Privacy Policy

Effective Date: March 30, 2026 · Last Updated: March 30, 2026

Introduction

SessionWise sp. z o.o., a company registered in Poland (KRS: 0000803658, NIP: 5272905462, REGON: 384349430), with its registered office at Grzybowska 87, 00-844 Warsaw, Poland ("SessionWise," "we," "us," or "our") is committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy describes how we collect, use, disclose, store, and protect your information when you use our platform, including the web application at app.sessionwise.dev, the marketing website at sessionwise.dev, the SessionWise command-line interface ("CLI"), Model Context Protocol ("MCP") servers, APIs, and any related software or services (collectively, the "Service").

SessionWise is a zero-trust, end-to-end encrypted platform for AI coding session knowledge management. We have designed our architecture so that your most sensitive data (session transcripts, code, knowledge nuggets) is encrypted before being stored on our servers. During the session upload pipeline, session content is temporarily processed in plaintext by third-party AI providers (via secure TLS connections) for analysis purposes. After analysis, all data is encrypted locally on your device before transmission to our servers for storage. We cannot read, access, or decrypt the stored content on our servers.

By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with this Privacy Policy, please do not use the Service.

This Privacy Policy should be read in conjunction with our Terms of Service.

1. Data Controller

For the purposes of the EU General Data Protection Regulation ("GDPR") and applicable data protection laws, SessionWise is the data controller responsible for your personal data processed through the Service.

SessionWise sp. z o.o.

Grzybowska 87, 00-844 Warsaw, Poland

KRS: 0000803658 | NIP: 5272905462 | REGON: 384349430

Email: privacy@sessionwise.dev

Website: https://sessionwise.dev

If your Organization uses SessionWise, your Organization may act as a data controller (or joint controller) with respect to the personal data processed within the Organization's account.

Data Protection Officer: We have not designated a Data Protection Officer at this time. For all data protection inquiries, please contact privacy@sessionwise.dev.

2. Information We Collect

We collect different categories of information depending on how you interact with the Service. Critically, we distinguish between data that is end-to-end encrypted (which we cannot read) and plaintext metadata (which we can access).

2.1 Information You Provide Directly

  • Account Information: When you create an account using an OAuth provider (GitHub or Google), we receive and store your email address, display name, and avatar URL as provided by the OAuth provider. This data is managed by Supabase Auth.
  • Billing Information: When you subscribe to a paid plan, payment information (credit card numbers, billing address) is collected and processed directly by Stripe, our payment processor. SessionWise does not store your full credit card number or payment credentials on our servers.
  • Communications: If you contact us for support, submit feedback, or communicate with us via email, we collect the content of those communications along with your contact information.
  • Waitlist Information: If you join our waitlist, we collect your email address.

2.2 End-to-End Encrypted Data (We Cannot Read)

The following data is encrypted on your local device using XChaCha20-Poly1305 AEAD envelope encryption before being stored on our servers. We store only encrypted ciphertext and have no technical ability to decrypt the stored data. Note: during the session upload pipeline, session content is temporarily processed in plaintext by AI providers for analysis (see Section 3.2) before encryption occurs:

  • Session transcripts and content from AI coding sessions;
  • Knowledge nugget content, including titles, problem descriptions, solutions, code examples, and related metadata;
  • Glossary definitions and terms;
  • Embedding vectors generated from your content.

Zero-Trust Guarantee: Your encryption keys (Key Encryption Key, or KEK) are generated and stored locally in your operating system's secure keychain (macOS Keychain, Windows DPAPI, or Linux libsecret). They are never transmitted to our servers. Even if our backend infrastructure were compromised, attackers would only have access to encrypted ciphertext that cannot be decrypted without your KEK.

2.3 Plaintext Metadata (We Can Access)

To operate the Service, certain metadata is stored in plaintext (unencrypted) form:

  • Session identifiers (session_id), organization identifiers (org_id), and developer identifiers (developer_id);
  • Timestamps (session start/end times, creation dates, modification dates);
  • Repository names and identifiers;
  • Tags and categorization labels;
  • Confidence scores from AI analysis;
  • Usage metrics (number of sessions, nuggets captured, features used);
  • Plan and subscription status.

2.4 Automatically Collected Information

  • Device and Browser Information: We automatically collect information about the device and browser you use to access the Service, including device type, operating system, browser type and version, and screen resolution.
  • IP Address: Your IP address is collected when you access the Service. IP addresses are used for rate limiting, security monitoring, and approximate geolocation for analytics purposes.
  • Usage Data: We collect information about how you interact with the Service, including pages visited, features used, click events, navigation patterns, and error logs.
  • Analytics Events: We track custom analytics events via Vercel Analytics, including navigation clicks (nav_click), call-to-action interactions (cta_click), waitlist submissions (waitlist_submit), and similar engagement events. Bot traffic is filtered and excluded.

2.5 Data Stored Locally

The SessionWise CLI stores data locally on your device in SQLite databases, including cached session data, local configuration, and encryption keys. This data is protected by your operating system's native file system permissions and keychain security. SessionWise does not remotely access data stored locally on your device.

2.6 Special Categories of Personal Data

We do not intentionally collect or process special categories of personal data as defined by GDPR Article 9 (e.g., data revealing racial or ethnic origin, political opinions, religious beliefs, health data, biometric data, or sexual orientation). If you inadvertently include such data in your session content, it will be processed as part of the AI analysis pipeline and subsequently encrypted. We strongly recommend not including sensitive personal data in your coding sessions.

3. How We Use Your Information

We use the information we collect for the following purposes:

3.1 Service Delivery and Operations

  • To create and manage your account;
  • To provide, operate, and maintain the Service;
  • To process and manage your subscription and billing;
  • To authenticate your identity and authorize access;
  • To store and transmit your encrypted data;
  • To enforce usage limits and rate limits associated with your plan.

3.2 AI-Powered Analysis

  • To analyze your AI coding sessions using third-party AI services (Anthropic Claude and Google Cloud Vertex AI) for the purpose of extracting knowledge nuggets, identifying patterns and antipatterns, and generating actionable insights;
  • To generate vector embeddings of your content using Voyage AI for semantic search functionality;
  • AI processing of your session data occurs as part of the session upload pipeline. Session content is sent in plaintext to AI providers via secure TLS connections for analysis. This is the only stage where your content exists in an unencrypted form outside your device. After analysis, the content and extracted knowledge are encrypted locally before storage. AI providers do not retain your data beyond the processing request (see Section 5 for details).

3.3 Service Improvement

  • To analyze usage patterns and trends to improve the Service;
  • To diagnose technical problems and debug errors;
  • To develop new features and enhancements;
  • To conduct internal research and analytics using aggregated, anonymized data.

3.4 Communication

  • To send you transactional emails (account verification, password resets, billing receipts);
  • To send you Service-related announcements (maintenance windows, security notices, Terms updates);
  • To respond to your inquiries and support requests;
  • To send promotional communications, where you have opted in (you may opt out at any time).

3.5 Security and Fraud Prevention

  • To monitor for and prevent unauthorized access, fraud, and abuse;
  • To enforce our Terms of Service and Acceptable Use Policy;
  • To comply with legal obligations and respond to lawful requests from authorities.

4. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data on the following legal bases under the GDPR:

  • Performance of a Contract (Article 6(1)(b)): Processing necessary to provide the Service to you, including account creation, session processing, data storage, and subscription management.
  • Legitimate Interests (Article 6(1)(f)): Processing necessary for our legitimate interests, provided these interests are not overridden by your rights and freedoms. This includes: service improvement, analytics, fraud prevention, security monitoring, and direct marketing to existing customers. We have conducted Legitimate Interest Assessments (LIAs) for each processing activity relying on this basis; these are available upon request at privacy@sessionwise.dev. You have the right to object to processing based on legitimate interests.
  • Consent (Article 6(1)(a)): Where we rely on your consent (for example, for non-essential cookies or promotional communications), you have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing conducted prior to withdrawal.
  • Legal Obligation (Article 6(1)(c)): Processing necessary to comply with legal obligations, such as tax reporting, responding to lawful government requests, or data breach notification requirements.

5. Third-Party Services and Data Sharing

We share your information with third-party service providers only as necessary to operate the Service. We do not sell, rent, or trade your personal information to third parties for their marketing purposes.

