Privacy Policy

How we collect, use, and protect your personal data.

Table of Contents

Last Updated

Last Updated: 2025, May 10

The platform sferal.ai is an AI-powered system designed to assist organizations in managing, processing, and automating their data and workflows. sferal.ai is managed by SFERAL ("we", "us", "our"), a legal entity registered in Romania, having its registered office at Strada Gara Herăstrău, No. 4C, Floor 2, Unit Zona 1, Bucharest, District 2. We are committed to protecting your privacy and ensuring the secure processing of your personal data, in accordance with the EU General Data Protection Regulation (GDPR) and other applicable global data protection laws.

Scope of This Policy

This policy applies to all personal data processed by Sferal.ai in connection with the provision of its services to individuals, companies – B2B, and public bodies – B2G (clients) using the platform.

It covers data processed:

  • As a controller – when we determine the purposes and means of processing (e.g., for account management, billing, support).
  • As a processor – when we process data on behalf of our clients (e.g., document content, internal flows configured by clients).

Data Processing Overview – Purposes, Legal Bases for Processing, Retention Period

Depending on the nature of your interaction with and use of our platform, we process the following categories of personal data. Each processing activity is carried out based on the applicable legal grounds and for the retention periods specified in the table below:

Name, Surname, Email Address, Telephone Number

  • Purpose: Used for creating user accounts, communication, and customer support.
  • Legal Basis: Contract performance (GDPR Art. 6(1)(b)); Legitimate interest (GDPR Art. 6(1)(f)).
  • SFERAL’s Role: Controller.
  • Retention: While the account is active, plus 2 years after deletion.

Job Title and Company/Organization

  • Purpose: Identifies users in B2B contexts and enables tailored communications.
  • Legal Basis: Legitimate interest (GDPR Art. 6(1)(f)).
  • SFERAL’s Role: Controller.
  • Retention: 2 years from the last user interaction.

Billing and Invoicing Details

  • Purpose: Compliance with financial and legal obligations.
  • Legal Basis: Legal obligation (GDPR Art. 6(1)(c)).
  • SFERAL’s Role: Controller.
  • Retention: 5 years from July 1st of the year after the financial year in which documents were issued.

Login Credentials

  • Purpose: Responds to user inquiries and provides customer support.
  • Legal Basis: Contract performance or legitimate interest (GDPR Art. 6(1)(b)/(f), B2B).
  • SFERAL’s Role: Controller.
  • Retention: 1 year from the date of communication.

IP Address and Geolocation

  • Purpose: Used for security, analytics, and optimizing regional services.
  • Legal Basis: Legitimate interest (GDPR Art. 6(1)(f)).
  • SFERAL’s Role: Controller.
  • Retention: 12 months.

Device and Browser Type, Log Data, Usage Activity

  • Purpose: Platform optimization and diagnostics.
  • Legal Basis: Legitimate interest (GDPR Art. 6(1)(f)).
  • SFERAL’s Role: Controller.
  • Retention: 12 months.

Cookies and Tracking Technologies

  • Purpose: Analytics, marketing, and site functionality (see Cookie Policy for details).
  • Legal Basis: Consent (GDPR Art. 6(1)(a)); Legitimate interest (strictly necessary cookies, Art. 6(1)(f)).
  • SFERAL’s Role: Controller.
  • Retention: As per Cookie Policy (typically 6–24 months).

Platform Reviews, Chats, and Surveys

  • Purpose: Service improvement and feedback analysis.
  • Legal Basis: Legitimate interest (GDPR Art. 6(1)(f)).
  • SFERAL’s Role: Controller.
  • Retention: 2 years.

Voice/Video Content (Support, CCTV, Training)

  • Purpose: Quality assurance, training, and security monitoring.
  • Legal Basis: Legitimate interest (GDPR Art. 6(1)(f)); Legal obligation for CCTV (GDPR Art. 6(1)(c)).
  • SFERAL’s Role: Controller.
  • Retention: CCTV: 30 days, Support calls: 1 year, Training: 2 years

Name, Email Address, Professional Information (for Direct Marketing)

  • Purpose: Sending marketing emails or platform notifications (newsletters, offers, updates).
  • Legal Basis: Consent (GDPR Art. 6(1)(a)); Legitimate interest (Art. 6(1)(f)).
  • SFERAL’s Role: Controller.
  • Retention: Until consent is withdrawn or 2 years after the last interaction.

