Privacy Policy

This Privacy Policy describes how Calafai B.V., a private limited company incorporated in the Netherlands ("Calafai", "we", "us") collects, uses, shares, and protects personal data when you use the Calafai platform, including the web application, APIs, marketing pages, and client portal (together, the "Service").

Calafai is the data controller for personal data we collect in the course of providing the Service to you. Where we process customer personal data on behalf of a business customer (for example, end-user data submitted within an engagement), the business customer is the controller and Calafai acts as processor under a Data Processing Agreement.

We collect the following categories of personal data:

• Account data. Email address, hashed password (or SSO identifier), display name, organisation name, role, language preference. Provided by you at sign-up or invite.
• Billing data. Billing address, tax ID, invoice history. Payment-card details are handled directly by Stripe and never touch Calafai infrastructure.
• Engagement content. Briefs you write, files you upload, comments, annotations, deliverables produced for you, and the chain of intermediate AI reasoning that produced them.
• Usage and audit data. Pages viewed, actions taken, IP address (server-side, for security and audit), timestamp, viewport size category (mobile / tablet / desktop only — no cookies, no individual tracking).
• Communications. Emails you send to support or legal; transactional emails we send you; portal comments left by your collaborators.
• Diagnostic data. Application error traces, performance metrics, request context (PII scrubbed before transmission to our error-tracking provider).

Under GDPR Article 6, every processing activity needs a lawful basis. Ours are:

We do not use automated decision-making with legal or similarly significant effects on you within the meaning of GDPR Article 22. AI-generated deliverables are advisory outputs that you review and act on; the decision is yours.

We share personal data with the third parties listed in full on our Subprocessors page. In summary:

• AI model providers — receive engagement briefs and intermediate prompts to produce deliverables. No training on your inputs or outputs is permitted under our contracts with them. We audit this annually and publish the LLM Provider DPA Audit on written request to [email protected].
• Hosting providers — Supabase (database + auth), Vercel (web), Railway (engine), Upstash (cache).
• Payment processor — Stripe. Card data tokenised by Stripe and not stored by Calafai.
• Email delivery — Resend.
• Error and performance monitoring — Sentry, with PII scrubbing at the point of capture.
• Professional advisers — counsel, accountants, auditors — only when needed and under confidentiality.
• Successor entities — if Calafai is acquired, merged, or restructured, your data may transfer to the successor under the same protections and with notice to you.

We do not sell personal data, share it with advertisers, or use it to build advertising profiles.

Personal data is stored in EU-region infrastructure by default. Some subprocessors are based outside the EU, primarily in the United States. Where this involves a cross-border transfer of personal data, we rely on:

• The EU–US Data Privacy Framework for certified US providers, where applicable;
• The European Commission's Standard Contractual Clauses (Decision 2021/914) plus supplementary measures (encryption, access controls, audit rights);
• A documented Transfer Impact Assessment for higher- risk transfers (for example, providers without an adequacy decision).

Customers may request a copy of the transfer-mechanism documentation for any specific subprocessor by writing to [email protected].

• Account and engagement data — kept for the life of your account. After deletion, purged from primary storage immediately and from backups within 90 days.
• Billing and tax records — kept for 7 years to comply with Dutch tax law.
• Audit logs — kept for 24 months for security investigation, then anonymised.
• Diagnostic and error logs — kept for 30 days, then deleted.
• Marketing email lists — kept until you unsubscribe, then suppressed (your email is retained on a suppression list so we do not contact you again).
• Anonymised structural patterns — kept indefinitely. These contain no personal data after aggregation.

If you are in the EU, EEA, UK, or Switzerland, you have the following rights under the GDPR / UK GDPR. If you are elsewhere, we extend most of these rights to you as a matter of policy.

