Privacy Policy

Last updated: December 16, 2025

Introduction

This Privacy Policy explains how Claude Insider ("we", "us", or "our") collects, uses, and protects your information when you visit our website at www.claudeinsider.com (the "Website"). Claude Insider is a personal project operated by Vladimir Dukelic from the Republic of Serbia.

We are committed to protecting your privacy as a fundamental human right, as recognized by Article 12 of the Universal Declaration of Human Rights. This policy complies with applicable privacy laws including the Serbian Law on Personal Data Protection (Zakon o zaštiti podataka o ličnosti), the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA/CPRA), and international privacy frameworks.

Legal Framework

Claude Insider operates under a multi-jurisdictional legal framework to ensure all users are protected regardless of their location:

Jurisdiction	Applicable Law	Your Rights
Serbia (Primary)	Zakon o zaštiti podataka o ličnosti	Full GDPR-equivalent rights
European Union/EEA	GDPR, ePrivacy Directive	8 data subject rights
California, USA	CCPA/CPRA	Right to know, delete, opt-out
Other US States	State consumer laws	Applicable state rights
International	OECD Privacy Guidelines, UN Consumer Protection Guidelines	Universal privacy principles

We adhere to the OECD Privacy Principles: Collection Limitation, Data Quality, Purpose Specification, Use Limitation, Security Safeguards, Openness, Individual Participation, and Accountability.

Data Controller

The data controller responsible for your personal data is:

Vladimir Dukelic
Email: vladimir@dukelic.com
Location: Republic of Serbia

Serbian Supervisory Authority:
Poverenik za informacije od javnog značaja i zaštitu podataka o ličnosti
Bulevar kralja Aleksandra 15, 11000 Belgrade, Serbia
Website: www.poverenik.rs

Legal Basis for Processing

We process your personal data only when we have a valid legal basis. Under Serbian law and GDPR, we rely on the following:

Processing Activity	Legal Basis	GDPR Article
Account creation & management	Contract performance	Art. 6(1)(b)
Security monitoring, fingerprinting	Legitimate interest	Art. 6(1)(f)
Marketing emails, newsletters	Consent	Art. 6(1)(a)
AI assistant conversations	Contract performance	Art. 6(1)(b)
Direct messaging (E2EE)	Contract performance	Art. 6(1)(b)
Donation processing	Contract performance	Art. 6(1)(b)
Tax receipt generation	Legal obligation	Art. 6(1)(c)
Analytics (Vercel)	Legitimate interest	Art. 6(1)(f)

User Accounts & Authentication

Claude Insider offers optional user accounts to enhance your experience. Here's what data we collect when you create an account:

Account Registration Data

Email address: Required for account creation and communication
Password: Securely hashed using bcrypt (we never store plain-text passwords)
OAuth data: If you sign in with Google or GitHub, we receive your name, email, and profile picture from those services
Username: A unique identifier you choose for your public profile

Profile Information (Optional)

Display name: Your preferred name shown on the site
Bio: A short description about yourself
Avatar: Profile picture (uploaded or from OAuth provider)
Social links: Links to your Twitter, GitHub, LinkedIn, or personal website
Location: Optional location information

Two-Factor Authentication (2FA)

If you enable 2FA for enhanced security:

TOTP secret: Encrypted secret key for authenticator apps
Backup codes: Hashed recovery codes (10 single-use codes)
Multiple devices: You can add multiple authenticator apps per account
Device metadata: Device name and last used timestamp for each authenticator

Passkeys (WebAuthn)

If you register passkeys for passwordless authentication:

Credential ID: Public identifier for your passkey
Public key: Cryptographic public key (private key stays on your device)
Device type: Platform (Face ID, Touch ID, Windows Hello) or cross-platform (security key)
Backup status: Whether your passkey is backed up to a cloud provider
Device name: A friendly name you can set to identify your passkey
Last used: Timestamp of last authentication with this passkey

Passkeys use public-key cryptography. Your private key never leaves your device. We only store the public key for verification.

Connected Accounts (OAuth)

You can link multiple OAuth providers (GitHub, Google) to your account:

Provider ID: Identifier of the OAuth provider (github, google)
Account ID: Your unique ID from the OAuth provider
Connection date: When you linked the account
Access tokens: Securely stored, used only for authentication

You can view, connect, or disconnect OAuth providers anytime in Settings. We never access your data on connected platforms beyond basic profile information for authentication.

