Privacy Policy - Smartegy.ai

1. Introduction

The developer and rights holder of Smartegy.ai (hereinafter: "Service") is Chain Advisory Kft., and its joint operator is Erba 96 Kft. (hereinafter collectively: "Data Controllers", "we", "us"). We are committed to protecting users' personal data. The purpose of this Privacy Policy is to inform you about how we collect, use, store and protect your personal data in accordance with the European Union's General Data Protection Regulation (GDPR - Regulation 2016/679/EU) and Hungarian data protection legislation (Act CXII of 2011 on Informational Self-Determination and Freedom of Information). Chain Advisory Kft. and Erba 96 Kft. are joint controllers under Article 26 of the GDPR.

2. Data Controllers Information

Developer and rights holder: Chain Advisory Kft.
Registered office: 1037 Budapest, Táborhegyi út 18/f, Hungary
Company registration: 01-09-326168
Tax number: 26361518-2-41

Joint controller and operator:

Erba 96 Kft.
Registered office: 1142 Budapest, Stubnyai utca 4., Hungary
Company registration: 01-09-561901
Tax number: 12175590-2-42

Email: [email protected]
Website: https://smartegy.ai

Data Protection Officer (DPO):

Name: Erik Árokszállási
Email: [email protected]

3. Definitions

Personal data: any information relating to an identified or identifiable natural person.
Data processing: any operation performed on personal data (collection, recording, storage, modification, retrieval, use, deletion, etc.).
Data subject: the natural person whose personal data is being processed.
Data processor: an organization that processes personal data on behalf of the Data Controller.
Business data: corporate/business information uploaded by the Data Subject to the Service or analyzed by the Service.

4. Scope of Personal Data Processed

4.1. Registration and Account Data

Full name, email address, password (encrypted), company name, phone number, job title/position, company address.

4.2. Service Usage Data

Login data and timestamps, usage statistics, query history, generated reports and analyses, IP address, browser type and version, device information.

4.3. Business Data

Information uploaded by you or derived from business databases connected to the system, which we use for AI-based analysis. This data is processed exclusively in your isolated environment.

4.4. Communication Data

Correspondence with customer support, feedback and opinions.

5. Purposes and Legal Bases for Data Processing

Purpose	Legal Basis	Retention Period
Creating and managing user account	Performance of contract (GDPR Art. 6(1)(b))	Until account deletion
Providing service (AI-based analytics)	Performance of contract (GDPR Art. 6(1)(b))	Until account deletion
Customer service and support	Legitimate interest (GDPR Art. 6(1)(f))	2 years
Billing and accounting	Legal obligation (GDPR Art. 6(1)(c))	8 years (accounting law)
Service improvement	Legitimate interest (GDPR Art. 6(1)(f))	Unlimited if anonymized
Security purposes, fraud prevention	Legitimate interest (GDPR Art. 6(1)(f))	1 year
Marketing communications (if consented)	Consent (GDPR Art. 6(1)(a))	Until withdrawal

6. Data Processors and Third Parties

We use the following data processors in operating the Service:

6.1. Hosting Provider

Provider: Scaleway S.A.S. (France)
Purpose: Providing Service infrastructure (dedicated server)
Data location: European Union (France)
Privacy Policy: https://www.scaleway.com/en/privacy-policy/
Contracts and DPA: https://www.scaleway.com/en/contracts/

6.2. Geo-Redundant Backup Storage

Smartegy.ai performs automatic daily backups of every customer instance, database, audit log, and stored data. Backups are stored geo-redundantly at Hetzner Online GmbH's German data center, entirely within the European Union.

Provider: Hetzner Online GmbH
Registered office: Industriestr. 25, 91710 Gunzenhausen, Germany
Commercial register: Ansbach Registration Office, HRB 6089
EU VAT No.: DE 812871812
Purpose: Geo-redundant storage of daily automatic backups
Data location: Germany (EU)
Hetzner Privacy Policy
Hetzner Legal Notice

6.3. AI Provider

Provider: Amazon Web Services EMEA SARL (AWS Bedrock)
Purpose: Artificial intelligence-based analytics and response generation (Anthropic Claude models)
Region: eu-central-1 (Frankfurt, Germany)
Privacy Notice: https://aws.amazon.com/privacy/
Service Terms: https://aws.amazon.com/service-terms/
Data Processing Addendum (DPA): https://d1.awsstatic.com/legal/aws-dpa/aws-dpa.pdf
Data Privacy FAQ: https://aws.amazon.com/compliance/data-privacy-faq/

Data flow during AI processing:

To provide the Service, your business data is processed by the AI system in its original form. This is necessary for the system to produce accurate analyses, queries, and reports. The data flow is as follows: your query and the relevant business data are transmitted via an encrypted channel (TLS 1.3) to the AWS Bedrock service, which generates the AI response, and the result is returned to your isolated environment.

