Privacy Policy & Data Protection Statement
XplAInIT - IT Diagram Analysis Service
Effective Date: December 07, 2025
1. INTRODUCTION
This Privacy Policy & Data Protection Statement explains how XplAInIT ("we", "our", or "the Service") collects, uses, and protects your personal data when you use our IT diagram analysis service. We are committed to protecting your privacy and ensuring the security of your information in accordance with Regulation (EU) 2016/679 (GDPR) and Slovak Act No. 18/2018 Coll. on Personal Data Protection.
2. DATA CONTROLLER
The data controller for your personal data is:
Peter Jasenovec
Business Address: Haanova 3642/14, 851 04 Bratislava-Petržalka, Slovak Republic
Business ID (IČO): 57 102 911
Business Registry Number: 110-357054
3. DATA WE COLLECT
When you use our Service, we may collect the following types of data:
3.1 Uploaded Documents
We process IT diagrams you upload (UML, BPMN, ArchiMate, and other technical documents) solely for the purpose of providing analysis results. These documents may contain technical and business information about your organization's processes and systems.
3.2 Authentication Data
We collect authentication credentials (username and password) necessary to control access to the Service and ensure only authorized users can upload documents.
3.3 Technical Data
We automatically collect certain technical information such as IP addresses, browser type, access times, and system logs necessary for service operation and security.
4. HOW WE USE YOUR DATA
We use your personal data exclusively for the following purposes:
4.1 Service Delivery
To analyze your uploaded IT diagrams and provide business-friendly insights in the Slovak language. This processing is necessary for the performance of our service contract with you (GDPR Art. 6(1)(b)).
4.2 Service Improvement (Anonymized Only)
We may use fully anonymized data derived from uploaded documents to improve our AI analysis capabilities and service quality. Anonymization removes all identifying information about your organization, projects, and business processes. Anonymized data cannot be traced back to you or your organization.
4.3 Authentication & Security
To verify your identity, control access to the Service, and protect against unauthorized access (GDPR Art. 6(1)(f) - legitimate interests in security).
5. DATA SECURITY & PROTECTION
We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Access Control: HTTP Basic Authentication protects service access
- Encryption in Transit: All data transmission uses HTTPS/TLS encryption
- Private Infrastructure: Service hosted on private Railway.com infrastructure
- No Third-Party Access: Only the data controller (Peter Jasenovec) has access to your data
- Secure Processing: AI processing performed via secure Anthropic Claude API
- Limited Retention: Uploaded documents are processed and not permanently stored unless required for service delivery
6. OUR COMMITMENT TO YOUR PRIVACY
We solemnly commit that:
- ✓ Your uploaded documents and analysis results are NOT shared with any third parties except as necessary for service operation (AI processing via Anthropic API under their privacy terms)
- ✓ Your data is NOT sold, rented, or disclosed to any other organizations or individuals
- ✓ Your data is NOT used for marketing purposes
- ✓ Only fully anonymized data (with all identifying information removed) may be used to improve service functionality
- ✓ Only the data controller (Peter Jasenovec) has access to your original uploaded documents and authentication data
7. THIRD-PARTY SERVICE PROVIDERS
To provide our Service, we use the following trusted third-party processors who are bound by their own privacy policies:
- Anthropic (Claude AI API): Processes uploaded diagrams to generate analysis. Subject to Anthropic's privacy policy.
- Railway.com: Provides hosting infrastructure. Subject to Railway's privacy policy.
- n8n: Workflow automation platform running on our infrastructure.
These processors are carefully selected and process data only as instructed by us in accordance with GDPR requirements.
8. YOUR RIGHTS UNDER GDPR
Under the GDPR and Slovak data protection law, you have the following rights:
- Right of Access (Art. 15): Request information about what personal data we process about you
- Right to Rectification (Art. 16): Request correction of inaccurate personal data
- Right to Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten")
- Right to Restriction (Art. 18): Request limitation of processing under certain circumstances
- Right to Data Portability (Art. 20): Request your data in a structured, machine-readable format
- Right to Object (Art. 21): Object to processing based on legitimate interests
- Right to Withdraw Consent: Withdraw any consent you have given at any time
To exercise any of these rights, please contact the data controller at the address provided in Section 2. We will respond to your request within one month as required by GDPR Article 12.
9. DATA RETENTION
We retain your personal data only as long as necessary for the purposes outlined in this policy:
- Uploaded Documents: Processed temporarily and not permanently stored unless you request storage
- Analysis Results: Delivered to you via the interface; not stored on our servers long-term
- Authentication Data: Retained as long as your account is active
- System Logs: Retained for security purposes for a maximum of 90 days
Upon account deletion or service termination, all your personal data will be permanently deleted within 30 days, except where longer retention is required by law.
10. INTERNATIONAL DATA TRANSFERS
Your data may be transferred to and processed in countries outside the European Economic Area (EEA) when using third-party services (e.g., Anthropic Claude API). These transfers are protected by:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions under GDPR Article 45
- Other appropriate safeguards ensuring your data protection rights
11. RIGHT TO LODGE A COMPLAINT
If you believe your data protection rights have been violated, you have the right to lodge a complaint with the supervisory authority:
Office for Personal Data Protection of the Slovak Republic
(Úrad na ochranu osobných údajov Slovenskej republiky)
Hraničná 12, 820 07 Bratislava 27, Slovak Republic
Website: https://dataprotection.gov.sk
Email: statny.dozor@pdp.gov.sk
12. CHANGES TO THIS PRIVACY POLICY
We may update this Privacy Policy from time to time to reflect changes in our practices or for legal, operational, or regulatory reasons. We will notify you of any material changes by posting the new Privacy Policy on our website with an updated effective date. Your continued use of the Service after such changes constitutes acceptance of the updated policy.
13. CONTACT INFORMATION
If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact:
Data Controller: Peter Jasenovec
Address: Haanova 3642/14, 851 04 Bratislava-Petržalka, Slovak Republic
Business ID: 57 102 911
This Privacy Policy is governed by Slovak and European Union data protection law.
Last updated: December 07, 2025