Xalerate AB (org.nr 559575-8698, VAT ID SE559575869801), Klaratjärnsgatan 1, 654 63 Karlstad, Sweden, is the data controller for all personal data processed through Just Smarter Eval (the "Service", also referred to as "Just Smarter" in this document). The Service includes the batch evaluation runner at /eval, the multi-model chat interface at /app, and all supporting APIs and dashboards accessible through justsmarter.ai. For privacy inquiries, data-subject-rights requests, or questions about this policy, contact support@justsmarter.ai.
Xalerate AB is not required to appoint a Data Protection Officer under GDPR Art. 37 because our core activities do not involve large-scale regular monitoring or the processing of special categories of data. Privacy inquiries are handled by the company's management.
| Data | Purpose | Retention |
|---|---|---|
| Email address + bcrypt password hash | Authentication | Until account deletion |
| Name (optional) | Display in the UI | Until account deletion |
| Company name, VAT number, billing address, country | Invoicing, VAT compliance | 7 years after the end of the fiscal year of the last invoice (Swedish Bokföringslagen 7 § 2). Account deletion removes the user profile but invoices are retained for this statutory period. |
| Chat history (prompts, AI responses, mode, timestamps) | Conversation feature, so you can access previous chats | Until the user deletes the chat or the account |
| Eval runs (prompts, AI responses, resolved model, token counts, latency, credits, timestamps) and saved datasets (prompt sets + dataset metadata) | Batch evaluation feature, so you can review past runs, re-run saved suites, and export audit artifacts | Until the user deletes the run / dataset or the account |
| Credit balance, usage log, model breakdown | Billing, fair-use enforcement, usage history dashboard | Until account deletion |
| Top-up purchase records | Billing, reconciliation, refunds | 7 years (accounting law — see company/VAT row) |
| Payment card details | Billing via Stripe | We never see your card details; they are collected and stored directly by Stripe, Inc. See stripe.com/privacy. |
| IP address + user-agent string at the moment of consent | Audit trail for consent to the Terms of Service and Privacy Policy — required as proof of consent under GDPR Art. 7(1) | Until account deletion |
| Authentication tokens (refresh, password reset, email verification) | Session management and password/email recovery | Refresh: 30 days; after revocation the token record is kept for a further 7 days so that reuse of a revoked token can be detected (theft detection), then deleted. Reset and verification: up to 24 hours after use or expiry. |
| Server logs (request IDs, user IDs, IP addresses, error messages) | Debugging, security monitoring, incident response | Retained by our hosting provider (Railway) for up to 30 days |
Free accounts that expire — at the end of the 14-day trial window or upon credit exhaustion, whichever comes first — without upgrading to a paid plan are purged 90 days after expiry. The purge cascades across all conversations, eval runs, saved datasets, and credit-usage records linked to the account; only the consent audit log is retained (with IP and user-agent scrubbed) as proof of legal basis under GDPR Art. 7. This 90-day window allows you to upgrade and recover your work. We notify you by email at trial expiry and again seven (7) days before the purge takes effect. The retention limit is pursuant to GDPR Art. 5(1)(e) (storage limitation): we don't keep data past the point where it has a lawful purpose.
We use the following processors. Each has a data processing agreement that meets the requirements of GDPR Art. 28. You can request a copy of any of these DPAs by emailing support@justsmarter.ai.
| Processor | Purpose | Location | DPA / privacy terms |
|---|---|---|---|
| Brain Orchestra (Xalerate AB) | LLM gateway — routes prompts to AI providers | EU (Sweden) | Same data-controller group; no external transfer |
| Anthropic PBC (Claude models) | AI text generation | US — DPF certified | anthropic.com/legal |
| OpenAI LLC (GPT-4o, o3, o4-mini) | AI text generation | US — DPF certified | openai.com/enterprise-privacy |
| Google LLC (Gemini) | AI text generation | US — DPF certified | cloud.google.com/terms/dpa |
| Mistral AI SAS | AI text generation (Mistral, Codestral) | EU (France) | mistral.ai/terms |
| Tavily AI, Inc. | Web search (fact-checking pipeline) — receives only the refined query string, no user identifier | US | Direct processor of Xalerate AB; current terms at tavily.com |
| Serper.dev | Google search results (fact-checking pipeline) — receives only the refined query string, no user identifier | US | Direct processor of Xalerate AB; current terms at serper.dev |
| Stripe, Inc. | Payment processing | US — DPF certified | stripe.com/legal/dpa |
| Resend, Inc. | Transactional email (verification, password reset) | US — DPF certified | resend.com/legal/dpa |
| Railway Corp | Application hosting and Postgres database | EU | railway.com/legal/dpa |
We may add or replace processors from time to time. Material changes will be reflected in an updated version of this policy and notified before taking effect (see §10).
Note on the search-evidence pipeline: Tavily and Serper are contracted directly by Xalerate AB (we hold the API keys), not via Brain Orchestra. They receive only the refined query string for the fact-check pass — no user identifier, no chat history, no email. Brain Orchestra is not in the path for these calls.
Under GDPR and Swedish data protection law you have the following rights. You can exercise most of them directly from Settings; for anything else, email support@justsmarter.ai. We respond within 30 days (extendable by 60 days for complex requests per Art. 12(3)).
We use strictly necessary, httpOnly cookies for authentication (access token + refresh token). No tracking cookies, no analytics cookies, no third-party cookies. Browser localStorage is used only for UI preferences and does not contain personal data. See our Cookie Policy for details.
When you use AI models from US-based providers (Anthropic, OpenAI, Google) or US-based infrastructure providers (Stripe, Resend), your data is transmitted to the United States for processing. Each of these providers is certified under the EU–U.S. Data Privacy Framework (DPF), which the European Commission has recognized as providing an adequate level of data protection under GDPR Art. 45 (Implementing Decision (EU) 2023/1795). As a result, these transfers do not require Standard Contractual Clauses.
When you use Mistral AI models, your prompts are processed within the European Union and no international transfer occurs.
You can restrict all requests to EU-based providers by enabling the "EU only" toggle in the chat settings.
Passwords are hashed with bcrypt (12 rounds). Refresh, password reset, and email verification tokens are SHA-256 hashed before storage. Brain Orchestra API keys you supply are encrypted at rest with AES-256-GCM. All client-to-server connections use TLS 1.2+. The database is hosted on Railway within the EU.
We use PostgreSQL advisory locks to serialize credit deductions and prevent double-spend, and rate-limit authentication endpoints to mitigate credential-stuffing attacks. Stripe webhook signatures are verified before any event is processed.
If we become aware of a personal data breach that affects your data, we will notify the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY) within 72 hours as required by GDPR Art. 33. Where the breach is likely to pose a high risk to your rights and freedoms, we will also notify you directly and explain the steps you can take to protect yourself, per GDPR Art. 34.
We will notify you of material changes and request re-consent where required. Previous versions are retained in our consent audit log and can be requested by email.
For privacy inquiries, data-subject-rights requests, or questions about this policy, contact our privacy team at support@justsmarter.ai. For postal inquiries, use the registered address in §1.
Xalerate AB — org.nr 559575-8698 — VAT ID SE559575869801 — justsmarter.ai