Effective Date: 19th March 2025 Data Controller: Tommy Pengelly Email: hello@pikel.co Note: As a solo developer, I do not maintain a public office address. Please reach out via email with any data protection concerns or requests. At Pikel (“we,” “us,” “our”), your privacy is important to us. This Privacy Policy explains how we collect, use, protect, and process personal data across our products—including WhatsKey and DARA (Decision and Adaptive Reasoning Architecture)—and the broader Pikel platform. It also outlines your rights and how to contact us if you have questions or concerns about your data. 1. Scope This Privacy Policy applies to all users of our websites, browser extensions, applications, and services (collectively, the “Services”), regardless of how you access or use them. By using our Services, you acknowledge that you have read and understood this Privacy Policy. 2. Data We Collect Extension Use (WhatsKey): - Metadata: Document metadata such as type, use case, tags, and auditing rules. - Hashed URLs: Hashed versions of document URLs to assist with session tracking. Platform Use (Pikel Platform): - User-Generated Content: Highlights, comments, feedback, and audit logs. - Interaction Data: Records of when you interact with certain platform features. Account & Personal Data: - Account Information: Name, email address, login credentials, etc. - Device/Browser & IP: For security and session tracking. - Communications: Correspondence, support tickets, or feedback submitted by you. We distinguish between personal data and document-related metadata. Document data is either anonymized or pseudonymized when used for internal analytics and model improvement, and is never re-identified or used for marketing. 3. Purposes & Legal Bases for Processing Providing Core Services - Purpose: Enabling inline auditing, highlighting, compliance checks, account functionality. - Legal Basis: Contractual necessity (Article 6(1)(b) GDPR). Improving & Training Systems - Purpose: Training our AI models and improving services, using anonymized or pseudonymized metadata. - Legal Basis: Legitimate interest (Article 6(1)(f) GDPR) or consent if required. Personalization & Session Tracking - Purpose: Personalizing your experience and maintaining session continuity. - Legal Basis: Legitimate interest (Article 6(1)(f) GDPR), or contractual necessity if tied to account services. Communications & Updates - Purpose: Sending product updates, support messages, newsletters (where applicable). - Legal Basis: Legitimate interest (Article 6(1)(f) GDPR) for transactional emails; consent (Article 6(1)(a) GDPR) for marketing where required by law. Security & Fraud Prevention - Purpose: Monitoring for suspicious activities, enforcing platform rules. - Legal Basis: Legitimate interest (Article 6(1)(f) GDPR). 4. How We Use and Protect Your Data - Anonymization: All document metadata used for system training or improvement is anonymized and stripped of personally identifiable information wherever feasible. We do not re-identify anonymized data or use it for profiling individuals. - Data Security: We follow industry-standard practices (e.g., encryption, firewalls) to protect data in transit and at rest. However, no method of transmission is 100% secure, and we cannot guarantee absolute security. 5. Data Retention - Retention Periods: We keep personal and document data only as long as necessary for the purposes described above, or as required by law or legitimate business needs. - Criteria for Retention: We consider factors such as the nature and sensitivity of the data, the potential risk of harm from unauthorized use or disclosure, and applicable legal obligations. - Deletion Requests: Upon request, we will delete or anonymize your data in accordance with applicable law, subject to any legal retention requirements. 6. Third-Party Disclosures - Service Providers: We do not sell your personal data. We may share data with third-party providers for infrastructure, analytics, and support (e.g., hosting, customer service tools), strictly under contractual obligations to protect your data. - Legal Requirements: We may disclose data if required by law, court order, or to protect our rights. 7. International Transfers - Global Operations: If your data is processed outside the EU or your local jurisdiction, we implement safeguards (e.g., Standard Contractual Clauses, adequacy decisions, or equivalent) to ensure an adequate level of protection. - Contact for Details: You can request more information about these safeguards by contacting us (see Section 11 below). 8. Cookies & Tracking - Current Use: We do not currently use cookies on our Services. - Future Use: If we introduce cookies or similar tracking technologies later, we will update this policy and request consent where required by law (e.g., EU ePrivacy Directive/GDPR). - Control Mechanisms: You can manage cookies in your browser settings or through consent banners if implemented. 9. Your Rights Under GDPR & Applicable Laws Subject to local laws, you have the following rights regarding your personal data: - Right of Access: Obtain a copy of your personal data. - Right to Rectification: Correct incomplete or inaccurate data. - Right to Erasure (“Right to be Forgotten”): Request deletion of data under certain circumstances. - Right to Restrict Processing: Limit processing if data is inaccurate, unlawful, or no longer needed. - Right to Data Portability: Receive data in a structured, commonly used, machine-readable format. - Right to Object: Object to processing carried out under legitimate interests or to direct marketing. - Right to Withdraw Consent: Any consent-based processing can be withdrawn at any time without affecting the lawfulness of processing prior to withdrawal. - Right to Lodge a Complaint: You can lodge a complaint with your local data protection authority or relevant supervisory authority if you believe your rights are being infringed. 10. Children’s Privacy Our Services are not directed at children under the age of [13/16, depending on jurisdiction]. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, please contact us so we can delete it. 11. Contact Us For questions about this Privacy Policy, to exercise your rights, or to request more details about international transfers, please contact us at: Tommy Pengelly Email: hello@pikel.co Note: As an individual developer, I do not maintain a public office address. Please contact me by email with any privacy-related questions or requests, including those under GDPR. Last Updated: 19th March 2025