Data protection guarantees:

No model training: The AWS Bedrock service does NOT use your data for training, fine-tuning, or improving AI models. This is contractually guaranteed by the AWS Data Processing Addendum (DPA).

No data retention: AWS Bedrock does NOT store input data (prompts) or generated responses after processing is complete. Data exists in the AWS system only for the duration of response generation.

EU-only processing: All AI processing takes place exclusively in the AWS eu-central-1 region (Frankfurt, Germany). Data is never transferred outside the European Union under any circumstances.

Data isolation: Each customer operates in their own isolated environment (Docker container). Your data is not accessible to other customers.

Encrypted transmission: All communication between the server and AWS Bedrock is protected by TLS 1.3 encryption.

Important note: Business data is NOT anonymized by default during AI processing, as masking and hiding personal data from the LLM requires custom, client-specific solutions due to the inherent nature of LLM technology. Data protection is ensured through isolation, encryption, EU-only processing, and the prohibition of model training.

Custom anonymization option:

If the client insists on data anonymization, it can be implemented based on a jointly developed plan. The process is as follows: (1) We discuss with the client the scope and details of the data to be anonymized. (2) We develop a detailed anonymization plan, which may include the use of pseudonyms, masking techniques, or other data protection solutions. (3) The plan defines the process: who does what - i.e., what modifications are needed on the data source side and how we can assist with the implementation. (4) The plan describes in detail the functional limitations that anonymization will impose on usage, and what special usage practices must be followed (e.g., using pseudonyms in queries, special identifier systems, etc.). It is important to note that anonymization always entails certain usage restrictions, which the client will be informed of when accepting the plan.

Database access and data protection:

It is important to clarify that the AI system (LLM) does NOT have direct access to the client's database. The LLM only sees the database structure (schema) — i.e., table names, columns, and data types — as well as the user's request formulated in natural language. Database queries are generated by a specialized agent in SQL format, but query execution takes place exclusively in the locally hosted or the client's own database, not in the LLM. The LLM therefore never sees the entire database — it only knows the structure and the user's query parameters, then receives the query results for formulating the response. Data collection is always performed by a specialized agent based on the LLM's instructions.

Agent-based (agentic) workflow architecture:

Smartegy.ai employs an agent-based (agentic) architecture that ensures secure and deterministic data processing as follows:

USER→ORCHESTRATOR (LLM)→AGENT→LOCAL DB / SERVICE

←←← response ←←←

1The user asks their question in natural language.

2The orchestrator (central LLM) interprets the request and decides which specialized agent to involve (e.g., database query agent, report generator, email sender, etc.).

3The specialized agent executes the task deterministically: SQL queries run in the local database, file generation occurs on the local server, email sending goes through a dedicated service.

4The result is returned to the orchestrator, which formulates the response for the user.

Why is this solution deterministic? The LLM serves exclusively as a reasoning and decision-making component: it decides WHAT needs to be done and HOW to formulate the response. The actual execution (data queries, file generation, email sending) always takes place in local, isolated code that the LLM cannot bypass. The agents have strictly regulated permissions (e.g., the database query agent can only execute SELECT statements, meaning it can only read data, not modify it). This separation ensures that data never leaves the protected environment, and operations always run within controlled boundaries.

6.4. Reseller Partners

The Service may be sold through reseller partners. Reseller partners act as independent data controllers in their own sales and customer relationship processes. As a general rule, reseller partners do not participate in and do not have access to the processing of business data handled during the provision of the Service and data related to the use of the Service, unless the parties agree otherwise in a separate agreement (e.g., support services).

6.6. EU GPU Server

Smartegy.ai runs its specialized AI microservices (forecasting, named entity recognition, neural time-series analysis) on its own high-performance GPU server rented within the EU. These models process data exclusively within the EU territory. The GPU server is not a third-party cloud service, but dedicated hardware under our own supervision.

Data location: European Union

6.7. Google Speech Recognition

Smartegy.ai's speech recognition feature uses the Google Web Speech API, which runs directly in the user's browser. Audio data is not sent to Smartegy.ai servers — processing occurs between the browser and Google. No audio recordings are stored on our servers.

By using the microphone button, the user acknowledges that speech recognition is performed via the Google Web Speech API.

