consens.io
About Terms Imprint Open app

Data handling

Privacy Notice

Short and clear: how consens.io handles prompts, provider calls, account data, and local settings.

Important note

consens.io compares answers from multiple AI models. Please avoid entering personal, confidential, or sensitive information in prompts. Model providers can process the content you send to them.

1. Controller

The controller under the GDPR is the operator of consens.io: . The postal address is provided in the Imprint.
Contact:

2. Purposes and data we process

  • Prompts and model outputs: used to provide the service, send requests to selected AI models, and display answers. We do not permanently store prompts or outputs on our servers unless you save them as bookmarks.
  • Technical logs: timestamps and basic diagnostics for stability, security, and abuse prevention.
  • Account data: if you sign up, your e-mail address and a user ID are processed via Google Firebase Authentication (including optional Google Sign-In) for access control, quota handling, and related usage features. Your tier and saved bookmarks (query, answers, sources, attachment metadata) are stored in Google Cloud Firestore until you delete them or your account.
  • Abuse prevention: to enforce the one-account-per-person rule, we temporarily process your IP address and match it against the account ID. This mapping is held in volatile server memory only and is not written to a database (legal basis: Art. 6(1)(f) GDPR, prevention of quota abuse).
  • Feedback: if you send feedback, we store your message, the e-mail address you optionally provide, your account ID, and a timestamp, for as long as needed to follow up on the feedback.
  • Pro interest list: if you click a Pro-interest option, we store your account ID, e-mail address, and a timestamp so we can inform you about this feature.
  • Local storage: used for interface preferences, session flags, and optional user settings. We do not use non-essential cookies.
  • Your own API keys, optional: if you enter keys, they are stored in your browser only. With each request, the key is transmitted over an encrypted connection through our server to the selected provider. We do not store your keys on the server.

3. Usage analytics with Umami

We use Umami Cloud for privacy-focused web analytics. Umami records page views and selected interaction events so we can understand which parts of consens.io are used, improve the product, find friction, and prevent abuse. The tracker is configured to respect browser Do Not Track signals and to exclude URL search parameters and hash fragments.

Umami may process technical usage information such as visited pages, referrer, browser, operating system, device type, approximate country, timestamps, and the custom events listed below. Umami states that its tracking code does not use cookies, anonymizes collected data, and does not identify users across websites.

The custom events we track are limited to product usage signals: landing-page calls to action, opening or using the app, sending or cancelling a query, completing a model run, generating or cancelling a consensus, copying a consensus or citation, changing interface modes, model selection changes, sidebar section opens, settings/help/feedback actions, login/register/password-reset/account-deletion attempts and outcomes, bookmark save/open/delete actions, API-key test outcomes, and Pro-interest clicks.

Event properties are limited to non-content metadata, for example selected mode, number of selected models, provider or model label, status, trigger type, and boolean states such as logged-in, own-keys, Agent Mode, or Auto Consensus. We do not send prompts, model answers, consensus text, feedback message text, e-mail addresses, passwords, authentication tokens, API keys, bookmark contents, or other user-entered content to Umami as custom event data.

Legal basis: Art. 6(1)(f) GDPR, our legitimate interest in measuring aggregate product usage, improving the service, maintaining security, and prioritizing development. You can object to this processing under Art. 21 GDPR using the contact details above.

4. Provider routing

Model requests are sent to the model providers selected for the query: OpenAI (USA), Anthropic (USA), Google (USA), Mistral AI (France), xAI (USA), and DeepSeek (People's Republic of China). consens.io does not add an extra model marketplace or router layer between your prompt and those selected providers.

Note on DeepSeek: DeepSeek processes data in China, a country without an EU adequacy decision. If you select DeepSeek models, your prompt and attachments are transmitted to DeepSeek for processing. If you do not want this, deselect DeepSeek models before sending a query; the other models work independently of this choice. See also the Terms of Use.

Necessary infrastructure providers, authentication services, and selected AI providers may still process data where needed to operate the service.

5. Shared pages (public sharing)

If you publish a consensus answer as a public shared page (an explicit, opt-in action in the app), we store the shared content (question, consensus answer, differences analysis, sources, and model names) together with your internal account ID. The account ID is used solely so that you can manage and revoke your own shared pages and so that we can fulfil our moderation duties; it is never displayed publicly and never embedded in the public page.

Shared pages are public: anyone with the link can read them, and selected pages may appear in search engines after a manual review by us. Please do not include personal data in questions you intend to share.

Visitors can report a shared page ("Report this page"). Reports are stored without any personal data — as anonymous counters per reason only; we do not store the reporter's IP address or browser data.

Retention and deletion:

  • Consensus results that are eligible for sharing are kept server-side for a maximum of 24 hours; if you do not share them within that period, they are deleted automatically.
  • Shared pages remain online until you revoke them or delete your account.
  • When you revoke a shared page, it immediately becomes unavailable to the public and is permanently deleted within 30 days. Copies cached by browsers or search engines for a short period are outside our control.
  • When you delete your account, all your shared pages and pending results are deleted as part of the account-deletion process.
  • Report counters are deleted together with the page.

Legal bases: Art. 6(1)(b) GDPR for publishing and managing pages you create; Art. 6(1)(f) GDPR for moderation, report handling, and abuse prevention.

6. Legal bases under the GDPR

  • Art. 6(1)(b): performance of the service you request.
  • Art. 6(1)(f): legitimate interests in security, stability, abuse prevention, and aggregated product improvement.
  • Art. 6(1)(a): where we explicitly ask for consent.

7. Recipients, processors, and international transfers

To provide the service, we use the following categories of providers, who may process data on our instructions as processors or as independent providers when their interfaces are used:

  • Hosting: Render (Render Services, Inc., USA) hosts the application server, including technical request logs.
  • Authentication and database: Google Firebase Authentication and Google Cloud Firestore (Google Ireland Ltd. / Google LLC, USA) for accounts, tier status, and bookmarks.
  • Analytics: Umami Cloud (see section 3).
  • AI model providers: the providers selected per query (see section 4).

Processing may occur outside the EU/EEA, in particular in the USA and — only if you select DeepSeek models — in China. For transfers to the USA we rely on the EU-U.S. Data Privacy Framework and/or Standard Contractual Clauses; for other transfers on appropriate safeguards under Art. 44 et seq. GDPR or, for DeepSeek, on your request to route the query to that provider (Art. 49(1)(b) GDPR).

8. Storage periods

We retain data only as long as necessary for the stated purposes or as required by law. Technical logs are generally kept short-term. Model content is retained only insofar as needed for stability, abuse defense, or aggregated and anonymized product improvement. For shared pages and pending share results, the specific retention periods in section 5 apply. On request, we will review earlier deletion.

9. Your rights in the EU/EEA

  • Access, rectification, erasure, restriction, and portability, subject to legal conditions.
  • Right to object to processing based on legitimate interests under Art. 21 GDPR.
  • Withdrawal of consent with future effect.
  • Right to lodge a complaint with a supervisory authority, for example the Lower Saxony DPA.

You can delete your account yourself at any time in the app settings ("Delete account"). This removes your authentication account, profile data, bookmarks, shared pages and pending share results, and entries you created in the feedback and Pro-interest lists. For anything else, contact us at the address above.

10. Security

We implement appropriate technical and organizational measures, including access limitation, logging, and up-to-date transport encryption.

11. Children

consens.io is not directed at children. Use the service only if you are old enough to use online services under the law applicable to you.

12. Changes and contact

We may update this notice and indicate the last updated date below.

Email:

Back to app Imprint
Last updated: 12 June 2026
App About Terms Imprint