TL;DR: Gotcha never stores the content of your prompts. We collect only the minimum data necessary to operate the service – anonymously, time-limited and exclusively on servers within the EU.
1. Data Controller
The data controller within the meaning of the General Data Protection Regulation (GDPR) for the Chrome extension Gotcha and this website is:
Gotcha
Gigingweg 56
8063, Eggersdorf bei Graz
Austria, Styria
Email: matthias@dornerlabs.com
(Full contact details: see Imprint.)
2. Overview of processed data
The table below gives a complete overview of all data processed in the operation of Gotcha:
| Data category | Example | Purpose | Storage location | Retention |
|---|---|---|---|---|
| Email address | user@example.com | Authentication (OTP login) | Supabase EU (Frankfurt) | Until account deletion |
| User ID (UUID) | 550e8400-e29b-41d4-… | User account, rate limiting | Supabase EU (Frankfurt) | Until account deletion |
| Usage timestamp | 2026-03-15T10:23:00Z | Rate limiting, monthly quota | Supabase EU (Frankfurt) | 30 days (auto-deleted) |
| Session tokens (access & refresh) | eyJ… | Browser authentication | chrome.storage.local (device) | Until logout / uninstall |
| Stripe customer ID | cus_NffrFeUfHPRMlG | Subscription management | Supabase EU (Frankfurt) | Until account deletion |
| Stripe subscription ID | sub_1NvDyn2eZvKYlo2C… | Subscription management | Supabase EU (Frankfurt) | Until account deletion |
| Prompt content | — | NOT stored | — | — |
| IP address | — | NOT stored | — | — |
3. Purposes and legal bases of processing
3.1 Performance of a contract (Art. 6(1)(b) GDPR)
Processing your email address, user ID and subscription data is necessary to provide the Gotcha service – including authentication, account management and subscription handling.
3.2 Legitimate interests (Art. 6(1)(f) GDPR)
Usage timestamps (user ID + UTC timestamp) are stored to prevent abuse and enforce fair usage limits (max. 5 requests/minute, max. 20 requests/month on the free tier). This data is automatically deleted after 30 days. The legitimate interest is the security and availability of the service.
3.3 Consent (Art. 6(1)(a) GDPR)
Where we obtain your consent (e.g. for optional communications), you may withdraw it at any time without affecting the lawfulness of processing carried out before the withdrawal.
4. Chrome Extension – permissions and local storage
4.1 Declared browser permissions
Gotcha requests only the following permissions:
-
storage – Stores your session token locally on your device
in
chrome.storage.local. This data does not leave your device except for authentication against our backend. - tabs – Allows the extension to read the active URL so the ✨ button is shown only on chatgpt.com and claude.ai. No browsing history is stored.
- Host permissions for chatgpt.com and claude.ai – Allows injection of the button into the input field of these two platforms only. No other websites are accessed.
4.2 Local data storage (chrome.storage.local)
Only the following is stored on your device:
- Session object containing access token, refresh token and email address
- Token expiry timestamp
This data is automatically deleted when the extension is uninstalled. You can delete it at any time by logging out via the extension popup or by uninstalling the extension.
Not stored: prompt content, browsing history, cookies, fingerprint data or any other personal information.
5. Prompt processing – privacy by design
When you click the ✨ button, your prompt text is transmitted to our Supabase Edge Function. Processing occurs exclusively in memory (in-memory). Prompt content is never stored in a database, logged or shared at any point.
To enhance your prompt, the text is forwarded to the Anthropic API (Claude Haiku). Your API key remains exclusively on our server – it is never visible in the extension or in your browser. Anthropic's privacy policy applies to the server-side processing.
No prompt training: We do not use your prompts to train AI models and do not share them with third parties – except for the single transmission to Anthropic for the purpose of enhancement at the moment of the request.
6. Authentication (passwordless OTP login)
Gotcha uses passwordless login via email (One-Time Password). You enter only your email address – we send you a 6-digit code. No password is set, stored or transmitted.
Authentication is handled by Supabase Auth, which creates
short-lived access tokens (~1 hour) and refresh tokens. Both are stored
exclusively in chrome.storage.local on your device.
7. Payment processing (Stripe)
For the Pro subscription (€4.90/month) we use Stripe, Inc. as payment processor. When you subscribe you are redirected to Stripe. Stripe processes your payment data under its own privacy policy. We receive from Stripe only the following information:
- Stripe customer ID (cus_…)
- Stripe subscription ID (sub_…)
- Subscription status (active, cancelled)
- End date of the current billing period
We never store credit card numbers, bank details or full payment information. Stripe is PCI-DSS Level 1 certified. Data processing by Stripe is governed by a data processing agreement under Art. 28 GDPR.
8. Third-party providers and data processors
| Provider | Purpose | Server location | Data protection |
|---|---|---|---|
| Supabase, Inc. | Database, authentication, edge functions | EU – Frankfurt (eu-central-1) | GDPR, SCCs |
| Anthropic, PBC | AI prompt processing (Claude Haiku) | USA | SCCs, Anthropic Privacy Policy |
| Stripe, Inc. | Payment processing | USA / EU | PCI-DSS, SCCs, GDPR |
Data processing agreements under Art. 28 GDPR are in place with all processors. For transfers to third countries (USA), EU Standard Contractual Clauses (SCCs) serve as the legal safeguard.
9. Data security
We implement the following technical and organisational measures:
- All data transfers are encrypted via HTTPS/TLS
- API keys are stored exclusively server-side as encrypted environment variables
- JWT tokens are verified for validity and expiry before every request
- Stripe webhooks are verified via HMAC-SHA256 signature
- Automatic data deletion after 30 days via a scheduled database job (pg_cron)
- Access to production data is restricted to authorised personnel
- No sensitive data is stored in the browser via cookies
10. Retention periods
- Usage timestamps (usage_log): automatically deleted after 30 days by a database job running daily at 03:00 UTC.
- Account data (email, user ID): until account deletion upon request or after permanent inactivity.
- Subscription data: for the duration of the subscription, then in accordance with statutory retention obligations (generally 7 years for tax records).
- Local session data: until logout or uninstallation of the extension.
11. Your rights under GDPR
You have the following rights regarding your personal data:
- Right of access (Art. 15 GDPR): What data we hold about you.
- Right to rectification (Art. 16 GDPR): Correction of inaccurate data.
- Right to erasure (Art. 17 GDPR): Complete deletion of your account and all associated data.
- Right to restriction of processing (Art. 18 GDPR): Limiting the use of your data.
- Right to data portability (Art. 20 GDPR): Receiving your data in machine-readable format.
- Right to object (Art. 21 GDPR): Objecting to processing based on legitimate interests.
- Right to withdraw consent (Art. 7(3) GDPR): At any time without stating reasons, with effect for the future.
To exercise your rights, contact us by email at: privacy@example.com. We will respond within 30 days.
You also have the right to lodge a complaint with a data protection supervisory authority. The competent authority depends on your place of residence within the EU.
12. Cookies
Gotcha uses no cookies – neither first-party nor third-party.
Authentication relies entirely on chrome.storage.local, which is
accessible only to the extension itself and is not shared with websites.
13. Minors
Gotcha is not directed at persons under 16 years of age. We do not knowingly collect data from minors. If you are a parent or guardian and discover that a child under 16 has created an account, please contact us for deletion.
14. Changes to this Privacy Policy
We reserve the right to update this Privacy Policy when material changes to the service or applicable law occur. Registered users will be notified of material changes by email. The date of the last update is shown at the top of this page.
15. Contact
For questions about data protection or to exercise your rights:
Contact Details are the same as above.