Privacy Policy

Last updated: April 22, 2026

Conclavik is a closed-access analytical tool operated by Altanest SAS, a company registered in France. This policy describes how we collect, use, and protect your personal data when you, as an existing authorised user, use the Conclavik service (conclavik.com and its API).

1. Data We Collect

  • Account data: email address and authentication profile (managed by Clerk SSO), API key.
  • Usage data: questions submitted to the API, model selections, timestamps, and run consumption.
  • Payment data: processed by Stripe. We do not store credit card numbers. We store Stripe customer IDs and transaction records.
  • Technical data: IP addresses in server logs (retained for 30 days), request metadata.
  • Cryptographic attestation records: for each completed analysis, we retain SHA-256 content hashes, Ed25519 digital signatures, processing parameters (model versions, engine version, process type), panel agreement scores, timestamps, and cost metadata. These records contain no question text, analysis content, or personally identifiable information. They are retained indefinitely to support your compliance and audit requirements.

2. Legal Basis for Processing

Under the EU General Data Protection Regulation (GDPR), we process your personal data on the following legal bases:

  • Contractual necessity (Art. 6(1)(b)): processing your account data, API usage, and payments is necessary to provide the service you requested.
  • Legitimate interest (Art. 6(1)(f)): processing technical data (IP addresses, request metadata) for security, fraud prevention, and service improvement.
  • Legal obligation (Art. 6(1)(c)): retaining transaction records as required by French tax and commercial law.

3. How We Use Your Data

  • To provide and operate the Conclavik API service.
  • To process payments and manage your account balance.
  • To detect abuse, prevent fraud, and maintain security.
  • To improve our service and fix issues.

We do not sell your personal data. We do not use your submitted questions to train AI models. Questions are processed by third-party AI providers (Anthropic, OpenAI, Google, xAI) according to their respective API terms of service.

4. Data Retention & Deletion

Account data is retained as long as your account is active. You have full control over your data:

  • Delete individual runs: remove any analysis run and its results from your dashboard at any time.
  • Delete your account: permanently erase your account, all runs, results, and uploaded documents via the dashboard ("Danger Zone"). A verification code is sent to your email for confirmation. Billing records (amounts, dates, and transaction IDs) are anonymized and retained for 10 years as required by French commercial law (Code de commerce, Art. L123-22).
  • Automatic purge: all completed analysis data is automatically purged after 90 days by default. Ephemeral jobs are purged immediately after retrieval.

Deleted data is permanently removed from our servers and cannot be recovered. Server logs (containing IP addresses) are retained for 30 days for security purposes. Cryptographic attestation records, which contain only content hashes, processing parameters, and digital signatures (no question text or analysis content), are retained indefinitely to support compliance verification, even after content deletion.

5. Third-Party Processors

We share data with the following third-party processors, each bound by data processing agreements:

  • Clerk (authentication): manages user sign-in, session tokens, and OAuth flows.
  • Stripe (payments): stripe.com/privacy
  • Anthropic, OpenAI, Google, xAI (AI model providers): questions are sent to these providers for processing via their APIs.
  • Hetzner (hosting): servers located in Germany (EU).
  • Resend Inc., transactional email delivery (analysis report notifications).
  • DuckDuckGo and Microsoft Bing, web search providers, activated only when you enable the web search option for an analysis. Derived search queries (not your full question) are sent to these services.

5a. Use of AI Service Providers

When you submit a query, Conclavik transmits the question text and routing parameters to four large language model providers under their paid commercial API tiers: Anthropic, OpenAI, Google, and xAI (all United States). We do not transmit your account email, payment data, or other directly identifying information to these providers. Where your query itself contains personal data, that content is transmitted as part of the prompt; you are responsible for the content you submit.

Anthropic, OpenAI, and Google contractually do not train models on customer API content under their commercial terms. xAI's published Grok API terms do not contain an explicit no-training commitment; we rely on the absence of identifying information in standard query bodies and monitor changes to its terms.

The Customer is the data controller for any personal data submitted within queries. Conclavik acts as data processor with respect to such input data, processing it solely to execute the requested multi-model analysis. Conclavik acts as data controller for system data (account information, billing records, request logs).

6. International Data Transfers

Your account data and analysis results are stored on servers in Germany (EU). Question content is transmitted to AI providers whose servers are located in the United States; these transfers rely on the Standard Contractual Clauses (SCCs) and equivalent safeguards under GDPR Art. 46 incorporated in each provider's commercial terms.

7. Your Rights (GDPR)

Under the EU General Data Protection Regulation, you have the right to:

  • Access your personal data.
  • Rectify inaccurate data.
  • Request deletion of your data.
  • Export your data in a portable format.
  • Object to or restrict processing.

To exercise any of these rights, contact us at the address below.

You also have the right to lodge a complaint with the Commission Nationale de l'Informatique et des Libertés (CNIL), the French data protection authority, at cnil.fr, or with any other competent EU supervisory authority.

8. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the CNIL within 72 hours of becoming aware of the breach, as required by GDPR Art. 33. If the breach is likely to result in a high risk to you, we will also notify you directly without undue delay (GDPR Art. 34), describing the nature of the breach, its likely consequences, and the measures taken to address it.

9. Automated Decision-Making

Conclavik does not make automated decisions that produce legal effects or similarly significantly affect you (GDPR Art. 22). The AI analysis outputs are informational tools provided for your consideration; they do not constitute binding decisions, and no automated profiling of users is performed.

10. Security

Authentication is managed by Clerk SSO. All traffic is encrypted via TLS (HTTPS). API keys are generated with cryptographically secure random generators. Sensitive data is encrypted at rest with AES-256. API endpoints are protected by rate limiting to prevent abuse. Access to infrastructure is restricted to authorized personnel only.

11. Cookies & Analytics

Clerk SSO sets a small number of strictly necessary cookies required to maintain your authenticated session; under Article 82 of the French Data Protection Act and CNIL guidance, these are exempt from prior consent. We do not use advertising or third-party tracking cookies. For audience measurement we run a self-hosted Umami instance which does not set cookies, does not fingerprint users, and stores no IP addresses (only a hashed country-level signal).

12. Minors

Conclavik is not directed at children and is intended for users aged 18 and over. We do not knowingly collect personal data from children under 16 (the age of digital consent in France under Article 8 GDPR / Art. 45 LIL). If you believe we have done so, contact contact@conclavik.com for deletion.

13. Contact

Altanest SAS
SIREN: 877 916 916 · TVA: FR67 877 916 916
20 Rue Guillaume Fichet, 74000 Annecy, France
Email: contact@conclavik.com