5.1 Infrastructure and Hosting

Provider | Purpose | Data Processed
Supabase | Primary backend, database (PostgreSQL on AWS us-east-1), authentication, real-time subscriptions | Account data, encrypted session data, metadata, authentication tokens
Vercel | Web application hosting, deployment, analytics | IP addresses, browser information, page views, analytics events

5.2 AI Processing

Provider | Purpose | Data Retention
Anthropic (Claude AI models) | AI-powered session analysis, knowledge extraction | Zero data retention policy — session data is processed in real-time and not stored by Anthropic
Google Cloud Vertex AI | Alternative AI session analysis | SOC 2 certified; data processed per Google Cloud terms with no training on customer data
Voyage AI | Vector embeddings (voyage-3-lite, 1024-dimensional) for semantic search | Embedding data is processed in real-time and not retained by Voyage AI after the embedding response is returned. No customer content is used for model training

Important: Session content sent to AI providers for analysis is transmitted via secure TLS connections. Anthropic operates under a zero data retention policy, meaning your session data is not stored after processing. Google Cloud Vertex AI is SOC 2 certified and does not use customer data for model training. AI processing is performed as part of the session upload pipeline, and results are encrypted before storage.

5.3 Payments

Provider | Purpose | Data Processed
Stripe | Payment processing, subscription management, invoicing | Payment card details, billing address, email, transaction history. PCI DSS Level 1 certified.

5.4 Communications

Provider | Purpose | Data Processed
Resend | Transactional email delivery | Email addresses, email content (transactional messages)

5.5 Authentication

Provider | Purpose | Data Processed
GitHub OAuth | Single sign-on authentication | Email, display name, avatar URL, GitHub user ID
Google OAuth | Single sign-on authentication | Email, display name, avatar URL, Google user ID

5.6 Sub-Processors and Changes

The third-party services listed above act as sub-processors of your personal data. We maintain a current list of sub-processors in this Privacy Policy. We will provide at least 30 days' notice before adding new sub-processors that process personal data, via email or in-app notification. If you object to a new sub-processor, you may terminate your account before the change takes effect.

5.7 Other Disclosures

We may also disclose your information:

  • To comply with applicable laws, legal processes, or government requests;
  • To enforce our Terms of Service and protect our rights, privacy, safety, or property;
  • In connection with a merger, acquisition, bankruptcy, or sale of all or a portion of our assets (in which case your information may be transferred to the successor entity);
  • With your consent or at your direction.

Note: Due to our end-to-end encryption architecture, even if compelled by legal process, we can only provide encrypted ciphertext for E2E encrypted data categories. We cannot provide decrypted content because we do not possess the decryption keys.

6. Cookies and Tracking Technologies

We use a limited set of cookies and similar technologies:

6.1 Essential Cookies

  • Authentication Cookies: Managed by Supabase Auth. These cookies are strictly necessary for authenticating your session, maintaining your login state, and managing JWT token rotation. Without these cookies, you cannot use the authenticated portions of the Service.

6.2 Analytics

  • Vercel Analytics: We use Vercel Analytics to collect anonymized usage data, including page views and custom events (such as navigation clicks, call-to-action clicks, and waitlist submissions). Vercel Analytics is privacy-focused and does not use cookies for tracking. Bot traffic is automatically detected and filtered. Data collected includes page URL, referrer, browser type, operating system, device type, and country-level geolocation.

6.3 Managing Cookies

You can control and manage cookies through your browser settings. Please note that disabling essential cookies may prevent you from using authenticated features of the Service. For more information about cookies and how to manage them, visit www.allaboutcookies.org.

7. Data Storage and Security

7.1 Storage Location

Your data is stored on infrastructure provided by Supabase, which runs on Amazon Web Services (AWS) in the us-east-1 (Northern Virginia) region. For information about international data transfers, see Section 11.

7.2 Encryption

We employ multiple layers of encryption to protect your data:

  • End-to-End Encryption: Sensitive content is encrypted using XChaCha20-Poly1305 AEAD (Authenticated Encryption with Associated Data) with envelope encryption. Each record is encrypted with a unique 256-bit Data Encryption Key (DEK), which is itself encrypted with your organization's 256-bit Key Encryption Key (KEK).
  • Key Management: Your KEK is generated locally and stored in your operating system's secure keychain (macOS Keychain, Windows DPAPI, or Linux libsecret). KEKs are never transmitted to our servers.
  • Transport Encryption: All data in transit between your device and our servers is protected by TLS (Transport Layer Security). WebSocket connections used for real-time features are also secured with TLS.
  • At-Rest Encryption: In addition to our application-level E2E encryption, Supabase/AWS provides infrastructure-level encryption at rest for all stored data.

7.3 Access Controls

  • Row-Level Security (RLS) policies enforce that users can only access data belonging to their organization;
  • OAuth-based authentication with JWT (JSON Web Token) and refresh token rotation;
  • API rate limiting to prevent abuse;
  • Principle of least privilege applied to all internal access.

