Privacy Policy

This Privacy Policy explains how Infinized B.V. ("Infinized", "we", "us", or "our") collects, uses, stores, and protects your personal data when you use the Infinized AI Control Plane ("Platform") and our related services.

We are committed to protecting your privacy and processing your personal data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and other applicable data protection laws.

By using the Platform, you acknowledge that you have read and understood this Privacy Policy. This Privacy Policy should be read in conjunction with our Terms of Service.

The data controller responsible for your personal data is:

When you use the Platform to process personal data of your own end users or customers through your AI agents, you act as the data controller for that data, and Infinized acts as a data processor on your behalf. In such cases, a Data Processing Agreement (DPA) governs the processing relationship.

We use your personal data for the following purposes:

• Service Delivery: To provide, operate, and maintain the Platform, including routing AI model requests, executing governance policies, and delivering agent functionality.
• Account Management: To create and manage your account, authenticate your identity, and manage your subscription and billing.
• Communication: To send you service-related notifications, security alerts, billing information, and responses to your inquiries. With your consent, to send marketing communications about new features and updates.
• Platform Improvement: To analyze usage patterns, diagnose technical issues, and improve the Platform's performance, reliability, and user experience. This analysis uses aggregated and anonymized data wherever possible.
• Security & Fraud Prevention: To detect, prevent, and respond to security incidents, fraud, abuse, and violations of our Terms of Service.
• Legal Compliance: To comply with applicable legal obligations, respond to lawful requests from public authorities, and establish, exercise, or defend legal claims.
• Audit & Governance: To maintain audit trails and governance logs as required by the Platform's functionality and your configured policies.

Under the GDPR (Article 6), we process your personal data based on the following legal grounds:

We may share your data with the following categories of recipients:

• Third-Party AI Providers: When your agents route requests to AI model providers (such as OpenAI, Anthropic, Mistral, or Google), your prompts and relevant context are transmitted to those providers for processing. This sharing is initiated by your agent configurations and is necessary to deliver the AI functionality you have configured. Each provider processes this data under their own privacy policies.
• Payment Processors: We share billing information with our payment processing partners to process transactions securely. These processors are PCI-DSS compliant and act as independent data controllers for payment data.
• Infrastructure Providers: We use EU-based cloud infrastructure providers to host the Platform. These providers act as data processors under our instructions and are bound by Data Processing Agreements.
• Analytics Providers: We use analytics tools to understand how the Platform is used. Where possible, we use privacy-friendly, EU-hosted analytics solutions. Data shared with analytics providers is anonymized or pseudonymized.
• Legal & Regulatory: We may disclose data to law enforcement, regulatory authorities, or courts when required by law, to protect our legal rights, or to prevent harm.
• Corporate Transactions: In the event of a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity. We will notify you of any such transfer and any changes to this Privacy Policy.

All third-party recipients are required to protect your data in accordance with applicable data protection laws and our contractual requirements.

Infinized's Platform infrastructure is hosted entirely within the European Union. Your account data, usage data, and Platform metadata remain within the EU.

AI Provider Data Transfers

When you configure your agents to use Third-Party AI Providers, your prompts and context data may be transferred to and processed in countries outside the European Economic Area (EEA), depending on the provider you select. For example:

• OpenAI and Anthropic may process data in the United States.
• Mistral offers EU-hosted processing options.
• Google may process data in various global locations.

These transfers are initiated by your agent configurations. You are responsible for assessing whether the transfer of data to a particular AI provider is appropriate for your use case and compliant with your data protection obligations.

Safeguards

Where data is transferred outside the EEA, we ensure appropriate safeguards are in place, including:

• EU Standard Contractual Clauses (SCCs) with our sub-processors.
• Adequacy decisions by the European Commission, where applicable.
• Supplementary technical and organizational measures to protect data in transit and at rest.

We retain your personal data only for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.

Under the GDPR, you have the following rights regarding your personal data. You may exercise these rights at any time by contacting us at contact@infinized.com.

We will respond to your request within 30 days. In complex cases, we may extend this period by an additional 60 days, in which case we will inform you of the extension and the reasons for it.

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

• Encryption: All data is encrypted in transit using TLS 1.3 and at rest using AES-256 encryption.
• Access Controls: Role-based access controls (RBAC) with the principle of least privilege. Multi-factor authentication for all administrative access.
• Infrastructure Security: EU-hosted infrastructure with network segmentation, firewalls, intrusion detection, and DDoS protection.
• Monitoring: Continuous security monitoring, logging, and alerting for suspicious activities.
• Vulnerability Management: Regular security assessments, penetration testing, and timely patching of known vulnerabilities.
• Incident Response: Documented incident response procedures. In the event of a personal data breach, we will notify affected individuals and the relevant supervisory authority within 72 hours as required by the GDPR.
• Employee Training: All employees with access to personal data receive regular data protection and security training.
• Tenant Isolation: Data is isolated at the organization level. Cross-tenant data access is architecturally prevented.

While we strive to protect your personal data, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security but are committed to maintaining industry-standard protections.

We use cookies and similar tracking technologies on the Platform and our website. Cookies are small text files stored on your device that help us provide and improve our services.

Types of Cookies We Use

• Essential Cookies: Required for the Platform to function properly, including authentication, session management, and security. These cookies cannot be disabled.
• Analytics Cookies: Help us understand how visitors interact with our website and Platform, allowing us to improve the user experience. These are only set with your consent.
• Preference Cookies: Remember your settings and preferences, such as language and display options. These are only set with your consent.
• Marketing Cookies: Used to deliver relevant advertisements and track campaign effectiveness. These are only set with your explicit consent.

You can manage your cookie preferences at any time through the cookie consent banner on our website or by adjusting your browser settings. Please note that disabling essential cookies may affect the functionality of the Platform.

The Platform is not intended for use by individuals under the age of 18 (or the age of legal majority in their jurisdiction). We do not knowingly collect personal data from children.

If we become aware that we have collected personal data from a child without appropriate parental or guardian consent, we will take steps to delete that data promptly. If you believe we may have collected data from a child, please contact us at contact@infinized.com.

We may update this Privacy Policy from time to time to reflect changes in our practices, the Platform, or applicable laws. When we make changes:

• We will update the "Last updated" date at the top of this page.
• For material changes, we will notify you by email and/or by displaying a prominent notice within the Platform.
• Material changes will take effect 30 days after notification, unless a longer period is required by law.

We encourage you to review this Privacy Policy periodically. Your continued use of the Platform after the effective date of any changes constitutes your acceptance of the updated Privacy Policy.

If you have any questions about this Privacy Policy, wish to exercise your data protection rights, or have concerns about how we handle your personal data, please contact us:

Supervisory Authority

If you are not satisfied with our response to your data protection inquiry, you have the right to lodge a complaint with the Dutch Data Protection Authority: