Last updated: 2026-03-23
Privacy Policy
1. Data controller
Chut, Belgium. Contact: contact@chut.app
2. Data we collect
Account data
When you register, we collect your email address and a hash of your password (argon2id). We never store your password in plaintext.
API usage data
We record the number of requests, characters processed, and entities detected per period. This data is aggregated and contains no personal data from your requests.
Anonymization data
No data is retained. Text and documents sent to the API are processed in memory and immediately discarded. Nothing is stored, logged, or shared with third parties.
3. Cookies
| Cookie | Type | Duration | Purpose |
|---|---|---|---|
pii_session | Essential | Session | Authentication (httpOnly, secure) |
lang | Functional | 1 year | Language preference |
cookie_consent | Essential | 1 year | Remember cookie consent |
We do not use any tracking, analytics, or advertising cookies. No third-party cookies.
4. Legal basis
- Performance of contract (Art. 6(1)(b) GDPR): processing account data to provide the service.
- Legitimate interest (Art. 6(1)(f) GDPR): aggregated usage statistics to maintain and improve the service.
5. Data transfers
No data transfers outside the European Union. All servers are located in Belgium. No use of AWS, Azure, GCP, or any other US cloud provider.
6. Retention periods
- Account data: retained until account deletion.
- Usage statistics: retained for 90 days.
- Anonymization data: not retained (in-memory processing only).
7. Your rights
Under the GDPR, you have the following rights:
- Access: obtain a copy of your personal data.
- Rectification: correct inaccurate data.
- Erasure: delete your account and associated data.
- Portability: receive your data in a structured format.
- Objection: object to processing based on legitimate interest.
- Complaint: lodge a complaint with your data protection authority.
To exercise these rights: contact@chut.app
8. Security
Passwords hashed with argon2id. All communications encrypted with TLS 1.3. API keys SHA-256 hashed server-side. 134 automated tests and 57 security tests per deployment.
9. Sub-processors
None. No third-party APIs. All processing is performed on our own servers in the EU.