Cookies and Tracking Data (Pixel Data, On-site Behavior)

  • Purpose: Behavioral advertising, audience analytics, ad performance measurement.
  • Legal Basis: Consent (GDPR Art. 6(1)(a)); Legitimate interest (Art. 6(1)(f)).
  • SFERAL’s Role: Controller.
  • Retention: As per Cookie Policy (typically 6–24 months).

Survey Responses and Feedback Data

  • Purpose: Market research and product improvement.
  • Legal Basis: Consent (GDPR Art. 6(1)(a)); Legitimate interest (Art. 6(1)(f)).
  • SFERAL’s Role: Controller.
  • Retention: 2 years.

Inputs and Outputs (Prompts, Generated Content)

  • Purpose: To provide AI services, generate results, and integrate with third-party tools.
  • Legal Basis: Contract performance (GDPR Art. 6(1)(b)); Legitimate interest (Art. 6(1)(f)).
  • SFERAL’s Role: Controller for platform inputs/outputs; Processor when acting on behalf of clients (document processing).
  • Retention: As agreed in the Data Processing Agreement (DPA): While the subscription is active for paying clients, 15 days for non-paying clients.

All Platform Usage and System Interaction Data

  • Purpose: Debugging and identifying/fixing errors.
  • Legal Basis: Legitimate interest (GDPR Art. 6(1)(f)).
  • SFERAL’s Role: Controller.
  • Retention: Up to 12 months, or longer if necessary for issue resolution.

System Logs, IP Addresses, Usage Metadata, Access Credentials, Document Metadata

  • Purpose: To prevent/investigate fraud, abuse, policy violations, unauthorized access, and to protect rights.
  • Legal Basis: Legitimate interest (GDPR Art. 6(1)(f)); Legal obligation (Art. 6(1)(c)).
  • SFERAL’s Role: Controller.
  • Retention: Up to 5 years as needed for evidence or compliance, or longer if required.

User Communication Records, Account Identifiers, Logs

  • Purpose: Investigating and resolving disputes.
  • Legal Basis: Legitimate interest (GDPR Art. 6(1)(f)).
  • SFERAL’s Role: Controller.
  • Retention: 3 years after case closure or last interaction.

Security Events, Authentication Data, User Activity Logs

  • Purpose: Investigating and resolving security issues.
  • Legal Basis: Legitimate interest (GDPR Art. 6(1)(f)); Legal obligation (Art. 6(1)(c)).
  • SFERAL’s Role: Controller.
  • Retention: Up to 3 years, depending on the issue, or longer if needed.

All User and Usage Data, Identification and Contact Data

  • Purpose: Used in corporate transactions (mergers, acquisitions, asset sales) for due diligence or transfer.
  • Legal Basis: Legitimate interest (GDPR Art. 6(1)(f)).
  • SFERAL’s Role: Controller.
  • Retention: As required for the transaction duration and legal retention requirements.
  • Purpose: Compliance with legal or regulatory obligations.
  • Legal Basis: Legal obligation (GDPR Art. 6(1)(c)).
  • SFERAL’s Role: Controller.
  • Retention: As long as necessary for legal or regulatory compliance.

Client Representatives’ Data (B2B/B2G)

  • Purpose: Contract execution and professional communications.
  • Legal Basis: Legal obligation (GDPR Art. 6(1)(c)); Legitimate interest (Art. 6(1)(f)).
  • SFERAL’s Role: Controller.
  • Retention: 5 years from contract termination.

Job Applicants’ Data (CVs, Letters, Qualifications)

  • Purpose: Recruitment and candidate evaluation.
  • Legal Basis: Contract performance (GDPR Art. 6(1)(b)); Legitimate interest (Art. 6(1)(f)).
  • SFERAL’s Role: Controller.
  • Retention: 6 months from final decision unless consented for longer; non-selected candidates’ CVs are deleted immediately.

