Privacy Policy
Last updated: April 1, 2026
Controller: Ejentum, Greece
Contact: info@ejentum.com
This policy describes how Ejentum collects, uses, and protects your personal data when you use the Ejentum Logic API and related services at ejentum.com.
1. What We Collect
Account Data
When you create an account, we collect:
- Email address (for authentication and communication)
- Password (stored as a cryptographic hash, never in plain text)
API Usage Data
When your agent calls the Logic API, we process:
- Query text (the natural language task description you send)
- Mode selection (single or multi)
- Request metadata (timestamp, API key identifier, response code, latency)
Billing Data
When you subscribe to a paid plan:
- Subscription status and plan tier (stored by Ejentum)
- Payment method and card details (stored exclusively by Stripe; Ejentum never sees or stores your card number)
Automatically Collected Data
- API gateway logs (request/response metadata for rate limiting, abuse prevention, and debugging)
- Authentication tokens (session cookies for the web application)
We do not use tracking cookies, analytics pixels, or third-party advertising scripts.
2. How We Use Your Data
| Data | Purpose | Legal Basis (GDPR) |
|---|---|---|
| Email, password | Account authentication | Contract performance (Art. 6(1)(b)) |
| Query text, mode | Retrieve and return reasoning scaffolds | Contract performance (Art. 6(1)(b)) |
| Request metadata | Rate limiting, quota enforcement, abuse prevention | Legitimate interest (Art. 6(1)(f)) |
| Gateway logs | Debugging, audit, service reliability | Legitimate interest (Art. 6(1)(f)) |
| Billing data | Process payments, manage subscriptions | Contract performance (Art. 6(1)(b)) |
We do not use your query content to train models, to improve retrieval, or for any purpose beyond fulfilling the API request. Your queries are processed, the scaffold is returned, and query content is not retained beyond gateway logging.
3. Sub-Processors
We use the following third-party services to operate the platform:
| Processor | Role | Data Processed | Location |
|---|---|---|---|
| Supabase | Authentication, database | Email, password hash, API keys, usage counts | EU (Frankfurt) |
| Stripe | Payment processing | Card details, billing address, subscription status | US / EU |
| Zuplo | API gateway, rate limiting | Request metadata, query text (in transit) | Edge (global) |
| Hetzner | Server infrastructure | All backend processing | EU (Germany) |
Each sub-processor is bound by their own data processing agreements. Stripe is PCI DSS Level 1 certified and handles all payment card data directly.
4. Data Retention
| Data | Retention Period |
|---|---|
| Account data (email, credentials) | Until you delete your account |
| API keys | Until revoked by you or account deletion |
| Gateway logs (request metadata) | 30 days |
| Query text in logs | 30 days |
| Billing records | As required by tax law (up to 7 years for transaction records) |
| Subscription status | Until account deletion or as required by law |
After retention periods expire, data is permanently deleted or anonymized.
5. Your Rights (GDPR)
As a data subject under the General Data Protection Regulation, you have the right to:
- Access your personal data (Art. 15)
- Rectify inaccurate data (Art. 16)
- Erase your data ("right to be forgotten") (Art. 17)
- Restrict processing (Art. 18)
- Receive your data in a structured format (data portability) (Art. 20)
- Object to processing based on legitimate interest (Art. 21)
- Withdraw consent at any time where consent is the legal basis
- Lodge a complaint with your national data protection authority
To exercise any of these rights, contact us at info@ejentum.com. We will respond within 30 days.
To delete your account and all associated data, email info@ejentum.com with the subject "Account Deletion Request."
6. International Transfers
Our primary infrastructure is hosted in the European Union (Germany, via Hetzner and Supabase Frankfurt). API gateway requests may be processed at Zuplo's global edge nodes. Stripe processes payment data in both EU and US facilities under their own data processing agreement and Standard Contractual Clauses.
7. Security
We implement the following security measures:
- Encryption in transit (TLS/HTTPS for all connections)
- Password hashing (cryptographic hash, never stored in plain text)
- API key authentication (Bearer token scheme)
- Rate limiting (100 requests per minute per API key)
- Gateway-level request validation (malformed requests rejected before reaching backend)
- Authorization header stripping (credentials removed before forwarding to internal services)
No system is perfectly secure. If you discover a security vulnerability, please report it to info@ejentum.com.
8. Cookies
We use minimal cookies required for the web application to function:
- Authentication session token (required for login state)
- No tracking cookies
- No third-party analytics cookies
- No advertising cookies
9. Children
Ejentum is not directed at individuals under 16 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact info@ejentum.com and we will delete it.
10. Changes to This Policy
We may update this policy to reflect changes in our practices or legal requirements. If we make material changes, we will notify you by email or by posting a notice on ejentum.com at least 30 days before the changes take effect.
11. Contact
For questions about this policy or to exercise your data rights:
Ejentum
Email: info@ejentum.com
Location: Greece