Privacy Policy

Controller: Festina AI d.o.o.

Privacy contact / DPO: contact@festina.ai

This policy covers festina.ai, related subdomains, and our products and services (the “Service”). “Personal data” means any information that identifies or can identify an individual. “Processing” means any operation performed on personal data.

• Account Data — name, email, hashed password, role, language, settings.
• Customer Content — documents, files, prompts, context, and metadata you upload or generate in the Service.
• Usage & Technical Data — IP, device identifiers, logs, browser type, timestamps, pages and features used, crash and performance reports.
• Payments — processed by our payment provider; we do not store full card details.
• Cookies & Similar Technologies — essential, functional, analytics, and (where permitted) marketing cookies.

Sources: you, your organization, automatic collection via the Service, and service providers (e.g., analytics, hosting) in line with applicable law.

• No training on your content without opt‑in. We do not use Customer Content to train foundation models unless you explicitly agree.
• Processing for features only. We may derive embeddings or cache context to provide retrieval, summarization, and similar features within your workspace.
• Automated decisions. We do not make decisions with legal or similarly significant effects without appropriate human oversight.
• Model providers. Where we use third‑party infrastructure (e.g., cloud or LLM providers) they act as processors under our instructions and contractual safeguards.

• Service providers (processors). Hosting/CDN, security, email, analytics, payments, and LLM infrastructure.
• Public authorities. When required by law, and only after a careful legal review; we narrow scope and challenge unlawful requests.
• Business transfers. In a merger, acquisition, or reorganization, with appropriate safeguards.

See also: Data Processing Addendum (DPA) and Subprocessor List.

Where personal data is transferred outside the EU/EEA/Switzerland/UK we use appropriate safeguards (e.g., Standard Contractual Clauses, UK IDTA/Addendum, adequacy decisions) plus technical and organizational measures.

• Account data: kept for your account lifetime + up to 24 months after deactivation (unless you request earlier deletion where applicable).
• Security logs & diagnostics: 6–24 months, depending on type.
• Billing records: retained per applicable law

Backups may persist for a limited period and are purged on a rolling schedule.

• Encryption in transit (TLS) and at rest.
• Least‑privilege access, role‑based controls, and audit logs.
• Network segmentation, monitoring, and vulnerability remediation.
• Employee confidentiality and security training.

No system is 100% secure, but we continuously improve our controls.

• Access and obtain a copy of your personal data
• Rectify inaccurate data
• Erase data (where applicable)
• Restrict or object to processing
• Data portability
• Withdraw consent at any time (where processing is based on consent)

Exercise your rights via contact@festina.ai. You can also contact your local supervisory authority.

California residents have rights to know, delete, correct, and to opt out of “selling” or “sharing” personal information as defined by the CPRA. To submit a request, contact contact@festina.ai.

If we operate a “Do Not Sell or Share My Personal Information” mechanism, it will be available in the site footer.

The Service is not intended for individuals under 16. We do not knowingly collect personal data from children without required consent.

We act as a controller for account/usage data. We act as a processor when processing your Customer Content solely under your instructions (see DPA).

We will post any changes on this page with an updated “Last updated” date. Material changes will be highlighted.

Questions or requests: contact@festina.ai

This document is a policy overview and not legal advice. Please consult your counsel for your specific situation.