Privacy Policy

Effective Date: January 28, 2026 | Last Updated: February 26, 2026

inchambers.ai, a sole proprietorship of Pawan Khatri ("we," "our," or "us"), is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our web application, Microsoft Word add-in, and related services (collectively, the "Service"). For more details on our privacy architecture, see our Privacy Architecture page. This policy complies with Microsoft Office Add-in Store requirements, Google OAuth requirements, and Microsoft Azure OAuth requirements. Inchambers is built on a zero-knowledge architecture. Your documents, AI prompts, AI responses, API keys, templates, chat history, and analysis results never touch our servers. All document processing happens entirely on your device.

1. Information We Collect

Information You Provide: When you register, we collect your name, email address, profile picture URL, and country (via Google OAuth or Microsoft Azure OAuth). Payment information is processed by Stripe; we store only your Stripe customer ID. Contact form submissions include name, email, message, and IP address for spam prevention. Newsletter subscriptions collect your email address.

Information Collected Automatically: We collect aggregate feature usage data (feature name, AI provider/model selected, success/failure status, per-user request count). We record session duration and activity count. Your IP address is processed transiently by our Redis-based rate limiter and is not persisted.

Information We Do Not Collect: Consistent with our zero-knowledge architecture, we do not collect, store, transmit, or have access to: document content, AI prompts and responses, API keys, templates, chat history, analysis results, device information, page views or browsing patterns, or client/case information.

2. How We Use Your Information

We use collected information to: provide, maintain, and improve the Service; process transactions and manage subscriptions; authenticate your identity; send technical notices, updates, and support messages; respond to inquiries; monitor aggregate usage trends; enforce rate limits; detect and prevent fraud; and comply with legal obligations.

3. Third-Party Authentication and OAuth Scopes

Google OAuth: We request openid, email, profile (for authentication) and drive.appdata (for optional encrypted cloud sync to a hidden app-specific folder). We comply with Google's OAuth 2.0 policies and limited use requirements. Microsoft Azure OAuth: We request openid, profile, email, User.Read (for authentication) and Files.ReadWrite (for optional encrypted cloud sync to a hidden app-specific folder). We comply with Microsoft identity platform requirements. Cloud sync is disabled by default. All synced data is encrypted client-side with AES-256-GCM before upload. You can revoke access at any time through your Google/Microsoft account settings.

4. Zero-Knowledge Architecture and Data Security

Inchambers operates across four isolated layers: (1) Authentication Layer — validates identity and subscription only, no document data; (2) Processing Layer — all document analysis happens client-side; (3) API Layer — data relayed on-the-fly through our zero-knowledge edge proxy, never stored; BYOK users connect directly to AI providers; (4) Storage Layer — only billing metadata and aggregate usage counts.

Free trial users use our platform proxy (Cloudflare Worker to OpenRouter). Content passes through Worker memory only for the duration of the request and is never logged, stored, or persisted. API keys are encrypted with AES-256-GCM using WebCrypto API. Templates, chat history, and analysis results are stored in your browser's IndexedDB. Optional Cloud Sync encrypts all data client-side with AES-256-GCM before uploading to your Google Drive or OneDrive; we cannot decrypt your cloud-synced data.

Security measures include: TLS 1.2+ encryption in transit, AES-256-GCM encryption for local and cloud-synced data, origin-isolated IndexedDB storage, OAuth 2.0 with PKCE, JWT-based session management with RS256 signatures, and regular security assessments. No method of transmission or storage is 100% secure.

5. Data Sharing and Disclosure

We do not sell your personal information. Service providers include: Stripe (payment processing, we store only customer ID), Railway (hosting), Cloudflare (DNS, CDN, platform proxy), AWS SES (transactional email), Upstash Redis (transient rate-limiting only), OpenRouter (AI request routing, content relayed in-memory only), and AI service providers (for BYOK users, direct device-to-provider connections).

MCP integrations transmit data directly from your device to third-party services. Data shared with third parties is subject to their privacy policies. Authentication credentials for MCP services are stored locally with AES-256-GCM encryption. Some MCP integrations may use unofficial APIs or methods and may not have the same privacy and security guarantees as official integrations. We may disclose information if required by law. In a merger or acquisition, your information may be transferred.

6. Your Rights and Choices

You can access and export your account information and locally stored data at any time. You can update account information through settings. You can request deletion of server-side data by contacting [email protected] (processed within 90 days). Local data can be cleared through browser settings or the "Clear Data" option. Cloud Sync data can be deleted through Settings or directly from your Google Drive/OneDrive. You can opt out of marketing communications and revoke OAuth permissions at any time.

7. Data Retention

Account data is retained while your account is active and deleted/anonymized within 90 days of deletion. Usage metrics are retained for the lifetime of your account. Rate-limiting data is transient and not persisted. Password reset tokens expire after 1 hour. Local data is stored on your device until you clear it.

8. Children's Privacy

Inchambers is not intended for use by individuals under 18. We do not knowingly collect personal information from children.

9. International Data Transfers

Your account information may be transferred to and processed in countries other than your country of residence. We ensure appropriate safeguards are in place for such transfers.

10. Microsoft Office Add-in Compliance

Document content is processed entirely client-side and never reaches our servers. We do not transmit, store, or use document content for advertising. When AI features are used, content is relayed on-the-fly (never stored) or sent directly to the AI provider for BYOK users.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. For material changes, we will provide additional notice such as email notification.

12. Contact Us

Inchambers, sole proprietorship of Pawan Khatri. Email: [email protected]. Data Protection Officer: [email protected].

13. Jurisdiction-Specific Rights

EEA (GDPR): We process personal data under Contract Performance (Art. 6(1)(b)), Legitimate Interests (Art. 6(1)(f)), and Consent (Art. 6(1)(a)). You have rights to access, rectify, erase, restrict processing, data portability, and to lodge complaints with a supervisory authority.

California (CCPA): You have the right to know, right to delete, and right to non-discrimination. We do not sell your personal information or share it for cross-context behavioral advertising.

Canada (PIPEDA): You have rights to access and correct your personal information under PIPEDA.

India (IT Act): Your information is subject to the Information Technology Act, 2000. Grievance Officer: [email protected]. We will acknowledge complaints within 48 hours and resolve within 30 days.

By using Inchambers, you acknowledge that you have read and understood this Privacy Policy. See also: Terms of Service · Disclaimer