LinguaChain

Log inSign up

Privacy Policy

Last updated: [EFFECTIVE DATE]

This Privacy Policy explains how PinkRooster (the "controller", "we", "us") processes personal data when you use LinguaChain. It is written to comply with the General Data Protection Regulation (GDPR) and the Dutch UAVG. Effective date: [EFFECTIVE DATE].

1. Controller identity and contact

The data controller is PinkRooster, registered office [REGISTERED ADDRESS].

  • General controller contact: [CONTROLLER CONTACT EMAIL]
  • Privacy-specific inbox (GDPR rights requests): [PRIVACY CONTACT EMAIL]
  • Data Protection Officer: [DPO CONTACT (if applicable)]

2. Data categories collected

We process the following categories of personal data:

  • Account data. Email address, display name, hashed password (via ASP.NET Identity), OAuth provider identifier (for Google or GitHub sign-in), the IsAdmin flag, and your email-verified status.
  • Authentication data. JWT session metadata, the IP address used at login, and associated timestamps.
  • Usage data. Translation source text, translation output, and job metadata such as language pair, timing, token counts, and error logs.
  • Billing data. The BillingTransactions ledger — character deltas, pack names, idempotency keys, and timestamps. We do not store card data; card processing is handled by our payment processor [PAYMENT PROCESSOR].
  • Operational logs. Warning-level and higher events captured in the public."Logs" table, annotated with UserId, RequestPath, and TraceId for diagnostics.

3. Purposes and legal bases

We process personal data for the following purposes and on the following GDPR Article 6 bases:

  • Contract performance — Art. 6(1)(b). Creating and managing your account, delivering translations, processing billing, and providing customer support.
  • Legitimate interests — Art. 6(1)(f). Fraud prevention, abuse detection, security logging, and service improvement. We balance these interests against your rights and restrict processing accordingly.
  • Consent — Art. 6(1)(a). Any future marketing communications would be sent only with your prior consent. We do not currently collect such consent.

4. Sub-processors

We rely on the following sub-processors to deliver the service:

Sub-processorPurposeData processedCountryTransfer basis
[AI PROVIDERS WITH COUNTRY + TRANSFER BASIS]Translation, NLP analysis, quality judgment, summarisationSource text, translation outputs[COUNTRY][SCCs / adequacy]
[HOSTING PROVIDER + COUNTRY + BASIS]Container and database hostingAll data at rest and in transit[COUNTRY][SCCs / adequacy]
[SMTP PROVIDER + COUNTRY + BASIS]Transactional email (verification, password reset, receipts)Email addresses, message bodies[COUNTRY][SCCs / adequacy]
Google LLCOAuth sign-in for users who choose Google; supplies email, name, verified-email flagOAuth identifiers and profile fieldsUnited StatesAdequacy via EU-US Data Privacy Framework
GitHub Inc.OAuth sign-in for users who choose GitHub; supplies account id, email, verified emailOAuth identifiers and profile fieldsUnited StatesAdequacy via EU-US Data Privacy Framework

We update this list when we add or replace a sub-processor.

5. International transfers

Transfers of personal data to sub-processors outside the European Economic Area rely on the transfer basis shown in each row above — either Standard Contractual Clauses (SCCs) approved by the European Commission or an adequacy decision such as the EU-US Data Privacy Framework. Copies of the SCCs are available on request at [PRIVACY CONTACT EMAIL].

6. Retention

  • Completed translation jobs are retained for 30 days, then purged automatically by our cleanup worker.
  • Accounts are retained while active. You can delete your account at any time via /app/profile; on deletion, associated data is removed or anonymised.
  • Billing records are retained in accordance with Dutch tax bookkeeping rules (currently 7 years where applicable), even after account deletion.
  • Operational logs are rotated according to our retention policy and are not kept longer than necessary for security and diagnostics.

7. Your rights (GDPR Articles 15–22)

You have the following rights regarding your personal data:

  • Access (Art. 15). Obtain a copy of the personal data we hold about you.
  • Rectification (Art. 16). Correct inaccurate or incomplete data.
  • Erasure (Art. 17). Request deletion where the legal conditions are met.
  • Restriction (Art. 18). Ask us to pause processing in specified cases.
  • Portability (Art. 20). Receive your data in a structured, commonly used, machine-readable format.
  • Objection (Art. 21). Object to processing based on legitimate interests.
  • Automated decisions (Art. 22). Not be subject to decisions based solely on automated processing that produce legal or similarly significant effects; see section 10.

To exercise a right, email [PRIVACY CONTACT EMAIL]. We respond within 30 days. If you are unsatisfied with our handling, you can lodge a complaint with the Dutch supervisory authority, Autoriteit Persoonsgegevens (https://autoriteitpersoonsgegevens.nl).

8. Security measures

We apply industry-standard technical and organisational measures, including:

  • TLS encryption for all data in transit;
  • Password hashing via ASP.NET Identity;
  • AI-provider API keys encrypted at rest through ApiKeyProtector using ASP.NET Data Protection, with the keyring persisted on a dedicated volume;
  • Support for JWT rotation and revocation;
  • An audit trail in the Logs table for warning-level and higher events;
  • Admin endpoints gated by a server-side IsAdmin claim check, separate from end-user scopes.

No system is perfectly secure, but we continually review and improve these measures.

9. Cookies

We use one strictly-necessary session cookie for authentication. It is essential for the service to function and does not track you across other sites.

We do not use third-party analytics, advertising, or tracking cookies in v1 of the service. If this changes, we will give 30 days' notice and introduce a cookie-consent banner before any non-essential cookies are set.

10. Automated decision-making

Translation and quality scoring are performed by AI models, so they are "automated" in the technical sense, but they are advisory only. They do not produce decisions that have legal effects on you or that significantly affect you in a similar way. A human — you — decides how to use the output.

11. Changes and contact

We may update this Privacy Policy. Material changes will be communicated at least 30 days in advance via an in-app banner and an email to the address on file.

For any privacy question or to exercise your rights, contact [PRIVACY CONTACT EMAIL].