Privacy Policy

1. Who We Are

"Partikl" means the Partikl platform operated by [Aleksei Umanchenko] I/E (Individual Entrepreneur, Registration No: 346991687), registered in Georgia.

For the purposes of EU data protection law (GDPR), Partikl is the data controller for Account data and the data processor for Customer Content you upload and process through the Service.

Contact for privacy matters: privacy@partikl.io

2. Scope of This Policy

This Privacy Policy applies to:

• Visitors to partikl.io and its subdomains
• Registered Account holders
• Users of the Partikl API
• Contacts who communicate with us by email

This Policy does not apply to Customer Content that you process through Partikl Pipelines. You are the controller of that data. Our obligations as processor are described in the Data Processing Agreement (DPA) at partikl.io/legal/dpa.

3. What We Collect and Why

3.1 Account Data

What: Name, email address, company name (optional), country.

Why: To create and manage your Account, communicate with you about the Service, and comply with legal obligations.

Legal basis: Contract (necessary to provide the Service); Legitimate interest (communications and security).

3.2 Billing and Payment Data

What: Billing address, payment method type (card last 4 digits only), invoice history, subscription status.

Note: Full payment card data is processed directly by our payment processor and is never stored on Partikl infrastructure.

Why: To process payments, manage subscriptions, and comply with tax and accounting obligations.

Legal basis: Contract; Legal obligation.

3.3 Usage Data

What: Aggregated and anonymized metrics including: API request counts, Processing task counts, storage consumption, bandwidth consumption, error rates, and feature usage patterns.

What we do NOT collect: Individual request content, per-user behavioral profiles, browsing history, or any data that identifies individual usage patterns.

Why: To operate the Service, enforce plan limits, calculate billing, and understand aggregate Service performance.

Legal basis: Contract; Legitimate interest.

3.4 Technical Data

What: IP address (for security and fraud prevention), User-Agent string, API client version, session token identifiers (not content).

Why: To detect unauthorized access, prevent abuse, enforce rate limits, and maintain security.

Retention: IP addresses are retained for 90 days for security purposes, then deleted or anonymized.

Legal basis: Legitimate interest (security and fraud prevention).

3.5 Communications Data

What: Emails and messages you send us, support ticket content, feedback you submit.

Why: To respond to your requests and improve the Service.

Legal basis: Legitimate interest; Contract.

3.6 What We Do Not Collect

We do not collect:

• The content of your Customer Content files (images, videos, documents)
• Sensitive personal data (health, biometric, financial beyond billing, political, religious)
• Data from your end users (the people who access content served through your application)
• Location data beyond country-level derived from IP
• Any data through cookies (we do not use cookies)

4. How We Use Your Data

4.1 Service Operation

We use your data to:

• Authenticate your Account and API requests
• Process payments and manage subscriptions
• Enforce plan limits and calculate Overage
• Deliver support and respond to inquiries
• Send transactional notifications (billing, security alerts, account status)

4.2 Service Improvement

We use aggregated, anonymized usage data to:

• Understand which features are used and which have problems
• Make infrastructure and capacity planning decisions
• Improve Service performance

This analysis is performed on aggregated data and does not involve profiling of individual users.

4.3 Security and Compliance

We use Technical Data to:

• Detect and prevent unauthorized access
• Identify and respond to abuse
• Comply with legal obligations and law enforcement requests

4.4 No Sale of Data

We do not sell, rent, or trade your personal data to any third party for their independent marketing or commercial purposes. Ever.

4.5 No AI Training

We do not use your personal data or Customer Content to train, fine-tune, benchmark, or evaluate any machine learning model, whether operated by us or by any third party.

4.6 Marketing Communications

We may send you product updates, feature announcements, and occasional promotional communications. You can unsubscribe from marketing emails at any time using the link in any such email.

Transactional emails (billing, security, account status) cannot be unsubscribed as they are necessary for the Service.

5. Legal Bases for Processing (GDPR)

For users in the European Economic Area (EEA), we process personal data on the following legal bases:

Where we rely on Legitimate interest, we have assessed that our interests do not override your fundamental rights and freedoms. You may object to processing based on Legitimate interest at any time (see §9.5).

6. Cookies and Local Storage

6.1 No Cookies

Partikl does not use cookies of any kind — neither essential, analytical, functional, nor advertising cookies.

6.2 Local Storage

The Service stores a session authentication token in your browser's local storage. This token is strictly necessary to authenticate your API requests and dashboard sessions. It contains no personal data beyond a cryptographic session identifier.

Because this storage is strictly necessary for the Service to function, it does not require your consent under EU ePrivacy law.

6.3 Analytics

Website and application analytics, where used, are implemented using privacy-preserving, cookieless tools (self-hosted Umami or equivalent). These tools collect aggregated, anonymized data only and do not identify individual users. No consent is required.

7. Data Location and Transfers

7.1 Default Data Location

By default, Account data and Customer Content are stored in EU-based infrastructure (Netherlands region).

7.2 Per-Namespace Data Location

Where the Service supports configurable data residency, you may select a preferred storage region for each Namespace in your dashboard. Available regions are listed in the documentation.

7.3 International Transfers

Where Customer Content or Account data is processed outside the EEA (for example, by a sub-processor with infrastructure in other regions), we ensure appropriate safeguards are in place, including:

• EU Standard Contractual Clauses (SCCs) with sub-processors
• Data Processing Agreements with all sub-processors

7.4 Sub-Processors

We use a limited number of sub-processors to operate the Service. A current list of sub-processors, including their function, location, and DPA status, is maintained at partikl.io/legal/subprocessors.

