Solverfox
Log inSign up

Privacy Policy

Effective: 7 June 2026 · Last updated: 7 June 2026

This Privacy Policy explains how Invisid AB ("Invisid", "we", "us" or "our") collects, uses, shares and protects your personal data when you use Solverfox, our AI work platform, and the related websites and services (together, the "Service"). We have written it to comply with the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the Swedish Data Protection Act (Lag (2018:218) med kompletterande bestämmelser till EU:s dataskyddsförordning), the ePrivacy rules on cookies, and the transparency expectations of the EU AI Act for AI-enabled features.

We have tried to write this policy in clear, plain language. Where a section uses a legal term (for example, a "legal basis" under Article 6 GDPR), we explain what it means in practice. If anything is unclear, you are welcome to contact us at contact@solverfox.ai.

Please note: Solverfox is currently in a pre-launch testing phase. At this time the only users are invited test users who do not pay for AI usage. This policy is written for the live, generally available product, and we will keep it accurate as the Service evolves. Some sections note where current behaviour differs during testing.

1. Who we are (the data controller)

The data controller responsible for your personal data is Invisid AB, a company registered in Sweden. "Data controller" means the organisation that decides why and how your personal data is processed.

  • Company: Invisid AB
  • Address: Åkergatan 24, 784 36 Borlänge, Sweden
  • Contact email: contact@solverfox.ai

We have not appointed a statutory Data Protection Officer (DPO), as we are not currently required to under Article 37 GDPR. You can direct all privacy questions and data-subject requests to the contact email above, and they will reach the people responsible for data protection at Invisid AB.

2. Scope of this policy

This policy applies to personal data we process when you create an account, use the Service, communicate with us, or visit our websites. It does not cover third-party services that you may reach through links from the Service; those services have their own privacy policies, and we encourage you to read them.

Where we process personal data on your behalf as part of the content you put into the Service (for example, personal data contained in your conversations or uploaded files), we act primarily as the controller for operating the Service. You are responsible for ensuring you have a lawful basis to include any personal data about other people in your content.

3. Personal data we collect

We collect the following categories of personal data. Most of it comes directly from you when you use the Service; some is generated automatically as you use it.

Account data. When you register and use your account, we store your email address, display name, avatar URL, timezone, preferred language (English or Swedish), your interface and AI model preferences, and account timestamps (created and updated). Authentication is handled by Supabase Auth. If you sign up with email and password, your password is stored only as a salted bcrypt hash and is never visible to us. If you sign in with Google, we receive your email address, name and profile picture from Google when you consent to that sign-in.

Billing and transaction data. If you purchase credits or a subscription, we store your Stripe customer ID, subscription identifiers, credit balance, lifetime credits purchased, used and granted as bonus, and transaction records (amount, credits, model cost, token counts, and Stripe payment identifiers). Card numbers and security codes (CVC) never reach our servers. All card data is collected and processed solely by Stripe, which is certified to PCI DSS Level 1.

User content. This is the heart of the Service. It includes the messages in your conversations (both your inputs and AI responses), which are stored as immutable conversation blocks ("segments"); AI-generated summaries of those segments; vector embeddings (1536-dimensional numerical representations) used for semantic search; your chats, projects and organisations; files you upload together with text extracted from them and the chunks and embeddings derived from them; and feedback you submit, including any optional screenshots you attach. If you create API keys, they are stored only as a hash.

Email and communications data. We store whether you have opted in to our newsletter (a subscription flag), an unsubscribe token, and email delivery logs (recipient, delivery status and the message identifier from our email provider).

Operational and technical data. To run, secure and improve the Service, we process administrative audit logs (which, for administrator actions, may include an IP address and user agent), internal analytics events keyed to a user, chat or segment, and aggregated usage statistics. Our hosting and error-tracking providers also process technical request data such as IP address and user agent (see the Subprocessors and Cookies sections).

We do not intentionally collect special categories of personal data (such as data about health, ethnicity, religion or political opinions). Please avoid entering such data into the Service unless strictly necessary, as it will be processed in the same way as your other content.

