Privacy Policy
Effective Date: 2026-05-05
Version: 1.0
1. Data Controller
The data controller for the processing of your personal data is Ecliptio Ltd, a company registered in Malta (Company Registration Number: C111698), with registered office at Northlink Business Centre Level 2, Triq Burmarrad, Naxxar, NXR 6345, Malta, VAT Number MT31906033.
For privacy-related inquiries: privacy@eclipt.io
2. Data We Collect
2.1 Data You Provide
- Account Data: name, email address, password, avatar image, preferred language
- Profile Data (optional): company name, address, phone, bio
- Workspace Data: Workspace name, slug, member roles, AI configuration (encrypted credentials at rest)
- Customer Data: any content, code, files, media, secrets, database rows, or other material you upload, generate, or store within the Platform
- Payment Data: processed by Stripe; we store only transaction IDs, amounts, subscription status, and VAT-relevant invoice data. We never store credit card numbers
- Communication Data: messages and attachments sent to our support team
2.2 Data Collected Automatically
- Usage Data: features used, conversation counts, session duration, AI inference token counts (for billing and trial tracking)
- Device Data: browser type, operating system, device type, screen resolution
- Log Data: IP address (for security and abuse detection; anonymized after 30 days), access timestamps, error logs
2.3 Data We Do NOT Collect
- We do not track precise geolocation
- We do not collect biometric data
- We do not aggregate or sell any data to advertisers or data brokers
3. Legal Bases for Processing (GDPR Art. 6)
- Contract Performance (Art. 6(1)(b)): account creation and login, providing the Platform services, processing payments and subscriptions, billing trial credit usage
- Legitimate Interest (Art. 6(1)(f)): Platform security, fraud and abuse prevention, infrastructure monitoring, customer support, product analytics in aggregate form
- Consent (Art. 6(1)(a)): marketing communications, optional analytics cookies
- Legal Obligation (Art. 6(1)(c)): tax records, anti-money laundering requirements, responding to lawful data access requests
4. How We Use Your Data
- To provide, operate, and maintain the Platform, including AI inference, hosting, storage, and deploys
- To authenticate users and secure accounts (including email verification, password reset, two-factor authentication when enabled)
- To process payments and manage subscriptions via Stripe
- To send transactional emails (verification, password reset, invitations, billing) via our email delivery providers
- To send marketing communications, but only with your explicit opt-in consent (see Section 7); you can unsubscribe at any time
- To improve the Platform through aggregated, non-identifying analytics
- To provide customer support
- To detect and prevent fraud, abuse, and misuse of AI features
- To comply with legal obligations and respond to lawful requests
5. Data Sharing and Transfers
5.1 Third-Party Processors
We share personal data with the following processors, each bound by Data Processing Agreements (DPAs) where applicable. The exact set of processors depends on your AI Configuration and feature usage.
- Anthropic (USA): AI inference, when your Workspace uses Anthropic models. Receives prompt content from Specialists. Transfer basis: EU Standard Contractual Clauses (SCCs)
- OpenAI (USA): AI inference, when your Workspace uses OpenAI models. Receives prompt content. Transfer basis: SCCs
- Google (USA/EU): AI inference (Gemini) when configured. Receives prompt content. Transfer basis: SCCs and adequacy
- OpenRouter (USA): AI router, when your Workspace uses Trial Credits or routes via OpenRouter. Receives prompt content. Transfer basis: SCCs
- DeepSeek (Hong Kong / global): AI inference, when configured. Receives prompt content. Transfer basis: SCCs and supplementary measures
- Stripe (USA): Payment processing. Receives payment details. Transfer basis: EU-US Data Privacy Framework + SCCs
- SendGrid (USA): Marketing email delivery (when applicable). Receives recipient email and message content. Transfer basis: SCCs
- mxroute (USA): Transactional email delivery. Receives recipient email and message content
- Wasabi (EU region): Object storage for media and customer-uploaded assets. EU-based servers (Amsterdam), no international transfer
- Hetzner (EU): Hosting infrastructure for the Platform. EU-based, no international transfer
5.2 Self-Configured Third Parties
If you configure your Workspace to use Bring-Your-Own keys (e.g., your own OpenAI key) or self-hosted inference endpoints, prompts and outputs flow through providers and infrastructure of your choosing. Ecliptio is not the data controller or processor for such flows; you are. Your relationship with that provider is governed by their terms.
5.3 International Transfers
Where personal data is transferred outside the EEA, we ensure adequate protection through: EU Standard Contractual Clauses (SCCs), adequacy decisions where applicable, and supplementary technical measures including encryption in transit (TLS 1.3) and at rest (AES-256).
