Privacy Policy

Last updated: 19 April 2026

Overview

PasteSuiteAI is a desktop application that runs entirely on your device. We do not operate servers, collect telemetry, or track usage. This policy explains what data the app stores locally, when data leaves your device, and what is processed when you visit this website.

Data Controller

The data controller within the meaning of the EU General Data Protection Regulation (GDPR) is:

Keynaptic GmbH
Full address and company details: see Legal Notice
Privacy contact: security@pastesuiteai.com

The privacy contact address (security@pastesuiteai.com) is a dedicated channel for privacy-related inquiries and data subject requests. For general company contact, please refer to the Legal Notice.

Data Protection Officer

Keynaptic GmbH has not appointed a designated Data Protection Officer. Appointment is not mandatory for us because we do not meet the thresholds set out in Art. 37(1) GDPR or § 38(1) BDSG (fewer than 20 persons constantly engaged in the automated processing of personal data, no core activity involving large-scale systematic monitoring, and no large-scale processing of special categories of data). For privacy-related inquiries and data subject requests, please use the privacy contact address above.

Legal Bases for Processing (Art. 6 GDPR)

We rely on the following legal bases, depending on the type of processing:

Art. 6(1)(b) GDPR — Performance of a contract: for providing the Software, license validation, and checking for updates when you use PasteSuiteAI under our Terms of Service.
Art. 6(1)(f) GDPR — Legitimate interests: for the technically necessary operation and security of this website (server logs, protection against abuse) and for the integrity of the update-delivery mechanism. Our legitimate interest is to keep the site and the Software available, secure, and functional.

AI actions (BYOK model) — no Keynaptic processing: When you manually trigger an AI action, the Software sends your data from your device directly to the Third-Party Provider you configured, authenticated with your own API key. Within the meaning of Art. 4 Nr. 7 GDPR, you — not Keynaptic — are the controller for that transfer: you select the provider, you maintain the direct contractual relationship with the provider, you hold the API key, and the purposes and means of processing are determined by you. Keynaptic neither receives, stores, nor has any technical access to the content of your prompts or the provider’s responses; we operate no proxy or routing layer. Accordingly, no legal basis under Art. 6 GDPR and no transfer safeguard under Art. 44 ff. GDPR is required on Keynaptic’s part for these transfers. Your own legal basis and transfer safeguards apply vis-à-vis the provider.

Website Hosting & Server Log Data

This website is hosted on GitHub Pages, a service provided by GitHub, Inc., 88 Colin P. Kelly Jr. Street, San Francisco, CA 94107, USA. When you visit this website, GitHub automatically processes technical connection data for the purpose of delivering the page and protecting the infrastructure. This typically includes:

Your IP address (shortened or anonymised where feasible)
Date and time of the request
The page or resource requested
HTTP status code and amount of data transferred
Browser type, version, and operating system (user agent)
Referring URL, if provided by your browser

Keynaptic’s own legal basis for making the website available via GitHub Pages is Art. 6(1)(f) GDPR (legitimate interest in the secure, stable, and abuse-free operation of the website). GitHub, Inc. acts as a third-party hosting provider under its own legal bases and its own Terms of Service; the technical connection data described above is collected and processed directly by GitHub in the course of operating the platform. GitHub’s retention periods and security measures are described in GitHub’s General Privacy Statement.

Transfer to the USA: Because GitHub, Inc. is based in the United States, access to log data from the USA cannot be ruled out. GitHub is certified under the EU–U.S. Data Privacy Framework, and the transfer is further safeguarded by the EU Standard Contractual Clauses (SCCs, Commission Implementing Decision (EU) 2021/914).

Data Stored on Your Device

PasteSuiteAI stores the following data locally in a dedicated application data folder on your device:

Settings — Your preferences, action configurations, and prompt library entries.
Action definitions — Your custom and built-in action configurations.
Usage data — Timestamps of AI actions for license enforcement. No content is recorded.
Application log — Diagnostic log for troubleshooting. Contains no user content or AI responses.
API keys — Stored in your operating system's secure credential store. Never in plaintext files.
License key — Stored in your operating system's secure credential store. Signature verified locally; activation requires a one-time online check per device (see “License Activation & Device Binding” below).

