GDPR · ENGLISH

Privacy Policy

Version: 1.0 · Date: 4 June 2026

⚠ Draft for legal reviewThis text is a working draft. A review by a data protection lawyer is recommended before publication. Fields in [brackets] must be completed.

1. Who we are

This policy explains how [Company name] («we», «the controller») collects and processes your personal data when you use the ASEO + Shield platform («the Platform»).

For questions regarding your personal data: [contact email].

2. What data we collect and why

2.1. Account data

Email address and encrypted password — to create your account and provide access to the Platform.

2.2. Organisation data

Organisation name and selected subscription plan — to manage the contractual relationship.

2.3. Security data (login audit)

IP address, browser type (User-Agent), date, time and result of the attempt — to protect your account and prevent unauthorised access. Deleted automatically after 90 days.

2.4. Website data

The URL of your website — for content optimisation and analysis features (ASEO).

2.5. Usage data

Records of actions performed in the Platform (audit trail) — for traceability and compliance with the EU AI Act.

2.6. Content generation data (Google Gemini)

Your prompts (including URL and keywords) are processed by Google LLC via the Gemini API. We do not send personal identification data. All other AI functions run locally within the EU.

3. Legal basis

Basis	Application
Performance of a contract (Art. 6(1)(b))	Account management, service provision, content generation
Legitimate interest (Art. 6(1)(f))	Protection and security (login audit), audit trail
Legal obligation (Art. 6(1)(c))	Audit logs under the EU AI Act

4. How long we keep your data

Category	Retention period
Account data	Contract term + 12 months
Organisation and contract data	Contract term + 5 years
Login audit (IP)	90 days, then automatic deletion
Audit logs (Shield/EU AI Act)	3 years from generation
Gemini API data	In accordance with Google's policy

5. Automated decisions and profiling

The Shield platform generates automated EU AI Act compliance assessments. These assessments may have significant effects on your organisation, as they determine the risk level of your AI systems and the associated regulatory obligations.

You have the right to contest an automated assessment and request a review by our specialist: [contact email].

6. Who we share your data with

We do not sell your personal data. We share data only in the following cases:

Infrastructure providers: Contabo GmbH (Germany, EU) — hosting.
Google LLC (USA): processing of prompts via the Gemini API on the basis of Standard Contractual Clauses (SCCs). Google acts as a processor.
Partners/agencies: only if you are registered through a partner — access to your data only.
Competent authorities: where required by law.

7. Your rights

Access — a copy of your data
Rectification — correction of inaccurate data
Erasure — deletion (where grounds exist)
Restriction — in certain cases
Portability — in a machine-readable format
Objection — to processing based on legitimate interest
Human intervention — contesting an automated assessment

Requests are submitted to: [contact email]. We respond within 1 month. You have the right to lodge a complaint with the competent supervisory authority.

8. Data security

Password hashing (bcrypt)
Encrypted communication (TLS/HTTPS)
Firewall and attack protection (UFW, fail2ban, WAF)
Login rate limiting
Automatic deletion after the retention period
Isolation via containerisation (Docker)
Local execution of AI models (except the Gemini API)

9. Cookies

The Platform uses strictly necessary cookies for session management (JWT tokens). These are mandatory and do not require consent. We do not use tracking or advertising cookies.

10. Changes to this policy

We may update this policy periodically. In the event of material changes, we will notify you at least 30 days before they take effect.

Finalisation note: complete [Company name], [Company ID], [Registered seat], [contact email], [DPO/officer]. A formal DPIA procedure is recommended due to Shield's automated decisions and processing via the Gemini API.