§ LEGAL · PRIVACY

Privacy Policy

Effective: May 7, 2026 Last updated: May 7, 2026 Controller: Eigentic AS, Norway

This policy explains what personal data Eigentic AS (“Eigentic”, “we”) collects when you visit eigentic.ai, sign in to the customer dashboard, or run agentic workflows on our platform — and how we use, share, and protect it.

Who we are
Data we collect
How we use data
Legal bases (GDPR)
Sharing & sub-processors
Google user data
Retention
Your rights
Security
International transfers
Children
Changes to this policy
Contact

01Who we are

Eigentic AS is a Norwegian company (org. nr. 999 888 777) registered at Pilestredet 32, 0166 Oslo. We are the data controller for personal data processed about visitors to our website and customers of our platform. For data processed on behalf of customers (workflow inputs and outputs), we act as a data processor under a separate Data Processing Agreement.

02Data we collect

Account data

When you create an Eigentic account — directly with email + password, or via Google or GitHub — we collect:

Email address and (if provided) full name and avatar
Hashed password (we never see the plaintext)
OAuth provider id (e.g. your Google sub claim) so we can link future sign-ins
Workspace settings, time zone, and notification preferences

Billing data

Subscription, invoice history, and payment-method metadata. Card details are tokenized by Stripe; we store the last four digits and brand only.

Usage and product data

API requests, workflow executions, run latency, success/error rates
Logs, eval results, and audit events scoped to your workspace
Diagnostic data: browser, device, IP address, page-view events

Communications

Emails you send to us (sales, support, security), Slack messages in shared channels, and call recordings only when both parties consent.

03How we use data

Operate the service — authenticate you, run workflows, deliver evals and logs
Billing — charge subscriptions, issue invoices, prevent fraud
Improve the product — debugging, performance analysis, aggregated usage analytics
Safety & abuse — detect and block abuse, secure customer accounts
Communications — transactional email (receipts, security alerts) and, with your opt-in, product updates

We do not use customer workflow inputs, outputs, or logs to train models that serve other customers.

04Legal bases (GDPR)

Purpose	Legal basis
Provide the service to you	Performance of contract (Art. 6(1)(b))
Billing & tax records	Legal obligation (Art. 6(1)(c))
Product analytics, security, abuse prevention	Legitimate interests (Art. 6(1)(f))
Marketing emails	Consent (Art. 6(1)(a))

05Sharing & sub-processors

We share personal data only with vetted sub-processors that help us operate the platform. Each is bound by a written DPA and processes data on our instructions.

Sub-processor	Purpose	Region
Supabase	Authentication & database	EU (Frankfurt)
Stripe	Subscription billing & invoices	US, EU
Cloudflare	CDN, edge compute, DDoS protection	Global
Google LLC	OAuth sign-in (when you choose Google)	US
Anthropic, OpenAI, Mistral	Model inference (sub-set per workflow)	US, EU
Resend	Transactional email	EU

An up-to-date list, with notification of changes, is available to enterprise customers under DPA.

06Google user data

If you sign in with Google, we receive your email, name, profile picture, and a stable Google account id (the OpenID Connect sub claim). We use this data only to:

Create and authenticate your Eigentic account
Display your name and avatar inside the dashboard
Send transactional email to your address

Eigentic's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We do not sell, share with third parties for advertising, or use Google user data to train generalized AI/ML models.

You can revoke Eigentic's access to your Google account at any time at myaccount.google.com/permissions.

07Retention

Account data — kept while your account is active. Deleted within 30 days of account closure.
Workflow logs & eval data — kept 90 days by default, configurable per workspace.
Invoices & tax records — kept 5 years (Norwegian Bookkeeping Act).
Server access logs — kept 30 days.

08Your rights

If you are in the EEA, UK, or Switzerland you have the right to access, correct, port, or delete your personal data, to restrict or object to processing, and to withdraw consent. You may also lodge a complaint with your supervisory authority (in Norway: Datatilsynet). To exercise any right, email privacy@eigentic.ai; we respond within 30 days.

09Security

We protect data with encryption at rest (AES-256) and in transit (TLS 1.3), least-privilege access controls, mandatory 2FA for staff, and continuous monitoring. Access to customer data is logged and auditable. We test our backups quarterly.

10International transfers

Our primary data centers are in the EU. When data is transferred to a sub-processor outside the EEA, we rely on the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, the EU–U.S. Data Privacy Framework.

11Children

Eigentic is a B2B product not directed at children. We do not knowingly collect data from anyone under 16. If you believe a child has provided personal data, contact us and we will delete it.

12Changes to this policy

We will notify customers by email and post a banner on this page at least 14 days before any material change takes effect. Older versions remain available on request.

13Contact

Privacy questions or rights requests: privacy@eigentic.ai
Postal: Eigentic AS, Pilestredet 32, 0166 Oslo, Norway
EU representative: Available on request to enterprise customers under DPA.