Privacy Policy
This Privacy Policy describes how Euriklis LTD (the "Company", "we") collects, processes, retains and protects personal data and computational content submitted to the Euriklis platform ("Service").
We operate under the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), Bulgarian Personal Data Protection Act, and all related European Union law on personal data and intellectual property.
1. Data Controller
Euriklis LTD, registered in the Republic of Bulgaria. Contact for privacy matters: legal@euriklis.com
If we appoint a Data Protection Officer, their contact will be published here.
2. Our Commitment to EU Law
Euriklis guarantees full compliance with all laws, regulations and administrative acts of the European Union concerning the protection of personal data and intellectual property. Where national law of an EU Member State sets a higher standard, the higher standard applies.
3. What Data We Collect
Account data. Email address, password (stored only as a salted hash), optional display name.
Billing data. Subscription tier, billing events, Stripe customer identifier. Card details are processed by Stripe and never reach our servers.
Service usage. API key identifiers (hashed), request timestamps, ECU (Euriklis Computational Units) consumption counters, error codes.
Technical data. IP address, user-agent string, TLS-session metadata. Retained for security and abuse detection only.
4. Data Minimisation
We process only what is necessary to deliver the Service and discard the rest.
Computational inputs. The data you submit for processing (matrices, vectors, datasets, procedure definitions) is not retained beyond what is required to complete the computation. Once the job is finished, the inputs are discarded.
Intermediate state. Discarded together with the inputs, with one exception described below.
ECU-truncated jobs. If a computation is interrupted because your ECU allowance is exhausted mid-pipeline, we retain the result of the last completed stage instead of the final result, so you do not lose the work already paid for. You may resume or download it at any time.
Estimated parameters and model weights. If your computation produces fitted coefficients, neural-network weights, or similar estimated artifacts, we retain them only when you explicitly opt in via the request flag or your dashboard. The default is no retention.
Final results that are returned to you are subject to the retention rules in Section 10.
5. Purpose and Legal Basis (GDPR Art. 6)
| Purpose | Legal basis |
|---|---|
| Account creation, computation execution, billing | Contract (Art. 6(1)(b)) |
| Fraud prevention, abuse detection, network security | Legitimate interest (Art. 6(1)(f)) |
| Marketing communications | Consent (Art. 6(1)(a)) — opt-in only |
| Financial record keeping | Legal obligation (Art. 6(1)(c)) |
6. No Disclosure to Third Parties
Definitions of computational procedures submitted by users and the results of their execution will not be disclosed to any third party, with the following narrow exceptions:
(a) where disclosure is required by Section 2 above (compliance with binding EU law); and
(b) under the conditions of Section 7 (misuse enforcement).
7. Misuse Detection and Enforcement
The Company reserves the right to analyse whether a submitted procedure is malicious or unlawful, and to consult competent EU legal institutions on the matter.
Where credible reports of unlawful or malicious use of the Service are received from third parties that are not EU legal persons, the Company will conduct its own analysis, consult the competent EU institutions, and reserves the right to partially or fully restrict a person's access to a specific computational resource.
Data produced during the use of computational procedures will be disclosed only pursuant to a binding court order or equivalent legal act issued by the judicial or legal authorities of the European Union.
8. Sub-processors
We use the following sub-processors, each bound by GDPR-compliant data processing terms:
- Stripe Payments Europe Ltd (Ireland) — payment processing
- Hosting and infrastructure providers within the European Economic Area
A current list is available on request to legal@euriklis.com.
8a. Data Processing Agreement (GDPR Art. 28)
Where you submit data that contains personal data of your own end-users, customers, employees or other identified or identifiable natural persons, you act as the data controller and Euriklis LTD acts as a data processor within the meaning of GDPR Article 28.
In that role, we will:
- process such personal data only on your documented instructions, as expressed through your API requests and account settings;
- ensure that personnel authorised to access the data are bound by confidentiality;
- implement the technical and organisational security measures described in Section 12;
- engage sub-processors only on equivalent contractual terms and notify you of changes;
- assist you in responding to data-subject rights requests and in fulfilling your obligations under GDPR Articles 32–36;
- delete or return the personal data at the end of the Service, at your choice.
A standalone Data Processing Agreement incorporating the European Commission's Standard Contractual Clauses is available to business customers on request to legal@euriklis.com. Submission of personal data of third parties before signing a DPA is at your own risk and we recommend executing the DPA before sending any production workloads containing personal data.
9. International Data Transfers
All personal data is processed within the European Economic Area. We do not transfer personal data outside the EEA unless the recipient is bound by an adequacy decision or Standard Contractual Clauses approved by the European Commission.
10. Retention Periods
| Category | Retention |
|---|---|
| Computational inputs | Discarded on job completion |
| Computational results | 30 days (user-extendable or earlier deletable) |
| Account data | Duration of account + 6 months after deletion |
| Billing records | 10 years (statutory) |
| Security and abuse logs | 12 months |
11. Your Rights (GDPR Art. 15–22)
You have the right to:
- access the personal data we hold about you;
- request rectification of inaccurate data;
- request erasure ("right to be forgotten");
- request restriction of processing;
- request data portability in a machine-readable format;
- object to processing based on legitimate interest;
- withdraw consent at any time where processing is based on consent;
- lodge a complaint with your national supervisory authority — in Bulgaria, the Commission for Personal Data Protection (CPDP, cpdp.bg).
Requests are addressed within one month per GDPR Art. 12(3). Send them to legal@euriklis.com.
12. Security
- TLS 1.3 for all data in transit
- AES-256 encryption at rest
- API keys stored only as SHA-256 hashes
- Principle of least privilege on internal systems
- Personal-data breach notification to the supervisory authority within 72 hours per GDPR Art. 33
13. Cookies
The Service uses a minimal set of strictly necessary cookies (authentication session, CSRF protection). Optional analytics cookies require your explicit consent and can be revoked at any time.
14. Children
The Service is not intended for individuals under the age of 16. We do not knowingly collect personal data from children.
15. Changes to This Policy
Material changes will be announced at least 30 days in advance via email and on this page. The effective date above is updated with each revision; a change log is maintained on request.
16. Contact
Questions, requests under GDPR Art. 15–22, or notices of suspected misuse:
Euriklis LTD · legal@euriklis.com