4. How and why we use your data, and our legal bases

Under Article 6 GDPR we must have a valid "legal basis" for each purpose for which we use your personal data. The table below maps each purpose to its legal basis. "Contract" means processing necessary to provide the service you asked for; "Legitimate interests" means a business interest that does not override your rights; "Consent" means you have given us specific permission; and "Legal obligation" means the law requires it.

PurposeData usedLegal basis (Art. 6 GDPR)
Create and manage your account; authenticate youAccount data, authentication dataPerformance of a contract (Art. 6(1)(b))
Provide core Service features: store conversations, generate AI responses, summaries, embeddings and semantic searchUser content, account preferencesPerformance of a contract (Art. 6(1)(b))
Process payments and manage credits/subscriptionsBilling and transaction dataPerformance of a contract (Art. 6(1)(b))
Keep accounting and tax recordsTransaction dataLegal obligation (Art. 6(1)(c))
Secure the Service, prevent abuse and fraud, maintain audit logsOperational and technical data, admin audit logsLegitimate interests (Art. 6(1)(f))
Diagnose errors and maintain reliabilityTechnical/error dataLegitimate interests (Art. 6(1)(f))
Understand and improve the Service through internal, mostly aggregated analyticsInternal analytics events, aggregated usageLegitimate interests (Art. 6(1)(f))
Measure how the Service is used to improve it via opt-in product analytics (PostHog)Pseudonymous user ID and product-usage eventsConsent (Art. 6(1)(a))
Send service and transactional emails (e.g. account, billing, security notices)Email address, account dataPerformance of a contract (Art. 6(1)(b)) / Legitimate interests (Art. 6(1)(f))
Send our newsletter and product updatesEmail address, subscription flagConsent (Art. 6(1)(a))
Respond to your support requests and feedbackCommunications data, feedback contentLegitimate interests (Art. 6(1)(f))
Comply with legal requests and defend legal claimsRelevant data as requiredLegal obligation (Art. 6(1)(c)) / Legitimate interests (Art. 6(1)(f))

Where we rely on legitimate interests, we have balanced our interests against your rights and freedoms, and we will provide further detail about that balancing on request. Where we rely on consent (for example, the newsletter), you can withdraw it at any time without affecting processing that happened before withdrawal.

5. AI features and your data

Solverfox is an AI-enabled product. When you use it, you are interacting with artificial intelligence. AI responses are generated by large language models and may contain errors; you should review AI output before relying on it. We disclose the use of AI clearly in line with the transparency expectations of the EU AI Act.

How your content is processed by AI. To generate responses, summaries and search, we send relevant parts of your content to AI providers acting as our subprocessors. The primary chat and summarisation model is Anthropic’s Claude; text embeddings are generated by OpenAI; alternative or fallback models may be served via OpenRouter or Mistral. The data shared with each provider is described in the Subprocessors section.

Zero Data Retention and no training on your data. We have configured our AI providers for Zero Data Retention (ZDR) wherever it is supported: Anthropic provides direct ZDR, OpenAI ZDR is configured for embeddings, and OpenRouter and Mistral apply account-level ZDR. In practice this means the providers discard your inputs after generating the response and do not retain them. We do not sell your personal data, and neither we nor our AI providers use your content to train AI models.

Embeddings are derived from summaries. The vector embeddings used for semantic search are generated from AI-written summaries of your segments rather than from your raw messages, which limits the personal data shared for that purpose.

Automated decision-making. We do not use your personal data to make decisions that produce legal or similarly significant effects about you solely by automated means within the meaning of Article 22 GDPR. AI generation of content at your request is not such a decision.

6. How we share your data

We do not sell your personal data. We share it only in the following situations:

  • With subprocessors (service providers) who process data on our behalf under written data processing agreements, as listed in the Subprocessors section below.
  • When required by law, court order or a valid request from a competent authority, or to establish, exercise or defend legal claims.
  • To protect the rights, safety and security of Invisid AB, our users or the public, including to detect and prevent fraud or abuse.
  • In connection with a business transaction such as a merger, acquisition or asset sale, in which case we will ensure your data remains protected and inform you of any change in controller.

7. Subprocessors

We rely on the third-party providers below to operate the Service. Each acts as a processor or sub-processor under a data processing agreement, and transfers outside the EU/EEA are protected by appropriate safeguards (see the International transfers section). "ZDR" means Zero Data Retention.