6.8. ElevenLabs (Text-to-Speech)

Smartegy.ai's text-to-speech feature uses the ElevenLabs service. The AI response text is sent to ElevenLabs servers for speech synthesis processing. ElevenLabs deletes the data after use.

The user can disable the text-to-speech feature at any time in their settings.

By using the voice features (microphone button, text-to-speech), the user acknowledges that we use the Google Web Speech API for speech recognition and the ElevenLabs service for text-to-speech.

ElevenLabs Privacy Policy: https://elevenlabs.io/privacy

We have concluded data processing agreements with all data processors to ensure GDPR-compliant data protection.

Important: The Smartegy.ai system operates entirely within the European Union. AI processing takes place in the AWS eu-central-1 (Frankfurt) region. Personal data is NOT transferred outside the EU.

7. Your Rights

Under the GDPR, you have the following rights:

7.1. Right of Access (Article 15)

You have the right to request information about which personal data we process and to receive a copy of it.

7.2. Right to Rectification (Article 16)

You can request the correction of inaccurate personal data or the completion of incomplete data.

7.3. Right to Erasure ("Right to be Forgotten") (Article 17)

You can request the deletion of your personal data if: the data is no longer needed; you withdraw your consent; you object to processing; the processing is unlawful.

7.4. Right to Restriction of Processing (Article 18)

You can request the restriction of processing in certain cases.

7.5. Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, machine-readable format and to transfer it to another data controller.

7.6. Right to Object (Article 21)

You have the right to object to the processing of your personal data based on legitimate interest.

7.7. Rights Related to Automated Decision-Making (Article 22)

You have the right not to be subject to a decision based solely on automated processing that produces legal effects concerning you.

To exercise your rights, please contact our Data Protection Officer at [email protected]. We will respond to requests within 30 days. For complex requests, this period may be extended by an additional 60 days.

8. Data Security

To protect your data, we apply the following technical and organizational measures:

Encryption: All data is stored encrypted (AES-256) and transmitted through encrypted channels (TLS 1.3).
Isolated environments: Each customer's data is stored and processed in separate, isolated environments.
Access management: Strict access rules, multi-factor authentication option.
Regular backups: Regular security backups of data are made.
Security audits: Regular security checks and vulnerability assessments.
Incident management: Documented data protection incident management procedure.

Two-Factor Authentication (2FA)

Smartegy.ai strongly recommends enabling two-factor authentication (2FA) for all users. 2FA significantly reduces the risk of unauthorized access. The user bears sole responsibility for any data breach or unauthorized access resulting from not enabling 2FA.

Password Management and User Responsibility

The user is obligated to keep their password confidential and store it securely. If the user shares their password with a third party, discloses it, or stores it carelessly in an insecure manner (e.g., in a plain text file, on paper, on a shared device), the user bears sole responsibility for any resulting unauthorized access and its consequences.

Password Change After First Login

It is strongly recommended to change the system-issued password to a unique, strong password immediately after the first login. If the user fails to change the password, they bear responsibility for any resulting security risks.

9. Cookies

The Smartegy.ai website and application uses only cookies essential for operation:

Session cookies: For login and maintaining secure sessions.
Language settings: To remember your language preference.

We do not use: tracking cookies, marketing/advertising cookies, third-party analytics cookies.

10. Protection of Children's Data

The Service is not intended for children. We do not knowingly collect personal data from persons under 16 years of age. If we become aware that we are processing data of a person under 16, we will delete it immediately.

11. Changes to Privacy Policy

We reserve the right to modify this Privacy Policy. We will notify users of changes through the Service or via email. We will provide at least 30 days' notice for material changes.

12. Right to Lodge a Complaint

If you believe that the processing of your personal data violates GDPR provisions, you have the right to lodge a complaint with the supervisory authority:

Hungarian National Authority for Data Protection and Freedom of Information (NAIH)

Address: 1055 Budapest, Falk Miksa utca 9-11., Hungary
Postal address: 1363 Budapest, Pf. 9., Hungary
Phone: +36 1 391 1400
Email: [email protected]
Website: https://naih.hu

You may also apply to a court if you believe the processing of your personal data is unlawful.

13. Contact

If you have questions about this Privacy Policy or the processing of your personal data, please contact us:

Chain Advisory Kft. (developer, rights holder)

Address: 1037 Budapest, Táborhegyi út 18/f, Hungary

Erba 96 Kft. (joint controller, operator)

Address: 1142 Budapest, Stubnyai utca 4., Hungary

Email: [email protected]

Data Protection Officer:

Erik Árokszállási
Email: [email protected]