Privacy Policy

Last updated: February 2026

1. Data Controller

AIActFlow
Email: info@aiactflow.com

2. Data We Collect and Why

Data Type | Purpose | Legal Basis
Email address | Registration, login, notifications | Contract performance (GDPR Art. 6(1)(b))
Password (encrypted) | Authentication | Contract performance (GDPR Art. 6(1)(b))
Conversation content | Service delivery, chat history | Contract performance (GDPR Art. 6(1)(b))
Query count | Usage limit management | Contract performance (GDPR Art. 6(1)(b))
Stripe customer ID | Payment processing (for subscriptions) | Contract performance (GDPR Art. 6(1)(b))
IP address, browser type | Security, abuse prevention | Legitimate interest (GDPR Art. 6(1)(f))

3. AI-Based Data Processing

The Service uses artificial intelligence (Google Vertex AI) to answer user questions. Questions submitted by users are sent to the AI provider, which uses them solely to generate responses. AI responses are automatically generated but do not constitute automated decision-making under GDPR Article 22, as they are informational in nature and have no legal effect on the user.

4. Data Retention

  • Account data and conversations: retained until account deletion, deleted within 30 days of request
  • Billing records: retained as required by applicable law
  • Log data (IP address): 90 days

5. Data Processors and Transfers

We use the following data processors:

  • Google (Vertex AI) — AI response generation (USA/EU). Transfers are based on the EU–US Data Privacy Framework.
  • Stripe, Inc. — Payment processing (USA/EU). Transfers are based on the EU–US Data Privacy Framework.
  • Supabase — Database hosting (EU)
  • Resend — Transactional email delivery (USA). Transfers are based on the EU–US Data Privacy Framework.

We do not share your data with any other third parties.

6. Your Rights

Under the GDPR, you have the following rights:

  • Right of access — request information about your personal data
  • Right to rectification — correct inaccurate data
  • Right to erasure — request deletion of your personal data
  • Right to restriction — restrict the processing of your data
  • Right to data portability — receive your data in a machine-readable format
  • Right to object — object to processing based on legitimate interest
  • Right to withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing

To exercise your rights, email info@aiactflow.com. We will respond within 30 days.

7. Nature of Data Provision

Providing your email address and password is required for registration — the Service cannot be used without them. The provision of personal data is a contractual requirement, not a statutory one.

8. Cookies

The Service uses only essential cookies required for operation:

  • app_token — login session (essential, expires: 7 days)
  • cookie_consent — cookie consent status (essential, expires: 1 year)

We do not use third-party, analytics, or marketing cookies.

9. Complaints

If you believe your data protection rights have been violated, you may lodge a complaint with your local data protection authority. For EU residents, you can find your authority at edpb.europa.eu.