Privacy Policy
Last updated: 11 June 2026
Overview
PasteSuiteAI is a desktop application that runs entirely on your device. We do not collect telemetry or track usage. This policy explains what data the app stores locally, when data leaves your device, what is processed when you visit this website, and how we handle your data when you purchase a license.
Data Controller
The data controller within the meaning of the EU General Data Protection Regulation (GDPR) is:
Keynaptic GmbH
Full address and company details: see Legal Notice
Privacy & security contact: security@pastesuiteai.com
Purchase & billing contact: billing@pastesuiteai.com
The privacy contact address (security@pastesuiteai.com) is a dedicated channel for security matters and privacy inquiries about the Software and this website. Requests concerning purchase data — including erasure requests under Art. 17 GDPR — go to billing@pastesuiteai.com. For general company contact, please refer to the Legal Notice.
Data Protection Officer
Keynaptic GmbH has not appointed a designated Data Protection Officer. Appointment is not mandatory for us because we do not meet the thresholds set out in Art. 37(1) GDPR or § 38(1) BDSG (fewer than 20 persons constantly engaged in the automated processing of personal data, no core activity involving large-scale systematic monitoring, and no large-scale processing of special categories of data). For privacy-related inquiries and data subject requests, please use the privacy contact address above.
Legal Bases for Processing (Art. 6 GDPR)
We rely on the following legal bases, depending on the type of processing:
- Art. 6(1)(b) GDPR — Performance of a contract: for processing your purchase on our checkout page, delivering your license key, providing the Software, license validation, and checking for updates when you use PasteSuiteAI under our Terms of Service.
- Art. 6(1)(c) GDPR — Legal obligation: for retaining invoice and order records as required by German tax law (§ 147 AO, § 14b UStG).
- Art. 6(1)(f) GDPR — Legitimate interests: for the technically necessary operation and security of this website (server logs, protection against abuse), for fraud prevention during payment processing, and for the integrity of the update-delivery mechanism. Our legitimate interest is to keep the site and the Software available, secure, and functional.
AI actions (BYOK model) — no Keynaptic processing: When you manually trigger an AI action, the Software sends your data from your device directly to the Third-Party Provider you configured, authenticated with your own API key. Within the meaning of Art. 4(7) GDPR, you — not Keynaptic — are the controller for that transfer: you select the provider, you maintain the direct contractual relationship with the provider, you hold the API key, and the purposes and means of processing are determined by you. Keynaptic neither receives, stores, nor has any technical access to the content of your prompts or the provider’s responses; we operate no proxy or routing layer. Accordingly, no legal basis under Art. 6 GDPR and no transfer safeguard under Art. 44 ff. GDPR is required on Keynaptic’s part for these transfers. Your own legal basis and transfer safeguards apply vis-à-vis the provider.
Website Hosting & Server Log Data
This website is hosted on Cloudflare Pages, a service provided by Cloudflare, Inc., 101 Townsend Street, San Francisco, CA 94107, USA. When you visit this website, Cloudflare automatically processes technical connection data for the purpose of delivering the page and protecting the infrastructure. This typically includes:
- Your IP address (shortened or anonymised where feasible)
- Date and time of the request
- The page or resource requested
- HTTP status code and amount of data transferred
- Browser type, version, and operating system (user agent)
- Referring URL, if provided by your browser
Keynaptic’s own legal basis for making the website available via Cloudflare Pages is Art. 6(1)(f) GDPR (legitimate interest in the secure, stable, and abuse-free operation of the website). Cloudflare, Inc. acts as a third-party hosting and content-delivery provider; the technical connection data described above is collected and processed directly by Cloudflare in the course of operating its global network, and is typically served from a data centre close to your location (including data centres within the EU). Cloudflare’s retention periods and security measures are described in Cloudflare’s Privacy Policy.
Transfer to the USA: Because Cloudflare, Inc. is based in the United States, access to log data from the USA cannot be ruled out. Cloudflare is certified under the EU–U.S. Data Privacy Framework, and the transfer is further safeguarded by the EU Standard Contractual Clauses (SCCs, Commission Implementing Decision (EU) 2021/914).
Data Stored on Your Device
PasteSuiteAI stores the following data locally in a dedicated application data folder on your device:
- Settings — Your preferences, action configurations, and prompt library entries.
- Action definitions — Your custom and built-in action configurations.
