Privacy Policy

Augment

Last updated December 18, 2025

This Privacy Policy explains how we collect and use personal data when you access or use our websites and services, including Augment.hr, KPD2025, EULEX.ai and any related domains, subdomains, applications, and pages we operate (together, the "Services").

1. Professional use only

Our Services are designed for professional users (e.g., legal professionals) acting in a business or professional capacity. They are not intended for consumers in a consumer capacity and are not intended for children.

We do not knowingly collect personal data from anyone under 18. If you believe a child has provided personal data to us, please contact us and we will take appropriate steps to delete it.

2. Roles: Controller and Processor

2.1 When we act as a Controller

We act as a data controller for personal data we process for our own purposes, such as:

  • operating and securing the Services;
  • managing accounts, authentication, and access;
  • administering invitation / beta access;
  • providing customer support;
  • improving the Services through analytics and diagnostics;
  • complying with legal obligations and protecting our legal rights.

2.2 When we act as a Processor (Customer Content)

Where an organisation (e.g., your employer) provides you access to the Services, we may process certain information on that organisation's instructions, such as prompts, documents, and other materials you upload or submit within the application ("Customer Content"). In those cases, your organisation is the controller and we are the processor, and the organisation's agreement with us (including any data processing terms) governs that processing.

If you submit a data subject request relating to Customer Content where we act as processor, we may refer you to the relevant controller and/or forward your request as appropriate.

3. Personal data we collect

3.1 Data you provide

Invitation / access request data (e.g., via "request invite" forms):

  • first name, last name, organisation, email address, position/title (used to validate professional eligibility and administer invite access).

Account and profile data:

  • name, email address, organisation, position/title;
  • account credentials (or authentication tokens if you use single sign-on).

Application and AI interaction data:

  • prompts and queries you submit;
  • documents/files you upload for analysis or drafting;
  • generated outputs;
  • ratings/feedback on outputs (where enabled);
  • timestamps and internal user identifiers.

Communications:

  • information you provide when you contact us (e.g., email content and metadata).

Please avoid submitting special category data (e.g., health data, biometric data, political opinions) and avoid uploading confidential third-party information unless you have a lawful basis and it is strictly necessary for your intended use. Where appropriate, we may remove, restrict, or delete such content for compliance and safety.

3.2 Data we collect automatically

Technical and log data:

  • IP address, user agent, device and browser information, and request logs;
  • IP address at registration and IP address of the most recent login.

Usage and diagnostic data:

  • feature usage and performance metrics, to keep the Services functioning, secure, and to improve reliability.

Cookies and similar technologies:

  • essential cookies required for sign-in/session management and core functionality;
  • analytics cookies (where enabled by your preferences).

4. Single sign-on

If you choose to sign in using third-party identity providers (such as Google or LinkedIn), we receive personal data from them such as your name and email address, and any other information you authorise via the provider permissions (scopes). You can usually control what is shared via your provider account settings.

5. How we use personal data

We use personal data to:

  1. Provide and operate the Services, including account creation, authentication, and delivering requested functionality such as research responses, document drafting, and document analysis.
  2. Administer invitation/beta access and verify professional eligibility where relevant.
  3. Maintain security, prevent abuse, and troubleshoot, including monitoring, fraud prevention, and service integrity.
  4. Improve and develop the Services, including product analytics, diagnostics, and performance optimisation.
  5. Provide customer support and respond to enquiries.
  6. Comply with legal obligations and protect legal rights (e.g., enforcing terms, handling claims, responding to lawful requests).

We do not sell personal data. We do not use personal data for consumer advertising profiling.

6. Legal bases (GDPR)

We rely on the following legal bases under the GDPR (as applicable):

  • Performance of a contract (Article 6(1)(b)): to provide the Services under our Terms of Service and manage your account.
  • Legitimate interests (Article 6(1)(f)): to secure the Services, prevent abuse, administer invite access, improve functionality, and communicate regarding service matters.
  • Consent (Article 6(1)(a)): where required for non-essential cookies and where we send marketing communications (if applicable).
  • Legal obligation (Article 6(1)(c)): where we must retain or disclose data to comply with law.

Where we rely on legitimate interests, you may object as described in Section 11.

6.1 Processing activities overview

Each entry below lists the purpose, the types of personal data, the legal basis (GDPR), and the retention period.

To administer invitation access (request-invite) and verify professional eligibility
  • Types of personal data: first name, last name, organisation, email, position/title
  • Legal basis (GDPR): Legitimate interests (Art. 6(1)(f))
  • Retention: duration of invite/onboarding process; then per account lifecycle if an account is created

To create and manage user accounts and provide access
  • Types of personal data: account identifiers, name, email, organisation, position/title, authentication tokens/credentials
  • Legal basis (GDPR): Contract (Art. 6(1)(b))
  • Retention: while the account is active + 90 days after closure

To enable single sign-on (Google/LinkedIn)
  • Types of personal data: name, email, provider user ID/token, any additional profile fields you authorise
  • Legal basis (GDPR): Contract (Art. 6(1)(b)) and/or Legitimate interests (Art. 6(1)(f)) (secure, convenient sign-in)
  • Retention: while the account is active + 90 days

To provide the core AI-based service (research answers, drafting, document analysis)
  • Types of personal data: prompts, uploaded files/documents, generated outputs, timestamps, user ID, ratings/feedback
  • Legal basis (GDPR): Contract (Art. 6(1)(b))
  • Retention: while the service is provided + 90 days after termination

To provide customer support and respond to enquiries
  • Types of personal data: communications content and metadata (email correspondence)
  • Legal basis (GDPR): Legitimate interests (Art. 6(1)(f)) and/or Contract (Art. 6(1)(b)) (depending on context)
  • Retention: "business communications": as long as needed for the relationship and record-keeping

