SayCraft

SayCraft Privacy Policy

Last updated: 2026-06-05

SayCraft ("the Service") is a live-conversation-to-web-app tool operated at https://saycraft.ai by an independent individual developer based in Hong Kong ("SayCraft", "we", "us", "our"). This Privacy Policy explains what personal information we collect when you use the Service, why we collect it, who we share it with, and the choices you have. By creating an account or using the Service you accept the practices described here. If you do not agree, please do not use the Service. Questions can be sent to hzh981125@gmail.com.

1. Introduction & Who We Are

SayCraft is operated by an individual independent developer based in Hong Kong SAR, not by an incorporated company. For the purposes of data protection law, that individual is the data controller responsible for your personal information.

This policy is written to be transparent at a high standard, but your specific legal rights depend on where you live (see Section 11). For any privacy request or question, contact hzh981125@gmail.com — this is the fastest way to reach the person who actually runs the Service.

The "Last updated" date appears at the top of this page. We may update this policy over time; see Section 15 for how changes are handled.

2. Scope & What This Covers

This policy covers the SayCraft website, the in-browser web application, and the SayCraft API at saycraft.ai (together, the "Service"). It does not cover third-party websites, the generated web apps once you take them off our platform, or the independent privacy practices of the sub-processors listed in Section 7, each of which has its own policy.

SayCraft is a consumer product for general audiences. It is not designed for, and should not be used to process, large volumes of other people's sensitive personal data (see Section 5 for an important warning about what you put into a meeting).

3. Information We Collect

We collect only what the Service needs to function, bill you, and stay secure:

  • Account information: your email, name, and avatar, provided when you sign up through our authentication provider, Clerk.
  • Billing references: all payments run through Stripe. We store the Stripe identifiers needed to manage your billing (such as your customer ID and, for subscriptions, your subscription ID). We never receive, see, or store your card number, expiry, or CVV — that data stays with Stripe.
  • Conversation content: when you run a meeting, your speech is converted to text and stored as meeting transcripts. The Service also stores the generated source code, file changes, and replays produced from that conversation.
  • Usage & technical data: AI token and credit usage, per-meeting cost tracking, session events, and server logs used to operate, debug, and audit the Service.
  • Cookies & local storage: to keep you signed in and remember your preferences (theme, font, and language). See Section 12.

4. How We Use Your Information

We use the information above to: deliver the Service (transcribe your conversation, run the AI coordinator and coder, host the generated app, and produce previews and replays); process subscriptions, credits, and billing; monitor performance, troubleshoot problems, and audit security; and send essential service messages such as invoices and important change notices.

We do not use your meeting transcripts or generated code to train our own AI models, and we do not sell your personal information. We do not use your personal information for cross-context behavioural advertising.

We do not control whether the third-party AI providers in Section 5 use data sent to them for their own model training; that is governed by their terms. To limit exposure, follow the warning in Section 5.

5. AI Processing & Third-Party Model Providers

SayCraft is AI-powered. To generate responses and build your app, your meeting content is transmitted to third-party AI model providers. Specifically, full meeting transcripts and the generated source code and diffs are sent to the AI model you select (DashScope for the coordinator, and a configured model backend such as DeepSeek or Kimi for the in-sandbox coder). Your raw speech audio is streamed live to Tencent Cloud ASR over a secured connection for speech-to-text.

Please do not speak or input sensitive personal data, passwords, API keys, secrets, financial or health details, or confidential third-party information you are not authorised to share. Once content is sent to a third-party model provider, its handling is also governed by that provider's terms, and we cannot recall it.

AI output may be inaccurate, incomplete, or outdated, and generated code may contain errors or security flaws. You are responsible for reviewing and verifying any output or code before relying on it. This is a privacy notice; the full terms governing AI output are in our Terms of Service.

6. Legal Bases for Processing

Where data protection law (such as the EU/UK GDPR) requires a legal basis, we rely on: performance of our contract with you (to provide accounts, meetings, and billing); our legitimate interests (to secure, debug, and improve the Service in ways that do not override your rights); your consent (for optional cookies and any optional features, which you can withdraw); and compliance with legal obligations (for example, retaining financial records).

In Hong Kong, our baseline is the Personal Data (Privacy) Ordinance (PDPO), under which we collect personal data for the lawful purposes described in this policy and use it consistently with those purposes.