Data Sent to Third Parties

PasteSuiteAI sends data to external services only when you manually trigger an AI action. For these transfers you are the data controller under the BYOK model (see “AI actions (BYOK model)” above). Specifically:

What is sent: The text you selected or copied, combined with the action's prompt template and any additional input you typed.
When: Only when you press a hotkey or click an action. Never automatically, never in the background.
Where: To the AI provider you configured (e.g. OpenAI, Azure OpenAI, Anthropic, or a local model). The connection is direct from your device to the provider — there is no PasteSuiteAI server in between.
Authentication: Using the API key you provided, stored in your OS credential store.

PasteSuiteAI itself never receives, stores, or has access to your text content or AI responses. We cannot see what you send or receive.

Third-Party Sub-Processors

PasteSuiteAI does not process your data on its own servers. However, when you trigger an AI action, your data is sent directly from your device to the AI provider you configured. The following providers are commonly used with PasteSuiteAI:

OpenAI (api.openai.com) — GPT models, Whisper speech-to-text. Privacy Policy
Anthropic (api.anthropic.com) — Claude models. Privacy Policy
Google (generativelanguage.googleapis.com) — Gemini models. Privacy Policy
Microsoft Azure OpenAI (*.openai.azure.com) — Azure-hosted OpenAI models. Privacy Policy
Groq (api.groq.com) — LLM and STT inference. Privacy Policy
Mistral (api.mistral.ai) — Mistral LLMs. Privacy Policy
Perplexity (api.perplexity.ai) — Perplexity LLMs with web search. Privacy Policy
ElevenLabs (api.elevenlabs.io) — Speech-to-text. Privacy Policy
iFlytek (iat-api-sg.xfyun.cn) — Speech-to-text. Privacy Policy
Local/self-hosted models (user-configured endpoint) — For local providers (e.g. Ollama, LM Studio), data stays entirely on your device or local network.

You choose which provider to use. PasteSuiteAI does not mandate any specific provider. Each provider’s own terms of service and privacy policy govern how they handle data you send to them. We recommend reviewing the privacy policies of any provider you configure.

This list reflects commonly supported providers and may not be exhaustive. PasteSuiteAI supports any OpenAI-compatible API endpoint, including self-hosted and private deployments.

Transfers to Third Countries

Several of the Third-Party Providers listed above are established outside the European Economic Area (EEA), in particular in the United States (OpenAI, Anthropic, Google, Microsoft Azure, Groq, Perplexity, ElevenLabs) and in the People’s Republic of China (iFlytek). When you trigger an AI action directed at such a provider, the text you submit is transferred directly from your device to that provider’s servers.

Under the BYOK model, you are the controller for these transfers; the requirements of Art. 44 ff. GDPR (adequacy, appropriate safeguards, derogations) apply to you and the respective provider, not to Keynaptic. For your orientation, the following safeguards are typically available when users configure the listed providers:

US providers: Most major US providers participate in the EU–U.S. Data Privacy Framework (DPF) and/or offer EU Standard Contractual Clauses (SCCs, Commission Implementing Decision (EU) 2021/914) as part of their own data-processing terms.
Non-DPF countries (e.g. China): For providers in countries without an adequacy decision, users typically rely on a derogation under Art. 49 GDPR — in particular explicit informed consent under Art. 49(1)(a) GDPR — or on the provider’s own SCC-based terms. You are responsible for selecting an appropriate legal basis and transfer safeguard for your specific use case. You acknowledge that countries outside the EEA may not provide a level of data protection equivalent to that of the EEA.
Your choice: You decide which provider, if any, to configure. You can restrict your usage to EEA-based or self-hosted providers at any time.

Software Updates

PasteSuiteAI periodically contacts pastesuiteai.com to check whether a newer version is available. This check transmits only the current application version and your platform identifier (e.g. “windows-x86_64”). No personal data, usage statistics, or device identifiers are sent.

Frequency: At most once every 14 days, starting a few seconds after app launch.
What is received: A small JSON manifest containing the latest version number and a download URL.
No automatic installation by default: When an update is available, you are shown a dialog with the option to install, skip the version, or dismiss. Updates are only installed with your explicit consent.
Opt-out: You can disable update checks entirely in Settings (“Automatic updates” toggle). An optional “Background updates” setting allows fully unattended installation, but is disabled by default.
Download source: Update installers are downloaded exclusively from GitHub (github.com / objects.githubusercontent.com) over HTTPS.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in keeping users on a supported, secure version). Standard server-log data (IP address, timestamp, user agent) is received by our hosting provider for the duration of the request and retained for a short period for abuse prevention and debugging.

