Privacy Policy

Data Controller

Jannik Vitztum
c/o IP-Management #9186
Ludwig-Erhard-Str. 18
20459 Hamburg, Germany
Email: shura@comfyai.de

Data We Collect

When using ComfyAI, the following data is processed:

• Account Data: Username, email address (optional), password hash, and related account settings
• Chat History: Your conversations with the AI are stored to provide chat history
• Technical Data: IP address, browser information, device or request metadata, and related operational logs (for security, abuse prevention, and error analysis)
• Browser Storage Data: Authentication tokens, guest tokens, consent choices, disclaimer acknowledgements, and certain local preferences stored in your browser
• Moderation and Audit Records: Reports, flags, security records, conversation logs, uploaded media audit copies, and related review materials where relevant to operations, moderation, support, abuse prevention, or legal compliance

Legal Basis for Processing

We process your data based on the following legal grounds (Art. 6 GDPR):

• Art. 6(1)(a) - Consent: Optional analytics, campaign measurement, and tracking technologies (you choose when starting ComfyAI and can change later in Settings)
• Art. 6(1)(b) - Contract Performance: Chat functionality, account management, providing the service
• Art. 6(1)(f) - Legitimate Interest: Server logs, security measures, abuse prevention

How We Use Your Data

We use your data to operate, protect, maintain, and improve the service.

• Your chat history is stored so you can access it later
• The memory system helps the AI remember context from your conversations
• Automated safety systems may flag content that may violate our terms of use or create safety, abuse, or security concerns
• Authorized personnel may access, review, preserve, and use conversations, account data, metadata, and related records where reasonably necessary for service operations, support, moderation, abuse prevention, security, audits, legal compliance, or enforcement of our Terms
• We may create and retain service logs, moderation materials, and media audit records to investigate incidents, improve quality, and protect the platform

We don't sell your data. We don't train AI models on your conversations. We don't use it for advertising profiles or share chats for marketing.

Outside the processing needed to provide features you use, external disclosure of conversation content is limited to situations where reasonably necessary for legal compliance, serious safety risks, abuse prevention, security incidents, enforcement of our Terms, or protection of the Service. Nothing in this Privacy Policy requires us to monitor, report, or disclose user content except where required by applicable law.

Where Your Data Is Stored

Primary account, chat, and memory storage is hosted on our own private servers located in Austria. We do not use cloud hosting for core user data storage.

Optional third-party or BYOK model providers and web search providers may process selected messages or queries when you choose features that use them, as described below.

Some models marked as Testing may run on separate infrastructure from our primary Austrian servers, including temporary or evaluation servers hosted through providers such as RunPod. If you select such a model, the message content and any attachments needed for that request are processed on that separate server.

AI & API Services

Depending on which features you use, your data may be processed by:

• Local AI Models (Qwen): Your messages stay on our servers. Nothing leaves our infrastructure.
• Testing Models: If you choose a model marked as Testing, the message content and any attachments needed for that request may be processed on a separate server hosted through infrastructure providers such as RunPod. Those servers may be located outside Austria, depending on the active testing setup.
• Optional Third-Party or BYOK Model Providers: If optional third-party model integrations are enabled and selected by you, your messages may be sent to the provider you choose. Depending on availability, this may include providers such as OpenAI, OpenRouter, DeepSeek, or similar services.
• Web Search (Exa): If the AI uses web search, your query is sent to Exa. See their Privacy Policy.
• Technical CDN Assets: Some frontend libraries may be loaded from CDN providers such as jsDelivr. These providers may receive standard request metadata such as your IP address and browser information when your browser loads those files.

Tip: Stick with Qwen models if you want maximum privacy - everything stays local.

Cookies and Tracking

We use necessary cookies, browser storage, and similar client-side storage to keep ComfyAI working. This includes authentication, guest session continuity, security, abuse prevention, consent choices, and local settings.

Google Analytics: We use Google Analytics to understand how users interact with our website (page views, traffic sources, user engagement). Google Analytics is optional and is only loaded after you choose to allow optional analytics and campaign measurement. If you choose necessary cookies only, we do not set Google Analytics cookies. You can change your choice in Settings or opt out using the Google Analytics Opt-out Browser Add-on. More information: Google Privacy Policy.

