Privacy Policy

1. Introduction

IACGENIUS OÜ ("we", "our", or "us") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website and services at https://iacgenius.com (the "Service").

We comply with the EU General Data Protection Regulation (GDPR), Estonian Data Protection Act, and other applicable data protection laws.

2. Data Controller

3. Information We Collect

3.1 Personal Information You Provide

• Account Information: Name, email address, company name
• Billing Information: Payment details (processed by Stripe), billing address, VAT ID
• Project Information: Infrastructure requirements, technical specifications, cloud provider credentials
• Communication Data: Messages, support tickets, feedback
• Professional Information: Job title, company information, LinkedIn profile (if provided)

3.2 Automatically Collected Information

• Usage Data: Pages visited, features used, interaction with the Service
• Device Information: Browser type, operating system, IP address
• Cookies and Tracking: Session cookies, authentication tokens (see Section 9)
• Log Data: Access times, error logs, performance metrics

3.3 Information from Third Parties

• Authentication Provider (Clerk): Account verification data
• Payment Provider (Stripe): Payment status, transaction details
• Cloud Providers: Infrastructure access logs (when you grant access)

4. How We Use Your Information

We process your personal data for the following purposes and legal bases:

4.1 Service Delivery (Contractual Necessity)

• Create and manage your account
• Process payments and billing
• Deliver Infrastructure as Code solutions
• Provide customer support
• Communicate about your projects

4.2 Service Improvement (Legitimate Interest)

• Analyze usage patterns to improve our Service
• Monitor performance and fix bugs
• Develop new features and services

4.3 Legal Compliance (Legal Obligation)

• Comply with tax and accounting requirements
• Respond to legal requests and prevent fraud
• Enforce our Terms of Service
• Maintain records as required by Estonian law

4.4 Marketing (Consent)

• Send service updates and newsletters (with your consent)
• Share relevant product announcements
• You may opt-out at any time via unsubscribe links

5. AI and Data Processing

We use AI services to enhance our Infrastructure as Code development:

5.1 AI Service Providers

We use multiple AI providers for code generation, analysis, and validation:

• Microsoft Azure OpenAI: Primary AI provider for code generation. Hosted in the EU (Europe). GDPR-compliant with enterprise data isolation. Your data is not used to train models.
• OpenAI: AI code generation via GPT models. US-based with Standard Contractual Clauses for GDPR compliance. Your data is not used to train models.
• Anthropic: AI code analysis and generation via Claude models. US-based with Standard Contractual Clauses for GDPR compliance. Your data is not used to train models.
• Microsoft Azure Vision: Diagram and architecture image analysis. Hosted in EU (Germany West Central). Your uploaded images are processed transiently and not retained.

5.2 Infrastructure Validation

• AWS EC2 (eu-central-1, Frankfurt): Terraform code validation engine running on EC2 instances in the EU. Performs terraform validate and Checkov security scanning. No user data is stored on EC2 — code is processed transiently and results returned to the main application.

5.3 Multilingual AI Interaction

While our service and documentation are provided in English only, our AI systems can process technical requirements and infrastructure specifications in multiple languages. When you provide input in languages other than English:

• The AI may translate your input to English for processing
• All deliverables (code, documentation) are provided in English
• Translation processing is subject to the same privacy protections as other AI processing
• No third-party translation services are used - translation is handled by our AI providers

5.4 Data Minimization

• We only send necessary technical specifications to AI services
• Personal identifiers are removed before AI processing
• Sensitive credentials are never sent to AI services

6. Data Sharing and Disclosure

We do not sell your personal data. We share data only with:

6.1 Service Providers

• Clerk (Authentication): Account management and security
• Stripe (Payment Processing): Payment and billing services
• Vercel (Hosting): Website and application hosting
• Microsoft Azure (AI Services): AI code generation (Azure OpenAI) and diagram analysis
• OpenAI (AI Services): AI code generation via GPT models
• Anthropic (AI Services): AI code analysis and generation via Claude models
• Crisp (Live Chat): Customer support chat widget
• BotID (Security): Bot detection and fraud prevention
• Amazon Web Services (Infrastructure): Code validation engine (EC2) in EU
• GitHub (Code Delivery): Private repository hosting for deliverables

All service providers are contractually obligated to protect your data and comply with GDPR. Enterprise customers requiring a Data Processing Agreement (DPA) may request one by contacting support@iacgenius.com.

