Privacy Policy
Last update: July 3rd, 2025
Introduction
ArtinLeap safeguards your privacy under:
- EU Regulations: GDPR (Regulation (EU) 2016/679), EU AI Act (2024), and ePrivacy Directive.
- US Laws: CCPA (Cal. Civ. Code § 1798.100 et seq.), VCDPA (Virginia), CPA (Colorado), and FTC AI Guidelines (15 U.S.C. § 45).
- Global Standards: ISO/IEC 27001 (Security), OECD AI Principles.
- Provider-Specific Policies: Including Google API Services User Data Policy, Microsoft API terms, Atlassian Developer Terms, and Slack Platform Policy.
1. Collection of Personal Information
Lawful Bases Under GDPR (Art. 6): Consent, Contract, Legal Obligation, Legitimate Interest.
Data Collected:
- Directly: Name, email, job applications (GDPR Art. 4(1)).
- Integrated Service Data (for ecitonX): Content and metadata from third-party services you explicitly connect to ecitonX (e.g., emails and attachments from Google Gmail/Outlook, calendar events from Google Calendar/Outlook Calendar, files from Google Drive/OneDrive, tasks and project details from Atlassian Jira/Confluence, messages from Slack). This data is accessed solely to provide the specified functionalities of ecitonX.
- Automatically: IP address, device info, browsing activity (ePrivacy Directive Art. 5(3)).
- AI Interactions (for ecitonX): Metadata and content processed through ecitonX's AI agent from your interactions, including specific requests and the data processed from integrated services (e.g., content summarized, emails drafted, meeting invitations created). This data is processed only for the purpose of executing your explicit instructions and providing the intended service functionality.
2. Use of Personal Information
Purposes & Legal Bases:
- Service Delivery (Contract, GDPR Art. 6(1)(b)): To operate and provide the core functionalities of ArtinLeap's products, including ecitonX. This involves enabling your AI personal assistant to access, process, and act upon data within connected third-party tools (e.g., Atlassian Jira and Confluence, Google Gmail, Calendar, and Drive, Outlook email, Calendar, and OneDrive, Slack) as per your instructions. This includes features like summarization, content generation, task management, and communication facilitation.
- Personalized AI Features (Contract/Consent, GDPR Art. 6(1)(b)/Art. 6(1)(a)): To enhance and personalize your individual ecitonX experience by learning from your interactions and data within your connected accounts. Crucially, data obtained through Google Workspace APIs (Gmail, Calendar, Drive) and other sensitive integrations is used solely to provide and improve user-facing features for your specific use of ecitonX and is never used to train or improve general, non-personalized AI/ML models or for purposes unrelated to your direct use.
- Marketing (Consent, GDPR Art. 6(1)(a)): Send promotional emails (opt-out via CCPA § 1798.120).
- Compliance (Legal Obligation, GDPR Art. 6(1)(c)): Tax reporting, fraud prevention, and adherence to regulatory requirements, including those of our technology providers.
- Product Improvement (Legitimate Interest, GDPR Art. 6(1)(f)): To analyze and improve the overall performance, stability, and non-personalized aspects of ArtinLeap's products. This involves using aggregated, de-identified, or anonymized usage data that does not originate from sensitive third-party integrations for general model enhancement, research, and development.
3. Disclosure of Personal Information
Recipients:
- Processors: Subcontractors (Processors) under GDPR Art. 28, which may include cloud providers and specialized AI infrastructure providers. We ensure all processors are bound by strict data processing agreements that adhere to our privacy commitments and applicable regulations, including specific limitations on the use of data from integrated services.
- Authorities: Law enforcement per GDPR Art. 6(1)(c) or CCPA § 1798.145, when legally required.
- Integrated Service Providers: Data may be shared with the specific third-party services you connect (e.g., Google, Microsoft, Atlassian, Slack) as necessary to execute actions on your behalf (e.g., sending an email, creating a Jira ticket) or to maintain the connection. We only share data required for the intended functionality and subject to their respective privacy policies.
International Transfers:
- EU→US: EU-US Data Privacy Framework adequacy decision or Standard Contractual Clauses (SCCs) (GDPR Art. 46).
- Global: ISO 27001-certified vendors and other robust safeguards ensuring adequate data protection during international transfers, particularly for data accessed via sensitive integrations.