• Access (Art. 15) — request a copy of the personal data we hold about you.
• Rectification (Art. 16) — correct inaccurate or incomplete data.
• Erasure (Art. 17, "right to be forgotten") — request deletion of your data, subject to statutory retention requirements.
• Restriction (Art. 18) — ask us to pause processing while a dispute is resolved.
• Portability (Art. 20) — receive your data in a structured, machine-readable format. Use the in-app data export, or write to us.
• Objection (Art. 21) — object to processing based on legitimate interest, including marketing.
• Withdraw consent (Art. 7(3)) — for any processing based on consent. Withdrawal does not affect processing already carried out.
• Lodge a complaint (Art. 77) — with your local data-protection authority. In the Netherlands this is the Autoriteit Persoonsgegevens.

To exercise any of these rights, write to [email protected]. We respond within 30 days. We do not charge for these requests except where they are manifestly unfounded or excessive.

Calafai is an AI-powered consulting platform. Deliverables are produced by large language models orchestrated through our agentic pipeline. We classify the platform as a limited-risk AI system under the EU AI Act (Regulation (EU) 2024/1689).

• No training on your content. Calafai does not use your content to train, fine-tune, evaluate, or benchmark any AI model. The third-party AI providers we route to are contractually prohibited from training on the prompts, attachments, or completions we send them on your behalf. Each provider's no-training commitment is recorded in our annual LLM Provider DPA Audit, available on written request to [email protected]. If any provider's no-training posture changes, we treat that change as a new-subprocessor event and give you the same 30-day advance notice and objection right.
• Deliverables are clearly marked as AI-generated, in line with Article 50(1) and 50(2). The marker is carried in PDF and PPTX file metadata, on the cover page of every report, in client-portal banners, in the Thinking Partner interface, and in engagement-completion emails.
• Calafai is the deployer and provider of the orchestration system. The underlying foundation models are provided by the third parties listed on the Subprocessors page.
• GDPR Article 22. Calafai's deliverables are advisory. The system does not take decisions about you that produce legal or similarly significant effects. A human user (you, or your colleague) reviews the output and decides what to do with it. On that basis Article 22 is not engaged. Our reasoned position is documented in the GDPR Article 22 position memorandum, available on written request to [email protected].
• For AI-Act-specific questions or for the AI literacy record kept under Article 4, write to [email protected].

Calafai does not use cookies, pixels, browser fingerprinting, or any similar technologies to track you across the web or to build advertising profiles. We do not use analytics cookies. We do not use marketing cookies. We do not allow third-party advertisers to set cookies on our domain.

We use the following minimum technical cookies, which are necessary to operate the Service and are not subject to consent under the ePrivacy Directive:

• Session cookie — set when you sign in, so we know it is you on the next page load. Expires when you sign out or after extended inactivity. Stored as an HTTP- only, Secure, SameSite=Lax cookie.
• CSRF token — a short-lived value used to block cross-site request forgery on form submissions. No personal data.
• Theme and preference — your light/dark mode choice. Stored in localStorage on your device. Never sent to our server.

For aggregate device analytics (viewport width category only) we use no cookies and no identifiers. See section 2 above and section 8(a) of the Terms.

If we ever introduce a cookie that requires consent, we will ask first. This page is the canonical Cookie Notice required by the ePrivacy Directive and PECR.

Personal data is encrypted at rest using AES-256 and in transit using TLS 1.2 or higher. Tenant isolation is enforced at the database layer using PostgreSQL row-level security, so a bug in application code cannot cause cross-tenant data exposure.

Access to production systems is restricted to a small set of named individuals, requires multi-factor authentication, and is audit-logged. Calafai maintains an incident-response plan and will notify affected users and supervisory authorities of personal-data breaches in line with GDPR Articles 33 and 34.

The Service is not directed at children under 16. We do not knowingly collect personal data from children under 16. If you believe a child has submitted data to Calafai, contact [email protected] and we will delete it.

We will update this Privacy Policy when our practices change. Material changes are announced at least 30 days in advance via email or in-app notice. The "Last updated" date at the top of this page reflects the most recent version. Prior versions are available on request.

Calafai B.V.
Amsterdam, Netherlands
Privacy contact: [email protected]
Legal: [email protected]
AI Act matters: [email protected]

See also our Terms of Service and the public Subprocessors page.