7.4 Local Data Security

Data stored locally by the SessionWise CLI is kept in SQLite databases on your device. Security of local data relies on your operating system's file system permissions and keychain mechanisms. We recommend keeping your operating system and the SessionWise CLI updated to benefit from the latest security patches.

8. Data Retention

We retain your data for the following periods:

Data Type | Retention Period
Account information | Duration of account existence plus 30 days after deletion
Encrypted session data and nuggets | Duration of account existence, deleted upon account termination or user request
Raw session metrics | 12 months from collection date
Aggregated, anonymized metrics | Retained indefinitely (not linked to any individual)
Billing and transaction records | As required by applicable tax and financial regulations (typically 5-7 years)
Support communications | 2 years from last communication
Analytics data (Vercel) | Subject to Vercel's data retention policies

When data is deleted, we make commercially reasonable efforts to ensure it is permanently removed from our active systems. Encrypted data may persist in backup systems for a limited period (typically up to 30 days) before being purged.

9. Your Rights Under GDPR

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights under the GDPR regarding your personal data:

  • Right of Access (Article 15): You have the right to request a copy of the personal data we hold about you. Note that for end-to-end encrypted data, we can only provide the encrypted ciphertext, as we cannot decrypt it.
  • Right to Rectification (Article 16): You have the right to request correction of inaccurate personal data. You can update your account information directly through your account settings or OAuth provider.
  • Right to Erasure (Article 17): You have the right to request deletion of your personal data, subject to certain legal exceptions. See Section 10 for details on how to exercise this right.
  • Right to Data Portability (Article 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format (JSON). You can export your data through the CLI tool using the export commands.
  • Right to Restriction of Processing (Article 18): You have the right to request that we restrict the processing of your personal data under certain circumstances, including: (a) you contest the accuracy of your data (restriction during verification); (b) processing is unlawful but you oppose erasure; (c) we no longer need the data but you require it for legal claims; or (d) you have objected to processing pending verification of our legitimate grounds. To request restriction, contact privacy@sessionwise.dev specifying which condition applies.
  • Right to Object (Article 21): You have the right to object to the processing of your personal data based on legitimate interests. Where we process your data for direct marketing purposes, you have an absolute right to object.
  • Right to Withdraw Consent: Where processing is based on consent, you may withdraw your consent at any time. This does not affect the lawfulness of processing prior to withdrawal.
  • Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority in your country of residence, place of work, or the place of the alleged infringement.

To exercise any of these rights, please contact us at privacy@sessionwise.dev. We will respond to your request within 30 days. We may need to verify your identity before processing your request.

10. Right to Deletion

You can request deletion of your data through the following methods:

10.1 Self-Service Deletion (CLI)

You can delete all session records and associated data for a specific developer using the CLI command:

sessionwise org purge-dev --id <developer_id>

This command removes all session records, knowledge nuggets, and associated metadata for the specified developer from our servers.

10.2 Account Deletion

You can request full account deletion by contacting us at privacy@sessionwise.dev. Upon receiving and verifying your request, we will delete your account and all associated data within 30 days, except for data we are legally required to retain (such as billing records for tax compliance).

10.3 Limitations

  • Aggregated, anonymized data that does not identify you will not be deleted;
  • Data shared within an Organization may be subject to the Organization's data governance policies;
  • Billing and transaction records may be retained as required by law;
  • Data in backup systems may persist for up to 30 days after deletion from active systems.

11. International Data Transfers

SessionWise is operated from Poland (EU). However, your data is processed and stored using infrastructure located in the United States (AWS us-east-1, Northern Virginia) and may be processed by third-party services located in various countries.

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, your personal data may be transferred to, stored in, and processed in countries outside the EEA that may not provide the same level of data protection as your home country.

Where personal data is transferred outside the EEA, we ensure that appropriate safeguards are in place, including:

  • Transfers to countries recognized by the European Commission as providing an adequate level of data protection;
  • Standard Contractual Clauses (SCCs) approved by the European Commission;
  • Reliance on the EU-US Data Privacy Framework, where applicable;
  • Other legally recognized transfer mechanisms under applicable data protection laws.

Encryption Safeguard: For end-to-end encrypted data, the transfer risk is significantly mitigated by the fact that data stored on US servers is in encrypted form that cannot be decrypted without your KEK, which remains on your local device in the EU (or wherever you are located). Even with full access to our servers, decryption is technically impossible without the KEK.

12. Children's Privacy

The Service is not directed to and is not intended for use by individuals under the age of 16. We do not knowingly collect personal information from children under 16. If you are under 16, please do not use the Service or provide any personal information to us.

