Privacy Policy — Sery.ai
Effective date: 2026-05-05
Last updated: 2026-05-05
1. Who we are
"Sery" (the product), the Sery Link desktop application, and the Sery.ai service are operated independently as a pre-incorporation project, with primary operations in Vancouver, British Columbia, Canada ("Sery," "we," "us," or "our").
For any privacy question, email [email protected].
2. Summary (plain English)
Sery Link — the desktop app — is designed to keep your files on your own machines. We can't collect what never reaches us.
- Free, local use: we collect nothing. No analytics, no telemetry, no "phone home." You can use Sery Link permanently without an account, and we will have no record of it.
- When you enable the optional AI tier: your question text, a small amount of column metadata from the files you're asking about (including heuristically redacted sample rows), and the answer text cross the network. Raw file contents do not.
- If you subscribe: we collect billing information through our payment processor (Stripe) and an email address for account management.
The rest of this policy is the detailed, lawful version.
3. What we collect and when
3.1 Local operation — zero collection
When you install Sery Link and use it without enabling cloud features, we collect no personal data of any kind. The application does not send analytics, telemetry, crash reports, or usage metrics. The only outbound network requests Sery Link makes on the local path are:
- Auto-updater: the app fetches the signed release manifest directly from https://github.com/seryai/sery-link/releases/latest/download/latest.json. Your IP reaches GitHub, not us. We do not proxy this request through any sery.ai-controlled endpoint, so we do not observe which machines check for updates or when.
- Remote data sources you configure: if you point Sery Link at an S3 bucket, a Google Drive folder, a public URL, or a database, the request goes directly from your machine to that source under the credentials you supplied. Your IP reaches that source, not us.
No other outbound traffic leaves your machine on the local path — no heartbeat, no "first run" ping, no telemetry beacon, no crash reporter.
We cannot technically know that a given installation exists unless and until you voluntarily sign in to a Sery.ai account, enable the managed AI tier, or enable cloud sync. See §3.9 below for what we do (and do not) know about your local machine after you sign in.
You can verify every claim in this section by reading the source at github.com/seryai/sery-link — the codebase is open under AGPL-3.0.
3.2 Account data (if you sign up)
If you sign up for an account on Sery.ai (required only for paid features), we collect:
- Email address — to identify your account and send transactional messages (password resets, receipts, service announcements).
- Display name — optional, used in your workspace.
- IP address — transient, used for basic abuse prevention; not stored beyond request logs (see §6).
3.3 Billing data (if you subscribe)
Payments are processed by Stripe. Stripe collects your card information directly; we never see the full card number. We receive and store:
- A non-sensitive Stripe customer ID.
- Billing email, country (for VAT / sales-tax purposes), and last four digits of the card for display.
- Invoice history.
Stripe's handling of your payment data is governed by their own privacy policy at stripe.com/privacy.
3.4 AI query data (if you enable AI features)
The AI tier has two modes, and the data flow is materially different between them. Read both subsections and know which mode you're using.
3.4.a Sery-managed AI
When you send a question through the Sery-managed AI tier, the following is transmitted to our servers and from there to our LLM provider (Anthropic):
- The question text you typed.
- Column metadata from files the question touches: column names, types, and optionally small sample rows. Sample-row values from columns whose names match a heuristic sensitive-name list (email, ssn, credit, card, cvv, phone, tel, password, passwd, token, secret, api_key, apikey, auth) are blanked on your machine before upload — full list and implementation at sery-link/src-tauri/src/scanner.rs. This is a column-name heuristic, not value-pattern scanning: if a column has an unrelated name (e.g. notes, description, comments) but contains sensitive values, those values are not redacted. It is not a guarantee that every piece of Personal Data has been removed from a sample. Sample-row upload can be disabled entirely in Settings; column names and types are required for the AI to answer.
- Document text from DOCX/PPTX/HTML/IPYNB files, only if you have explicitly enabled "Include document text in workspace catalog" in Settings → Sync. The toggle defaults off: with the default setting, the cloud catalog stores only the document's filename, size, and last-modified date — none of its text. Turn the toggle on if you want cross-machine document search to match on extracted text; the markdown will then be uploaded with the next sync. You can turn it off at any time, after which new syncs stop including text and previously-uploaded text is purged on request via the existing data-deletion path (see §10).
- The AI-generated answer (including any charts, tables, or commentary we render back to you).
Raw file binaries, full row data beyond the capped sample rows above, or file paths outside the question text are not transmitted.
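The column-name heuristic described above, and the gap it leaves for sensitive values in unrelated columns, shown as an added example. This is not the code in scanner.rs: the case-insensitive substring match, the crude email-shape check, and every function name are assumptions made for illustration, and the sample rows are constructed.

```rust
// Added illustration, not Sery Link's scanner.rs. The matching rule
// (case-insensitive substring) and every function name are assumptions.
const SENSITIVE_NAMES: [&str; 14] = [
    "email", "ssn", "credit", "card", "cvv", "phone", "tel",
    "password", "passwd", "token", "secret", "api_key", "apikey", "auth",
];

/// Name-only test: the column's values are never inspected.
fn is_sensitive_name(column: &str) -> bool {
    let lower = column.to_lowercase();
    SENSITIVE_NAMES.iter().any(|frag| lower.contains(frag))
}

/// Blank every sample value that sits in a name-matched column.
fn redact_samples(columns: &[&str], rows: &[Vec<&str>]) -> Vec<Vec<String>> {
    rows.iter()
        .map(|row| {
            columns.iter().zip(row.iter())
                .map(|(col, val)| if is_sensitive_name(col) { String::new() } else { val.to_string() })
                .collect()
        })
        .collect()
}

/// Crude value check (assumption): a word shaped like local@domain.tld.
fn looks_like_email(value: &str) -> bool {
    value.split_whitespace().any(|w| match w.split_once('@') {
        Some((local, domain)) => !local.is_empty() && domain.contains('.'),
        None => false,
    })
}

/// Columns whose values still look sensitive after name-based redaction.
fn residual_columns(columns: &[&str], redacted: &[Vec<String>]) -> Vec<String> {
    columns.iter().enumerate()
        .filter(|(i, _)| redacted.iter().any(|row| looks_like_email(&row[*i])))
        .map(|(_, col)| col.to_string())
        .collect()
}

fn main() {
    // Constructed sample data: the "notes" column carries an address in free text.
    let columns = ["customer_email", "plan", "notes"];
    let rows = vec![vec!["a@example.com", "pro", "asked to cc b@example.com"]];
    let redacted = redact_samples(&columns, &rows);
    println!("{:?} / still exposed: {:?}", redacted, residual_columns(&columns, &redacted));
}
```

A value-level pass like residual_columns is the kind of local audit to run over your own files before leaving sample-row upload enabled.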
We log each managed-AI query (question text, response, cost, latency) for 30 days for debugging, abuse detection, and cost accounting. After 30 days the conversation and its messages are permanently deleted by an automated daily job that runs at 04:00 UTC — implementation at api/app/jobs/retention.py. You can also delete a conversation manually at any time, or delete your account to purge everything immediately (§10).
Anthropic's handling of data we send them on the managed path is governed by their enterprise agreement with us and their Trust & Safety policy at anthropic.com/trust. We have configured our Anthropic account with the zero-retention option — queries sent to Anthropic on the managed path are not used to train their models.
3.4.b Bring Your Own Key (BYOK)
If you configure Sery Link to use your own API key for a supported LLM provider (Anthropic, OpenAI, etc.):
- The question text, column metadata, and answer travel directly from your machine to the LLM provider under your key.
- They do not reach our servers at any point. We have no log of them, no cache of them, and no ability to intercept them.
- We are not a Processor of this query data under Applicable Data Protection Law. Your legal relationship for this data is solely with the LLM provider whose key you used.
- The LLM provider's privacy policy, retention settings, and any data-processing terms you have with them govern — not this policy.
- We may still receive a minimal authentication handshake so the desktop application can confirm your paid Sery.ai account is active and unlock BYOK as a feature. The handshake does not include the question, the metadata, or the answer.
You choose which mode to use from Settings → AI Provider. Switching mode is permanent only for queries already sent; future queries follow whatever mode is selected at the time they are sent.
3.5 Machines ("devices") in your workspace
If you use the paid tier to connect multiple machines to one workspace, we store:
- Machine metadata: hostname (e.g., "johns-mbp"), OS family ("macOS 14"), a machine-generated ID, the workspace it belongs to, and its online/offline status.
- Dataset metadata: for each file you've indexed, the file's path on the machine, schema (column names and types), size, and last-modified timestamp.
Raw file contents are not stored on our servers.
3.6 Support correspondence
If you email [email protected] or [email protected], we receive and store your message until the conversation is resolved, after which we retain it for 12 months for quality and training.
3.7 Cookies and similar technologies on sery.ai
The marketing website sery.ai uses no analytics and sets no tracking cookies. Page views are not counted, mouse movements are not recorded, and we do not set cross-site tracking cookies. The site is served as static HTML through Cloudflare; standard request logs (IP, user-agent, URL) are retained per §6.
3.8 Local data — what we cannot see
Separately from "what we collect," it is useful to know what we cannot collect by the design of Sery Link itself, even in principle, even if we wanted to:
- Your files. Raw file contents stay on your machines and are never uploaded to our servers, in any mode of the product.
- Your local index and per-file profiles. The column-aware search index, file profiles, and cached query results live in a local cache on your machine. We have no remote read of that store.
- Your BYOK queries. See §3.4.b above.
- Your disk. Sery Link only reads the folders you explicitly configured for indexing. It does not traverse the rest of your file system, does not access system keychains beyond what you granted, and respects your operating system's file permissions.
We also have no remote-wipe or remote-kill capability for the Sery Link desktop application. If we discontinue the Service, the locally-running application will continue to function for its local features; see the Terms of Service §10.3 (Discontinuation).
3.9 What we know about your machine after you sign in
Once you create a Sery.ai account and connect a machine to a workspace, we can observe, from the metadata listed in §3.2 and §3.5:
- That the machine exists (via its machine-generated ID).
- Which workspace it belongs to.
- Whether it is currently online.
- The names and schemas of files you indexed on it — not their contents.
- Approximate file sizes and last-modified timestamps.
- When AI queries originated from it, for the 30-day window in §3.4.a.
This is the surface area. If your use case requires even this much to stay private, you can run Sery Link without a Sery.ai account at all — local use requires no sign-in — or enable BYOK under an account that has never connected this particular machine to a workspace.
4. How we use your data
- Account authentication and service delivery — keeping you signed in, rendering your workspace, processing AI queries.
- Billing — charging you, issuing receipts, collecting applicable taxes.
- Debugging and reliability — diagnosing why a query failed or a machine disconnected.
- Security and abuse prevention — detecting credential stuffing, automated scraping, query-cost abuse.
- Transactional communication — password resets, payment receipts, security advisories, significant changes to this policy.
We do not use your data:
- To train our own or third-party AI models.
- To build advertising profiles or sell to data brokers.
- To send marketing emails without your explicit opt-in.
5. Who we share data with
We share data only with these categories of recipients, and only the minimum required:
- Anthropic — LLM provider, receives question text + column metadata + returns answer text. Zero retention configured.
- Voyage AI — Embedding provider, receives column metadata (names/types) to generate vector embeddings for semantic search. Data-retention terms governed by Voyage AI's standard service agreement.
- Stripe — Payments and billing. Receives card data directly from you, not via us.
- Cloudflare — Runs our website, edge compute, and storage. Standard Cloudflare data-protection terms apply; data encrypted in transit (TLS) and at rest.
- Law enforcement — Only when we receive a valid, enforceable legal order in our jurisdiction. We will notify affected users where legally permitted.
We do not share data with advertisers, data brokers, or marketing partners.
6. How long we keep data
| Data | Retention |
|---|---|
| Account record | While your account is active; 30 days after deletion |
| AI query logs (with query text) | 30 days |
| Aggregate AI cost statistics | 18 months |
| Billing records | 7 years (tax-law requirement) |
| Support correspondence | 12 months |
| Server access logs (IPs, URLs) | 30 days |
| Machine metadata | While the machine is registered; removed on un-pair |
7. Your rights
Depending on where you live, you may have these rights. We honor them globally — you do not need to prove residency in a particular jurisdiction to exercise them.
- Access — ask what personal data we hold about you.
- Correction — fix inaccurate data.
- Deletion ("right to be forgotten") — ask us to delete your account and associated data. Billing records retained per §6 for tax-law compliance.
- Portability — get a machine-readable export of your workspace metadata.
- Objection / restriction — object to specific processing activities.
- Withdraw consent — at any time, for any processing that relies on consent (e.g., disabling AI sample-row upload).
To exercise any of these: email [email protected] with your account email and the request. We respond within 30 days.
8. Data transfers
Our infrastructure runs on Cloudflare's global edge network, with primary operations in Vancouver, British Columbia, Canada. If you use Sery from outside Canada, your data may cross borders to be served by the nearest Cloudflare edge location.
9. Security
We encrypt data at rest (AES-256) and in transit (TLS 1.2+). We maintain access controls, log administrative actions, and run regular security reviews. The Sery Link desktop code is open-source, so you can independently verify the client-side security posture.
No system is perfectly secure. If we become aware of a breach that affects your data, we will notify you without undue delay consistent with our legal obligations.
Report security vulnerabilities responsibly to [email protected].
10. Children
Sery is not intended for children under 13 (or the minimum age in your jurisdiction, whichever is higher). We do not knowingly collect data from children. If you believe we have, contact [email protected] and we will delete the account.
11. Changes to this policy
We update this policy when our practices change or laws require it. For material changes, we will:
- Email registered users at least 30 days before the change takes effect.
- Post a notice on sery.ai.
- Update the "Last updated" date at the top.
Continuing to use Sery after the effective date of a change means you accept the updated policy.
12. Contact
- Privacy questions: [email protected]
- Security vulnerabilities: [email protected]
- Support: [email protected]
- Mail: Sery, Vancouver, British Columbia, Canada (postal correspondence may take significantly longer than email — please prefer email channels above for time-sensitive requests). For correspondence requiring a registered legal entity, contact [email protected].