Paperline logo
Paperline
FeaturesPricingDocs

Privacy Policy

Last updated: October 15, 2025

Introduction

Paperline, Inc. ("Paperline," "we," "us," or "our") provides an AI-powered desktop application that helps you build mobile apps through natural language conversation with an AI agent.

Privacy-First Design: Your source code, project files, chat history, and API keys stay entirely on your local device. We never upload your code, conversations, or API keys to our servers. We only store minimal account data, subscription information, and usage metadata in the cloud.

This Privacy Policy explains what data we collect, how we use it, and your rights. By using Paperline, you agree to this Policy.

1. Data We Collect

1.1 Data Stored in the Cloud

  • Account Information: Basic profile data provided during authentication (email, name, avatar)
  • Subscription Data: Current plan, activation date, and credit balance information
  • Payment Information: Payment processing is handled entirely by Stripe. We only store references to your Stripe customer and subscription IDs. Payment card details and transaction records are stored by Stripe, not by us.
  • Credit Transactions: Audit trail of credit operations for billing transparency

1.2 Data Stored Locally on Your Device

  • API Keys: On the Free plan, you provide your own API keys (Anthropic, OpenAI) which are stored encrypted locally on your device and never uploaded to our servers. On paid plans, we use our API keys to provide the service.
  • Projects: All project data including metadata, source code, and file structure
  • Chat History: All conversations with the AI agent
  • Checkpoints: Project snapshots for version control and rollback
  • Settings: Application preferences and configurations

1.3 Data Sent to AI Providers (Anthropic, OpenAI)

  • Your Prompts: Messages you send to the AI agent
  • Project Context: Only specific files and code snippets that you explicitly reference or that the AI requests through tools to complete your task. We never send your entire project to AI providers.
  • Important: AI providers use this data for inference only. They do NOT use your data to train their models. They may retain logs for safety review and abuse prevention per their policies.

1.4 Analytics & Telemetry

  • Website Usage: Page views, navigation patterns, button clicks, form submissions
  • Technical Data: Browser type, device type, operating system, IP address (anonymized)
  • Desktop App: Crash logs (without code content), error reports, app version, OS version (for stability and debugging). We never include your source code in crash reports.

We do NOT collect: Your source code files, project files, passwords, or payment card details (handled by Stripe). Your API keys (on Free plan) are stored encrypted locally on your device and never uploaded to our servers. We do not collect any special-category personal data (health, biometric, etc.). Please avoid sharing sensitive personal information in chat messages.

1.5 Cookies & Tracking Technologies

We use cookies and similar tracking technologies on our website for analytics and functionality:

  • Essential Cookies: Required for website functionality (authentication, security)
  • Analytics Cookies: Google Analytics cookies to understand how visitors use our website

You can control cookies through your browser settings. Disabling cookies may affect website functionality. Most browsers accept cookies by default, but you can modify your browser settings to decline cookies if you prefer.

2. How We Use Your Data & Legal Bases (GDPR)

  • Provide the Service — Create and manage your account, process subscriptions, allocate and track credits, enable AI-powered code generation, sync settings across devices.
    Legal Basis: Contract (GDPR Art. 6(1)(b))
  • Process Payments — Handle subscription payments, credit purchases, refunds, and billing through Stripe.
    Legal Basis: Contract (GDPR Art. 6(1)(b))
  • Security & Fraud Prevention — Detect and prevent unauthorized access, abuse, fraud, and security incidents. Monitor for unusual activity.
    Legal Basis: Legitimate Interests (GDPR Art. 6(1)(f)) — You may object
  • Product Improvement & Analytics — Analyze usage patterns, identify bugs, improve features, optimize performance. Analytics are aggregated and anonymized where possible.
    Legal Basis: Legitimate Interests (GDPR Art. 6(1)(f)) and/or Consent (GDPR Art. 6(1)(a))
  • Customer Support — Respond to your inquiries, troubleshoot issues, provide technical assistance.
    Legal Basis: Contract (GDPR Art. 6(1)(b)) and Legitimate Interests (GDPR Art. 6(1)(f))
  • Marketing Communications — Send product updates, feature announcements, promotional offers (only with your consent; you can unsubscribe anytime).
    Legal Basis: Consent (GDPR Art. 6(1)(a))
  • Legal Compliance — Comply with applicable laws, regulations, legal processes, and enforceable governmental requests. Maintain records for tax and accounting purposes.
    Legal Basis: Legal Obligation (GDPR Art. 6(1)(c))

No Model Training on Your Data: We use third-party AI providers (Anthropic, OpenAI) for inference only. We do NOT use your prompts, code, or outputs to train our own or third-party models. AI providers may retain limited logs for safety review and abuse prevention per their policies, but do NOT use your data for model training.