- Usage data — Timestamps of AI actions for license enforcement. No content is recorded.
- Application log — Diagnostic log for troubleshooting. Contains no user content or AI responses.
- API keys — Stored in your operating system's secure credential store. Never in plaintext files.
- License key — Stored in your operating system's secure credential store. Signature verified locally; activation requires a one-time online check per device (see “License Activation & Device Binding” below).
Data Sent to Third Parties
PasteSuiteAI sends data to external services only when you manually trigger an AI action. For these transfers you are the data controller under the BYOK model (see “AI actions (BYOK model)” above). Specifically:
- What is sent: The text you selected or copied, combined with the action's prompt template and any additional input you typed.
- When: Only when you press a hotkey or click an action. Never automatically, never in the background.
- Where: To the AI provider you configured (e.g. OpenAI, Azure OpenAI, Anthropic, or a local model). The connection is direct from your device to the provider — there is no PasteSuiteAI server in between.
- Authentication: Using the API key you provided, stored in your OS credential store.
PasteSuiteAI itself never receives, stores, or has access to your text content or AI responses. We cannot see what you send or receive.
Third-Party Sub-Processors
PasteSuiteAI does not process your data on its own servers. However, when you trigger an AI action, your data is sent directly from your device to the AI provider you configured. The following providers are commonly used with PasteSuiteAI:
- OpenAI (api.openai.com) — GPT models, Whisper speech-to-text.
- Anthropic (api.anthropic.com) — Claude models.
- Google (generativelanguage.googleapis.com) — Gemini models.
- Microsoft Azure OpenAI (*.openai.azure.com) — Azure-hosted OpenAI models.
- Groq (api.groq.com) — LLM and STT inference.
- Mistral (api.mistral.ai) — Mistral LLMs.
- Perplexity (api.perplexity.ai) — Perplexity LLMs with web search.
- ElevenLabs (api.elevenlabs.io) — Speech-to-text.
- iFlytek (iat-api-sg.xfyun.cn) — Speech-to-text.
- Local/self-hosted models (user-configured endpoint) — For local providers (e.g. Ollama, LM Studio), data stays entirely on your device or local network.
You choose which provider to use. PasteSuiteAI does not mandate any specific provider. Each provider’s own terms of service and privacy policy govern how they handle data you send to them. We recommend reviewing the privacy policies of any provider you configure.
This list reflects commonly supported providers and may not be exhaustive. PasteSuiteAI supports any OpenAI-compatible API endpoint, including self-hosted and private deployments.
Transfers to Third Countries
Several of the Third-Party Providers listed above are established outside the European Economic Area (EEA), in particular in the United States (OpenAI, Anthropic, Google, Microsoft Azure, Groq, Perplexity, ElevenLabs) and in the People’s Republic of China (iFlytek). When you trigger an AI action directed at such a provider, the text you submit is transferred directly from your device to that provider’s servers.
Under the BYOK model, you are the controller for these transfers; the requirements of Art. 44 ff. GDPR (adequacy, appropriate safeguards, derogations) apply to you and the respective provider, not to Keynaptic. For your orientation, the following safeguards are typically available when users configure the listed providers:
- US providers: Most major US providers participate in the EU–U.S. Data Privacy Framework (DPF) and/or offer EU Standard Contractual Clauses (SCCs, Commission Implementing Decision (EU) 2021/914) as part of their own data-processing terms.
- Non-DPF countries (e.g. China): For providers in countries without an adequacy decision, users typically rely on a derogation under Art. 49 GDPR — in particular explicit informed consent under Art. 49(1)(a) GDPR — or on the provider’s own SCC-based terms. You are responsible for selecting an appropriate legal basis and transfer safeguard for your specific use case. You acknowledge that countries outside the EEA may not provide a level of data protection equivalent to that of the EEA.
- Your choice: You decide which provider, if any, to configure. You can restrict your usage to EEA-based or self-hosted providers at any time.
Software Updates
PasteSuiteAI periodically contacts pastesuiteai.com to check whether a newer version is available. This check transmits only the current application version and your platform identifier (e.g. “windows-x86_64”). No personal data, usage statistics, or device identifiers are sent.
- Frequency: At most once every 14 days, starting a few seconds after app launch.
- What is received: A small JSON manifest containing the latest version number and a download URL.
- No automatic installation by default: When an update is available, you are shown a dialog with the option to install, skip the version, or dismiss. Updates are only installed with your explicit consent.