To ensure network and information security and prevent abuse
  • Types of personal data: IP address, user agent, request logs, registration IP, last login IP; security events
  • Legal basis (GDPR): Legitimate interests (Art. 6(1)(f))
  • Retention: server logs typically 30 days

To run product analytics and improve the Services (non-marketing)
  • Types of personal data: usage/diagnostic data, events, performance metrics; may include user ID and technical identifiers
  • Legal basis (GDPR): Legitimate interests (Art. 6(1)(f))
  • Retention: while the account/service is active + (where relevant) 90 days; backups up to 90 days

To manage backups and disaster recovery
  • Types of personal data: data included in system backups (may include account and service content)
  • Legal basis (GDPR): Legitimate interests (Art. 6(1)(f))
  • Retention: backups retained up to 90 days

To comply with legal obligations (e.g., accounting/tax once billing exists)
  • Types of personal data: contractual documentation; invoice/billing data (when introduced)
  • Legal basis (GDPR): Legal obligation (Art. 6(1)(c))
  • Retention: as required by applicable law

To establish, exercise, or defend legal claims and enforce terms
  • Types of personal data: relevant account, usage, communications, and contract records
  • Legal basis (GDPR): Legitimate interests (Art. 6(1)(f))
  • Retention: as long as necessary for claims/defence; aligned with our record retention practice

Marketing communications (currently not used)
  • Types of personal data: N/A (currently)
  • Legal basis (GDPR): Consent / soft opt-in (where applicable)
  • Retention: until opt-out/withdrawal (if introduced)

7. Sharing and disclosure

We may share personal data with:

7.1 Service providers (processors)

We use third-party service providers to help us operate the Services, such as:

  • Cloud hosting and infrastructure providers (servers located in Ireland/EU);
  • Email and communications providers (business email and transactional/system email delivery);
  • Analytics and monitoring providers (to understand usage and improve performance);
  • Security, CDN, and DDoS/WAF providers (to protect the Services and users);
  • External AI model providers (to process prompts and generate outputs as described in Section 8).

These providers process personal data on our instructions and are required to protect it.

7.2 Legal and safety disclosures

We may disclose personal data if required by law, regulation, court order, or where necessary to protect our rights, users, and the security of the Services.

8. AI processing and external AI providers

Our application uses external AI providers to:

  • generate answers and drafts from your prompts and uploads; and/or
  • analyse documents you submit.

We take steps to minimise personal data where feasible and may apply anonymisation/pseudonymisation when appropriate. We also configure external AI providers with no-training / no-retention settings where available.

You are responsible for ensuring you have appropriate rights and lawful basis to submit any personal data contained in prompts or documents, particularly where that data relates to third parties.

9. International transfers

We aim to store and process data in the European Economic Area (EEA). Some service providers may process personal data outside the EEA depending on their infrastructure and the nature of the service (for example, certain email delivery, analytics, monitoring, or security services).

Where personal data is transferred internationally, we implement appropriate safeguards, which may include:

  • Standard Contractual Clauses (SCCs);
  • reliance on an adequacy decision where applicable; and/or
  • additional technical and organisational measures.

10. Data retention

We retain personal data only as long as necessary for the purposes described in this Policy, unless a longer period is required by law.

Indicative retention periods:

  • Account data: for the duration of your account, plus 90 days after closure (to support reactivation and continuity).
  • AI interaction data (prompts/uploads/outputs/ratings): for the duration of the service relationship, plus 90 days after termination (to support reactivation and continuity).
  • Server logs: typically 30 days.
  • Backups: retained for up to 90 days; deletion may be delayed until backups rotate.
  • Business communications and contractual records: retained in accordance with our record-keeping needs and legal obligations, and as necessary to establish, exercise, or defend legal claims.
  • Invoice/billing data (if/when applicable): retained as required by applicable accounting and tax laws.

11. Your rights (GDPR)

Subject to applicable law, you may have the right to:

  • access your personal data;
  • rectify inaccurate or incomplete data;
  • erase your personal data;
  • restrict processing;
  • data portability;
  • object to processing (including where based on legitimate interests);
  • withdraw consent (where processing is based on consent).

How to exercise your rights: contact us at dpo@augment.hr.

Identity verification: we may request reasonable information to verify your identity.

Response times: we aim to respond within 30 days; in complex cases we may extend to 60 days where permitted by law. We generally provide information through the same channel your request was received, unless agreed otherwise.

You also have the right to lodge a complaint with a supervisory authority.

12. Cookies

We use cookies and similar technologies to:

  • enable core functionality (e.g., sign-in/session cookies);
  • remember preferences; and
  • run analytics (where enabled).

We provide a cookie preferences tool/banner where you can accept or reject non-essential cookies (such as analytics). You can also manage cookies through your browser settings. Disabling certain cookies may affect functionality.

13. Payments (future)

When we introduce paid plans in the future, payments may be handled by a third-party payment processor. In that case, additional payment-related personal data may be processed (e.g., billing details), and we will update this Policy accordingly.

14. Security

We implement appropriate technical and organisational measures designed to protect personal data, including (as appropriate):

  • encryption in transit and at rest;
  • multi-factor authentication (MFA) for administrative access;
  • segregation of environments and databases;
  • access controls and logging.

We maintain incident response procedures and will notify relevant parties and authorities where required by law.

15. Changes to this Policy

We may update this Policy from time to time. If we make material changes, we will post the updated version and update the "Last updated" date above.

16. Contact

Augment d.o.o.
Roberta Frangeša-Mihanovića 6
10000 Zagreb
Croatia

Email: privacy@augment.hr