Privacy Policy & Data Protection Statement

XplAInIT - IT Diagram Analysis Service

Effective Date: December 07, 2025

1. Introduction

This Privacy Policy & Data Protection Statement explains how XplAInIT ("we", "our", or "the Service") collects, uses, and protects your personal data when you use our IT diagram analysis service. We are committed to protecting your privacy and ensuring the security of your information in accordance with Regulation (EU) 2016/679 (GDPR) and Slovak Act No. 18/2018 Coll. on Personal Data Protection.

2. Data Controller

The data controller for your personal data is:

Peter Jasenovec

Business Address: Haanova 3642/14, 851 04 Bratislava-Petrzalka, Slovak Republic

Business ID (ICO): 57 102 911

Business Registry Number: 110-357054

3. Data We Collect

When you use our Service, we may collect the following types of data:

3.1 Uploaded Documents

We process IT diagrams you upload (UML, BPMN, ArchiMate, and other technical documents) solely for the purpose of providing analysis results.

3.2 Authentication Data

We collect authentication credentials (username and password) necessary to control access to the Service.

3.3 Technical Data

We automatically collect certain technical information such as IP addresses, browser type, access times, and system logs necessary for service operation and security.

4. How We Use Your Data

4.1 Service Delivery

To analyze your uploaded IT diagrams and provide business-friendly insights. This processing is necessary for the performance of our service contract with you (GDPR Art. 6(1)(b)).

4.2 Service Improvement (Anonymized Only)

We may use fully anonymized data derived from uploaded documents to improve our AI analysis capabilities. Anonymized data cannot be traced back to you.

4.3 Authentication & Security

To verify your identity, control access to the Service, and protect against unauthorized access (GDPR Art. 6(1)(f)).

5. Data Security & Protection

We implement appropriate technical and organizational measures:

  • Access Control: HTTP Basic Authentication protects service access
  • Encryption in Transit: All data transmission uses HTTPS/TLS encryption
  • Private Infrastructure: Service hosted on private Railway.com infrastructure
  • No Third-Party Access: Only the data controller has access to your data
  • Secure Processing: AI processing is performed via the secure Anthropic Claude API
  • Limited Retention: Uploaded documents are processed and not permanently stored

6. Our Commitment to Your Privacy

  • Your uploaded documents and analysis results are NOT shared with any third parties except as necessary for service operation
  • Your data is NOT sold, rented, or disclosed to any other organizations
  • Your data is NOT used for marketing purposes
  • Only fully anonymized data may be used to improve service functionality
  • Only the data controller has access to your original uploaded documents

7. Third-Party Service Providers

  • Anthropic (Claude AI API): Processes uploaded diagrams to generate analysis
  • Railway.com: Provides hosting infrastructure
  • n8n: Workflow automation platform running on our infrastructure

8. Your Rights Under GDPR

  • Right of Access (Art. 15): Request information about what personal data we process
  • Right to Rectification (Art. 16): Request correction of inaccurate data
  • Right to Erasure (Art. 17): Request deletion of your personal data
  • Right to Restriction (Art. 18): Request limitation of processing
  • Right to Data Portability (Art. 20): Request your data in a machine-readable format
  • Right to Object (Art. 21): Object to processing based on legitimate interests
  • Right to Withdraw Consent: Withdraw consent at any time

9. Data Retention

  • Uploaded Documents: Processed temporarily and not permanently stored
  • Analysis Results: Delivered via the interface; not stored long-term
  • Authentication Data: Retained as long as your account is active
  • System Logs: Retained for a maximum of 90 days

10. International Data Transfers

Your data may be transferred to countries outside the EEA when using third-party services. These transfers are protected by Standard Contractual Clauses (SCCs), adequacy decisions under GDPR Article 45, and other appropriate safeguards.

11. Right to Lodge a Complaint

Office for Personal Data Protection of the Slovak Republic

(Urad na ochranu osobnych udajov Slovenskej republiky)

Hranicna 12, 820 07 Bratislava 27, Slovak Republic

Website: dataprotection.gov.sk

Email: statny.dozor@pdp.gov.sk

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on our website with an updated effective date.

13. Contact Information

Data Controller: Peter Jasenovec

Address: Haanova 3642/14, 851 04 Bratislava-Petrzalka, Slovak Republic

Business ID: 57 102 911

This Privacy Policy is governed by Slovak and European Union data protection law.

Last updated: December 07, 2025