Privacy Policy - SecQuestionnaires
Last Updated: February 4, 2026
Data Controller: [Company/Individual Name], based in the European Union
SecQuestionnaires ("we", "our", "the service") respects your privacy and is committed to protecting your personal data. This privacy policy describes how we collect, use, and protect your information in accordance with the European Union General Data Protection Regulation (GDPR) 2016/679.
1. Data We Collect
1.1 Account Data
When you create an account, we collect and store:
- Email: for authentication and service communications
- Name: as provided during registration
- Password: stored in cryptographic hash format (bcrypt) - we never store passwords in plain text
- Registration date: for administrative purposes
1.2 Usage Data
We monitor service usage to manage plan limits:
- Number of questionnaires processed
- Date and time of each processing
- Number of rows processed per questionnaire
- We do not store the content of questionnaires or KB documents
1.3 Payment Data
For paid plans, we collect via Stripe:
- Email and name to associate payment with account
- Internal User ID for reference
- We do not store credit card numbers or complete payment data - these are managed exclusively by Stripe
1.4 Technical Data
- Session cookies: to maintain authentication (NextAuth)
- IP address: for rate limiting and abuse prevention (not stored permanently)
2. How We Use Your Data
2.1 Primary Purposes
- Service delivery: processing questionnaires using artificial intelligence
- Account management: authentication, plan limits, billing
- Service communications: important service notifications (not marketing)
- Security: abuse prevention, rate limiting, account protection
2.2 Legal Basis (GDPR)
- Contract performance (Art. 6(1)(b) GDPR): delivery of requested service
- Consent (Art. 6(1)(a) GDPR): where applicable, with ability to withdraw
- Legitimate interest (Art. 6(1)(f) GDPR): security and fraud prevention
- Legal obligations (Art. 6(1)(c) GDPR): tax and legal compliance
3. File Storage and Deletion
3.1 Temporary Files (KB and Questionnaires)
Documents you upload (knowledge base and Excel questionnaires) are:
- Temporarily saved on secure servers during processing
- Automatically and immediately deleted after processing completes
- Session-isolated: other users cannot access your files
- Not stored beyond the time strictly necessary to generate the result
Maximum retention period: Files are deleted within 1 minute of processing completion. In case of a technical error, they are automatically deleted within 15 minutes via the server cleanup system.
3.2 Output Files
The completed questionnaire is:
- Generated and sent immediately to your browser
- Not stored on our servers after sending
- Downloadable only by you during the active session
4. AI Processing
4.1 Provider and Model
We use Anthropic Claude (model: Claude Haiku 4.5) to process questionnaires:
- Server location: United States and European Union (multi-region deployment)
- Contract type: Standard API
- AI training: According to Anthropic's policy, data sent via API is not used for training AI models
- Retention: Anthropic retains API data for a maximum of 30 days for trust & safety purposes, after which it is deleted
4.2 Data Sent to Claude
When you process a questionnaire, we send to Claude servers:
- Text extracted from your KB documents
- Questionnaire questions
- We do not send: email, password, payment data, or other account personal information
4.3 Extra-EU Data Transfer
Data processed by Claude may be transferred to the United States. This transfer is necessary for service delivery and is based on:
- Standard Contractual Clauses (SCC) approved by the European Commission
- Security guarantees implemented by Anthropic in compliance with GDPR
Important note: KB documents and questionnaires generally do not contain personal data of individuals (they are business documents), but may contain confidential organizational information.