ProviderPurposeData sharedRetention / safeguardRegion
SupabaseDatabase, authentication, file storage (core processor)All personal data and user contentData processing agreement; backupsEU-hosted
Anthropic (Claude)Primary AI chat and summariesMessages and injected contextZero Data Retention; no training on inputsUS (SCCs)
OpenAIText embeddings only (text-embedding-3-small)Segment summary text only (not full messages)ZDR configured on account; no trainingUS (SCCs)
OpenRouterMulti-model gateway (fallback / non-Claude models)Messages and context when usedAccount-level ZDRUS (SCCs)
MistralOptional AI modelMessages and context when usedAccount-level ZDREU
StripePaymentsBilling/customer data; card data handled solely by StripePCI DSS Level 1US/EU (SCCs)
ResendTransactional and newsletter emailEmail address, email contentLogs retained short-termUS (SCCs)
Upstash (Redis)Caching, rate limitingHashed cache keys, short TTL; no long-term personal dataAutomatic expiryEU/US
SentryError trackingError and stack traces; configured with sendDefaultPii=false (no email, user ID or IP by default)Retention per Sentry policyUS (SCCs)
VercelHosting / CDNRequest logs, IP address, user agentLogs retained approx. 90 daysGlobal edge
GoogleOAuth login (optional)Authentication profile (email, name, picture) on user consentPer Google policyUS (SCCs)
PostHogProduct analytics (usage events, opt-in)Pseudonymous user ID and product-usage events; no email or message contentRetained per PostHog configuration; EU-hostedEU

We keep this list current and will update it when we add or change subprocessors. If you would like to be notified of material changes to our subprocessors, contact us at contact@solverfox.ai.

8. International data transfers

We aim to keep your core data within the EU/EEA. Our database, authentication and file storage (Supabase) are EU-hosted, and our optional EU AI model (Mistral) is in the EU. However, some of our subprocessors are located in the United States or operate globally, which means some personal data is transferred outside the EU/EEA.

When we transfer personal data outside the EU/EEA, we rely on appropriate safeguards under Chapter V GDPR, primarily the European Commission’s Standard Contractual Clauses (SCCs), supplemented by additional technical and organisational measures (such as encryption and the Zero Data Retention configuration described above). You can read more about SCCs on the European Commission and EDPB websites at edpb.europa.eu.

You may request more information about the specific safeguards applied to a given transfer, and a copy of the relevant SCCs where available, by emailing contact@solverfox.ai.

9. How long we keep your data

We keep personal data only for as long as necessary for the purposes described in this policy, after which we delete or anonymise it. The main retention periods are:

  • Account and user content: kept for as long as your account is active. When you delete your account, the associated authentication user is deleted and database rows (including conversations, segments, summaries, embeddings, projects and files) and stored avatars are removed by cascading deletion.
  • Billing and transaction records: retained for as long as required by Swedish accounting and tax law (generally up to seven years), even after account deletion, and a record may also remain with Stripe under its own retention and legal obligations.
  • Email delivery logs and newsletter status: kept while relevant to your subscription and for a short period thereafter for deliverability and audit purposes.
  • Operational logs: hosting request logs (Vercel) are retained for approximately 90 days; error-tracking data (Sentry) is retained according to Sentry’s policy; cache data (Upstash) expires automatically after a short time-to-live.
  • Backups: residual copies of deleted data may persist in encrypted backups for a limited period until those backups are rotated and overwritten.

Because AI providers are configured for Zero Data Retention, your content sent to them for processing is not retained by those providers beyond generating the response.

10. Your rights under the GDPR

As a data subject in the EU/EEA, you have the following rights in relation to your personal data. We will respond to requests without undue delay and within one month, with the possibility of extending by two further months for complex requests (we will tell you if that applies).

