This Privacy Policy explains how Artless Passion (“Artless Passion”, “we”, “us”, “our”) collects, uses, discloses, and safeguards personal data in connection with the Artless Passion Numineus service and our websites. It is written for institutional and enterprise customers (universities, research institutes, companies) and their authorized users.

Where we process Customer Content on your instructions, we act as a Processor and our Data Processing Addendum (DPA) governs. For Account, Billing, Marketing and Security/Telemetry data we act as Controller. If there is a conflict between this Policy and the DPA for Customer Content, the DPA prevails.

–––––––––––––––––––––––––––––––––––

1. Who we are & how to contact us
   Controller (for Account/Website/Telemetry data): Artless Passion, Sweden (EU/EEA)
   Email (privacy requests): privacy@artlesspassion.org
   Data Protection Officer (DPO): dpo@artlesspassion.org
   EU Representative: Not applicable (EU-established controller)
   UK Representative: Not applicable (no UK establishment)
   If you reside in the EEA, you may contact your local authority (e.g., IMY in Sweden).

2. Scope
   This Policy applies to: (i) authorized users of our services; (ii) website and dashboard visitors; and (iii) prospects who interact with us (events, demos). It does not cover third-party services you connect (e.g., SSO/IdP, storage, analytics); those have their own policies.

3. Roles (Controller vs. Processor)
    • Controller: Account and Billing Data, Service Telemetry/Security Logs, marketing preferences, and support metadata we create.
    • Processor: Customer Content you or your institution submit to or generate from the service (prompts, files, outputs, metadata) processed strictly on your documented instructions and the DPA.
    • Customer as Controller: Customers decide what personal data (if any) to include in Customer Content and are responsible for providing notices and establishing a lawful basis.

4. Data we collect
    a) Account & Billing Data (Controller): name, institutional email, role, SSO identifier, billing contacts, purchase orders, VAT/tax IDs, transaction records.
    b) Service Telemetry & Security Logs (Controller): IP address, device and browser info, timestamps, session IDs, feature usage, performance/error logs, security signals (e.g., anomaly flags, abuse prevention).
    c) Customer Content (Processor): prompts, files, spectra, reaction schemes, tables, code, notes, outputs, and minimal metadata needed to provide the service. Do not include special categories of personal data unless strictly necessary and permitted by law and the DPA.
    d) Support & Communications (Controller/Processor): tickets, attachments, emails, and related metadata. We are Controller for support metadata; if you attach Customer Content we process it as Processor.
    e) Marketing & Events (Controller): newsletter sign-ups, webinar registrations, conference interactions, and campaign attribution. Marketing is opt-in where required and can be withdrawn at any time.

We obtain data from you or your institution (e.g., SSO/IdP), from your devices (telemetry), and from limited third parties (resellers, payment processors, fraud-prevention/security tools).

1. Purposes & legal bases (EEA/UK focus)
    • Provide and maintain the service (including core ML inference, routing, scaling) – Contract performance; legitimate interests (operate service).
    • Authenticate users and authorize access (incl. SSO/IdP) – Contract; legitimate interests (security).
    • Secure, monitor, and prevent abuse – Legitimate interests; legal obligations where applicable.
    • Customer support – Contract; legitimate interests (support).
    • Billing and account management – Contract; legal obligations (tax/accounting).
    • Product quality and safety – Legitimate interests using aggregated/anonymized telemetry; any use of Customer Content for improvement occurs only if enabled by Customer in writing or via settings.
    • Marketing (B2B) – Consent where required; otherwise legitimate interests.

No Selling / No Targeted Advertising: We do not sell personal data or engage in cross-context behavioral advertising as defined by U.S. state privacy laws.

1. AI/ML use and automated decisions
    • Inference by default: We use Customer Content to perform inference and return outputs. We do not train or fine-tune models on Customer Content unless the Customer has explicitly enabled this in admin settings or the contract.
    • Quality & safety signals: We may use de-identified, aggregated signals (e.g., error rates, safety flags) to improve reliability. If any dataset could be re-identifiable, we obtain prior written instructions/consent from the Customer.
    • Automated decision-making: Our service provides decision support, not solely automated decisions with legal or similarly significant effects. If a Customer builds automation, the Customer is responsible for compliance (e.g., GDPR Art. 22 assessments).
    • Optional third-party models/APIs: If enabled by the Customer, those providers process data under their own terms and our DPA/Subprocessor list.

