Privacy Policy

1. Who we are

Modellot is operated by the company Modellot AB, registered in Sweden. We provide a data governance platform accessible at modellot.com.

For all privacy-related matters contact us at privacy@modellot.com.

2. What data we collect

• Account data — full name, email address, company name, country, and team size provided at registration.
• Authentication data — hashed passwords and session tokens. We never store passwords in plain text.
• Usage data — business models, data contracts, and configurations you create within the platform.
• Technical data — IP address, browser type, and session identifiers collected automatically.
• Communication data — emails you send to us, including support requests.
• Waitlist data — email address provided when joining our pre-launch waitlist.

We do not collect sensitive personal data as defined under GDPR Article 9, and we do not use your data for automated decision-making or profiling.

3. How we use your data

• Contract performance (Art. 6(1)(b)) — to provide the Modellot platform and deliver the services you have subscribed to.
• Legitimate interests (Art. 6(1)(f)) — to improve the platform, prevent fraud, and ensure security.
• Consent (Art. 6(1)(a)) — for marketing communications where you have explicitly opted in. You can withdraw at any time.
• Legal obligation (Art. 6(1)(c)) — to comply with applicable Swedish and EU law.

4. AI processing

Modellot uses AI to help you understand and document your business data. When you use AI-assisted features, your business description is processed by Anthropic Ireland, Limited via their API.

• Anthropic Ireland is our contracting entity as an EEA-based customer — simplifying the data transfer picture.
• Processing is governed by a Data Processing Addendum (DPA) automatically incorporated into Anthropic's Commercial Terms of Service.
• Anthropic does not use your data to train AI models. This is explicitly prohibited in the DPA.
• Anthropic will notify us within 48 hours of any security breach involving your data.
• Your data is deleted by Anthropic within 30 days of termination of our agreement.
• EU AI Act — Modellot's use of AI is limited to business context extraction. Every AI-generated output is reviewed and confirmed by you before use — no automated decisions are made on your behalf. This places Modellot's AI use in the minimal risk category under the EU AI Act. General Purpose AI obligations fall on Anthropic as the model provider, not on Modellot as a deployer.

We recommend avoiding inclusion of personally identifiable information in your business descriptions where it is not necessary.

5. Data storage and transfers

Your data is stored on servers located in Europe (EU). Our primary AI processing relationship is with Anthropic Ireland, Limited — an EEA entity — which means the core AI processing does not constitute a transfer outside the EEA.

Where any subprocessors are located outside the EEA, Standard Contractual Clauses (SCCs) — as defined in European Commission Implementing Decision (EU) 2021/914 — are in place as the transfer mechanism.

6. Third-party processors

• Anthropic Ireland, Limited — AI processing for business context extraction. DPA in place. Data not used for model training. EEA entity.
• Hosting provider — infrastructure and database hosting (EU — Frankfurt, Germany)
• Resend — transactional email delivery including account verification and notifications
• Payment processor — billing and subscription management (when applicable)

We do not sell your personal data. We do not share your data with advertisers.

7. Data retention

• Account data — retained for the duration of your account plus 3 years after deletion, per Swedish accounting law.
• Usage data — deleted within 30 days of account deletion upon request.
• Technical logs — retained for 90 days for security and debugging.
• Billing records — retained for 7 years per Swedish tax law.
• Waitlist data — retained until you opt out or 12 months after collection, whichever is sooner.

8. Your rights under GDPR

• Right of access (Art. 15) — request a copy of your personal data.
• Right to rectification (Art. 16) — request correction of inaccurate data.
• Right to erasure (Art. 17) — request deletion, subject to legal retention obligations.
• Right to data portability (Art. 20) — request your data in a structured, machine-readable format.
• Right to restriction (Art. 18) — request restricted processing in certain circumstances.
• Right to object (Art. 21) — object to processing based on legitimate interests.
• Right to withdraw consent — withdraw consent at any time without affecting prior processing.

To exercise any right, contact privacy@modellot.com. We respond within 30 days. You may also lodge a complaint with the Swedish Authority for Privacy Protection (IMY) at imy.se.

9. Cookies

• Strictly necessary — authentication tokens required for the platform to function. Cannot be disabled.
• Functional — preferences such as theme settings stored in your browser.

We do not use advertising cookies or third-party tracking cookies.

10. Changes to this policy

We may update this policy from time to time. We will notify you by email of material changes and update the date above. Continued use of Modellot after notification constitutes acceptance.