End-to-End Encryption (E2EE)

Claude Insider offers end-to-end encrypted messaging using the Matrix Olm/Megolm protocol with Double Ratchet algorithm. Here's how your encryption data is handled:

What We CANNOT See

The content of your encrypted messages
Your private encryption keys
Your cloud backup password
Decrypted message history

Device Keys

Data	Storage	Purpose
Private keys (Curve25519, Ed25519)	Your device only (IndexedDB)	Decrypt messages, sign data
Public keys	Our servers	Allow others to encrypt messages to you
One-time prekeys	Our servers (consumed on use)	Establish secure sessions
Device ID & metadata	Our servers	Device management

Cloud Key Backup

You can optionally back up your encryption keys to our servers:

Encryption: Your backup is encrypted with AES-256-GCM using a password you choose
We never store your password: If you forget it, your backup cannot be recovered
Deletion: You can delete your backup anytime from Settings

Device Verification

We store device verification status to help you trust your own devices:

SAS verification records: Emoji-based verification completion status
Cross-signing keys: Public keys for verifying your other devices
Trust relationships: Which devices you've verified

AI Assistant Access to Encrypted Messages

With your explicit consent, you can allow our AI assistant to access decrypted message content for features like summarization:

Consent required: AI access is strictly opt-in per conversation
Consent records: We store your consent preferences
Access logs: We log when AI accesses encrypted content (for your transparency)
Revocation: You can revoke AI access anytime

Direct Messaging

When you use direct messaging features (1:1 or group chats), we collect:

Data Type	Purpose	Retention
Message content (if not E2EE)	Deliver messages	Until deleted by user
Encrypted message blobs (if E2EE)	Store/relay encrypted data	Until deleted by user
Message metadata	Timestamp, sender, recipient	Until conversation deleted
Typing indicators	Real-time typing status	Not persisted (real-time only)
Online/presence status	Show who is online	Real-time + last seen timestamp
Read receipts	Show when messages are read	Until conversation deleted
Group memberships	Track group participants & roles	Until you leave or group deleted
Group invitations	Pending invites to groups	Until accepted/declined/expired

Donation System

If you choose to support Claude Insider through donations, we collect:

PayPal Donations

Transaction ID: PayPal order/capture ID for reference
Amount & currency: Donation amount
Payer email: As provided by PayPal (for receipts)
Payer name: As provided by PayPal

PayPal processes your payment. See PayPal's Privacy Policy.

Bank Transfer Donations

Reference code: Unique donation reference
Amount & currency: As manually confirmed
Donor information: As you provide when notifying us

Donor Badges & Recognition

Total donated: Sum of all donations (for badge tier calculation)
Badge tier: Bronze ($10+), Silver ($50+), Gold ($100+), Platinum ($500+)
Public display: Optional donor wall listing (you choose visibility)
Anonymous option: You can donate anonymously

Tax Receipts

Receipt number: Unique receipt ID (CI-YYYY-NNNNNN format)
Donor details: Name, email, address (as provided)
Donation details: Amount, date, payment method
Download tracking: When you downloaded the receipt

Retention: Donation records are retained for 7 years for tax compliance under Serbian law.

User Activity Data

When you use features requiring an account, we collect:

Data Type	Purpose	Retention
Comments & Replies	Community discussion	Until deleted by user or moderation
Favorites & Collections	Save and organize content	Until deleted by user
Edit Suggestions	Community contributions	Indefinitely (for content improvement)
Ratings & Reviews	Content quality feedback	Until deleted by user
Reading Lists	Track reading progress	Until deleted by user
Following/Followers	Social connections	Until unfollowed or account deleted
Achievements	Gamification and recognition	Until account deleted
AI Conversations	Save chat history	Until deleted by user
Search History	Quick access to past searches	Auto-cleaned after 30 days
Notification Preferences	Email and in-app notifications	Until account deleted
AI Assistant Settings	Model, voice, preferences	Until account deleted

How We Keep Your Data Safe

We implement comprehensive security measures to protect your data, in compliance with the Serbian Law on Information Security (Zakon o informacionoj bezbednosti):

Database Security

Supabase + PostgreSQL: Enterprise-grade database with automatic backups
Row Level Security (RLS): Users can only access their own data
Encrypted connections: All database connections use SSL/TLS

Authentication Security

bcrypt hashing: Passwords are hashed with bcrypt (cost factor 12)
OAuth 2.0: Secure sign-in via Google and GitHub
2FA support: TOTP-based two-factor authentication
Secure sessions: HTTP-only, secure cookies with SameSite protection

Application Security

HTTPS only: All connections are encrypted
Content Security Policy: Prevents XSS attacks
CSRF protection: All forms protected against cross-site request forgery
Input validation: All user inputs are validated and sanitized

Encryption

E2EE messaging: Matrix Olm/Megolm with Double Ratchet
API key encryption: AES-256-GCM with unique IVs
Cloud backup: User password-based encryption

Download Your Data

You have the right to download all data we have about you. This right is guaranteed under Serbian law, GDPR Article 20 (data portability), and CCPA. To export your data:

Go to Settings
Scroll to the "Data Management" section
Click "Export All Data"
A JSON file will download containing all your data

The export is provided in a machine-readable JSON format for data portability.

Delete Your Account & Data

You can permanently delete your account and all associated data at any time. This right is guaranteed under Serbian law, GDPR Article 17 (right to erasure), and CCPA:

Go to Settings
Scroll to the "Data Management" section
Click "Delete Account"
Enter your email to confirm
A confirmation email will be sent with a deletion link
Click the link within 24 hours to permanently delete your account

What Gets Deleted

All personal data including profile, messages, E2EE keys, achievements, and preferences.

