Privacy policy
Last updated: May 4, 2026
The short version
- No accounts. No email or password. No name or contact info required.
- Your prompts and the images we generate are deleted from our servers within 10 minutes.
- We don't track you across other apps or websites.
- We don't sell or share your data for advertising. Ever.
If that's enough, you can stop reading. If you want the details, they're below.
For the purposes of EU data-protection law (GDPR), the data controller of any personal data processed through hi-key is us: hi-key, run by Zafeirios Malafouris, based in Athens, Greece. For privacy questions, email support@hi-key.ai.
1. What data hi-key handles
Unless noted below, data is kept for as long as it's needed to run hi-key. You can ask us to delete your data at any time; see Your rights.
| Data | Why we have it | Notes |
|---|---|---|
| An anonymous user identifier | To keep track of your credit balance and subscription status. | A random string. No name, email, or phone attached. |
| Your subscription and credit history | To know how many credits you have left and what you've purchased through Apple. | Linked to the anonymous user identifier, not to your Apple ID or any personal info. |
| The text prompts you type | Sent to AI providers to generate images. | Deleted from our servers within 10 minutes of generation. |
| The images we generate for you | Delivered to your keyboard so you can copy and share them. | Deleted from our servers within 10 minutes of generation. |
| Anonymous usage events (e.g. "opened referral screen") | To understand what works and improve the app. | Not linked to you personally. |
| Your name (optional) | If you set one in Settings, part of it appears in your referral code so a friend can recognise it. | The referral code contains part of your name and is shared only if you generate one. |
| Your referral code (if you create one) | To grant credits to you and a friend who uses it. | Linked to the anonymous user identifier. |
| Your email address (waitlist only) | If you signed up on the website before launch, we email you when hi-key is ready. | Deleted after the launch email is sent. |
| Crash and error reports | To diagnose bugs. | Anonymous device, OS, and app data only. No personal data is included. Typically retained for 90 days by our error-tracking provider. |
2. What we don't collect
- Your name, address, phone number, or any contact info (apart from the optional waitlist email).
- The content of your messages, conversations, browsing history, or contacts.
- Anything you type outside the hi-key prompt bar.
- Your location.
- Any advertising identifiers (such as Apple's IDFA). We don't use them.
3. Where data goes (sub-processors)
To run hi-key we rely on a few well-known services. None of them know who you are personally. Below is who handles what.
| Service | What they do for hi-key | Region |
|---|---|---|
| Supabase | Anonymous user record, credit balance, and usage metadata (e.g. which models are used, generation timing, settings) | Central EU (Frankfurt) |
| Cloudflare R2 | Temporary image storage | EU |
| Upstash QStash | Background job queue | Central EU (Frankfurt) |
| OpenAI | Prompt processing (proofreading, autocomplete, enhancement) | United States |
| Replicate | Runs the AI models that produce the images | United States |
| RevenueCat | Subscription and credit status | United States |
| PostHog | Anonymous product analytics | EU |
| Resend | Sends the waitlist confirmation email (waitlist users only) | United States |
| Sentry | Crash and error reports | EU |
| Vercel | Hosts hi-key.ai and the backend API used by the iOS app | Central EU (Frankfurt) |
4. International transfers
Some of these services are based in the United States (notably OpenAI, Replicate, RevenueCat, Resend). When data leaves the European Economic Area, we rely on the European Commission's Standard Contractual Clauses and each provider's certifications under the EU-U.S. Data Privacy Framework, where applicable. The data sent to AI providers is your prompt, without any identifier that links it to you.
5. Why we're allowed to process this data (legal basis)
- To provide the service (Article 6(1)(b) GDPR, contract performance): sending your prompts to AI providers, storing your credit balance, and processing purchases through Apple/RevenueCat.
- Our legitimate interests (Article 6(1)(f) GDPR): anonymous analytics to improve the product, and error logging to keep things working.
- Your consent (Article 6(1)(a) GDPR) for the optional waitlist signup. You can ask us to delete your email at any time.
6. Your rights
Under GDPR you have the right to:
- Access the data we hold about you
- Correct inaccurate data
- Delete your data (the "right to be forgotten")
- Object to processing based on legitimate interests
- Restrict processing in certain situations
- Receive a copy of data you've provided in a portable format
Because hi-key has no accounts, your only identifier is an anonymous user ID. You can find it inside the app under Settings → User ID. Email it to support@hi-key.ai with a brief description of what you'd like, and we'll handle the request within 30 days (usually much faster).
You also have the right to lodge a complaint with the Hellenic Data Protection Authority or with your local EU supervisory authority if you live elsewhere in the EEA.
7. AI providers and your prompts
The text you type into the hi-key prompt bar is sent to AI providers (such as OpenAI and Replicate) so they can process and generate images for you. They use your prompt for the duration of the request and may retain it briefly for abuse-prevention per their own policies. They don't receive any identifier that links the prompt to you.
For reference, here are their privacy policies:
8. Children
hi-key isn't designed for users under 13, and the App Store age rating reflects that. If you believe a child under 13 has used hi-key, contact support@hi-key.ai and we'll remove their data.
9. Security
We follow accepted security practices: HTTPS for all traffic, and access to our systems is restricted to what's needed to run them. The strongest protection, though, is what we don't store. hi-key has no accounts, so there are no passwords. Prompts and images are deleted from our servers within minutes of generation. And nothing in our systems is tied to your real-world identity. By design, there isn't much to expose.
10. Changes to this policy
If we change this policy in a way that materially affects your data, we'll post a notice in the app. The "last updated" date at the top will tell you when the document changed.
11. Contact
Email: support@hi-key.ai
Athens, Greece
See also: Terms of Service.