Privacy Policy
Date Published
Deeptagger Privacy Policy
Effective Date: 17 August 2025
Who we are: FIE Artur Loss (Estonia) ("Deeptagger", "we", "us")
Scope & Roles
This Policy applies to personal data we process as a controller (e.g., your Account Data, billing/contact info, website analytics, marketing communications) and to personal data we process as a processor on behalf of a Customer when they send content to our Services (Customer Content).
As between Deeptagger and Customer, Customer is the controller of Customer Content; we act as processor and process that data only per Customer’s instructions and our Data Processing Addendum (DPA). For Account Data and our own business operations, Deeptagger is the controller.
Personal Data We Collect
Data you provide
Account Data: name, work email, password hash, company/organization, job role, billing address, tax/VAT IDs, administrative/billing contacts.
Payments: We utilize third-party payment processors, which receive tokens and limited billing details (excluding full card numbers).
Support & Sales: messages, attachments, and contact details you send to support or sales.
Preferences & consents: newsletter opt-ins, cookie preferences, language, region.
Data we collect automatically
Usage & telemetry: API calls, requests/responses metadata, timestamps, feature use, performance metrics, errors/crash reports.
Device & log data: IP address, browser type/version, OS, device identifiers, referrer URL, pages visited, and session events.
Cookies & similar technologies: see Section 10 (Cookies) and our Cookie Notice for details and choices.
Data from third parties
Identity & contact from your employer or SSO provider (e.g., domain-based signup, SAML/OAuth claims).
Business info from distributors/resellers or public sources (e.g., company websites, registries) for B2B onboarding and compliance screening.
Customer Content
Customer Content is the data (documents, images, fields, prompts, and outputs) that a Customer sends to the Services. We do not control what Customer chooses to send. We process it only to provide the Services, per the DPA and Customer’s settings.
How We Use Personal Data
We use personal data for these purposes:
Provide the Services (create/manage accounts, authenticate users, process usage and billing, support, deliver APIs): contract (Art. 6(1)(b)) and legitimate interests (service operation, Art. 6(1)(f)).
Security & integrity (fraud prevention, abuse/spam prevention, incident detection/response, access controls, auditing): legitimate interests and legal obligations.
Service improvement & analytics (usage analytics, performance tuning, UX research using de-identified data): legitimate interests.
Communications (transactional notifications, product updates, responding to inquiries): contract/legitimate interests.
Marketing (newsletters, events, promotions): consent (where required) or legitimate interests (B2B direct marketing, subject to opt-out).
Compliance (tax, accounting, sanctions screening, legal requests): legal obligations.
Derived Data & Model Improvement
Derived Data: We generate aggregated statistics, telemetry, performance metrics, error logs, and de-identified fields from the operation of the Services. As stated in our ToS, we own Derived Data and use it to run, secure, and improve our Services, develop new features, produce benchmarks/analytics, and share aggregated, de-identified insights (e.g., “customers process X million pages per day”). We do not re-identify individuals.
Model training: We do not use Customer Content to train models made available to other customers unless (i) such content has been de-identified and included as Derived Data, or (ii) the Customer has expressly opted in (e.g., via Order or DPA). Enterprise Customers may opt out of any improvement use beyond service operation.
Sharing Personal Data
We share personal data in these limited circumstances:
Vendors/Sub-processors that help us run the Services (e.g., cloud hosting, storage, email delivery, analytics, payments, support tools). We use reputable cloud, billing, and support providers in the EEA and other jurisdictions, with appropriate data-transfer safeguards. We require appropriate confidentiality, security, and data-protection terms. We maintain a current list of sub-processors and will publish it on our website. We also provide notice of material changes as set out in the DPA.
Payments. Some billing data may be processed by our payment processor(s) as independent controllers under their own privacy policies (e.g., fraud prevention, regulatory compliance).
Affiliates that help us provide the Services.
Legal & safety reasons, including to comply with law, enforce our agreements, protect rights, security, and customers, or respond to lawful requests.
Business transfers (merger, acquisition, financing, or sale of assets). We will continue to protect personal data and provide notice of any material changes.
With your direction or consent, including when you enable a third-party integration; those third parties process personal data under their own terms and privacy policies.
International Transfers
We process and store personal data in the EEA and in other countries where we or our sub-processors operate (for example, the United States). For Customer Content, cross-border transfers and safeguards are governed by the Data Processing Addendum (DPA), including any applicable transfer mechanisms. For Account Data that we control, we use appropriate transfer arrangements as required by law.
Data Retention
Account Data: retained while your account is active and for a reasonable period thereafter (typically up to 24 months) to maintain records and comply with law.
Customer Content: retention is controlled by Customer while the account is active. After the effective date of termination, we provide a 30-day export window (on request) and then delete Customer Content from active systems; limited data may remain in backups for a short period consistent with our backup policies and legal holds.
Telemetry/logs: typically retained for up to 12 months for security, troubleshooting, and audit; certain high-volume edge logs may be retained for 30–180 days.
Derived Data: aggregated/de-identified telemetry and statistics may be retained and used as permitted by the ToS and are not deleted upon account closure.
We may retain information as needed to comply with legal obligations, resolve disputes, and enforce agreements.
Security
We maintain administrative, technical, and physical safeguards designed to protect personal data, including encryption in transit, access controls, least-privilege practices, and monitoring. Incident notifications: We will notify affected Customers and/or authorities as required by law if we learn of a personal-data breach. No system is 100% secure; we encourage you to use strong passwords and enable multi-factor authentication where available.
Your Rights
Depending on your location, you may have rights to:
Access your personal data and obtain a copy.
Rectify inaccurate or incomplete data.
Erase (delete) your data (subject to lawful exceptions).
Restrict or object to processing (including direct marketing).
Data portability (receive your data in a portable format and transmit it to another controller).
Withdraw consent where processing is based on consent.
Appeal certain automated decisions or profiling that produce legal or similarly significant effects.
To exercise your rights, contact privacy@deeptagger.com. We respond within one month of receipt; we may extend by up to two further months for complex or numerous requests and will inform you of the reasons for any delay. We may request information to verify your identity. You can lodge a complaint with your local supervisory authority.
Cookies & Similar Technologies
We use cookies and similar technologies to run the site, remember preferences, perform analytics, and (where applicable) support marketing. Where required, we ask for consent via a cookie banner. You can change your choices at any time in our Cookie Settings. We will publish a Cookie Notice and link it from our site once available; until then, this section describes our core cookie practices.
Communications & Marketing
Transactional emails (e.g., password resets, billing) are part of the Services, and you cannot opt out of those.
Marketing communications (e.g., newsletters) are optional; you can opt out via the unsubscribe link or by contacting us.
Third-Party Services & Links
The Services may integrate with or link to third-party services. Those services process personal data under their own terms and privacy policies. We are not responsible for third-party privacy practices. See also ToS §9 (Third-Party Services).
Changes to this Policy
We may update this Policy from time to time. When we do, we will update the Effective Date above and, for material changes, provide additional notice (e.g., email, in-product message). Your continued use of the Services after the effective date means you acknowledge the updated Policy. If an update concerns processing that previously relied on your consent, we will seek renewed consent where required.
How to Contact Us
If you have questions about this Policy or our privacy practices, contact privacy@deeptagger.com.