7. Sharing & Sub-Processors

We do not sell your personal information. We share it only with the sub-processors below, each of which receives only the data it needs and is bound by contract to protect it:

  • Clerk: identity and authentication (your account email, name, avatar).
  • Stripe: payments and invoicing (PCI DSS Level 1; we receive only the customer and, where applicable, subscription identifiers).
  • E2B: isolated sandboxes that run your generated apps and AI coding sessions.
  • DashScope / DeepSeek / Kimi: AI model APIs — your transcripts and generated code are sent to the selected model.
  • Tencent Cloud ASR: speech-to-text; your live audio stream is sent here for transcription.
  • Langfuse: tracing of LLM calls for troubleshooting and monitoring.
  • Pexels: stock image search — only the search query is sent, never your conversation content.

8. International Data Transfers

We operate from Hong Kong, and your data is processed in Hong Kong and in the countries where our sub-processors operate (including the United States for Stripe and certain AI model APIs).

Hong Kong does not have an EU adequacy decision. For EU/UK personal data transferred internationally, we rely on the safeguards offered by our sub-processors (such as their Standard Contractual Clauses or Data Privacy Framework certification, where applicable). By using SayCraft, you understand that your data will be processed in these locations.

9. Data Retention

We aim to keep meeting records (transcripts, generated apps, replays) no longer than necessary, with a target retention of 90 days. This 90-day period is a policy intention rather than an automatic purge. Today, meeting records persist until you delete them or request deletion. We may delete inactive meeting records in line with this retention target at our discretion.

When you delete a meeting in your console, it is hidden from your view (a soft delete); the underlying records are not yet permanently erased. If you want a meeting and its content fully and permanently removed, email hzh981125@gmail.com and we will erase it manually.

Account information is retained while your account exists. Financial and tax records are kept for 7 years as required by law, even after other data is deleted.

10. Security

We apply reasonable technical and organisational measures to protect your data. Information is encrypted in transit and at rest, access is limited, and secrets and credentials are stored in environment variables — never committed to source code or written to logs.

Payment credentials are held entirely by Stripe under PCI DSS Level 1 standards; we never store card data. No system is perfectly secure, so we cannot guarantee absolute security, but we work to protect your information and to keep our sub-processors accountable.

11. Your Privacy Rights

Your rights depend on where you live, and we honour requests regardless of location where we reasonably can. To exercise any right, email hzh981125@gmail.com; we may need to verify your identity first.

  • Hong Kong (PDPO): you have the right to access and correct your personal data held by us.
  • EU / UK (GDPR): you additionally have rights of access, rectification, erasure, restriction, data portability, and objection, plus the right to lodge a complaint with your supervisory authority.
  • California (CCPA/CPRA): you have rights to know, access, delete, and correct your personal information, and to opt out of "sale" or "sharing." We do not sell your personal information and do not share it for cross-context behavioural advertising, and we will not discriminate against you for exercising your rights.
  • Self-service account deletion and one-click data export are not yet available in the product. Until they are, email us and we will action access, export, correction, or deletion requests for you, subject to the 7-year retention of financial records.

12. Cookies & Analytics

We use cookies and browser local storage to keep you signed in and to remember your interface preferences (theme, font, and language). These are essential or preference-level and are not used to build advertising profiles.

We do not run cross-site advertising trackers. You can clear cookies and local storage in your browser at any time, though doing so will sign you out and reset your saved preferences.

13. Children's Privacy

The Service is intended for users aged 18 or older (or the age of majority where you live) and is not directed to children. We do not knowingly collect personal information from anyone under 18.

If you believe a minor has provided us with personal information, contact hzh981125@gmail.com and we will delete it.

14. Data Breach Notification

If a security breach materially affects your personal information, we will notify affected users without undue delay and describe what happened and what we are doing about it. Where breach-notification laws apply to you (for example, the EU/UK GDPR or applicable US state laws), we will comply with their notification requirements and deadlines.

Meeting replays can be shared via an unguessable link, and anyone with that link can view the replay. Treat replay links as semi-public and share them only with people you trust.

15. Changes to This Policy

We may update this Privacy Policy as the Service evolves. The "Last updated" date at the top reflects the latest version.

For material changes, we will provide reasonable advance notice by email and/or an in-app notice before the change takes effect. Your continued use of the Service after a change takes effect means you accept the updated policy.

16. Contact & How to Exercise Your Rights

SayCraft is operated by an independent individual developer in Hong Kong SAR. For any privacy question, or to access, correct, export, or delete your data, email hzh981125@gmail.com and we will action access, correction, export, or deletion requests manually (self-service tools are not yet available).

We will respond within a reasonable time and, where required by law, within the statutory deadline that applies to your request.