Privacy Policy.

1. Who we are

Logitelia ("Logitelia", "we", "us", "our") is an AI-native services company. We are the data controller for personal data we collect through this website and the services described on it. You can reach us at info@logitelia.com or for privacy-specific questions at dpo@logitelia.com.

2. Scope of this policy

This policy describes the personal data we collect, how we use it, the legal basis under which we process it, who we share it with, how long we keep it, and the rights you have. It applies to:

• visitors to logitelia.com and its subdomains;
• prospects who contact us via the contact form, email, or scheduled call;
• clients who subscribe to one or more of our AI agents teams;
• recipients of our newsletter or other transactional communications.

3. What personal data we collect

We collect personal data in three categories:

Information you provide directly. When you fill out the contact form or book an intro call, you give us your name, company, email, the team you are interested in, and the message you write. If you become a client, we additionally collect billing information (company name, VAT/tax ID, billing address) and the operational data you share with us as part of the engagement.

Information collected automatically. When you visit the site, our hosting provider (Vercel) logs your IP address, the page you visited, the referring URL, your browser type, and the timestamp. We use this for security (rate limiting, abuse detection) and aggregate analytics. We do not currently run third-party analytics with persistent cookies.

Information from third parties. If you book a call via Cal.com, that platform shares your name, email, and chosen time with us. If you sign in via a third-party identity provider in the future, that provider shares the identifiers required to authenticate you.

4. How we use your personal data

• To respond to your inquiry when you contact us, and to share information you ask for.
• To provide the services you subscribed to, including running the AI agents teams you engage and granting access to the client portal.
• To process payment for subscriptions, via our payment processor.
• To send transactional communications such as service updates, security notices, billing confirmations, and changes to this policy.
• To send marketing communications only with your explicit consent, with a clear unsubscribe option in every message.
• To improve our services, by analysing aggregated, non-identifiable usage patterns.
• To meet legal obligations, including tax, accounting, and any applicable regulatory requirements.

5. Legal basis for processing (GDPR)

Our processing of your personal data is grounded in one or more of the following legal bases under the EU General Data Protection Regulation:

• Contract. Processing necessary to perform a contract with you (running your subscribed services, billing, support).
• Legitimate interests. Processing necessary for our legitimate interests in operating the business, securing the service against abuse, and contacting prospects in a B2B context — balanced against your rights and reasonable expectations.
• Consent. Processing that requires your explicit opt-in (marketing email, optional analytics).
• Legal obligation. Processing required by tax, accounting, or regulatory rules.

6. Who we share your data with

We share personal data only with the categories of recipients listed below. We do not sell personal data.

• Infrastructure providers: Vercel (hosting, EU region), Cloudflare (CDN and bot mitigation).
• LLM providers: Anthropic, OpenAI, and Google (when the agent calls into their APIs as part of delivering your service). Each provider operates under a signed agreement that prohibits training on your data.
• Email and scheduling: Resend (transactional email delivery), Cal.com (call scheduling), our domain email provider for inbound mail.
• Payment processing: our payment processor (Stripe or equivalent), which receives the billing information necessary to process subscriptions.
• Captcha: Cloudflare Turnstile, which validates that contact form submissions come from a human.
• Professional advisors: lawyers, accountants, and auditors when their work requires limited access.
• Authorities: if required by law, court order, or legitimate regulatory request.

Where any of these recipients are located outside the European Economic Area, we rely on Standard Contractual Clauses or other approved transfer mechanisms.

7. Data residency and international transfers

Our primary infrastructure runs in the European Union. Customer data sent to LLM providers is routed to their EU endpoints where available. We may use US-based subprocessors (such as Stripe) where their service is required and we rely on EU-approved transfer mechanisms.

When you contract with us, the specific data residency posture for your engagement is documented in your Data Processing Agreement. If your business has stricter residency requirements, we will configure your engagement to meet them or honestly tell you that we cannot.