We will provide 30 days advance notice before adding a new sub-processor that processes personal data. Notice is given via email and dashboard notification. You may object to a new sub-processor within this period.

Current categories of sub-processors include:

8. Security

8.1 Encryption

Customer Content is encrypted at rest using AES-256-GCM or ChaCha20-Poly1305 (configurable per Namespace). Data is encrypted in transit using TLS 1.3. Cached copies at edge locations are also encrypted.

8.2 Access Controls

Access to production infrastructure is restricted to authorized personnel only. Partikl personnel do not access Customer Content in plain text. Access events are logged for audit purposes.

8.3 No Plain-Text Key Storage

Encryption keys are not stored in plain text at any layer of our infrastructure. Key management details are available on our Security page at partikl.io/security.

8.4 Breach Notification

In the event of a data breach affecting your personal data, we will notify you and applicable supervisory authorities within 72 hours of becoming aware of the breach, as required by GDPR Article 33/34. Notification will describe the nature of the breach, data affected, likely consequences, and measures taken.

9. Your Rights

9.1 Overview

Depending on your location, you have the following rights regarding your personal data. We have built self-service tools in the dashboard so you can exercise most rights without contacting us.

9.2 Right of Access

You have the right to know what personal data we hold about you.

How to exercise: Dashboard → Account Settings → Data → Export My Data. A structured export of your Account data is generated within 24 hours.

9.3 Right to Rectification

You have the right to correct inaccurate personal data.

How to exercise: Dashboard → Account Settings → Profile. Most data can be updated directly. For billing data corrections, contact privacy@partikl.io.

9.4 Right to Erasure (Right to be Forgotten)

You have the right to request deletion of your personal data.

How to exercise: Dashboard → Account Settings → Data → Delete Account.

Upon deletion request:

• Customer Content: deleted within 30 days
• Account profile data: deleted within 30 days
• Billing records: retained for the legally required period (see §10.2), then automatically deleted
• Anonymized aggregated usage data: may be retained (it cannot identify you)

Note: deletion of Account data may make it impossible to continue using the Service.

9.5 Right to Object

You have the right to object to processing based on Legitimate Interest.

How to exercise: Email privacy@partikl.io with subject "Objection to Processing." We will assess your objection and respond within 30 days.

9.6 Right to Data Portability

You have the right to receive your personal data in a structured, machine-readable format.

How to exercise: Same as Right of Access (§9.2). Export includes Account data in JSON format and Customer Content in original formats.

9.7 Right to Restrict Processing

You have the right to request that we restrict processing of your data in certain circumstances (for example, while contesting accuracy).

How to exercise: Email privacy@partikl.io. We will respond within 30 days.

9.8 Rights Related to Automated Decision-Making

We do not make automated decisions about you that produce legal or similarly significant effects. Automated content moderation (§6 of the Terms of Service) is subject to human review upon appeal.

9.9 Exercising Your Rights

We aim to respond to all privacy requests within 30 days. In complex cases, we may extend this period by a further 60 days with notice to you.

We may need to verify your identity before processing your request. We will not charge a fee for reasonable requests.

If you are in the EEA, you also have the right to lodge a complaint with your local supervisory authority. A list of EEA supervisory authorities is available at edpb.europa.eu.

10. Data Retention

10.1 Account and Content Data

10.2 Billing Data

Billing records, invoices, and transaction data are retained for the period required by applicable law — typically 7 years in EU jurisdictions. After this period, billing data is automatically and permanently deleted.

This retention applies regardless of Account status and cannot be waived as it is required by law.

10.3 Anonymized Data

Aggregated, anonymized usage statistics that cannot identify you may be retained indefinitely for Service improvement purposes.

11. Children's Privacy

The Service is not directed to children under 16 years of age. We do not knowingly collect personal data from children under 16. If we learn that we have collected data from a child under 16 without appropriate consent, we will delete it promptly.

If you believe we have collected data from a child under 16, please contact privacy@partikl.io.

12. Third-Party Links and Addons

12.1 Third-Party Links

The Service may contain links to third-party websites. We are not responsible for the privacy practices of those sites.

12.2 Third-Party Addons

When you install a third-party Addon, that Addon may access Customer Content as configured in your Pipeline. Third-party Addons have their own privacy policies. We are not responsible for the data practices of third-party Addon developers. Review an Addon's declared data access scope before installation.

13. Changes to This Policy

We may update this Privacy Policy from time to time.

Material changes (changes to what data we collect, how we use it, or who we share it with) will be notified to you at least 30 days in advance via email and dashboard notice.

Minor changes (clarifications, formatting, corrections) will be noted in the Legal Changelog at partikl.io/legal/changelog without advance notice.

The effective date at the top of this page indicates when the current version took effect.

14. Contact and Complaints

For privacy questions and requests: privacy@partikl.io

For data breach reports: security@partikl.io

Postal address: 19 Akaki Tsereteli St, Batumi 6010, Georgia Aleksei Umanchenko I/E Individual Entrepreneur

EEA Representative (if applicable): [To be appointed upon EU entity registration]

If you are not satisfied with our response to a privacy concern, you have the right to lodge a complaint with your local data protection authority.

Version 1.0.0 — Effective April 5, 2026 See the Legal Changelog for revision history