Privacy Policy

Last updated: March 2026

1. Data Controller

The data controller for the purposes of the General Data Protection Regulation (GDPR) and applicable data protection laws is:

Silicon Psyche Labs
-
Europe
Contact: -@splabs.io

2. Personal Data We Collect

We collect and process the following categories of personal data:

2.1 Account data

Email address and hashed password when you register. We use this to authenticate you and manage your account.

2.2 Analysis data

Text you submit for behavioral analysis, the computed metrics, z-scores, alert levels, and session metadata. This data is stored linked to your account to provide session history, baseline computations, and the forensic ledger functionality.

2.3 Payment data

Payment processing is handled entirely by Stripe, Inc. We store only your Stripe customer ID and subscription status. We never receive, process, or store credit card numbers, bank account details, or other financial instrument data.

2.4 Technical data

API request timestamps and counts for rate-limiting and billing. Server logs may temporarily contain IP addresses for security monitoring; these are automatically purged after 30 days.

3. Legal Basis for Processing (GDPR Art. 6)

We process your personal data on the following legal bases:

  • Contract performance (Art. 6(1)(b)): processing account data and analysis data is necessary to provide the ACT service you signed up for.
  • Legitimate interest (Art. 6(1)(f)): server logs and rate-limiting data for security, fraud prevention, and service reliability.
  • Consent (Art. 6(1)(a)): where we send non-essential communications or use optional cookies beyond the strictly necessary authentication cookie. You can withdraw consent at any time.
  • Legal obligation (Art. 6(1)(c)): where we are required by law to retain or disclose data.

4. How We Use Your Data

  • Provide and operate the behavioral analysis service
  • Compute personalized baselines from your analysis history
  • Maintain the forensic ledger (SIGTRACK) for your sessions
  • Send account-related transactional emails (welcome, password reset, usage alerts)
  • Enforce plan limits, rate-limiting, and billing
  • Detect and prevent abuse, fraud, and security incidents

5. Data Sharing and Third-Party Processors

We do not sell your personal data. We do not share your data with third parties for marketing purposes. We use the following sub-processors:

Processor          Purpose                Location
Stripe, Inc.       Payment processing     USA (EU SCCs in place)
Resend             Transactional emails   USA (EU SCCs in place)
Hosting provider   Infrastructure         EU

We may also disclose data when required by law, court order, or to protect our legal rights.

6. International Data Transfers

Where personal data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place as required by GDPR Chapter V, including Standard Contractual Clauses (SCCs) approved by the European Commission.

7. Data Retention

  • Account data: retained for the lifetime of your account. Deleted within 30 days of account deletion.
  • Analysis data and sessions: retained for the lifetime of your account. You can delete individual sessions from your dashboard at any time.
  • Forensic ledger entries: retained as part of your session data. Deleted when the associated session or account is deleted.
  • Server logs (IP addresses): automatically purged after 30 days.
  • Payment records: retained as required by tax and accounting regulations (typically 10 years).

8. Security Measures

  • Passwords are hashed with bcrypt, which generates a unique random salt for every password
  • API keys are stored only as SHA-256 hashes, so the original key cannot be recovered from what we store
  • All traffic is encrypted in transit with TLS 1.2 or newer
  • Authentication cookies are set with the httpOnly, Secure, and SameSite attributes
  • Database access is restricted to application services only

9. Cookies

We use a single strictly necessary httpOnly cookie (act_token) for authentication. We do not use tracking, analytics, or advertising cookies. For full details, see our Cookie Policy.

10. Your Rights Under GDPR

If you are located in the European Economic Area, you have the following rights under GDPR:

  • Right of access (Art. 15): request a copy of all personal data we hold about you.
  • Right to rectification (Art. 16): request correction of inaccurate personal data.
  • Right to erasure (Art. 17): request deletion of your personal data ("right to be forgotten").
  • Right to restriction (Art. 18): request that we limit processing of your data.
  • Right to data portability (Art. 20): receive your data in a structured, machine-readable format.
  • Right to object (Art. 21): object to processing based on legitimate interest.
  • Right to withdraw consent (Art. 7(3)): withdraw consent at any time where processing is based on consent.

To exercise any of these rights, contact us at g.canale@cpf3.org. We will respond without undue delay and in any event within one month of receiving your request, as required by GDPR Art. 12(3).

11. Right to Lodge a Complaint

If you believe that your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority. For Italy, the competent authority is the Garante per la protezione dei dati personali (www.garanteprivacy.it).

12. Children's Privacy

ACT is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us immediately.

13. Changes to This Policy

We may update this privacy policy from time to time. Material changes will be communicated via email to registered users at least 30 days before taking effect. The "last updated" date at the top of this page indicates when the policy was last revised.

14. Contact

For any questions regarding this privacy policy or your personal data, contact:

-
-@splabs.io
Silicon Psyche Labs