4. Your Rights
EU Rights (GDPR):
- Access (Art. 15), Rectification (Art. 16), Erasure (Art. 17), Restriction (Art. 18), Portability (Art. 20), Object (Art. 21).
- No Automated Decisions (Art. 22): We do not use solely automated decision-making that produces legal effects concerning you or similarly significantly affects you.
US Rights:
- CCPA: Opt-out of data sales (§ 1798.120), Know/Delete data (§§ 1798.100, 1798.105).
- VCDPA/CPA: Correct inaccuracies (Va. Code § 59.1-577, Colo. Rev. Stat. § 6-1-1306).
Control over Integrated Data:
- You have full control over which third-party services (e.g., Google Workspace, Atlassian, Microsoft, Slack) you connect to ecitonX and can revoke these connections at any time directly within the application or by contacting us. Upon revocation, we will cease accessing new data from that service and will delete relevant associated data in accordance with our data retention policy and the requirements of the respective service provider.
Exercise Rights: Submit requests via the “Contact us” page or by email (info@artinleap.com).
5. Data Security
- Technical Measures: Encryption (TLS 1.3 for data in transit, and encryption at rest), strict access controls, regular security assessments, and annual ISO 27001 audits.
- Specifics for Integrated Data: For data accessed through third-party integrations (e.g., Google Workspace, Microsoft Graph API), we implement additional security measures commensurate with the sensitivity of the data and in compliance with the security requirements of the respective API providers. This includes limiting access to data to only what is necessary for the service and ensuring our processing environments meet high security standards.
- Breach Protocol: Notify EU authorities within 72 hours (GDPR Art. 33) and affected users per CCPA § 1798.150, as well as relevant technology providers as required by their terms.
6. Data Retention
- Criteria: GDPR Art. 5(1)(e) (purpose limitation).
- Client Data: 6 years post-contract termination, or as required by legal obligations.
- Integrated Service Data (for ecitonX): Data obtained from integrated services is retained only for as long as necessary to provide the ecitonX service and fulfill your requests, or until you revoke the integration or request data deletion, whichever comes first. This retention is also subject to the data retention policies of the integrated service providers.
- Job Applications: 2 years (unless consent extended).
- Anonymization: Aggregated, anonymized data not sourced from sensitive third-party integrations may be retained indefinitely for general AI training and product improvement, provided it cannot be used to identify individuals.
7. AI & Transparency
- EU AI Act Compliance:
  - Disclosures: Clear notices will be provided when you are interacting with ecitonX's AI, particularly in high-risk contexts (Art. 52).
  - Bias Mitigation: Rigorous testing and mitigation strategies are applied to our AI models to address potential biases (Art. 15).
  - Generative AI: Outputs generated by our AI will be watermarked or clearly identified as AI-generated where appropriate, per IEEE SA 2901-2019.
- ecitonX and Data Handling:
  - ecitonX is an agentic AI system designed to interact with your connected tools. When you grant ecitonX access to services like Google Workspace (Gmail, Calendar, Drive), Atlassian, Microsoft, or Slack, we adhere to strict data handling protocols.
  - Limited Use of Integrated Data: Data accessed from these integrated services, particularly from Google Workspace APIs, is processed exclusively for the purpose of providing and improving the user-facing features of ecitonX directly to you. This means your emails, calendar events, documents, and messages are processed by ecitonX's AI agent to fulfill your specific commands (e.g., drafting an email, summarizing a document, scheduling a meeting).
  - No Training of General Models: We categorically state that user content accessed via Google Workspace APIs or other sensitive integrations is not used to train, develop, or improve our general, non-personalized AI/ML models, including foundational models. Your private data remains private and serves only your personalized use of ecitonX.
  - Purpose-Built AI: Any learning or adaptation of our AI models based on your integrated service data is strictly for the purpose of enhancing the personalization and effectiveness of ecitonX for your account only, ensuring the AI better understands and serves your specific needs.
8. Third-Party Links
Disclaimer: We disclaim liability for third-party sites (e.g., LinkedIn, CRM platforms, or direct links within your integrated services) not controlled by ArtinLeap. Review their policies independently.
9. Updates
- Material Changes: We will notify you of any material changes to this Privacy Policy via email or prominent website banners (GDPR Art. 13(3)).
Archive: Previous policies are available on demand.
10. Contact
- EU: Data Protection Officer (DPO): info@artinleap.com.
- US: Designated representative under CCPA § 1798.130.
- Global: info@artinleap.com.