Privacy Policy
Effective Date: July 07, 2025 | Last Updated: July 16, 2025
Key Privacy Features
- 100% self-hosted – All data stays on our servers
- Open source stack – Transparent, auditable technology
- End-to-end encryption – Your data is always protected
- No third-party access – We don’t share your data
- GDPR compliant – Highest privacy standards
Company Information
WAYSCloud AS
Universitetsgata 2, 0164 Oslo
Organization Number: 833735462
Postal Address: PO Box 2075 Vika, 0125 Oslo, Norway
Contact: gdpr@wayscloud.net | +47 22 25 80 00
Scope: This policy applies to individual users of Cinclus AI. Business customers using our API services are governed by separate data processing agreements where WAYSCloud AS acts as data processor.
1. Introduction
This Privacy Policy describes how WAYSCloud AS («we,» «us,» or «our») collects, uses, and protects your personal information when you use Cinclus AI services (accessible at cinclus.ai and chat.cinclus.ai) («Service»).
Our commitment to privacy is built on open source principles and complete self-hosting – we maintain full control over your data using transparent, auditable technologies.
2. Information We Collect
2.1 Information You Provide Directly
Account Registration
- Email address – Required for account creation and communication
- Mobile number – Used for account security and verification
- Name (First and Last) – For account identification
- Country – For service localization and compliance
Service Usage
- Uploaded documents – Files uploaded for knowledge base integration
- Supported formats: PDF, Word (doc/docx), Excel (xls/xlsx), PowerPoint (ppt/pptx), plain text, Markdown, XML, EPUB, and more
- Documents are processed and stored encrypted for RAG functionality
- Document embeddings – Vector representations of your documents for semantic search
- Text inputs – Prompts and queries submitted to the AI service
- Chat conversations – Conversation history with AI models
- Knowledge bases – Collections of documents organized for retrieval
- Support communications – Information provided when contacting customer support
2.2 Information Collected Automatically
Technical Information
- Anonymized IP address – For security and geographic statistics
- Device information – Browser type, operating system, screen resolution
- Access logs – Time stamps, pages visited, features used
- Performance data – Response times, error rates, usage patterns
Analytics Data
We use privacy-focused, self-hosted analytics solutions:
- Usage statistics – Feature adoption, user flow patterns
- Performance metrics – Load times, error frequencies
- Demographic data – General geographic regions (country-level)
- All analytics anonymized – No personal identifiers collected
- Self-hosted solution – Analytics data never leaves our infrastructure
See section 2.3 for detailed cookie information.
2.3 Cookie Information
We use minimal cookies essential for service operation:
Essential Cookies
- Session management – Maintaining your login state
- Security tokens – CSRF protection and request validation
- User preferences – Language settings, UI preferences
Analytics Cookies (Self-hosted)
- Visitor tracking – Anonymized visitor identification
- Session tracking – Session management with automatic timeout
- No third-party cookies – All analytics handled internally
All analytics data is anonymized and cannot identify individual users.
2.4 Content Safety Measures
For child safety and legal compliance, we implement:
- Hash-based CSAM detection – Images are checked against known illegal content databases
- Automated content filtering – Detection of potentially harmful or illegal content
- No storage of flagged content – Only hash values and metadata retained for safety purposes
2.5 Important Note on Document Storage
Unlike temporary file uploads for immediate processing, documents uploaded to knowledge bases are permanently stored (in encrypted format) to enable the RAG functionality. You maintain full control to delete these documents at any time through the service interface.