What May Be Retained

Edit suggestions: May be retained anonymously if merged into content
Donation records: Retained 7 years for tax compliance (Serbian law)
Security logs: Retained if related to ongoing security investigations
Anonymized analytics: Aggregate statistics (no personal identifiers)

Analytics

We use Vercel Analytics, a privacy-focused analytics service:

What Vercel Analytics Collects

Page views: Which pages are visited
Referrers: How visitors found our site
Geographic location: Country-level only
Device information: Device type, browser, OS

What Vercel Analytics Does NOT Collect

No cookies: Cookie-free analytics
No personal data: No names, emails, or identifying info
No IP addresses: IPs are not stored
No cross-site tracking: No tracking across websites

Browser Fingerprinting & Security

To protect our website from automated abuse, we use browser fingerprinting (FingerprintJS).

What We Collect

Browser characteristics, screen resolution, timezone
Canvas, audio, WebGL fingerprints

How We Use Fingerprints

Bot detection and security monitoring
Trust scoring (0-100) for visitors
Rate limiting and honeypot protection

Legal Basis

Browser fingerprinting is processed under legitimate interest (GDPR Article 6(1)(f)) for security purposes. You may object under Article 21 by contacting us.

Retention: Fingerprint data is retained for 90 days.

AI Voice Assistant & Chat

Our AI features use third-party services:

Anthropic (Claude AI)
Chat messages are sent to Anthropic's Claude API. See Anthropic's Privacy Policy.

ElevenLabs (Text-to-Speech)
Voice output is generated by ElevenLabs. See ElevenLabs' Privacy Policy.

Your API Keys

If you add your own Anthropic API key:

Encryption: AES-256-GCM with unique IV per key
Storage: Only encrypted key and last 8 chars (hint) stored
Usage: Only used to make Claude API requests on your behalf
Deletion: Permanently deleted when you remove it

International Data Transfers

Your data may be transferred to and processed in countries outside Serbia and the EU/EEA:

Service	Location	Safeguard
Vercel (Hosting)	Global CDN, US headquarters	Standard Contractual Clauses
Supabase (Database)	AWS infrastructure	Standard Contractual Clauses
Anthropic (AI)	United States	Standard Contractual Clauses
ElevenLabs (TTS)	United States	Standard Contractual Clauses
Resend (Email)	United States	Standard Contractual Clauses
PayPal (Payments)	Global	BCR, Standard Contractual Clauses

Serbia is recognized by the EU as providing an adequate level of data protection. For transfers to other countries, we rely on Standard Contractual Clauses approved by the European Commission.

Cookies & Local Storage

We use minimal cookies:

Cookie	Purpose	Duration
NEXT_LOCALE	Language preference	1 year
better-auth.session_token	Authentication session	Session

Local Storage: Theme, voice settings, AI history, and fingerprint cache are stored locally and never sent to our servers.

Your Rights

Depending on your location, you have the following rights:

Under Serbian Law & GDPR

Access (Art. 15): Download all your data
Rectification (Art. 16): Update your information
Erasure (Art. 17): Delete your account and data
Restriction (Art. 18): Limit processing
Portability (Art. 20): Export in machine-readable format
Objection (Art. 21): Object to processing
Automated decisions (Art. 22): Challenge automated decisions
Complaint: Lodge complaint with supervisory authority

Under CCPA/CPRA (California)

Right to know what personal information is collected
Right to delete personal information
Right to opt-out of sale (We do NOT sell your data)
Right to non-discrimination for exercising rights
Right to correct inaccurate information
Right to limit use of sensitive personal information

Supervisory Authorities

Serbia: Poverenik za informacije od javnog značaja i zaštitu podataka o ličnosti (www.poverenik.rs)
EU/EEA: Your national data protection authority
US: FTC, California AG (CCPA), or state attorney general

Children's Privacy

Our website is not directed at children. Minimum age requirements:

Serbia: 15 years
EU/EEA: 16 years (or lower per member state, minimum 13)
United States: 13 years (COPPA)

We do not knowingly collect personal information from children below these ages. If you believe a child has provided us with personal information, please contact us for deletion.

Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted with an updated date. For significant changes, we will notify registered users via email. Your continued use after changes constitutes acceptance.

Contact Us

If you have questions about this Privacy Policy or want to exercise your data rights:

Vladimir Dukelic
Email: vladimir@dukelic.com

We will respond within 30 days as required by Serbian law and GDPR.

Summary

In short: Claude Insider operates under Serbian law (GDPR-equivalent), with full compliance for EU and US users. We collect account data, activity, and optionally: encrypted messages (E2EE), donations, and API keys. Private encryption keys never leave your device. We use fingerprinting for security only, never for ads. You can download or delete all your data anytime. We never sell your data. Serbian law and GDPR govern this policy, with your local consumer rights preserved.