Document Content Uploaded by Paying Clients

  • Purpose: Automated data extraction and document analysis.
  • Legal Basis: Processor agreement (GDPR Art. 28).
  • SFERAL’s Role: Processor.
  • Retention: As agreed in DPA; default is while the subscription is active.

Document Content Uploaded by Non-Paying Clients

  • Purpose: Automated data extraction and document analysis.
  • Legal Basis: Processor agreement (GDPR Art. 28).
  • SFERAL’s Role: Processor.
  • Retention: 15 days.

When We Act as Data Processor

When processing on behalf of clients, the client (Controller) determines the lawful basis (e.g., consent, legitimate interest). Clients are solely responsible for ensuring that personal data in their workflows, documents, or processes is collected and processed lawfully.

AI-Specific Purposes

AI training and model refinement may be performed only with prior, explicit consent from the client.

AI-based automation and inference are used to assist in categorizing, extracting, and analyzing data. Such processing is necessary for the performance of the services as contracted by the client.

Subprocessors and Data Sharing

i) To ensure the functionality, performance, and security of our platform, we engage carefully selected third-party service providers (“subprocessors”) who may process personal data on our behalf. These subprocessors support us in areas such as AI model processing, analytics, infrastructure, customer communication, and payments.

We only engage subprocessors that provide sufficient guarantees regarding the implementation of appropriate technical and organizational measures to meet the requirements of the GDPR and ensure the protection of your rights.

Each subprocessor is contractually bound to process data in compliance with the GDPR and applicable local laws, including signing Standard Contractual Clauses where applicable.

Subprocessor Updates Clause: Changes to subprocessors will be communicated by updating this Privacy Policy. Continued use of the platform after such an update constitutes acceptance of the new subprocessor. If you object, you must cease use of the platform immediately.

Categories of Subprocessors and Their Roles:

Intercom

• Role/Function: Handles customer communication and support interactions. • Data Location: European Union (EU). • Adequacy Mechanism: EEA-based (meets data protection standards of the European Economic Area).

Hotjar

• Role/Function: Provides user behavior analytics to understand how users interact with the service. • Data Location: EU. • Adequacy Mechanism: EEA-based.

OpenAI

• Role/Function: Performs AI text processing tasks, such as Named Entity Recognition (NER), summaries, and other AI-powered features. • Data Location: Non-EU (USA). • Adequacy Mechanism: DPF* (Data Privacy Framework – compliance for data transfers between EU and USA).

Anthropic

• Role/Function: Provides generative AI processing capabilities (e.g., creating and analyzing content). • Data Location: Non-EU (USA). • Adequacy Mechanism: DPF*.

Mistral AI

• Role/Function: Processes data with EU-based large language models (LLMs). • Data Location: EU. • Adequacy Mechanism: EEA-based.

TogetherAI

• Role/Function: Provides cloud compute backend for AI model processing. • Data Location: Non-EU (USA). • Adequacy Mechanism: DPF*.

Magnetic IT

• Role/Function: Delivers infrastructure and security services. • Data Location: EU. • Adequacy Mechanism: EEA-based.

Stripe

• Role/Function: Handles payment processing and related financial operations. • Data Location: EU. • Adequacy Mechanism: EEA-based.

n8n

• Role/Function: Provides workflow automation and backend orchestration services. • Data Location: EU. • Adequacy Mechanism: EEA-based.

ii) Sharing with Affiliates and Corporate Group Entities SFERAL may disclose the categories of personal data described in this Policy with its affiliates and other entities within the same corporate group, for purposes connected to the operation of our Services and internal administration.

iii) Corporate Transactions In the event of a corporate restructuring, merger, acquisition, sale of assets, insolvency, or similar event, SFERAL may transfer your personal data as part of the business transaction, in accordance with applicable data protection laws.

iv) Third-Party Services and Integrations Our Services may include integrations with or links to third-party platforms, websites, or applications (such as social media networks). When you interact with these services, your personal data may be collected directly by the third party, and such processing will be governed by the third party’s privacy policy. SFERAL does not control how these third parties process your data and is not responsible for their practices. We encourage you to review their privacy documentation before engaging with such services.

v) Legal Obligations, Safety, and Enforcement of Rights SFERAL {#legal-obligations} may disclose your personal data when required to do so by law or when such disclosure is necessary to comply with legal, tax, or accounting obligations; respond to lawful requests from public authorities; investigate fraud, security incidents, or violations of our Usage Policy; protect the rights, safety, or vital interests of individuals; defend or enforce our legal rights or those of others; or comply with applicable contractual obligations or dispute resolution processes.