- Opt-out: You can disable update checks entirely in Settings (“Automatic updates” toggle). An optional “Background updates” setting allows fully unattended installation, but is disabled by default.
- Download source: Update installers are downloaded exclusively from pastesuiteai.com over HTTPS.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in keeping users on a supported, secure version). Standard server-log data (IP address, timestamp, user agent) is received by our hosting provider for the duration of the request and retained for a short period for abuse prevention and debugging.
Community Template Gallery
The application includes a “Custom API” connection type with an optional Community Template Gallery. If — and only if — you open the gallery browser in Settings, PasteSuiteAI fetches a manifest file from pastesuiteai.com/templates/manifest.json and, on your selection, the corresponding template JSON from the same host.
- What is sent: A standard HTTPS GET request. No user identifier, no license key, no prompt content, no AI data.
- What is received: A static JSON manifest listing community-contributed Custom API templates, and any template file you explicitly select.
- When: Only on explicit user action (opening the template gallery in Settings). Never automatic, never in the background.
- Legal basis: Art. 6(1)(f) GDPR (legitimate interest in providing an optional, user-initiated resource). Standard server-log data (IP address, timestamp, user agent) is received by our hosting provider for the duration of the request.
- Opt-out: Do not open the template gallery. All other application features work without ever contacting this endpoint.
STT Retry-Phrase Sharing (optional, opt-in)
The application lets you maintain a local list of phrases that speech-to-text providers occasionally produce as hallucinations when given silent or low-signal audio (e.g. “Thanks for watching” on an empty clip). These are filtered locally so they do not appear in your transcripts. Separately, you may opt in to share this phrase list with Keynaptic, so that other users can benefit from it in future builds.
- Default state: OFF. No data is sent unless you explicitly enable the “Share with Keynaptic” toggle in Settings → Transcription → Retry Phrases.
- What is sent (only if enabled): The phrase strings you added, the STT language code (e.g. “en”, “de”), and the application version. No user identifier, no license key, no account email, no device identifier, no prompt content, no AI response content, no audio.
- Where: pastesuiteai.com, via HTTPS POST.
- Frequency: Fire-and-forget, at most a few times per session, only after you change the list while sharing is enabled.
- Your role: When sharing is enabled, Keynaptic acts as controller for the phrase list submitted by you; legal basis is your consent under Art. 6(1)(a) GDPR. You may withdraw consent at any time by turning the toggle off — this stops any further submission with immediate effect.
- Retention: Submitted phrase lists are retained only as long as necessary to curate the built-in hallucination filter that ships with future builds.
License Activation & Device Binding
When you enter a Pro license key in the application, PasteSuiteAI performs a one-time online activation with our licence service (hosted on Cloudflare Workers, EU region) in order to bind the key to your computer. This step is required so that we can enforce the per-licence device cap; without it, a single key could be reused without limit.
Data transmitted at activation:
- License key — for verification against our licence database.
- Device identifier — a pseudonymous SHA-256 hash of your system’s hardware UUID (a stable firmware-level identifier). The raw UUID is transmitted to our licence service over TLS solely for the purpose of computing this hash, and is discarded immediately afterwards; only the hash is persisted in our database. We do not transform or salt the identifier on your computer before transmission, because any client-side transformation would not survive an operating-system reinstallation and would force you to consume a new device record every time you reinstall Windows.
- Activation timestamp and application version.
No content collection: No content of your work, no AI prompts, no transcripts, no clipboard data, and no usage statistics are ever sent to us beyond the activation step described above.
Why we do this: A Pro licence permits activation on the licensed user’s devices, within the device cap that comes with the licence. When more licences are purchased in a single order, the device cap on the resulting key grows accordingly. Binding each key to specific devices allows us to enforce these limits and to detect large-scale key-sharing. Re-installing PasteSuiteAI on a device you have already activated is idempotent and does not consume an additional device record.
Legal basis: The primary basis for the device-binding processing is Art. 6(1)(f) GDPR — our legitimate interest in protecting the commercial viability of the Pro plan and preventing licence abuse. Art. 6(1)(b) GDPR (performance of the licence contract) additionally applies to the part of the processing that delivers the paid licence to you.
