Datenschutzerklärung / Privacy Policy

Last Updated: January 10, 2026
Effective Date: October 10, 2025
Language: This policy is provided in English. A German version is available on request.

Note: This privacy policy applies to a company based in Austria and complies with the European Union's General Data Protection Regulation (GDPR).

1. Controller / Verantwortlicher

Company Name: [TODO: YOUR REGISTERED COMPANY NAME]

Registered Address: [TODO: YOUR AUSTRIAN STREET ADDRESS, POSTAL CODE, CITY]

Email: [TODO: contact@yourcompany.com]

Phone: [TODO: +43 XXX XXXXXXX]

Company Registration Number (Firmenbuchnummer): [TODO: FN XXXXXX X]

UID Number: [TODO: ATU XXXXXXXX]

For data protection inquiries, please contact: [TODO: privacy@yourcompany.com]

2. Scope and Purpose

This Privacy Policy describes how GraySwan Intelligence ("we," "us," or "our") collects, uses, processes, and protects your personal data when you use our AI-powered market analysis platform (the "Service").

Our Commitment to GDPR Compliance

As an Austrian company, we fully comply with:

  • GDPR (Datenschutz-Grundverordnung / DSGVO) - EU Regulation 2016/679
  • Austrian Data Protection Act (Datenschutzgesetz / DSG)
  • Austrian Telecommunications Act (Telekommunikationsgesetz / TKG) - for cookies and tracking

3. Personal Data We Collect

3.1 Account Information

When you create an account, we collect:

  • Username
  • Email address
  • Password (stored only as a bcrypt hash, never in plain text)
  • Account creation date
  • Subscription tier and billing information

3.2 Payment Information

For paid subscriptions, we collect:

  • Billing name and address
  • Payment method details (processed securely by Stripe, a PCI-DSS compliant payment processor)
  • Transaction history and invoice data

Note: We do NOT store your complete credit card numbers. All payment card data is handled exclusively by Stripe.

3.3 Usage Data

When you use our Service, we automatically collect:

  • IP address and geolocation (country/region level)
  • Browser type and version
  • Operating system
  • Pages visited and features used
  • Time and date of access
  • API requests and usage patterns
  • Feature quota consumption

3.4 Technical Data

  • Session cookies (for authentication)
  • API keys and widget tokens (for programmatic access)
  • Log files (for security and debugging)

3.5 GraySwan ID SSO Integration

If you log in via GraySwan ID Single Sign-On, we receive:

  • GraySwan username
  • Email address
  • Subscription tier information
  • HMAC-signed authentication token

4. Legal Basis for Processing (GDPR Art. 6)

We process your personal data based on the following legal grounds:

4.1 Contract Performance (Art. 6(1)(b) GDPR)

Processing is necessary to provide the Service you subscribed to:

  • Account creation and management
  • Subscription billing and payment processing
  • Service delivery (market analysis, AI predictions)
  • Customer support

4.2 Legal Obligation (Art. 6(1)(c) GDPR)

We process data to comply with legal requirements:

  • Austrian tax law (BAO - Bundesabgabenordnung) - invoice retention for 7 years
  • Austrian Commercial Code (UGB) - accounting records
  • Anti-money laundering regulations

4.3 Legitimate Interest (Art. 6(1)(f) GDPR)

We process data for legitimate business purposes:

  • Security monitoring and fraud prevention
  • Service improvement and analytics
  • Bug detection and system optimization

4.4 Consent (Art. 6(1)(a) GDPR)

For optional features like marketing communications, we obtain your explicit consent. You may withdraw consent at any time.

5. How We Use Your Data

  • Service Provision: To deliver market analysis, AI predictions, and real-time updates
  • Account Management: To manage your subscription, authentication, and access control
  • Payment Processing: To process payments and issue invoices
  • Customer Support: To respond to inquiries and resolve issues
  • Security: To detect fraud, prevent abuse, and secure our systems
  • Legal Compliance: To comply with Austrian and EU legal obligations
  • Service Improvement: To analyze usage patterns and improve our platform

6. Data Sharing and Third-Party Processors

We share your data only with trusted third-party processors who comply with GDPR:

6.1 Payment Processing

Stripe, Inc. (USA; adequate protection under the EU-US Data Privacy Framework)

  • Purpose: Payment processing, subscription management
  • Data shared: Name, email, billing address, payment method
  • Privacy Policy: stripe.com/privacy

6.2 AI Services

Local AI Processing (Ollama)

  • Purpose: AI-powered market narrative analysis
  • Processing Location: On our own servers (EU)
  • Data shared: NONE - all AI processing is done locally on our infrastructure
  • No third-party AI providers: We do NOT use OpenAI, Anthropic, or other external AI APIs
  • Privacy benefit: Your data never leaves our EU-based infrastructure for AI processing

6.3 Hosting and Infrastructure

Rackforest (Hungary, European Union)

  • Purpose: Application hosting, database storage, and AI model hosting
  • Data Location: Hungary (EU member state)
  • GDPR Compliance: Full EU data protection regulations apply
  • No third-country transfers: All data remains within the European Union

6.4 GraySwan Integration (If Applicable)

If you use GraySwan ID SSO, data is exchanged with your GraySwan portal via HMAC-signed tokens.