Community Template Gallery

The application includes a “Custom API” connection type with an optional Community Template Gallery. If — and only if — you open the gallery browser in Settings, PasteSuiteAI fetches a manifest file from pastesuiteai.com/templates/manifest.json and, on your selection, the corresponding template JSON from the same host.

What is sent: A standard HTTPS GET request. No user identifier, no license key, no prompt content, no AI data.
What is received: A static JSON manifest listing community-contributed Custom API templates, and any template file you explicitly select.
When: Only on explicit user action (opening the template gallery in Settings). Never automatic, never in the background.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in providing an optional, user-initiated resource). Standard server-log data (IP address, timestamp, user agent) is received by our hosting provider for the duration of the request.
Opt-out: Do not open the template gallery. All other application features work without ever contacting this endpoint.

STT Retry-Phrase Sharing (optional, opt-in)

The application lets you maintain a local list of phrases that speech-to-text providers occasionally produce as hallucinations when given silent or low-signal audio (e.g. “Thanks for watching” on an empty clip). These are filtered locally so they do not appear in your transcripts. Separately, you may opt in to share this phrase list with Keynaptic, so that other users can benefit from it in future builds.

Default state: OFF. No data is sent unless you explicitly enable the “Share with Keynaptic” toggle in Settings → Transcription → Retry Phrases.
What is sent (only if enabled): The phrase strings you added, the STT language code (e.g. “en”, “de”), and the application version. No user identifier, no license key, no account email, no device identifier, no prompt content, no AI response content, no audio.
Where: pastesuiteai.com, via HTTPS POST.
Frequency: Fire-and-forget, at most a few times per session, only after you change the list while sharing is enabled.
Your role: When sharing is enabled, Keynaptic acts as controller for the phrase list submitted by you; legal basis is your consent under Art. 6(1)(a) GDPR. You may withdraw consent at any time by turning the toggle off — this stops any further submission with immediate effect.
Retention: Submitted phrase lists are retained only as long as necessary to curate the built-in hallucination filter that ships with future builds.

License Activation & Device Binding

When you enter a Pro license key in the application, PasteSuiteAI performs a one-time online activation with our licence service (hosted on Cloudflare Workers, EU region) in order to bind the key to your device and prevent key sharing.

Data transmitted at activation:

License key — for verification against our licence database.
Device identifier — a stable hash derived from your system’s hardware UUID (SMBIOS UUID on Windows). This hash is used solely to identify the device in the licence record; the raw UUID is not transmitted.
Activation timestamp and application version.

Why we do this: A Pro licence permits activation on up to 6 devices per key. Binding the key to specific devices allows us to enforce this limit, detect large-scale key-sharing, and ensure a fair use of the Pro subscription. Re-installing PasteSuiteAI on a device you have already activated is idempotent and does not consume an additional slot.

Legal basis: Art. 6(1)(b) GDPR (performance of the licence contract) and Art. 6(1)(f) GDPR (legitimate interest in preventing licence abuse and protecting the commercial viability of the Pro tier).

Retention: The device identifier is retained for the duration of your licence. After your licence expires or is revoked, device records are deleted within 90 days, except where retention is required by German tax and commercial law in connection with the underlying subscription record (see the Paddle section below).

No heartbeat, no ongoing tracking: After successful activation, the signed licence key is cached locally on your device. Day-to-day use of PasteSuiteAI does not require further contact with our licence service. There is no periodic “phone-home” of the device identifier.

Your rights: You can view all devices activated under your licence and deactivate devices you no longer use via account.pastesuiteai.com (access via magic-link to the email address on record with Paddle), or by contacting support@pastesuiteai.com. Deactivation immediately frees the device slot.

License Purchase & Subscription Management (Paddle)

If you purchase a Pro subscription, the purchase is processed by our Merchant of Record, Paddle (Paddle.com Market Limited, Judd House, 18-29 Mora Street, London EC1V 8BT, United Kingdom; for U.S. buyers: Paddle.com Inc.). Paddle is the seller of record — it collects payment, issues invoices, and handles VAT, refunds, and chargebacks.