X/Twitter Pixel: We use the X (Twitter) conversion tracking pixel to measure the effectiveness of our social media presence. This is optional and is only activated if you choose to allow optional analytics and campaign measurement. More information: X Privacy Policy.

Data Retention

Your data is stored as long as your account exists. When you delete your account, access is removed immediately and your account cannot be restored. Selected account-related, moderation, audit, deletion-related, security, traffic, or compliance records may be retained for a limited period, typically up to 30 days, and in some cases longer where reasonably necessary or legally required.

• Account & Chat Data: Until you delete your account
• Server Logs: Typically up to 30 days, but may vary based on operational, security, or compliance needs
• Technical, Security, and Traffic Logs: Typically up to 30 days, but may be retained longer where reasonably necessary or legally required
• Moderation, Audit, and Deletion-Related Records: Typically up to 30 days after account termination, but may be retained longer where reasonably necessary for legal compliance, abuse prevention, security, or defense of legal claims

Account Suspension and Termination

We may suspend, restrict, or terminate accounts or features for policy enforcement, safety, abuse prevention, legal or compliance reasons, operational needs, or other legitimate service-protection purposes, as described in our Terms of Service. When this happens:

• Notification: We may provide limited notice or explanation where we choose to do so or where applicable law requires it
• Evidence Retention: We may retain relevant messages, reports, metadata, moderation materials, deletion-related records, and audit trails for a limited period, typically up to 30 days, and in some cases longer where reasonably necessary or legally required
• Reconsideration Requests: You may contact us regarding an enforcement decision, but review or response is discretionary except where applicable law requires otherwise
• Data Deletion: After the retention period, your data will be permanently deleted unless required by law

Legal Basis: Processing for account termination and evidence retention is based on our legitimate interest in maintaining platform safety and preventing abuse (Art. 6(1)(f) GDPR), as well as compliance with legal obligations (Art. 6(1)(c) GDPR).

Obligation to Provide Data

You are not legally required to provide personal data. However, certain data (username for registration, messages for chat) is necessary to use the service. Without this data, you cannot use the respective features.

Your Rights

You have the right to:

• Access your stored data
• Rectification of inaccurate data
• Deletion of your data
• Restriction of processing
• Data portability
• Object to processing

To exercise your rights, contact us at shura@comfyai.de.

Right to Lodge a Complaint

You have the right to lodge a complaint with a data protection supervisory authority. The responsible authority for Austria is:

Austrian Data Protection Authority
Barichgasse 40-42, 1030 Vienna, Austria
Email: dsb@dsb.gv.at
Website: www.dsb.gv.at

Automated Decision-Making

We do not use fully automated decision-making as defined in Art. 22 GDPR that produces legal effects concerning you or similarly significantly affects you.

Note: While our AI generates responses automatically, this does not constitute "automated decision-making" under GDPR as it does not produce legal or similarly significant effects on you.

Content Moderation: Automated systems may be used to flag, score, filter, throttle, or temporarily restrict activity and to support moderation and security workflows. Relevant records may then be reviewed and handled by authorized personnel as appropriate to the circumstances and applicable law.

Infrastructure & CDN

We use the following external services for infrastructure:

• IONOS (VPS): Our reverse proxy and landing pages are hosted on IONOS servers in Germany. Traffic is forwarded to our private servers - no user data is stored on IONOS.
• jsDelivr CDN: For JavaScript libraries (KaTeX, Mermaid, Highlight.js)

Related Documents

Please also review our Terms of Service, which govern your use of ComfyAI and include information about account suspension and termination.

How to Delete Your Account

To delete your ComfyAI account and all associated data:

1. Log in to your account at comfyai.de
2. Open the available account settings or user options
3. Go to the account or privacy section
4. Click "Delete Account" and confirm with your password

What is removed immediately:

• Account access and active sessions
• Primary account records from active user systems
• Chat and feature data from active services

What may be retained for a limited period after deletion:

• Selected account-related records, moderation materials, deletion-related records, audit logs, traffic or security records, and compliance evidence needed for abuse prevention, legal obligations, and defense of legal claims

Retained records are generally deleted after the applicable retention period, but some residual, backup, audit, security, or compliance records may persist longer where reasonably necessary or legally required. Deleted accounts cannot be restored.

Questions? Contact us: shura@comfyai.de

Changes

This privacy policy may be updated from time to time. The current version is always available on this page.

Last updated: May 11, 2026