Privacy Policy
Effective date: June 5, 2026
Last updated: June 5, 2026
This Privacy Policy explains how Senka Solutions LLC (“shin,” “we,” “us,” or “our”), a Wyoming limited liability company with a principal place of business at 1021 E Lincolnway, 7845, Cheyenne, WY 82001, Laramie, US, collects, uses, shares, and protects personal data when you use shin.chat (the “Service”).
This Policy applies to the shin.chat web application and related services we operate. It does not apply to third-party websites or services we do not control.
For the rules governing your use of the Service, see our Terms of Service. For cookies and similar technologies, see our Cookie Policy. For the third parties that process data on our behalf, see our Subprocessors list.
Table of Contents
- Who We Are and Our Role
- Scope and Early Access
- Personal Data We Collect
- How We Use Personal Data
- Legal Bases for Processing (EEA/UK)
- How We Share Personal Data
- AI Processing and Third-Party Models
- Data Retention
- Security
- International Data Transfers
- Your Privacy Rights
- California Privacy Rights (CCPA/CPRA)
- Children’s Privacy
- Automated Decision-Making
- Changes to This Policy
- Contact Us
1. Who We Are and Our Role
For the purposes of applicable data protection law, Senka Solutions LLC is the data controller for personal data processed through the Service, except where we process data solely on your instructions as a processor (which is not the typical relationship for individual beta users).
Contact:
- Privacy: privacy@shin.chat
- Support: support@shin.chat
- Postal: 1021 E Lincolnway, 7845, Cheyenne, WY 82001, Laramie, US
2. Scope and Early Access
shin.chat is currently in early-access beta. Access is invite-only. We do not offer self-service public registration at this time.
During the beta:
- The Service is free. We do not collect payment card numbers or billing addresses through the Service.
- We may change features, data practices, or retention as the product evolves. We will update this Policy when material changes occur.
If you joined our waitlist before receiving access, your email may have been collected through a separate landing-page or email-list flow. That collection is governed by the notice provided at signup.
3. Personal Data We Collect
We collect personal data in the following categories.
3.1 Account and identity data
| Data | Source | Purpose |
|---|---|---|
| Email address | You (login), or we (early-access provisioning) | Authentication, account identification, support, transactional email |
| Internal user ID (UUID) | Generated at account creation | Ties your data to your account across our systems |
| Account creation date | System metadata | Display in settings, support |
We do not currently collect your name, phone number, postal address, or profile photo through the Service UI. If a display name exists in authentication metadata (for example, from a welcome email), it is minimal and optional.
3.2 User-generated content
This is the core data you provide to use the Service:
- Chat messages — text you send and AI responses, including structured message parts (such as tool calls and retrieval results shown to the model).
- Conversations — titles, summaries, status (active/closed), and timestamps.
- Workspaces — names and color labels you assign to organize content.
- Notes — titles, body text, and highlighted quotes from conversations.
- Uploaded documents — original files (PDF, DOCX, Markdown, plain text), filenames, MIME types, sizes, and parsed text chunks derived from those files.
- Search queries — text you enter when searching your archive or when retrieval runs during chat.
All of the above is stored in our database and, for uploaded files, in private object storage. Content is scoped to your account and, for retrieval features, to the workspace you are using.
3.3 AI-derived data
To power retrieval and organization features, we generate and store:
- Conversation titles and summaries produced by AI from your messages.
- Extracted decisions — machine-generated distillations of concrete decisions from conversations, including source quotes linking back to messages.
- Entities and mentions — people, projects, concepts, tools, dates, and related excerpt snippets identified by AI.
- Embeddings — numerical vector representations of summaries, decisions, entities, notes, document chunks, and search queries, used for semantic similarity search.
- Full-text search indexes derived from message text and other content.
These artifacts are generated automatically. You cannot edit extracted decision text through the Service. They may be regenerated as conversations change.
3.4 Usage and metering data
We record usage events for AI calls, including:
- provider (Anthropic, Google, OpenAI);
- model name or tier;
- token counts (input, output, cache read/write where applicable);
- computed internal cost in micro-dollars;
- associated conversation or message identifiers.
