Elenor AI Platform Privacy Policy

Effective date: 17 November 2025

This Privacy Policy explains what personal data the Elenor AI Platform processes, for what purposes and how it is protected. The controller is Cristian Bucioaca, contact: privacy@elenor.io.

1. Scope

This policy applies to all products and services offered through the Elenor AI Platform, including but not limited to:

  • Elora AI - intelligent personal assistant
  • Elenor Enterprise - AI infrastructure for businesses (coming soon)
  • Future products and services

For product-specific data processing details, please refer to individual product privacy policies (e.g., Elora Privacy Policy).

2. Roles under GDPR

  • The Provider acts as the data controller for personal data submitted by users or generated while using our services.
  • Third-party platforms (Supabase, Google Cloud, OpenAI, Anthropic, Stripe) act as processors or independent controllers depending on the service they deliver.
  • Data are shared with third parties only to the extent necessary to provide our services.

3. Categories of Processed Data

  1. Identification and login data: e-mail, hashed password, internal user ID.
  2. Profile information: optional display name, preferred language settings.
  3. Usage data: product usage metrics, activity logs, feature interactions.
  4. Technical metadata: device information, timestamps, browser version, IP address, error logs.
  5. Payment data: handled by Stripe; we store only reference identifiers (customer_id, subscription_id).
  6. Product-specific data: varies by product - see individual product privacy policies for details.

4. Purposes and Legal Basis

PurposeData categoriesLegal basis
Account creation and authenticationidentification, profileperformance of contract (GDPR Art. 6(1)(b))
Providing platform servicesidentification, usage data, product-specific dataperformance of contract
Security and fraud preventiontechnical metadatalegitimate interest (security)
Billing and invoicingidentification data, usage metrics, payment identifiersperformance of contract / legal obligation
Product improvement (aggregated analytics)aggregated usage datalegitimate interest

5. Data Sharing

  • Supabase (EU regions): authentication, database, file storage, real-time synchronization.
  • Google Cloud: AI services (Vertex AI), cloud infrastructure. Regions configured based on service requirements.
  • Anthropic: Claude API for AI capabilities. Only necessary context is transmitted.
  • OpenAI: GPT models for AI capabilities. System instructions and required context are sent.
  • Stripe: subscription and payment management; only tokenized identifiers are stored.

No data are sold to third parties or shared for third-party marketing.

6. Storage and Retention

  • Supabase: data are stored until the user deletes their account. Account deletion removes all associated data permanently.
  • Server logs: retained for up to 30 days for incident response and then anonymized or deleted.
  • Payment records: kept by Stripe in accordance with legal requirements.
  • Product-specific storage: varies by product - see individual product policies.

7. Security Measures

  • All data transmission is encrypted (HTTPS).
  • Database access is protected with Row Level Security policies.
  • Access tokens are verified using secure authentication mechanisms.
  • Passwords are hashed using industry-standard algorithms.
  • Access to API credentials is restricted to server-side code only.
  • Regular security audits and dependency updates.

8. User Rights

Users have the following rights under GDPR:

  1. Access: request a copy of your data.
  2. Rectification: update your profile information.
  3. Erasure: delete your account and all associated data.
  4. Restriction: limit processing of your data.
  5. Portability: request export of your data in machine-readable format.
  6. Objection: object to processing based on legitimate interests.
  7. Complaint: lodge a complaint with the Office for Personal Data Protection (www.uoou.cz).

Requests can be sent to privacy@elenor.io. We will respond within 30 days.

9. Automated Decision-Making

AI responses are generated using third-party models based on user input and system instructions. We do not apply automated decision-making that produces legal or similarly significant effects without human oversight.

10. Changes to this Policy

This document may be updated when technical or legal changes occur. Users will be informed about significant changes by e-mail or in-product notice at least 14 days before they take effect.

This policy applies to the Elenor AI Platform and all its products and services.