  • Right of access (Art. 15): to obtain confirmation of whether we process your data and a copy of it.
  • Right to rectification (Art. 16): to have inaccurate or incomplete data corrected. You can update most profile data yourself in your account settings.
  • Right to erasure (Art. 17): to have your data deleted in certain circumstances (the "right to be forgotten"). You can delete your account yourself, which removes your authentication user, associated database rows and stored avatars.
  • Right to restriction of processing (Art. 18): to limit how we use your data in certain circumstances.
  • Right to data portability (Art. 20): to receive data you provided to us in a structured, commonly used, machine-readable format, and to have it transmitted to another controller where technically feasible.
  • Right to object (Art. 21): to object to processing based on our legitimate interests, and at any time to processing for direct marketing.
  • Right to withdraw consent (Art. 7(3)): where we rely on your consent (for example, the newsletter), you may withdraw it at any time without affecting prior processing.
  • Rights related to automated decision-making (Art. 22): we do not carry out solely automated decision-making with legal or similarly significant effects.

How to exercise your rights. Several rights can be exercised directly in the product: you can rectify your profile in account settings, export a copy of your data as a JSON file from account settings (supporting your rights of access and data portability), delete your account through the account deletion flow, and unsubscribe from our newsletter using the link or token in any newsletter email. Very large accounts may have their in-app export limited for performance, in which case we will provide a complete copy on request. For any other request, email us at contact@solverfox.ai. Exercising your rights is free of charge, except where a request is manifestly unfounded or excessive.

Right to lodge a complaint. If you believe we have not handled your personal data correctly, you can lodge a complaint with the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, "IMY"), our lead supervisory authority, at www.imy.se. You also have the right to lodge a complaint with the supervisory authority in the EU member state of your habitual residence or place of work. We would, however, appreciate the chance to address your concerns first.

11. Cookies and local storage

We keep our use of cookies and similar technologies to a minimum. Strictly necessary cookies are used to provide the Service, and we do not require consent for these under the ePrivacy rules. We also use opt-in analytics cookies, which are set only with your consent as described below; we explain all of these here for transparency.

  • Authentication and session cookies (Supabase SSR): cookies such as sb-*-auth-token and a PKCE verifier, set with the SameSite and Secure attributes, are used to keep you signed in and to secure the login flow.
  • Local and session storage: we use a minimal amount of browser localStorage and sessionStorage for interface state and to preserve a pending draft. This does not contain personal data in the sense of identifying information.
  • Analytics cookies (PostHog), set only after you accept the analytics consent banner: used to measure how the Service is used so we can improve it. These are stored on the basis of your consent, which you can withdraw at any time; if you decline, no analytics cookies are set and no product-analytics events are collected.

We do not use advertising cookies or tracking pixels. There is no Google Analytics, Meta Pixel or similar advertising tracking on the Service. Strictly necessary cookies do not require your consent; analytics cookies require your prior consent via the banner that appears when you first use the Service, which you can withdraw at any time.

12. How we protect your data

We implement technical and organisational measures appropriate to the risk, in line with Article 32 GDPR, including:

  • Encryption in transit (HTTPS/TLS) for data moving between you, us and our providers.
  • Row Level Security (RLS) in our database, so each user can access only their own data.
  • Hashing of secrets: passwords are stored as salted bcrypt hashes and user-generated API keys are stored hashed; we cannot read them in plain text.
  • Zero Data Retention configuration with AI providers, so your content is not retained by them after processing.
  • Access controls and audit logging for administrative actions.
  • Use of reputable, security-certified infrastructure providers under data processing agreements.

No method of transmission or storage is completely secure, and we cannot guarantee absolute security. If a personal data breach occurs that is likely to result in a risk to your rights and freedoms, we will notify IMY and, where required, affected users in accordance with Articles 33 and 34 GDPR.

13. Children

The Service is intended for adults and is not directed at young children. Under the Swedish Data Protection Act, the age at which a child can give valid consent to information society services is 13. Where we rely on consent, we do not knowingly process the personal data of children under 13 without the consent or authorisation of a holder of parental responsibility.

If you believe a child under 13 has provided us with personal data without the appropriate consent, please contact us at contact@solverfox.ai and we will take steps to delete it.

14. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements or the Service. When we make material changes, we will update the "Last updated" date above and, where appropriate, notify you by email or through the Service before the changes take effect.

We encourage you to review this policy periodically. Your continued use of the Service after an update takes effect indicates your awareness of the revised policy, to the extent permitted by law.

15. Contact us

If you have any questions, concerns or requests regarding this Privacy Policy or your personal data, please contact us:

Supervisory authority: Integritetsskyddsmyndigheten (IMY), Sweden — www.imy.se.

← Back to home