This data supports fair-use metering during the free beta. The usage ledger does not include the full text of your messages.
3.5 Technical, diagnostic, and security data
When you use the Service, we and our subprocessors may automatically collect:
- Device and browser information (user agent, browser type, operating system);
- IP address and approximate location derived from IP;
- Request logs from our hosting provider (URLs, timestamps, status codes);
- Error reports and performance traces, including stack traces and session context;
- Session replay data on a sampled basis when errors occur or for a small fraction of sessions (see Cookie Policy).
We use this data to operate, secure, debug, and improve the Service.
3.6 Cookies and local storage
We use strictly necessary authentication cookies, a preference cookie for onboarding, and browser IndexedDB storage to cache conversations locally for performance. Details are in our Cookie Policy.
3.7 Communications
If we email you (welcome message, early-access invite, support responses), we process your email address and the content of those communications.
Login magic links are sent through our authentication provider’s email infrastructure (Supabase Auth), separate from our product email sender (Resend).
3.8 Data we do not collect
Through the Service today, we do not intentionally collect:
- payment card or bank account information;
- government ID numbers;
- precise GPS location;
- contacts from your device;
- advertising identifiers for cross-site tracking.
We do not sell your personal data. We do not use your content to train third-party foundation models through our commercial API agreements (see Section 7).
4. How We Use Personal Data
We use personal data to:
| Purpose | Examples |
|---|---|
| Provide the Service | Authenticate you, store and display your conversations, run chat, search your archive, surface related conversations, process document uploads |
| Generate AI features | Summaries, titles, decision extraction, entity extraction, embeddings, semantic search |
| Enforce usage limits | Track metered AI usage against the free-tier ceiling |
| Secure the Service | Detect abuse, investigate errors, prevent fraud |
| Communicate with you | Magic-link login, welcome and invite emails, support responses |
| Comply with law | Respond to lawful requests, enforce our Terms |
| Improve the Service | Debug failures, understand performance (not to train third-party models on your content) |
We do not use your chat content for third-party model training under our current commercial API arrangements.
5. Legal Bases for Processing (EEA/UK)
If you are in the European Economic Area or the United Kingdom, we rely on the following legal bases:
| Processing | Legal basis |
|---|---|
| Providing the Service you request (account, chat, storage, retrieval) | Performance of a contract (Art. 6(1)(b) GDPR) |
| Security, abuse prevention, error monitoring | Legitimate interests (Art. 6(1)(f) GDPR) — balanced against your rights |
| AI-derived indexing (summaries, decisions, embeddings) necessary to deliver retrieval features | Performance of a contract and/or legitimate interests |
| Compliance with legal obligations | Legal obligation (Art. 6(1)(c) GDPR) |
| Optional communications where consent is required by law | Consent (Art. 6(1)(a) GDPR), withdrawable at any time |
You may object to processing based on legitimate interests as described in Section 11.
6. How We Share Personal Data
We share personal data with subprocessors — service providers that process data on our behalf under contractual safeguards. Our current list is maintained in Subprocessors.
Categories of recipients include:
- Infrastructure and database — hosting, Postgres database, authentication, file storage, realtime updates;
- AI inference providers — chat, summarization, extraction, and embeddings;
- Background job platform — orchestrates deferred processing tasks;
- Email delivery — transactional product email;
- Error monitoring — crash reporting and session replay.
We may also share data:
- With professional advisers (lawyers, accountants) under confidentiality obligations;
- In connection with a business transaction (merger, acquisition, asset sale), subject to notice where required by law;
- To comply with law — if we believe disclosure is required by subpoena, court order, or other legal process, or to protect rights, safety, and security;
- With your direction — if you explicitly ask us to share information.
We do not sell personal data. We do not share personal data with third parties for their independent advertising purposes.
7. AI Processing and Third-Party Models
shin.chat routes your content to third-party AI providers to deliver the Service. This section describes what is sent where and when.