8. AI provider terms and training

The LLM providers we use (Anthropic, OpenAI, Google) operate their API products under terms that prohibit training their models on our customers' data. Specifically:

• Inputs and outputs from API calls are not used for model training under the API-tier agreements.
• Providers retain limited copies of API traffic for abuse monitoring and quality, typically for 30 days, with restricted access.
• Our own systems do not train on customer data without explicit consent.

These terms are reflected in your Data Processing Agreement when you become a client.

9. How long we keep your data

We keep personal data only as long as needed for the purpose we collected it:

• Contact form submissions: kept while we evaluate and respond, then archived for up to 24 months in case you re-engage; deleted earlier on request.
• Client data: kept for the duration of your subscription plus 30 days, then transferred to read-only archive for an additional 60 days, then deleted unless a longer retention period is required by law or by explicit written request.
• Billing records: kept for the period required by tax law in your applicable jurisdiction (typically 7-10 years).
• Marketing communications: while your consent is active and for a reasonable period after withdrawal to demonstrate compliance.
• Server logs: typically 30 days for the rolling access log, longer for security incident records.

10. Your rights under GDPR

If you are in the European Economic Area, the United Kingdom, or another jurisdiction with equivalent data protection law, you have the following rights:

• Access: ask us what personal data we hold about you.
• Rectification: correct inaccurate or incomplete data.
• Erasure: ask us to delete your data when it is no longer needed or your consent is withdrawn.
• Restriction: ask us to limit processing while a dispute is resolved.
• Portability: receive your data in a structured, machine-readable format.
• Objection: object to processing based on legitimate interest, including direct marketing.
• Withdraw consent: where processing relies on consent, you can withdraw it at any time.
• Complain: lodge a complaint with your national data protection authority.

To exercise any of these rights, contact dpo@logitelia.com. We respond within 30 days, often sooner.

11. Cookies and similar technologies

This site uses a minimal set of technologies:

• Functional storage: a localStorage entry to remember your preferred language. No identifier is stored.
• Captcha: Cloudflare Turnstile may set short-lived cookies to validate form submissions are from humans.
• Security cookies: our infrastructure may set short-lived cookies for rate limiting and bot protection.

We do not currently use cross-site tracking cookies or third-party advertising pixels. If we add analytics in the future, we will use privacy-first tooling (such as Plausible or self-hosted Umami) that does not require cookie banners, and we will update this policy before deployment.

12. Security

We take reasonable technical and organisational measures to protect personal data, including:

• encryption in transit (TLS 1.3) and at rest where applicable;
• access controls and role-based permissions on internal systems;
• HSTS, strict Content Security Policy, and other security headers on the public site;
• per-tenant isolation of client data;
• audit logging of every agent action, available to the client through the portal;
• secret management via a dedicated password manager;
• regular review of subprocessors and their security posture.

No system is perfectly secure. If you become aware of a vulnerability or a breach affecting your data, please contact security@logitelia.com.

13. Children

Our services are not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.

14. Automated decision-making

We do not use your personal data for automated decision-making that produces legal or similarly significant effects on you within the meaning of GDPR Article 22. AI agents may process data on behalf of our clients as part of delivering the services they subscribed to, with human operator review and the safeguards set out in each client's Data Processing Agreement.

15. Changes to this policy

We may update this policy from time to time. When we make material changes, we will notify clients by email and update the "Last updated" date at the top. Continued use of the services after an update constitutes acceptance of the revised policy. The current version is always available at this URL.

16. How to contact us

For privacy questions, requests to exercise your rights, or to report a concern:

• Email: dpo@logitelia.com
• For general queries: info@logitelia.com
• For security: security@logitelia.com

You may also contact your national data protection authority — for example, the Ukrainian Ombudsman's office for residents of Ukraine, the BfDI in Germany, the CNIL in France, the AEPD in Spain, the ICO in the United Kingdom.