Privacy Policy

Last Updated: December 31, 2025

Effective Date: December 31, 2025

1. Introduction

Welcome to Vicaya ("we," "our," or "us"). We are committed to protecting your personal data and respecting your privacy rights under the European Union's General Data Protection Regulation (GDPR) and other applicable data protection laws.

This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our multi-LLM consensus platform available at:

vicaya.eu (main European site)
vicaya.app (international)
vicaya.nl (Netherlands localized)

2. Data Controller

Data Controller: globeone
Email: [contact email to be added]
Location: European Union

For any questions regarding this Privacy Policy or your personal data, please contact us at the email address above.

3. Information We Collect

3.1 Information You Provide

Account Information:

Username
Email address
Password (encrypted)
Display preferences (theme, language)
User location (optional, for service optimization)

API Keys:

Third-party LLM provider API keys (OpenAI, Anthropic, Google, xAI)
These are encrypted using Fernet encryption before storage
We cannot access the plaintext of your API keys

Query Data:

Text queries you submit to the LLM council
Query timestamps
Selected LLM providers
Query history

3.2 Automatically Collected Information

Technical Data:

IP address
Browser type and version
Device information
Operating system
Access times and dates
Pages visited and features used

Cookies and Similar Technologies:

Session cookies (essential for authentication)
Preference cookies (theme, language settings)
See our Cookie Policy for detailed information

4. Legal Basis for Processing

We process your personal data under the following legal bases as defined by GDPR Article 6(1):

Contractual Necessity (Article 6(1)(b)): User account creation, providing LLM consensus services, processing your queries
Legitimate Interests (Article 6(1)(f)): Service improvement, security monitoring, fraud prevention, technical troubleshooting
Consent (Article 6(1)(a)): Marketing communications (if you opt in), optional analytics cookies
Legal Obligation (Article 6(1)(c)): Compliance with EU data protection laws, responding to legal requests

5. How We Use Your Information

We use your personal data for:

Service Provision: Authentication, query processing, consensus generation, history management
Service Improvement: Performance optimization, feature development, bug fixes
Security: Fraud prevention, rate limiting (100 queries/hour), prompt injection protection
Communication: Service notifications, security alerts, response to inquiries

7. Data Retention

Data Type	Retention Period	Reason
Account Information	Until account deletion + 30 days	Account management, legal compliance
API Keys	Until you delete them or close account	Service provision
Query History	90 days or until deletion	User convenience, service improvement
Access Logs	14 days	Security, troubleshooting

Note: You can delete your query history at any time from your account settings.

8. Your Rights Under GDPR

As a data subject in the European Union, you have the following rights:

Right of Access (Article 15): Request a copy of your personal data
Right to Rectification (Article 16): Correct inaccurate or incomplete personal data
Right to Erasure (Article 17): Request deletion of your personal data ("Right to be Forgotten")
Right to Restriction (Article 18): Request restriction of processing
Right to Data Portability (Article 20): Receive your data in machine-readable format (JSON)
Right to Object (Article 21): Object to processing based on legitimate interests
Right to Withdraw Consent: Withdraw consent at any time
Right to Lodge a Complaint: File a complaint with a supervisory authority

Netherlands Supervisory Authority:
Autoriteit Persoonsgegevens
Website: https://autoriteitpersoonsgegevens.nl/

9. Exercising Your Rights

To exercise any of your rights, please:

Email us at [contact email to be added]
Include your username and registered email address
Specify which right(s) you wish to exercise
Provide necessary verification information

We will respond within 30 days as required by GDPR Article 12(3).

10. International Data Transfers

Primary Data Location: European Union (Netherlands-based VPS)

Transfers to Third Countries:

When you use third-party LLM providers based outside the EU, your query text is transferred to the United States.

Safeguards: Standard Contractual Clauses (SCCs), Privacy Shield (where applicable)

Your Control: You provide explicit consent by selecting these providers.

11. Data Security

We implement appropriate technical and organizational measures:

Encryption in Transit: HTTPS/TLS for all connections
Encryption at Rest: API keys encrypted using Fernet encryption
Encrypted Credentials: systemd-creds for server-side secrets
Secure Authentication: Password hashing using Django's PBKDF2 algorithm
Rate Limiting: Protection against brute force attacks
Prompt Injection Protection: Security validation of all queries

12. Children's Privacy

Vicaya is not intended for children under 16 years of age. We do not knowingly collect personal data from children. If you are a parent or guardian and believe your child has provided us with personal data, please contact us immediately.

13. Cookies and Tracking Technologies

We use cookies and similar technologies. See our separate Cookie Policy for detailed information about:

Types of cookies we use
Purpose of each cookie
How to manage cookie preferences

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email (30 days advance notice). Continued use after changes constitutes acceptance.

Version History:

v1.0 - December 31, 2025 - Initial policy

15. Contact Information

For any privacy-related questions or concerns:

Email: [contact email to be added]
Website: https://vicaya.eu
GitHub: https://github.com/globeone/Vicaya