Retention: The device record is freed when the licence expires, when you deactivate the device from the app, or when our support team releases this device record at your request. The historical record of that activation (the device identifier and the timestamps) is retained alongside the underlying purchase record for the duration of the legal record-keeping period required by German tax and commercial law (§ 147 AO, § 257 HGB — up to 10 years), so that we can answer support and audit questions about historic activations on your account. You may at any time request earlier deletion of an inactive activation record under your Art. 17 GDPR right to erasure by contacting billing@pastesuiteai.com; we will honour the request unless we are legally obliged to retain the record under the rules cited above.
Your rights: You can deactivate the device you are currently using directly from PasteSuiteAI at any time via Settings → License → “Deactivate this device”. Deactivation takes effect immediately and frees the device record. If you no longer have access to a device you previously activated (lost, stolen, or decommissioned hardware), please contact billing@pastesuiteai.com and we will release the affected device record for you.
License Purchase & Subscription Management
If you purchase a Pro subscription, Keynaptic GmbH is the seller and the data controller for the entire purchase process. The purchase takes place on our own checkout page. Payment execution is handled on our behalf by Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland (“Stripe”), acting as our processor within the meaning of Art. 28 GDPR; a data processing agreement (Art. 28 GDPR) is in place with Stripe. Stripe is not an independent seller and processes your purchase data only on our instructions and for the purposes described below.
Data we collect directly from you (Art. 13 GDPR): All purchase data is collected directly from you on our checkout page; it is not supplied to us by any third party. Specifically:
- Email address — entered on the checkout page. Used to deliver your purchase confirmation and license key, to send renewal and cancellation emails, and to verify your subscription when you contact us. This is the only purchase-related personal data stored in our own systems.
- Billing address and, if you provide one, your VAT ID — entered into Stripe’s embedded form elements on the checkout page and transmitted directly to Stripe for invoicing and VAT determination. They are held in Stripe’s records and are not stored in our own systems.
- Payment-instrument data (card number, etc.) — entered into Stripe’s embedded, PCI-DSS-compliant form elements and transmitted directly to Stripe. Keynaptic never receives or stores payment-instrument data.
Recipients and transfers to third countries:
- Stripe — payment processing, fraud prevention, invoicing, and tax records. Stripe Payments Europe, Ltd. is established in Ireland (EEA); in the course of payment processing, data may be transferred to Stripe, Inc. in the United States. Stripe is certified under the EU–U.S. Data Privacy Framework, and the transfer is further safeguarded by the EU Standard Contractual Clauses (SCCs, Commission Implementing Decision (EU) 2021/914). See Stripe’s Privacy Policy.
- Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA — our order-fulfillment service runs on Cloudflare Workers and processes your email address in order to generate and deliver your license key; the email address is stored in our license database (Cloudflare D1). Cloudflare is certified under the EU–U.S. Data Privacy Framework, and the transfer is further safeguarded by the EU Standard Contractual Clauses (SCCs); a data processing agreement is in place with Cloudflare.
- Resend (Plus Five Five, Inc., San Francisco, CA, USA) — our primary transactional email provider — and Brevo (Sendinblue GmbH, Köpenicker Str. 126, 10179 Berlin, Germany; EU) as fallback. On every purchase, both providers may process your email address and your license key in order to deliver the purchase confirmation and license email; they likewise deliver renewal and cancellation emails. Data processing agreements (Art. 28 GDPR) are in place with both providers. Because Resend is established in the United States and uses an Amazon Web Services (AWS SES) infrastructure backend, emails sent via Resend involve a transfer to the USA; this transfer is safeguarded by the EU–U.S. Data Privacy Framework and/or the EU Standard Contractual Clauses (SCCs). Brevo processes data within the EU.
Legal bases: Art. 6(1)(b) GDPR (performance of the contract) for processing your order, executing payment, and delivering and servicing your license; Art. 6(1)(c) GDPR (legal obligation) for the invoice and order records we must retain under German tax law; Art. 6(1)(f) GDPR (legitimate interest) for fraud prevention during payment processing.
Subscription management & cancellation: You can cancel your subscription at any time, free of charge, via our online cancellation page — no login required — or by emailing billing@pastesuiteai.com. Cancellation stops future renewals; your current paid term continues to be active until its expiry.
Retention & Erasure of Purchase Data
Retention periods: Invoice and order data are retained for 10 years, as required by German tax law (§ 147 AO, § 14b UStG). The invoice — including your billing address and, where provided, your VAT ID — is held in Stripe’s records; our own license database stores only your email address together with the license and subscription records needed to operate your license.
