Privacy Policy

Last updated: December 20, 2025

This Privacy Policy explains how AI Crafters Solutions, SLU ("we", "us", or "our") collects, uses, discloses, and protects personal data when you access or use the Andron.ai workflow automation platform and related services (the "Service").

1. Who we are (Data controller)

For the purposes of the EU General Data Protection Regulation (GDPR), AI Crafters Solutions, SLU is the data controller for personal data described in this Privacy Policy.

2. Controller and processor roles

Account and business data: We act as data controller for personal data related to account registration, billing, support, and marketing.

Customer content processed in workflows: You act as the data controller, and we act as a data processor on your behalf.

Where we act as a processor, our processing is governed by our Data Processing Agreement (DPA), which forms part of our contractual terms.

3. Personal data we collect

3.1 Account information

  • Full name
  • Email address
  • Company name and organization details
  • Profile information and preferences
  • Authentication credentials (hashed)

3.2 Usage data

  • Workflow definitions and configurations
  • Execution logs and audit trails
  • Feature usage and interaction patterns
  • API calls and integration usage
  • Error reports and diagnostics

3.3 Technical data

  • IP address and approximate geolocation
  • Browser type and version
  • Operating system and device information
  • Network and connection data
  • Log files and timestamps

3.4 Payment and billing data

Payment information is processed by our third-party payment processors. We do not store full credit card numbers. We may store billing contact details and transaction references.

3.5 Customer content

Personal data that you or your users submit to the Service for processing within workflows.

4. How we use personal data

We use personal data to:

  • Provide, operate, and maintain the Service
  • Execute and manage workflows
  • Authenticate users and manage accounts
  • Provide customer support
  • Improve performance, reliability, and features
  • Communicate service updates and security notices
  • Send educational or marketing communications (where permitted)
  • Detect and prevent fraud, abuse, and security incidents
  • Comply with legal obligations

5. Legal bases for processing (GDPR Article 6)

We process personal data based on one or more of the following legal grounds:

  • Contract: Processing necessary to provide the Service.
  • Legitimate interests: To operate, secure, and improve the Service, and to communicate with business users.
  • Consent: For marketing communications or where required by law.
  • Legal obligation: To comply with applicable laws and regulations.

You may withdraw consent at any time where processing is based on consent.

6. Cookies and tracking technologies

We use cookies and similar technologies to operate, analyze, and improve the Service, and to maintain secure sessions.

For more information about the cookies we use and how to manage preferences, please see our Cookies

7. How we share personal data

We may share personal data with:

  • Service providers and subprocessors: Cloud infrastructure (e.g., DigitalOcean, Supabase), authentication (e.g., Supabase Auth), analytics, email delivery, and payment processors who process data on our behalf under contractual safeguards.
  • Legal authorities: Where required by law or to protect our rights.
  • Business transfers: In connection with a merger, acquisition, or sale of assets.
  • With your instructions or consent: When you request integrations or data sharing.

We do not sell personal data.

A current list of subprocessors is available upon request or on our website.

8. International data transfers

Your data may be transferred to and processed in countries outside the European Economic Area (EEA). Where this occurs, we rely on appropriate safeguards, including:

  • Adequacy decisions by the European Commission,
  • Standard Contractual Clauses (SCCs),
  • and, where applicable, the EU-US Data Privacy Framework.

9. Data security

We implement appropriate technical and organizational measures designed to protect personal data, including:

  • Encryption in transit (TLS) and at rest where applicable,
  • Role-based access controls and multi-factor authentication,
  • Network security and monitoring,
  • Regular security assessments.

However, no system can guarantee absolute security.

10. Data retention

We retain personal data only for as long as necessary for the purposes described in this policy:

  • Active accounts: Data is retained while the account is active.
  • After account closure: Personal data is deleted or anonymized within 30 days, unless legal obligations require longer retention.
  • Backups: Backup copies may persist for a limited period for disaster recovery.

Customer content is handled according to our DPA.

11. Your data protection rights

Under GDPR and applicable laws, you have the right to:

  • Access your personal data,
  • Rectify inaccurate or incomplete data,
  • Request deletion of your data,
  • Restrict processing,
  • Object to processing based on legitimate interests,
  • Receive your data in a portable format and transmit it to another controller,
  • Withdraw consent at any time,
  • Lodge a complaint with your local data protection supervisory authority.

To exercise your rights, contact us at privacy@andron.ai. We will respond within 30 days.

12. Automated decision-making

We do not use personal data to make solely automated decisions that produce legal or similarly significant effects on you without human involvement, unless necessary to provide the Service and permitted by law.

13. Data breach notification

In the event of a personal data breach affecting your personal data, we will notify you and relevant authorities as required by applicable law.

14. Children's privacy

The Service is not intended for individuals under the age of 18. We do not knowingly collect personal data from individuals under 18.

15. Marketing communications

Where permitted by law, we may send you marketing communications. You may opt out at any time using the unsubscribe link in emails or by contacting us at privacy@andron.ai.

16. Changes to this policy

We may update this Privacy Policy from time to time. We will update the "Last updated" date and notify you of material changes through the Service or by email.

17. Contact us

If you have questions about this Privacy Policy or our data practices, contact us:

If required by law, we will appoint a Data Protection Officer (DPO) and publish their contact details here.