3. How We Use Your Information
3.1 Service Provision
Legal Basis: Contract Performance – GDPR Art. 6(1)(b)
- Providing access to AI models and features
- Processing your requests and generating responses
- Managing your user account and preferences
- Enabling core service functionality
3.2 Service Improvement
Legal Basis: Legitimate Interest – GDPR Art. 6(1)(f)
- Analyzing anonymized usage patterns
- Identifying and fixing technical issues
- Developing new features based on user needs
- Optimizing model performance and accuracy
3.3 Security and Compliance
Legal Basis: Legal Obligation & Legitimate Interest – GDPR Art. 6(1)(c) & (f)
- Preventing fraud and unauthorized access
- Detecting and preventing illegal content (CSAM)
- Complying with applicable laws and regulations
- Protecting our infrastructure and users
3.4 Communication
Legal Basis: Contract Performance & Legitimate Interest – GDPR Art. 6(1)(b) & (f)
- Sending service-related notifications
- Responding to support requests
- Informing about important updates or changes
- Technical alerts and security notices
4. Data Sharing and Disclosure
We maintain a strict policy on data sharing to protect your privacy.
4.1 We Do Not Sell Your Data
We never sell, rent, or trade your personal information to third parties.
4.2 Limited Sharing Scenarios
Infrastructure Partners
As a fully self-hosted solution, we minimize external dependencies. We only work with:
- Data center providers – Physical infrastructure in European locations
- Network providers – Internet connectivity and DDoS protection
- Hardware vendors – Server and storage equipment
- Communication infrastructure – Self-hosted email servers for notifications
These partners:
- Have no access to your data
- Are bound by strict confidentiality agreements
- Provide only infrastructure services
Legal Requirements
We may disclose information only when legally required:
- Court orders – Valid legal proceedings
- Law enforcement – With proper authorization
- Child safety – CSAM detection obligations
- Public safety – National security requirements
All requests are carefully evaluated for legal validity. We notify users of disclosure requests where legally permitted.
4.3 Data Localization and Control
- Self-hosted infrastructure – All services run on WAYSCloud’s own servers
- European data centers – All processing within WAYSCloud’s isolated European infrastructure
- No third-party dependencies – Complete independence from external cloud providers
- GDPR compliance – Full adherence to European data protection standards
- No international transfers – Your data never leaves the European Economic Area
5. Data Retention
Our retention policies balance service functionality with privacy protection.
5.1 Retention Periods
| Data Type | Retention Period | Reason |
|---|---|---|
| Account information | Duration of account + 30 days | Service provision |
| Uploaded documents | Stored permanently in encrypted format | Knowledge base functionality |
| Document embeddings | Stored permanently in encrypted vector database | RAG search capability |
| Chat conversations | Stored in encrypted database | Conversation history and context |
| Activity logs | 90 days | Security and debugging |
| Analytics data | 24 months (anonymized) | Service improvement |
| Support tickets | 2 years | Customer service quality |
| Legal compliance data | As required by law | Legal obligations |
5.2 Data Storage Architecture
- Open source foundation – All components built on enterprise-grade open source technologies
- Self-hosted infrastructure – Complete control with all data stored on WAYSCloud’s own servers
- Encrypted databases – All user data, chat history, and document metadata encrypted at rest
- Vector storage – Document embeddings stored in encrypted vector databases for semantic search
- Document storage – Uploaded files stored with encryption
- Multi-layer encryption – AES-256 encryption applied at multiple levels
5.3 Deletion Practices
- Account deletion removes all associated data within 30 days
- Individual documents can be deleted from knowledge bases
- Chat history can be cleared by user
- Automated cleanup of temporary processing data
- Secure overwriting of deleted data
6. Your Rights Under GDPR
6.1 Access Rights
- Request a copy of your personal data
- Receive information about how we process your data
- Obtain details about data sharing and retention
6.2 Control Rights
- Rectification – Correct inaccurate or incomplete data
- Erasure – Request deletion of your data («right to be forgotten»)
- Restriction – Limit how we process your data
- Portability – Receive your data in a portable format
- Objection – Object to certain processing activities
6.3 How to Exercise Your Rights
- Self-service – Access account settings for immediate changes
- Email request – Contact gdpr@wayscloud.net with your request
- Response time – We respond within 30 days of receipt
- Verification – We may request identity verification for security
6.4 Data Control Features