Data flow at the point of purchase:

You → Paddle (directly, on Paddle’s checkout pages): your name, email address, billing country, and payment-instrument data (card number, PayPal account, etc.). This data is processed by Paddle and its payment processors and never reaches Keynaptic. See Paddle’s own Privacy Policy for how this data is processed, retained (typically several years for tax and accounting compliance), and exercised against your data subject rights.
Paddle → Keynaptic (after each successful purchase or renewal, via webhook): your Paddle customer ID, your email address, the product/plan you purchased, the purchase date, the renewal status, the next renewal date, and the license key issued to you. We use this information solely to (a) generate and deliver your license key, (b) verify your subscription status when you contact support, and (c) keep records as required by German tax and commercial law.

What Keynaptic does not receive: billing address, payment card numbers, IBAN/SEPA details, or any other payment-instrument information. These remain solely with Paddle.

Legal basis: Art. 6(1)(b) GDPR (performance of the licence contract) for the data we use to provide and verify your subscription; Art. 6(1)(c) GDPR (legal obligation) for the records we are required to retain under German tax and commercial law (§ 147 AO, § 257 HGB).

Source of the data (Art. 14 GDPR): The customer information described above is received from Paddle, not collected directly from you. Paddle informs you about its own processing at the point of purchase.

Subscription management: You can manage or cancel your subscription at any time, free of charge, via the Paddle Buyer Portal (link in your purchase confirmation email). Cancellation stops future renewals; your current paid term continues to be active until its expiry.

No Tracking, No Analytics, No Cookies

The PasteSuiteAI application and this website do not use cookies, analytics services, tracking pixels, or any form of behavioural telemetry or profiling. The only circumstances under which the application contacts PasteSuiteAI servers are the ones described above: the periodic update check, the optional Community Template Gallery (on explicit user action), and the opt-in STT Retry-Phrase Sharing (disabled by default).

Your Rights (GDPR)

Because all data is stored locally on your device, you have full control at all times. The application provides built-in tools to exercise your rights:

Right of access & portability (Art. 15, 20 GDPR) — Use the “Export My Data” feature in Settings to download all your data as a JSON file.
Right to erasure (Art. 17 GDPR) — Use the “Delete All Data” feature in Settings to permanently remove all local data, including API keys and license keys from the OS credential store.
Right to rectification (Art. 16 GDPR) — Edit your settings, connections, and actions directly in the application at any time.
Right to restriction of processing (Art. 18 GDPR) — You can disable AI actions, update checks, and logging in Settings.
Right to object (Art. 21 GDPR) — You may object to processing based on legitimate interests (e.g. server logs, update checks) at any time by contacting us.
Right to withdraw consent — Where processing is based on consent, you may withdraw it at any time with effect for the future.

Since no personal data is stored on our servers in connection with the Software itself, most rights can be exercised directly on your device.

Right to Lodge a Complaint (Art. 77 GDPR)

You have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, your place of work, or the place of the alleged infringement. The supervisory authority competent for Keynaptic GmbH is:

Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 18, 91522 Ansbach, Germany
Website: lda.bayern.de

No Automated Decision-Making or Profiling

We do not use your data for automated decision-making within the meaning of Art. 22 GDPR, and we do not perform profiling. AI outputs generated by Third-Party Providers at your request are not used by us to make decisions about you.

Data Retention

Action history: Cleared on every app restart.
Usage timestamps: Rolling window, automatically pruned after 7 days.
Application log: Configurable maximum line count. Can be disabled entirely in Settings.
Subscription records received from Paddle (customer ID, email, plan, purchase and renewal dates, license key): retained for the duration of your subscription and for at least 10 years thereafter in order to comply with German tax and commercial-law retention obligations (§ 147 AO, § 257 HGB). Address and payment-instrument data are not stored by Keynaptic; Paddle’s own retention rules apply to those.

Children

PasteSuiteAI is not directed at children under 16. We do not knowingly collect data from children.

Changes to This Policy

We may update this policy when new features are added. The "Last updated" date at the top reflects the most recent revision. Significant changes will be noted in the application's changelog.

Contact

For privacy questions or to exercise your rights, contact: security@pastesuiteai.com

See also: Licensing · Terms of Service · Accessibility · Legal Notice