5.4 We Do NOT
- Sell your personal data to third parties
- Share your Customer Data, Workspace content, or conversation history with advertisers
- Use your Customer Data for AI model training (ours or third parties')
- Use your data for automated profiling or decision-making that produces legal effects
6. Data Retention
- Account Data: retained for the duration of your account plus 30 days after deletion request
- Customer Data: retained for the duration of your subscription; deleted within 30 days of account or Workspace deletion request, except where retention is required by law
- Conversation History: retained for the duration of your account; deleted within 30 days of account deletion
- Payment and Billing Records: retained for 10 years as required by Maltese tax law
- Log Data: IP addresses anonymized after 30 days; logs retained for 90 days
- Marketing Consent Records: retained for 3 years after consent withdrawal for audit purposes
- Encrypted API Keys: stored only while you choose to use Bring-Your-Own AI; deleted on configuration change or account deletion
7. Marketing Communications and Opt-In
We will only send you marketing communications (e.g., product updates, feature announcements, newsletters) if you have explicitly opted in by ticking the dedicated checkbox at signup or in your account settings. Opt-in is not a condition of using the Platform.
You can withdraw consent at any time by:
- Clicking the "Unsubscribe" link in any marketing email
- Disabling marketing emails in your account settings
- Replying to any marketing email with "unsubscribe"
Withdrawing consent does not affect transactional emails (such as verification, password reset, invoices, security alerts), which are sent on the basis of contract performance and cannot be opted out of while you have an active account.
8. Your Rights (GDPR Art. 15-22)
As a data subject under GDPR, you have the following rights:
- Right of Access (Art. 15): request a copy of all personal data we hold about you
- Right to Rectification (Art. 16): correct inaccurate or incomplete data
- Right to Erasure (Art. 17): request deletion of your data ("right to be forgotten")
- Right to Restriction (Art. 18): restrict processing in certain circumstances
- Right to Data Portability (Art. 20): receive your Customer Data in a structured, machine-readable format
- Right to Object (Art. 21): object to processing based on legitimate interests
- Right to Withdraw Consent (Art. 7(3)): withdraw consent at any time without affecting prior processing
- Right to Lodge a Complaint: with the Office of the Information and Data Protection Commissioner (IDPC), Malta, or your local supervisory authority
To exercise any of these rights, contact: privacy@eclipt.io. We will respond within 30 days as required by GDPR.
9. Data Security
We implement appropriate technical and organizational measures to protect your personal data, including:
- Encryption in transit (TLS 1.3) and at rest (AES-256)
- Passwords stored as bcrypt hashes (never in plaintext)
- AI provider API keys encrypted with AES-256-GCM before storage
- Workspace-level multi-tenant isolation enforced at the application and database layer
- Regular security audits and dependency vulnerability scans
- Role-based access controls limiting employee access to personal data on a need-to-know basis
- Secure API authentication for all third-party integrations
- Automated anomaly detection for unauthorized access attempts
Customer Data and Workspace content are isolated by Workspace ID at the database level. We do not access Workspace content except where strictly necessary to provide support (e.g., when you submit a support ticket and reference specific data) or to investigate abuse.
10. Children's Privacy
The Platform is not intended for use by anyone under 18 years of age. We do not knowingly collect personal data from minors. If we become aware that a user is under 18, we will promptly delete their account and associated data.
11. AI-Specific Privacy Provisions
When you use AI-powered features, prompts and (where relevant) attachments are sent to the AI provider configured for your Workspace.
11.1 Data Sent to AI Providers
When you use AI features, the following may be transmitted to your configured AI provider:
- The text of your prompt or instruction
- Conversation context selected by the Specialist (which may include prior messages, attached files, project metadata)
- Skill configuration metadata
- Where image generation or vision is used: image data
11.2 Data NOT Sent to AI Providers
The following are NEVER included in AI provider requests by Ecliptio:
- Your name, email, account ID, or any identifier that would link the request to you personally (beyond what you may have voluntarily included in a prompt)
- Your password or authentication credentials
- Payment information
- Other Workspace members' private content unless explicitly attached by you to the conversation
11.3 AI Provider Data Handling
We rely on AI providers' published policies for their handling of API requests. Most providers (e.g., Anthropic, OpenAI, Google) state that API inputs are not used for model training and are retained only transiently for trust and safety monitoring. We recommend reviewing your chosen provider's data use policy.
If you use Bring-Your-Own keys or a self-hosted inference endpoint, the data handling of those flows is governed by the provider you have chosen, not by Ecliptio.
12. Changes to This Policy
We may update this Privacy Policy periodically. We will notify you of material changes via email and/or a prominent in-app notice at least 30 days before changes take effect. The effective date of the latest revision is always indicated at the top of this document.
13. Contact and Supervisory Authority
Data Controller: Ecliptio Ltd, Northlink Business Centre Level 2, Triq Burmarrad, Naxxar, NXR 6345, Malta
Company Registration: C111698 | VAT: MT31906033
Privacy Contact: privacy@eclipt.io
Supervisory Authority: Office of the Information and Data Protection Commissioner (IDPC), Level 2, Airways House, High Street, Sliema SLM 1549, Malta
Website: https://idpc.org.mt