7.1 Anthropic (chat)
When: Each time you send a message in chat.
What is sent: Your conversation history (user and assistant messages), system instructions, and — when the retrieval tool runs — excerpts from your workspace archive (conversation summaries, decisions, notes, document chunks) returned by search.
What is not sent: We do not send your data to Anthropic for the purpose of training their models. Under Anthropic’s commercial API terms, customer content submitted through the API is not used to train models by default.
7.2 Google Gemini (background text generation)
When: After conversations idle, on note save, and during other background tasks.
What is sent: Conversation transcripts or excerpts for generating titles, summaries, extracted decisions, and entities; note text for entity extraction on notes.
7.3 OpenAI (embeddings only)
When: During semantic search, note reindexing, conversation embedding, decision embedding, entity embedding, and document ingestion.
What is sent: Text snippets to be converted into embedding vectors — including search queries, summaries, user messages (for conversation embeddings), decision strings, entity labels, note text, and document chunks. OpenAI is not used for chat completions in the Service.
Under OpenAI’s API data usage policies for API customers, API data is not used to train models by default unless you opt into separate programs (which we have not).
7.4 Trigger.dev (job orchestration)
When: Background tasks are queued (title generation, summarization, decision extraction, document ingestion, etc.).
What is sent: Task identifiers (conversation ID, note ID, document ID). Workers then read full content from our database using privileged credentials and forward text to the AI providers above. Job logs may contain IDs and error messages.
7.5 No training on your content
We do not use your content to train third-party foundation models through our commercial API integrations. We do not offer an in-app opt-in to model training. We do not send your chats to providers for training purposes.
If we ever introduce optional feedback or research programs that could use content for improvement, we will provide separate, explicit notice and consent where required.
7.6 Workspace isolation
Retrieval and search are scoped to the workspace you are in. We do not expose one user’s content to another user. Cross-workspace sharing within your account is limited to documents you explicitly attach to multiple workspaces; conversations, notes, and decisions remain in a single workspace.
8. Data Retention
8.1 General rule
We retain personal data for as long as your account is active and as needed to provide the Service, unless you delete specific content or request account deletion.
We do not currently apply automatic time-based deletion to conversations, messages, notes, documents, or AI-derived artifacts.
8.2 Deletion you can perform in the Service
You can delete:
- Workspaces (if you have more than one) — cascades to conversations, messages, decisions, notes, and workspace links to documents;
- Documents — removes the file from storage and all parsed chunks;
- Notes and highlights — individually or by deleting the note;
- Document–workspace attachments — without deleting the underlying document.
The Service does not currently offer a dedicated “delete conversation” control or a self-service “export all my data” feature.
8.3 Account deletion
To delete your entire account, email support@shin.chat with the subject “delete my shin.chat account.” During the beta, we process deletion manually and aim to complete it within 48 hours after verifying your request.
When your account is deleted, data tied to your user ID is removed from our production database through cascading deletion, including workspaces, conversations, messages, decisions, entities, notes, documents, chunks, embeddings, and usage events.
8.4 Subprocessor retention
AI providers may retain API inputs and outputs for a limited period under their commercial terms (for trust and safety and abuse monitoring). Typical API log retention is on the order of days, not indefinite. We do not control their internal retention schedules; see their privacy documentation for details.
Error monitoring (Sentry) retains event data according to our Sentry project configuration.
8.5 Legal retention
We may retain limited information where required by law, to resolve disputes, enforce agreements, or protect security — and only for as long as necessary for those purposes.
8.6 Local device data
Cached data in your browser (IndexedDB) persists until you clear site data or remove the browser profile. Clearing cookies alone may not remove IndexedDB. See our Cookie Policy.
9. Security
We implement technical and organizational measures designed to protect personal data, including:
- Encryption in transit (HTTPS/TLS) for data between your browser and our servers;
- Row-level security in our database so authenticated users can access only their own rows;
- Workspace scoping on retrieval queries so search does not leak across workspaces or users;
- Private object storage for uploaded documents, with access paths tied to your user ID;
- Session management via HTTP-only authentication cookies with refresh-token rotation;
- Access controls limiting production database access to authorized personnel and background workers;
- Invite-only access during beta to reduce unauthorized signups.