6.2 Legal Requirements

We may disclose your information if required by law, court order, or government request, or to protect our rights and safety.

7. International Data Transfers

Your data is primarily processed within the European Union (Estonia and EU-based Azure regions).

Some service providers (e.g., Stripe, GitHub) may process data outside the EU. In such cases:

• We use providers with EU Standard Contractual Clauses
• We verify adequate data protection safeguards
• We prioritize providers with EU Data Protection Board approval

8. Data Retention

• Account Data: Retained while account is active + 30 days after closure
• Hub Pro Free Tier: Session data retained for 12 months from last activity
• Hub Pro Cancellation: Session data retained for 90 days after subscription cancellation
• Consulting Project Data: Retained for 2 years after project completion (for warranty support)
• Billing Records: Retained for 7 years (Estonian accounting law requirement)
• Communication Logs: Retained for 3 years (support and legal purposes)
• Analytics Data: Anonymized after 13 months

After retention periods expire, data is securely deleted or anonymized. You will receive email notification before any data deletion occurs.

9. Cookies and Tracking Technologies

9.1 Essential Cookies

• Authentication: Keep you logged in (Clerk session cookies)
• Security: Prevent fraud and protect your account
• Preferences: Remember your settings (theme, language)

9.2 Vercel Analytics (Optional, No Cookies)

We use Vercel Analytics to understand how visitors use our website. This service does not use cookies and operates with the following characteristics:

• Cookie-Free: Uses hash-based identification instead of cookies
• Anonymous Data: Collects only aggregated, anonymous data (page views, device type, country)
• No Personal Identification: Cannot identify you personally
• 24-Hour Retention: All visitor session data is automatically deleted after 24 hours
• Consent-Based: Only loads after you consent via our cookie banner
• GDPR Compliant: Operates in compliance with EU privacy regulations

You can decline analytics tracking via our consent banner. Your choice is stored in browser local storage (not cookies) and will be remembered for 1 year.

9.3 Managing Cookies

You can control cookies through your browser settings. Note that disabling essential cookies may affect Service functionality.

10. Your Rights Under GDPR

As an EU data subject, you have the following rights:

• Right to Access: Request a copy of your personal data
• Right to Rectification: Correct inaccurate or incomplete data
• Right to Erasure ("Right to be Forgotten"): Request deletion of your data
• Right to Restrict Processing: Limit how we use your data
• Right to Data Portability: Receive your data in machine-readable format
• Right to Object: Object to processing based on legitimate interests
• Right to Withdraw Consent: Withdraw consent for marketing communications
• Right to Lodge a Complaint: File a complaint with Estonian Data Protection Inspectorate

To exercise your rights, contact us at privacy@iacgenius.com. We will respond within 30 days.

Limitations on Data Deletion

We may retain certain data when:

• Required by Estonian or EU law (e.g., accounting records)
• Necessary for legal claims or compliance
• Contractual warranty obligations are still active

11. Data Security

We implement industry-standard security measures to protect your data:

• Encryption: TLS/SSL for data in transit, AES-256 for data at rest
• Access Controls: Role-based access, multi-factor authentication
• Infrastructure Security: Azure's SOC 2, ISO 27001 certified infrastructure
• Regular Audits: Security assessments and vulnerability scanning
• Employee Training: Data protection and security best practices
• Incident Response: Data breach notification procedures

In the unlikely event of a data breach affecting your rights, we will notify you and relevant authorities within 72 hours as required by GDPR.

12. Children's Privacy

Our Service is not intended for individuals under 18 years of age. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us immediately.

13. Third-Party Links

Our Service may contain links to third-party websites (e.g., AWS, Azure documentation). We are not responsible for their privacy practices. We encourage you to review their privacy policies.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

• Email notification to registered users
• Prominent notice on our website
• In-app notification

Changes become effective 30 days after notification for existing users.

15. Contact Us

For privacy-related questions, data access requests, or to exercise your GDPR rights:

16. Legal Basis Summary