3. Third-Party Services & Data Sharing

We do NOT sell your personal data. We only share data with trusted third-party service providers necessary to operate Paperline:

  • Supabase — Authentication and user database.
    Data Shared: Account information and subscription data
    Supabase Privacy Policy
  • Stripe — Payment processing and subscription management.
    Data Shared: Billing information (handled directly by Stripe)
    Stripe Privacy Policy
  • Anthropic — AI model inference for code generation.
    Data Shared: Your prompts and relevant code context (for inference only)
    Anthropic Privacy Policy
  • OpenAI — Alternative AI model for code generation.
    Data Shared: Your prompts and relevant code context (for inference only)
    OpenAI Privacy Policy
  • Google Analytics — Website usage analytics and event tracking.
    Data Shared: Anonymized usage data and interactions
    Google Privacy Policy

We may also share data: (i) with legal authorities when required by law, (ii) in connection with a merger, acquisition, or sale of assets, (iii) with your explicit consent, or (iv) to protect our rights, property, or safety.

4. International Transfers

Your data may be processed outside your country of residence. For transfers from the EEA/UK to countries without an adequacy decision, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, along with additional technical and organizational measures such as encryption, access controls, and data minimization to ensure adequate protection of your personal data.

5. Security & Breach Notice

We use appropriate technical/organizational measures: encryption in transit/at rest, access controls, audit logging, isolation, and regular security reviews. No method is 100% secure.

If a breach is likely to risk your rights and freedoms, we will notify the authority within 72 hours and inform affected users when required.

6. Data Retention

We retain your data only as long as necessary to provide the service and comply with legal obligations:

  • Account Data: While your account is active + up to 90 days after account deletion (for legal and compliance purposes)
  • Chat History (Local): Stored on your device indefinitely until you manually delete. You can delete individual chats or all chats at any time from the desktop app.
  • Credit Transactions: Retained for the lifetime of your account + up to 7 years after account deletion as required by tax, accounting, and legal regulations
  • Logs & Telemetry: 30 days (aggregated statistics may be retained indefinitely without personal identifiers)
  • Backups: Rolling backups up to 35 days
  • Checkpoints (Local): Automatically cleaned up after 30 days by default (configurable in settings)

We periodically review retention policies and delete or anonymize data that is no longer needed. When you delete your account, we remove your personal data from our active systems within 30 days, subject to the retention periods above.

7. Your Privacy Rights

Depending on your location, you have the following rights regarding your personal data:

  • Right to Access: Request a copy of all personal data we hold about you by contacting us at hello@paperline.ai.
  • Right to Correction: Update or correct inaccurate information in your account settings or by contacting us.
  • Right to Deletion: Request deletion of your account and personal data. You can delete your account from the dashboard. Note: Some data may be retained for legal compliance (see Retention section).
  • Right to Portability: Receive your data in a structured, machine-readable format (JSON) for transfer to another service.
  • Right to Restriction: Request that we limit how we process your data in certain circumstances.
  • Right to Object: Object to processing based on legitimate interests (e.g., marketing, analytics).
  • Right to Withdraw Consent: Withdraw consent for marketing communications or optional data processing at any time.

How to Exercise Your Rights: Send requests to hello@paperline.ai. We will respond within 1 month (or 2 months for complex requests). You may lodge a complaint with your local data protection authority if you believe we have violated your rights.

California Residents (CPRA/CCPA)

We do NOT sell or share your personal information for cross-context behavioral advertising. We honor Global Privacy Control (GPC) signals. California residents have additional rights under the CPRA, including the right to know what data is collected, the right to delete, and the right to opt-out of sales/sharing (though we don't sell data).

European Economic Area & UK Residents (GDPR)

You have all the rights listed above under the GDPR. You also have the right to lodge a complaint with your national supervisory authority (e.g., ICO in the UK, CNIL in France).

8. Children's Privacy

Paperline is not intended for children under 13 years of age (or under 16 in the EEA/UK). We do not knowingly collect personal data from children. If we learn that we have collected personal data from a child without appropriate consent, we will delete that information promptly. If you believe we have collected data from a child, please contact us at hello@paperline.ai.

9. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

  • Update the "Last updated" date at the top of this page
  • Notify you via email or in-app notification
  • For significant changes, we may require you to review and accept the updated Policy

We encourage you to review this Policy periodically. Your continued use of Paperline after changes are posted constitutes your acceptance of the updated Policy.

10. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

hello@paperline.ai