Third-Country Transfers: Stripe (payment processor) is based in the USA. We ensure adequate protection through:

  • EU-US Data Privacy Framework participation (Stripe is certified)
  • Standard Contractual Clauses (SCCs) with Stripe
  • Limited data transfer: Only payment information (name, email, billing address)

Important: All AI processing and market analysis happens on our EU servers (Hungary). No personal data or market data is sent to third countries for AI processing.

7. Data Retention

We retain your personal data only as long as necessary:

  • Active Accounts: Data retained while account is active
  • Closed Accounts: Data deleted within 30 days, except:
    • Invoices and financial records: 7 years (Austrian tax law)
    • Anonymized analytics: Indefinitely (no personal data)
  • Security Logs: 90 days (for incident investigation)
  • Backups: Deleted within 60 days after account closure

8. Your Rights Under GDPR

As a data subject in the EU, you have the following rights:

8.1 Right of Access (Art. 15 GDPR)

You can request a copy of all personal data we hold about you.

8.2 Right to Rectification (Art. 16 GDPR)

You can correct inaccurate or incomplete personal data.

8.3 Right to Erasure / "Right to be Forgotten" (Art. 17 GDPR)

You can request deletion of your personal data, subject to legal retention requirements.

8.4 Right to Restriction of Processing (Art. 18 GDPR)

You can limit how we process your data in certain circumstances.

8.5 Right to Data Portability (Art. 20 GDPR)

You can receive your data in a structured, machine-readable format (JSON/CSV).

8.6 Right to Object (Art. 21 GDPR)

You can object to processing based on legitimate interests.

8.7 Right to Withdraw Consent (Art. 7(3) GDPR)

If processing is based on consent, you may withdraw it at any time.

8.8 Automated Decision-Making

Our Service uses AI for market analysis, but NO automated decisions are made that significantly affect your legal rights without human oversight.

How to Exercise Your Rights:

Email us at: [TODO: privacy@yourcompany.com]

We will respond within 30 days as required by GDPR.

9. Data Security

We implement industry-standard security measures:

  • Encryption: TLS/SSL for data in transit, encryption at rest
  • Access Control: Role-based access, admin authentication
  • Password Security: bcrypt hashing, minimum password length of 8 characters
  • CSRF Protection: Protection against cross-site request forgery
  • Security Monitoring: Logging and intrusion detection
  • Regular Updates: Software patches and security audits

Data Breach Notification: In case of a data breach, we will notify affected users and the Austrian Data Protection Authority (Datenschutzbehörde) within 72 hours as required by GDPR Art. 33.

10. Cookies and Tracking

Essential Cookies (No Consent Required)

  • Session Cookie: For authentication and login persistence
  • CSRF Token: For security protection

Optional Cookies (Consent Required)

  • Analytics: [IF YOU USE ANALYTICS, SPECIFY AND OBTAIN CONSENT]
  • Marketing: [IF APPLICABLE]

You can manage cookie preferences in your browser settings.

11. Children's Privacy

Our Service is NOT intended for children under 16 years of age (minimum age under GDPR Art. 8). We do not knowingly collect data from children. If you believe a child has provided personal data, please contact us immediately.

12. International Transfers

Your data is primarily processed within the European Economic Area (EEA). Where we transfer data to third countries (e.g., USA), we ensure adequate protection through:

  • EU-US Data Privacy Framework
  • Standard Contractual Clauses (SCCs)
  • Technical encryption measures

13. Right to Lodge a Complaint

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Austrian Data Protection Authority:

Österreichische Datenschutzbehörde
Barichgasse 40-42
1030 Wien, Austria
Phone: +43 1 52 152-0
Email: dsb@dsb.gv.at
Website: www.dsb.gv.at

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last Updated" date. Significant changes will be communicated via email.

15. Contact Information

For privacy-related questions or to exercise your rights:

Email: [TODO: privacy@yourcompany.com]
Address: [TODO: YOUR AUSTRIAN STREET ADDRESS, POSTAL CODE, CITY]
Phone: [TODO: +43 XXX XXXXXXX]

Legal Reference: This privacy policy complies with GDPR (EU Regulation 2016/679), Austrian Data Protection Act (DSG), and Austrian Telecommunications Act (TKG) §96.