International Data Transfers

Safeguards for International Data Transfers: Where subprocessors are located outside the European Economic Area (EEA), we ensure to rely on a valid adequacy decision, as the EU-U.S. Data Privacy Framework (*DPF), or other adequate transfer mechanisms, including the use of Standard Contractual Clauses (SCCs) adopted by the European Commission and, where applicable, supplemental measures to ensure an equivalent level of protection. Also, the data transferred is limited to the minimum required for the service.

Data Subject Rights

As a data subject, you have specific rights under applicable data protection laws, including the General Data Protection Regulation (GDPR). SFERAL is committed to ensuring that your rights are respected and that you can effectively exercise them. Subject to legal conditions, you may exercise the following rights:

Right of Access

You have the right to obtain confirmation as to whether or not personal data concerning you is being processed and, where that is the case, to access the data and receive additional information regarding the processing.

Right to Rectification

You have the right to request the correction of inaccurate personal data and the completion of incomplete data.

Right to Erasure ("Right to be Forgotten")

You may request the deletion of your personal data, particularly when the data is no longer necessary for the purposes for which it was collected, or when you withdraw your consent and there is no other legal basis for processing.

Right to Restriction of Processing

You may request the restriction of processing of your personal data in certain circumstances, such as when the accuracy of the data is contested or the processing is unlawful.

Right to Data Portability

Where processing is based on your consent or a contract and is carried out by automated means, you may request to receive your personal data in a structured, commonly used, and machine-readable format and to have it transmitted to another controller.

Right to Object

You may object, on grounds relating to your particular situation, to the processing of your personal data based on legitimate interests. You also have the right to object at any time to the processing of your personal data for direct marketing purposes.

Right to Withdraw Consent

Where processing is based on your consent, you have the right to withdraw that consent at any time without affecting the lawfulness of the processing carried out before withdrawal.

Right to Lodge a Complaint

To exercise any of these rights, please contact us at [email protected]. We may require verification of your identity before processing your request. We aim to respond within one month, although this period may be extended under certain circumstances.

Managing Rights Requests (DSRs) for B2B or B2G Clients

When we act as a processor, we do not respond directly to data subject requests. We will:

  • Forward any received DSRs to the client (Controller) without delay
  • Assist clients with technical or procedural responses as agreed in the DPA

Clients are responsible for verifying identity and responding to such requests under applicable laws.

Data Security

To ensure the integrity, confidentiality, and availability of the data processed through our platform, we implement robust technical and organizational security measures at both the infrastructure and operational levels.

Data is encrypted at rest using AES-256 encryption algorithms, while communications between users and our servers are secured via TLS 1.3. We perform automated daily backups stored off-site, along with weekly and monthly backups retained in accordance with our internal data retention policy, to ensure rapid recovery in case of incidents.

Access to personal data and content processed by large language models (LLMs) is strictly controlled based on the principle of least privilege, using a permission management system. Critical operations and interactions with the platform are monitored and logged, and our systems undergo periodic security audits to identify and address potential vulnerabilities.

Our infrastructure is isolated in controlled environments, with access restricted to authorized technical personnel only. Security updates are applied regularly, and the AI models integrated within the platform are designed to uphold data privacy principles and to prevent the transfer of sensitive information to unauthorized third parties.

Children

Our Services are not directed towards, and we do not knowingly collect, use, disclose, sell, or share any information about, children under the age of 16. If you become aware that a child under the age of 16 has provided any personal data to us while using our Services, please email us at [email protected] and we will investigate the matter and, if appropriate, delete the personal data.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, or legal requirements. When we do, we will revise the “Last Updated” date at the top of the document. Where appropriate, we will notify you by email or via the platform. Continued use of the Services after the updated policy takes effect constitutes acceptance of the changes.

Contact

If you have any questions or concerns regarding this policy or your data, you can contact us at:

Email: [email protected]