2. Sensitive data, research, and education
    • Do not submit special category data (e.g., health, genetic, biometric) unless strictly necessary and permitted by law and the DPA.
    • HIPAA/FERPA: We are not a HIPAA Business Associate or FERPA School Official by default. We will sign the appropriate addendum only with enterprise customers and then process such data strictly as a Processor/BA/School Official.
    • Student data: Institutional customers must ensure appropriate notices/consents and lawful bases before using the service with student data.

3. Sharing & disclosures
   We disclose personal data only as necessary:
    • Subprocessors: cloud hosting, SSO/IdP, email delivery, logging/monitoring, support tools (current list and purposes available at artlesspassion.org/subprocessors).
    • Affiliates and vetted contractors: bound by confidentiality and data-protection terms.
    • Legal and safety: to comply with law or protect rights/safety, or to respond to lawful requests (see Section 14).
    • Corporate transactions: as part of a merger, acquisition, or reorganization, with safeguards and notice.
    • At Customer’s direction: e.g., to a storage destination or collaboration partner the Customer configures.

We do not permit our Subprocessors to use personal data for their own marketing.

1. International transfers
   Where data is transferred internationally, we use appropriate safeguards: EU Standard Contractual Clauses (2021) and UK IDTA/Addendum as applicable, plus transfer impact assessments and additional technical/organizational measures. Where an adequacy decision or recognized data bridge exists, we may rely on it.

2. Security
   We implement appropriate technical and organizational measures, including encryption in transit and at rest, least-privilege access with MFA, network isolation, vulnerability management, logging/monitoring, secure SDLC, personnel controls where appropriate, and incident response procedures. Independent attestations (e.g., ISO/IEC 27001, SOC 2) may be available under NDA. We notify affected customers without undue delay of personal-data breaches as required by law and our DPA.

3. Retention & deletion
    • Customer Content (Processor): retention is governed by Customer settings and the DPA. By default we retain as configured by the Customer and delete or return Customer Content upon termination or written request within the contractually agreed period unless law requires retention.
    • Account/Billing/Telemetry (Controller): retained only as long as necessary for operations or legal obligations, then deleted or anonymized. Backup deletions propagate on the next scheduled cycle.

4. Your rights
   EEA/UK/Switzerland: Subject to law, you may request access, rectification, erasure, restriction, and portability; object to processing based on legitimate interests; and withdraw consent at any time. You can also lodge a complaint with your data-protection authority (e.g., IMY in Sweden). Where we process data as a Processor, contact your institution; we will support them.
   
   United States (state laws): Depending on your state, you may have rights to know/access, correct, delete, obtain a portable copy, and opt out of “sale,” “sharing” (cross-context behavioral advertising), or “targeted advertising.” We do not sell personal data or engage in cross-context behavioral advertising.
   
   Brazil (LGPD), Canada (PIPEDA/Quebec Law 25), Australia (Privacy Act), Singapore (PDPA), China (PIPL): You may have analogous rights (access, correction, deletion/erasure, portability, objection/withdrawal). For cross-border transfers subject to local approvals, we use appropriate mechanisms or contractual measures.

How to exercise your rights: email privacy@artlesspassion.org. We will verify your identity and respond within applicable timeframes. If we act as Processor, we will promptly notify and assist the Customer.

1. Cookies & similar technologies
   We do not use cookies or similar tracking technologies on our websites or services, except those strictly necessary for secure operation (such as session authentication, if enabled by your institution).

2. Government and law-enforcement requests
   We review all requests, require a valid legal basis, limit disclosure to what is legally required, and notify affected customers unless prohibited by law or where notice would create a clear risk of harm. We publish periodic transparency information where lawful.

3. Third-party links & integrations
   Our services may include links to third-party sites or optional integrations. Their privacy practices are governed by their own policies. Customers control whether to enable integrations and are responsible for data flows they configure.

4. Changes to this Policy
   We may update this Policy to reflect legal, technical, or business developments. We will post changes on this page and, where changes are material, provide prominent notice before they take effect. The “Last Updated” date shows the latest revision.

5. Contact
   Questions or concerns about this Policy: privacy@artlesspassion.org
   DPO: dpo@artlesspassion.org

Definitions (plain language):

 “Account Data” means business contact/profile data used to create and administer user accounts.
 “Customer” means the institutional entity that licenses our service and authorizes users.
 “Customer Content” means data/files/materials submitted to, stored in, or generated by the service at the Customer’s direction, including outputs.
 “Controller/Processor” have the meanings in GDPR/UK GDPR (analogous roles apply under other laws).
 “Personal Data/Personal Information” means information relating to an identified or identifiable individual.
 “Service Telemetry” means technical and usage data generated by use of the service for security, reliability, and performance.
 “Subprocessor” means a third party engaged by us (as Processor) to process Customer Content.

Questions? privacy@artlesspassion.org