Xalerate AB (org.nr 559575-8698, VAT ID SE559575869801),
Klaratjärnsgatan 1, 654 63 Karlstad, Sweden, is the data controller for all
personal data processed through Just Smarter Eval (the "Service",
also referred to as "Just Smarter" in this document). The Service includes
the batch evaluation runner at /eval, the multi-model chat
interface at /app, and all supporting APIs and dashboards
accessible through justsmarter.ai. For privacy inquiries,
data-subject-rights requests, or questions about this policy, contact
support@justsmarter.ai.
Xalerate AB is not required to appoint a Data Protection Officer under GDPR Art. 37 because our core activities do not involve large-scale regular monitoring or the processing of special categories of data. Privacy inquiries are handled by the company's management.
| Data | Purpose | Retention |
|---|---|---|
| Email address + bcrypt password hash | Authentication | Until account deletion |
| Name (optional) | Display in the UI | Until account deletion |
| Company name, VAT number, billing address, country | Invoicing, VAT compliance | 7 years after the end of the fiscal year of the last invoice (Swedish Bokföringslagen 7 § 2). Account deletion removes the user profile but invoices are retained for this statutory period. |
| Chat history (prompts, AI responses, mode, timestamps) | Conversation feature, so you can access previous chats | Until the user deletes the chat or the account |
| Eval runs (prompts, AI responses, resolved model, token counts, latency, timestamps) and saved datasets (prompt sets + dataset metadata) | Batch evaluation feature, so you can review past runs, re-run saved suites, and export audit artifacts | Until the user deletes the run / dataset or the account |
| Usage records (per-request word/usage counts) | Usage-history dashboard and fair-use enforcement (audit record; not used for billing) | Until account deletion |
| IP address + user-agent string at the moment of consent | Audit trail for consent to the Terms of Service and Privacy Policy — required as proof of consent under GDPR Art. 7(1) | Until account deletion |
| Authentication tokens (refresh, password reset, email verification) | Session management and password/email recovery | Refresh: 30 days, extended by 7 days after revocation for theft-detection, then deleted. Reset and verification: up to 24 hours after use or expiry. |
| Server logs (request IDs, user IDs, IP addresses, error messages) | Debugging, security monitoring, incident response | Retained by our hosting provider (Railway) for up to 30 days |
Just Smarter Eval retains your account data (email address, password hash) and the data you create in the service (conversations, evaluation runs, saved datasets, and per-request usage records) for as long as your account exists. We do not automatically delete or purge inactive accounts. Your data is deleted when you delete your account, or upon a verified erasure request under Article 17 GDPR; deletion cascades across your conversations, evaluation runs, saved datasets, and usage records.
We use the following processors. Each has a data processing agreement that meets the requirements of GDPR Art. 28. You can request a copy of any of these DPAs by emailing support@justsmarter.ai.
| Processor | Purpose | Location | DPA / privacy terms |
|---|---|---|---|
| Brain Orchestra (operated by Xalerate AB, Sweden) | Processor (GDPR Art. 28; the customer is the Controller) — routing and processing of AI-inference content you submit via your connected Brain Orchestra API key | Sweden/EU (Xalerate AB). Inference is processed according to the data-residency tier configured on your Brain Orchestra account — EU-residency tiers process in the EU/EEA; the unrestricted tier may use non-EU providers. | See Brain Orchestra's Data Processing Agreement and subprocessor list. |
| Anthropic PBC (Claude models) | AI text generation | US — DPF certified | anthropic.com/legal |
| OpenAI LLC (GPT-4o, o3, o4-mini) | AI text generation | US — DPF certified | openai.com/enterprise-privacy |
| Google LLC (Gemini) | AI text generation | US — DPF certified | cloud.google.com/terms/dpa |
| Mistral AI SAS | AI text generation (Mistral, Codestral) | EU (France) | mistral.ai/terms |
| Tavily AI, Inc. | Web search (fact-checking pipeline) — receives only the refined query string, no user identifier | US | Direct processor of Xalerate AB; current terms at tavily.com |
| Serper.dev | Google search results (fact-checking pipeline) — receives only the refined query string, no user identifier | US | Direct processor of Xalerate AB; current terms at serper.dev |
| Resend, Inc. | Transactional email (verification, password reset) | US — DPF certified | resend.com/legal/dpa |
| Railway Corp | Application hosting and Postgres database | EU | railway.com/legal/dpa |
We may add or replace processors from time to time. Material changes will be reflected in an updated version of this policy and notified before taking effect (see §10).
Note on the search-evidence pipeline: Tavily and Serper are contracted directly by Xalerate AB (we hold the API keys), not via Brain Orchestra. They receive only the refined query string for the fact-check pass — no user identifier, no chat history, no email. Brain Orchestra is not in the path for these calls.
Under GDPR and Swedish data protection law you have the following rights. You can exercise most of them directly from Settings; for anything else, email support@justsmarter.ai. We respond within 30 days (extendable by 60 days for complex requests per Art. 12(3)).
We use strictly necessary, httpOnly cookies for authentication (access token + refresh token). No tracking cookies, no analytics cookies, no third-party cookies. Browser localStorage is used only for UI preferences and does not contain personal data. See our Cookie Policy for details.
When you use AI models from US-based providers (Anthropic, OpenAI, Google) or US-based infrastructure providers (Resend), your data is transmitted to the United States for processing. Each of these providers is certified under the EU–U.S. Data Privacy Framework (DPF), which the European Commission has recognized as providing an adequate level of data protection under GDPR Art. 45 (Implementing Decision (EU) 2023/1795). As a result, these transfers do not require Standard Contractual Clauses.
When you use Mistral AI models, your prompts are processed within the European Union and no international transfer occurs.
You can restrict all requests to EU-based providers by enabling the "EU only" toggle in the chat settings.
Passwords are hashed with bcrypt (12 rounds). Refresh, password reset, and email verification tokens are SHA-256 hashed before storage. Brain Orchestra API keys you supply are encrypted at rest with AES-256-GCM. All client-to-server connections use TLS 1.2+. The database is hosted on Railway within the EU.
We rate-limit authentication endpoints to mitigate credential-stuffing attacks, and detect refresh-token reuse to mitigate session theft.
If we become aware of a personal data breach that affects your data, we will notify the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY) within 72 hours as required by GDPR Art. 33. Where the breach is likely to pose a high risk to your rights and freedoms, we will also notify you directly and explain the steps you can take to protect yourself, per GDPR Art. 34.
We will notify you of material changes and request re-consent where required. Previous versions are retained in our consent audit log and can be requested by email.
For privacy inquiries, data-subject-rights requests, or questions about this policy, contact our privacy team at support@justsmarter.ai. For postal inquiries, use the registered address in §1.
Xalerate AB — org.nr 559575-8698 — VAT ID SE559575869801 — justsmarter.ai