No method of transmission or storage is 100% secure. We cannot guarantee absolute security. If you believe your account has been compromised, contact support@shin.chat promptly.
10. International Data Transfers
shin is based in the United States. If you access the Service from outside the United States, your personal data may be transferred to, stored in, and processed in the United States and other countries where our subprocessors operate.
Those countries may have data protection laws that differ from those in your jurisdiction. Where required, we rely on appropriate safeguards for international transfers, such as the EU Standard Contractual Clauses or UK International Data Transfer Addendum, incorporated into agreements with subprocessors that process EEA/UK personal data.
Contact privacy@shin.chat for more information about transfer safeguards.
11. Your Privacy Rights
Depending on where you live, you may have rights regarding your personal data.
11.1 General rights
Subject to applicable law and exceptions, you may have the right to:
- Access — request confirmation of whether we process your data and receive a copy;
- Rectification — request correction of inaccurate data;
- Erasure — request deletion of your data;
- Restriction — request that we limit processing in certain circumstances;
- Portability — request a copy of data you provided in a structured, machine-readable format where technically feasible;
- Object — object to processing based on legitimate interests;
- Withdraw consent — where processing is based on consent.
11.2 How to exercise your rights
Email privacy@shin.chat or support@shin.chat. We may need to verify your identity before fulfilling a request. We will respond within the timeframe required by applicable law (for example, 30 days under GDPR, with possible extension for complex requests).
11.3 Complaints
If you are in the EEA or UK, you may lodge a complaint with your local data protection authority. We encourage you to contact us first so we can address your concern.
12. California Privacy Rights (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the CPRA, provides additional rights.
12.1 Categories collected (last 12 months)
In the preceding 12 months, we have collected the following categories of personal information for business purposes:
| Category | Examples in our Service |
|---|---|
| Identifiers | Email, internal user ID, IP address |
| Customer records | Email (account identifier) |
| Internet/network activity | Usage logs, error data, session replay (sampled) |
| Inferences | AI-derived summaries, decisions, entities, embeddings |
| Sensitive personal information | We do not intentionally collect SSN, precise geolocation, or health data categories |
12.2 Sale and sharing
We do not sell personal information.
We do not share personal information for cross-context behavioral advertising.
We do not treat your exercise of privacy rights as a basis for discrimination.
12.3 Your California rights
You may request:
- To know what personal information we collect, use, disclose, and retain;
- To delete personal information we hold about you;
- To correct inaccurate personal information.
Submit requests to privacy@shin.chat. We will verify your request as required by law.
12.4 Authorized agents
You may designate an authorized agent to submit a request on your behalf. We may require proof of authorization and direct verification from you.
13. Children’s Privacy
The Service is not intended for anyone under 18. We do not knowingly collect personal data from children. If you believe a person under 18 has provided us personal data, contact privacy@shin.chat and we will take steps to delete it.
14. Automated Decision-Making
The Service uses automated processing to generate AI responses, summaries, decisions, entities, and search rankings. These outputs inform what you see in the app but do not produce legal or similarly significant effects on you in the sense of GDPR Article 22. You are not subject to shin.chat automated decisions that determine eligibility for employment, credit, housing, or essential services.
AI outputs may be inaccurate. You should review them before relying on them.
15. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will post the updated Policy and revise the “Last updated” date. Where required by law, we will provide additional notice (for example, by email or in-app message). Continued use after the effective date constitutes acceptance of the updated Policy.
16. Contact Us
Senka Solutions LLC
1021 E Lincolnway, 7845, Cheyenne, WY 82001, Laramie, US
| Purpose | Contact |
|---|---|
| Privacy requests | privacy@shin.chat |
| Support & account deletion | support@shin.chat |
| General product email | hi@shin.chat |