 one-time recovery codes. Because we do not collect an email address, these codes are the only way to reset a forgotten password. They are shown to you once at sign-up for you to save; we store only their hashes.
• A session identifier, so you can stay logged in (see section 3).
• An avatar choice — just the name of one of our preset, self-hosted graphics. You cannot upload your own image, so no picture or file is collected.
• An account creation timestamp.

You can permanently delete your account and all of the above — including any blog comments (see section 4a) — at any time from your account; deletion is immediate and irreversible (see section 9).

4a. Comments on the Blog

If you are signed in, you may post a text comment on a blog post (one per post). When you do, we store the comment text, a link to your account, and a timestamp in our database. Comments are public: your chosen username and avatar are shown next to them to anyone who reads that post, so please do not include personal or sensitive information in a comment.

Comments are screened automatically by simple server-side rules (length, links, and obvious spam patterns) before they are stored; this is done on our own infrastructure, with no third-party service. You can remove your comments at any time by deleting your account, which erases them along with the rest of your data.

3. Information Stored in Your Browser & Cookies

Your chat history, language preference, and theme preference are stored locally in your own browser (using your browser's local storage). This data stays on your device. It is not transmitted to or saved on our servers, and we cannot read it. You can delete it at any time by clearing your browser data or your conversation history within the app.

We do not use cookies for advertising, analytics, or cross-site tracking, and we set no tracking cookies. The local storage described above is strictly necessary to provide the features you have actively requested (remembering your conversation and settings), so under the EU ePrivacy rules it does not require a consent banner. We also do not embed third-party fonts, icons, or scripts from external content delivery networks — these resources are served directly from our own site, so your browsing does not expose your IP address to those third parties. (The one deliberate exception, the Cloudflare Turnstile anti-bot check, is described in section 13.)

If you log in, we set a single strictly necessary session cookie (ocb_session). It holds a random session identifier — no personal data — and lets you stay signed in. It is marked HttpOnly, Secure, and SameSite=Lax, and is not used for tracking. It is removed when you log out, and under the EU ePrivacy rules this kind of authentication cookie does not require a consent banner.

4. Information We Process When You Chat

When you send a message (including any text or files you attach), that content is transmitted to our hosting backend and forwarded to Cloudflare Workers AI in order to generate a response. To keep the conversation coherent, the relevant history of the current chat is sent along with each new message. We do not store this content on our own servers, we do not use it to build advertising profiles, and we do not sell it.

Please do not enter passwords, financial details, health information, or other sensitive or personal information — whether your own or someone else's — into the chat.

5. Technical and Log Data

Like most websites, our hosting provider (Cloudflare) may automatically process limited technical information needed to deliver and secure the Service — for example, your IP address, browser type, and request timestamps. This information is used only for operating, maintaining, and protecting the Service, and is not used to build a profile of you.

6. Legal Bases for Processing

Where the GDPR or UK GDPR applies, we rely on the following legal bases:

• Performance of a service you requested / our legitimate interests (Art. 6(1)(b) and 6(1)(f)) — to process your messages and generate AI responses, and to keep the Service running and secure.
• Legitimate interests (Art. 6(1)(f)) — to protect the Service against abuse, fraud, and technical faults.
• Consent (Art. 6(1)(a)) — where we ever ask for it; you can withdraw consent at any time.

7. Service Providers & International Transfers

The Service depends on Cloudflare for website hosting and for the AI model that generates responses. Cloudflare acts as our processor and may process your data (such as your IP address and message content) on servers located outside the EEA/UK, including in the United States. Such transfers are safeguarded by appropriate legal mechanisms, including the European Commission's Standard Contractual Clauses, as set out in Cloudflare's data processing terms. We do not control, and are not responsible for, Cloudflare's own independent privacy practices.

8. Data Retention

We do not keep your conversations on our servers. Your chat history remains in your browser's local storage until you delete it. Message content is processed by Cloudflare only transiently to generate a response. Technical log data is retained by our hosting provider for a limited period under its own policies.

9. Your Privacy Rights

If you are in the EEA or the UK, you have the right to access, rectify, erase, restrict, or object to the processing of your personal data, and the right to data portability. Because we do not store your conversations on our servers, your right to erasure over chat content is met by clearing your browser data or chat history at any time. If you created an account, you can exercise your right to erasure directly by deleting your account, which immediately and permanently removes your username, password hash, recovery-code hashes, and sessions from our database. For anything else, contact us at [email protected]. You also have the right to lodge a complaint with your local data protection supervisory authority.

10. Children's Privacy

The Service is not directed to children under the age of 13 (or the minimum age required in your country). We do not knowingly collect information from children.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date above. Your continued use of the Service after changes take effect means you accept the updated policy.

12. Contact

If you have any questions about this Privacy Policy or wish to exercise your rights, you can reach us at [email protected] or through the "Contact Us" link on our homepage.

13. Bot Protection (Cloudflare Turnstile)

On the sign-up, log-in, and account-recovery pages only, we use Cloudflare Turnstile to tell humans apart from automated abuse. This is the one deliberate exception to our "no third-party scripts" rule: to work, Turnstile loads a small script from challenges.cloudflare.com, so on those three pages your browser does contact a Cloudflare domain and Cloudflare receives your IP address and basic technical signals.

We chose Turnstile specifically because it is privacy-respecting: it is designed to work without tracking cookies, does not profile you across sites, and is not used for advertising. Cloudflare is already our hosting and AI processor (section 7), so no new company is introduced. Turnstile runs only on the three account pages — it is not present on the chat, blog, or other pages. We rely on our legitimate interest in protecting the Service from automated abuse (Art. 6(1)(f)) as the legal basis. For more, see Cloudflare's privacy documentation for Turnstile.