5. Third-Party Sharing
We share data only with the following service providers:
5.1 Anthropic (Claude AI)
- Purpose: Questionnaire processing with AI
- Data shared: Text extracted from KB and questionnaire questions
- Location: USA/EU
- Guarantees: SCC, no training, 30-day max retention
5.2 Stripe (Payments)
- Purpose: Subscription and payment management
- Data shared: Email, name, user ID
- Location: USA/EU
- Guarantees: PCI-DSS compliant, SCC
5.3 Vercel (Application Hosting)
- Purpose: Web application hosting
- Data shared: All data necessary for service delivery
- Location: Primary servers in Paris (EU)
- Guarantees: GDPR compliant, ISO 27001 certification
5.4 Neon (Database)
- Purpose: Account data and usage logs storage
- Data shared: Email, name, password hash, usage metadata
- Location: AWS US East (United States)
- Guarantees: SCC, encryption at rest and in transit
5.5 We Do Not Share Otherwise
- We do not sell your data to third parties
- We do not rent email lists or user data
- We do not share data for marketing or advertising purposes
- Exception: we may share data if required by law, court order, or to protect our legal rights
6. Cookies and Tracking Technologies
6.1 Essential Cookies
We use only strictly necessary cookies for service operation:
- Session cookie (NextAuth): to maintain authentication
- Duration: Until browser closes or logout
- Rejectable: No, essential for service
6.2 No Tracking
- No analytics: we do not use Google Analytics or similar
- No marketing cookies: no third-party cookies for advertising
- No social media tracking: no Facebook, LinkedIn, or similar pixels
7. Data Security
We implement technical and organizational measures to protect your data:
7.1 Technical Security
- Encryption in transit: HTTPS/TLS for all communications
- Encryption at rest: Encrypted database and backups
- Passwords: Hashed with bcrypt (salt + stretching)
- Rate limiting: Protection from brute-force attacks
- Session isolation: Each user's files are isolated
- Input validation: Protection from injection attacks and XSS
7.2 Data Access
- Only authorized personnel have access to production databases
- Access logs for audit trail
- "Least privilege" principle for permissions
7.3 Automatic Deletion
- Temporary files automatically deleted after processing
- Cleanup system verifies correct deletion
8. Data Retention
8.1 Retention Periods
| Data Type | Retention |
|---|---|
| User account (email, name, password) | Until account deletion |
| Usage logs | Retained for subscription duration + 5 years (tax obligations) |
| KB/Questionnaire files | Deleted immediately after processing (max 15 minutes) |
| Session cookies | Until logout or browser close |
| System logs | 30 days |
| Stripe data | Per Stripe policy (retention for tax compliance) |
8.2 Inactive Accounts
- We do not delete inactive accounts automatically
- You can request deletion at any time
9. Your Rights (GDPR)
In accordance with GDPR, you have the following rights:
9.1 Right of Access (Art. 15)
You can request a copy of all personal data we hold about you.
9.2 Right to Rectification (Art. 16)
You can correct inaccurate or incomplete data (e.g., modify name in account).
9.3 Right to Erasure (Art. 17 - "Right to be Forgotten")
You can request deletion of your account and all associated data at any time.
Exceptions: We may retain some data if necessary for:
- Legal obligations (e.g., tax billing for 5 years)
- Exercise or defense of legal rights
- Public interest
9.4 Right to Data Portability (Art. 20)
You can request to receive your data in a structured, machine-readable format (e.g., JSON, CSV).
9.5 Right to Object (Art. 21)
You can object to processing of your data for direct marketing or legitimate interest purposes.
9.6 Right to Restriction (Art. 18)
You can request to restrict processing in certain circumstances (e.g., contesting data accuracy).
9.7 Right to Withdraw Consent (Art. 7(3))
Where processing is based on consent, you can withdraw it at any time.
9.8 Right to Lodge a Complaint
You have the right to file a complaint with the competent data protection authority (Garante per la protezione dei dati personali in Italy).
How to exercise your rights: Send a request to [insert privacy contact email]. We will respond within 30 days.
10. International Data Transfers
10.1 Servers in EU
- Vercel: Primary servers in Paris (France - EU)
- Account data remains predominantly in EU
10.2 Extra-EU Servers
Some providers have servers in the United States:
- Neon Database: AWS US East
- Anthropic Claude: Multi-region servers (USA/EU)
- Stripe: USA/EU servers
10.3 Transfer Guarantees
For extra-EU transfers, we rely on:
- Standard Contractual Clauses (SCC) approved by the European Commission
- Security certifications (e.g., ISO 27001, SOC 2) of providers
- Encryption in transit and at rest
11. Minors
SecQuestionnaires is not intended for minors under 16 years of age. We do not knowingly collect data from minors. If we discover we have collected data from a minor, we will proceed with immediate deletion.
If you are a parent/guardian and believe your child has provided data, contact us for deletion.
12. Privacy Policy Changes
We may update this privacy policy periodically to reflect:
- Changes in service
- New regulations
- Improvements in data protection
Notification of substantial changes: We will inform you via email or in-app banner at least 30 days before the changes take effect.
Last update date: indicated at the top of this document.
13. Contact
For questions about this privacy policy, exercising your rights, or privacy-related requests:
Email: [insert privacy/DPO contact email]
Address: [insert postal address]
Data Protection Officer (DPO): [if applicable, insert DPO contact]
Supervisory Authority (for GDPR complaints):
Garante per la protezione dei dati personali
Piazza Venezia, 11 - 00187 Rome, Italy
https://www.garanteprivacy.it
14. Summary for Transparency
In brief:
- ✅ We collect only data necessary for the service
- ✅ Your KB and questionnaire files are immediately deleted after processing
- ✅ We do not sell your data
- ✅ No tracking, no analytics, no advertising
- ✅ HTTPS/TLS encryption for all communications
- ✅ Data sent to Claude AI is not used for training
- ✅ You have complete control over your data (access, deletion, portability)
- ✅ Full GDPR compliance
- ⚠️ Some data is transferred to USA (with SCC guarantees)
Version: 1.0
Date: February 4, 2026
Language: English (binding version)