If we become aware that we have collected personal information from a child under 16 without verification of parental consent, we will take steps to delete that information as quickly as possible. If you believe we may have collected information from a child under 16, please contact us at privacy@sessionwise.dev.

13. California Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with additional rights regarding your personal information.

13.1 Categories of Personal Information Collected

In the preceding 12 months, we have collected the following categories of personal information:

  • Identifiers: email address, display name, user ID, IP address;
  • Commercial Information: subscription plan, billing history, transaction records;
  • Internet Activity: browsing history on our Service, page views, feature usage, analytics events;
  • Professional Information: repository names, organization affiliations (as provided through OAuth);
  • Inferences: usage patterns and preferences derived from Service interactions.

13.2 Your California Privacy Rights

  • Right to Know: You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the sources of that information, our business purposes for collecting it, and the categories of third parties with whom we share it.
  • Right to Delete: You have the right to request that we delete your personal information, subject to certain legal exceptions.
  • Right to Correct: You have the right to request correction of inaccurate personal information.
  • Right to Opt-Out of Sale/Sharing: We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising purposes.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

13.3 Exercising Your Rights

To exercise your California privacy rights, contact us at privacy@sessionwise.dev. We will verify your identity before processing your request. You may also designate an authorized agent to make a request on your behalf.

13.4 Shine the Light

California Civil Code Section 1798.83 permits California residents to request information about the disclosure of personal information to third parties for their direct marketing purposes. We do not disclose personal information to third parties for their direct marketing purposes.

14. Do Not Track Signals

Some web browsers transmit "Do Not Track" (DNT) signals to websites. Because there is no universally accepted standard for how to respond to DNT signals, the Service does not currently respond to or alter its practices upon receiving DNT signals. However, we note that our analytics (Vercel Analytics) are privacy-focused and do not use third-party cookies for cross-site tracking regardless of DNT settings.

We will continue to monitor developments in DNT technology and browser standards and will update our practices as appropriate.

15. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, SessionWise will:

  • Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by Article 33 of the GDPR;
  • Notify affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms, as required by Article 34 of the GDPR;
  • Document the breach, its effects, and the remedial action taken;
  • Comply with any additional breach notification requirements under applicable laws (including US state breach notification laws).

Encryption Benefit: In the event of a breach affecting our backend infrastructure, end-to-end encrypted data remains protected because decryption requires your KEK, which is not stored on our servers. A breach of our infrastructure would only expose encrypted ciphertext and plaintext metadata.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make changes:

  • We will update the "Last Updated" date at the top of this page;
  • For material changes, we will provide prominent notice by email, in-app notification, or a banner on our website at least 30 days before the changes take effect;
  • We may ask for your explicit consent to material changes where required by applicable law.

We encourage you to review this Privacy Policy periodically. Your continued use of the Service after the updated Privacy Policy becomes effective constitutes your acceptance of the changes.

17. Additional Disclosures

17.1 Automated Decision-Making

SessionWise uses AI-powered analysis to process your session data and generate knowledge nuggets, pattern identification, and insights. This automated processing does not produce legal or similarly significant effects on you. The AI-generated outputs are informational and advisory in nature. You are not subject to decisions based solely on automated processing that produce legal effects concerning you. Under GDPR Article 22, you have the right not to be subject to a decision based solely on automated processing which produces legal effects or similarly significantly affects you. If you believe any automated decision has significantly affected you, you may contact us at privacy@sessionwise.dev to request human review of the decision, express your point of view, and contest the decision.

17.2 Third-Party Links

The Service may contain links to third-party websites or services that are not operated by SessionWise. We are not responsible for the privacy practices of third-party websites. We encourage you to read the privacy policies of every website you visit.

17.3 Business Transfers

If SessionWise is involved in a merger, acquisition, asset sale, or bankruptcy proceeding, your personal data may be transferred as part of that transaction. We will notify you of any such change in ownership or control of your personal data via email and/or prominent notice on our website.

18. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

SessionWise sp. z o.o.

Grzybowska 87, 00-844 Warsaw, Poland

KRS: 0000803658 | NIP: 5272905462 | REGON: 384349430

Email: privacy@sessionwise.dev

Website: https://sessionwise.dev

For general inquiries and support: support@sessionwise.dev

For GDPR-related requests and data subject rights: privacy@sessionwise.dev

We aim to respond to all privacy-related inquiries within 30 days.