You have direct control over your data through the service interface:
- Document management – Upload, organize, and delete documents in knowledge bases
- Chat history – View and delete conversation history
- Knowledge base control – Create, modify, and delete entire knowledge bases
- Export capabilities – Download your data in portable formats
- Immediate effect – Deletions take effect immediately in the service
6.5 Complaints
If you’re unsatisfied with our response, you may lodge a complaint with:
- The Norwegian Data Protection Authority (Datatilsynet)
- Your local supervisory authority
7. Data Security
7.1 Open Source and Self-Hosting Philosophy
- 100% open source – All components built on auditable open source technologies
- Complete self-hosting – No reliance on third-party cloud services
- Full control – WAYSCloud maintains complete control over all infrastructure
- Transparency – Open source enables security audits and verification
- No vendor lock-in – Your data remains portable and under your control
- Best-in-class selection – We choose the most secure and reliable open source components
7.2 Technical Measures
- Encryption – TLS 1.3 for data in transit, AES-256 for data at rest
- Database encryption – All databases encrypted with industry-standard algorithms
- Access controls – Multi-factor authentication, role-based permissions
- Network security – Firewalls, intrusion detection, DDoS protection
- Infrastructure – Isolated environments within WAYSCloud’s European data centers
- Key management – Secure key storage and rotation procedures
- Open source security – Regular security audits of all open source components
7.3 Organizational Measures
- Staff training – Regular privacy and security awareness programs
- Access limitations – Principle of least privilege
- Incident response – 24/7 monitoring and rapid response procedures
- Vendor management – Security assessments of all subprocessors
7.4 Compliance
- ISO 27001 principles applied
- GDPR full compliance
- Regular audits – Internal and external security assessments
- Penetration testing – Annual third-party security testing
8. Children’s Privacy
- Age restriction – Service not intended for users under 16
- No targeted collection – We don’t knowingly collect children’s data
- Parental rights – Parents may request deletion of their child’s data
- CSAM protection – Active measures to prevent illegal content
9. AI-Specific Considerations
9.1 Model Training
- Your data is NEVER used to train AI models
- We use pre-trained models from reputable providers
- No learning or adaptation based on individual usage
9.2 Retrieval-Augmented Generation (RAG)
Our service uses RAG technology to enhance AI responses with your documents:
- Document processing – Uploaded documents are converted to vector embeddings
- Secure storage – Embeddings stored in encrypted vector databases
- Semantic search – AI retrieves relevant document sections to answer queries
- Source attribution – Responses include references to source documents
- User control – You can add/remove documents from your knowledge bases at any time
- Open source technology – Built entirely on open source components hosted on our infrastructure
9.3 Data Usage in AI Context
- Document embeddings – Mathematical representations that capture semantic meaning
- No raw text storage in vectors – Only numerical representations stored
- Encrypted storage – All databases encrypted at rest
- Isolated processing – Each user’s data processed in isolation
- No cross-user learning – Your documents never influence other users’ results
9.4 Processing Transparency
- All AI processing occurs on WAYSCloud’s European infrastructure
- No third-party AI services have access to your data
- Clear indication when AI is generating responses
- Ability to trace responses back to source documents
9.5 Content Moderation
- Automated safety filters for harmful content
- Human review available for contested decisions
- Transparent appeals process
10. International Users
While our service is globally accessible:
- Data protection follows GDPR standards (highest global standard)
- All processing remains within European data centers
- No data leaves the European Economic Area
- Local laws may provide additional rights
- Service availability may vary by jurisdiction
11. Changes to This Policy
11.1 Update Notifications
- Material changes notified via email and service announcements
- 30-day notice period for significant changes
- Version history maintained for transparency
11.2 Continued Use
Using our service after policy updates constitutes acceptance of changes.
12. Contact Information
12.1 Data Protection Queries
Email: gdpr@wayscloud.net
Phone: +47 22 25 80 00
Mail: WAYSCloud AS, PO Box 2075 Vika, 0125 Oslo, Norway
12.2 Response Commitment
- Acknowledgment within 48 hours
- Full response within 30 days
- Language support: Norwegian, English
12.3 Data Protection Officer
For complex privacy matters, our DPO can be reached at dpo@wayscloud.net
Document Control
Version: 4.0
Next Review: August 1, 2025