Erasure (Art. 17 GDPR): After the retention period has expired — or earlier, on your erasure request — we anonymize your personal data: your email address is replaced with an irreversible placeholder, while the license and billing records themselves are kept in anonymized form to the extent the law requires. If your subscription is still active when you request erasure, we treat the request as a cancellation: the subscription ends at the close of the current paid period, and anonymization is carried out after the period ends. Until then we need your email address in order to perform the contract — to deliver your license key, renewal notices, and cancellation confirmations (Art. 17(1)(b), Art. 17(3) GDPR). To request erasure of purchase data, email billing@pastesuiteai.com.
Tracking, Analytics & Cookies
The PasteSuiteAI application and this website do not use analytics services, tracking pixels, or any form of behavioural telemetry or profiling, and — with the single exception of the checkout page described below — do not set cookies. The only circumstances under which the application contacts PasteSuiteAI servers are the ones described above: the periodic update check, the optional Community Template Gallery (on explicit user action), and the opt-in STT Retry-Phrase Sharing (disabled by default).
Checkout page (Stripe.js): Our checkout page embeds Stripe.js, Stripe’s payment library. Stripe.js sets cookies (e.g. __stripe_mid, __stripe_sid) that are used strictly for payment processing and fraud prevention — not for advertising, analytics, or cross-site tracking on our behalf. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in secure, fraud-free payment processing) and Art. 6(1)(b) GDPR (performance of the contract). No cookies are set on any other page of this website.
Your Rights (GDPR)
Because all data is stored locally on your device, you have full control at all times. The application provides built-in tools to exercise your rights:
- Right of access & portability (Art. 15, 20 GDPR) — Use the “Export My Data” feature in Settings to download all your data as a JSON file.
- Right to erasure (Art. 17 GDPR) — Use the “Delete All Data” feature in Settings to permanently remove all local data, including API keys and license keys from the OS credential store.
- Right to rectification (Art. 16 GDPR) — Edit your settings, connections, and actions directly in the application at any time.
- Right to restriction of processing (Art. 18 GDPR) — You can disable AI actions, update checks, and logging in Settings.
- Right to object (Art. 21 GDPR) — You may object to processing based on legitimate interests (e.g. server logs, update checks) at any time by contacting us.
- Right to withdraw consent — Where processing is based on consent, you may withdraw it at any time with effect for the future.
Since no personal data is stored on our servers in connection with the Software itself, most rights can be exercised directly on your device.
Purchase data: For personal data we process in connection with a purchase (your email address and the related order and license records), please send access, rectification, and erasure requests to billing@pastesuiteai.com. How erasure requests are handled — including while a subscription is still active — is described under “Retention & Erasure of Purchase Data” above. For security matters, contact security@pastesuiteai.com.
Right to Lodge a Complaint (Art. 77 GDPR)
You have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, your place of work, or the place of the alleged infringement. The supervisory authority competent for Keynaptic GmbH is:
Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 18, 91522 Ansbach, Germany
Website: lda.bayern.de
No Automated Decision-Making or Profiling
We do not use your data for automated decision-making within the meaning of Art. 22 GDPR, and we do not perform profiling. AI outputs generated by Third-Party Providers at your request are not used by us to make decisions about you.
Data Retention
- Action history: Cleared on every app restart.
- Usage timestamps: Rolling window, automatically pruned after 7 days.
- Application log: Configurable maximum line count. Can be disabled entirely in Settings.
- Purchase and license records: Our license database stores only your email address together with the license and subscription records; the invoice with billing address and VAT ID is held in Stripe’s records. Invoice and order data are retained for 10 years under German tax law (§ 147 AO, § 14b UStG); after the retention period — or on an erasure request under Art. 17 GDPR — personal data is anonymized and the license and billing records are kept in anonymized form (see “Retention & Erasure of Purchase Data” above). Payment-instrument data is never stored by Keynaptic.
Children
PasteSuiteAI is not directed at children under 16. We do not knowingly collect data from children.
Changes to This Policy
We may update this policy when new features are added. The "Last updated" date at the top reflects the most recent revision. Significant changes will be noted in the application's changelog.
Contact
For privacy questions and security matters: security@pastesuiteai.com
For purchase data, billing, cancellation, and erasure requests concerning purchase records: billing@pastesuiteai.com