Legal
Privacy Policy
Last updated:
DRAFT - requires legal review. This document is a draft and will be reviewed by a lawyer before public launch.
1. Data controller
The personal data controller is KeyTicket Solutions S.R.L., CUI RO 28376316, registration no. J05/779/2011, headquartered in Oradea, Romania (hereinafter referred to as „Concillio", „we" or „the controller").
For any questions regarding data protection, you can contact us at: privacy@keyticket.eu
2. Data we collect
2.1 Data provided directly by you
- Email address - when you sign up for early access or create an account
- Your profile (optional) - the segment selected at sign-up (Individual, SMB, Company, Legal professional)
- Contact form data - name, email, message
2.2 Data generated through platform usage
- Legal conversations - questions asked and responses generated by the platform
- Uploaded documents - contracts, court decisions or other legal documents uploaded for analysis
- Guided workflow responses - data provided within legal workflows
- Generated documents - appeals, petitions or other documents generated by the platform
2.3 Technical data collected automatically
- IP address - for security and abuse prevention (reCAPTCHA)
- Browsing data - via Google Analytics (only with your consent)
- Interaction data - via Microsoft Clarity (only with your consent) - future
- Telemetry data - via Azure Application Insights (anonymized)
2.4 Cookies
We use the following categories of cookies:
| Cookie | Purpose | Type | Duration |
|---|---|---|---|
concillio_consent |
Stores cookie preference | Essential | 1 year |
Google Analytics (_ga, _gid) |
Anonymous traffic analysis | Analytics (consent) | 2 years / 24h |
| Google reCAPTCHA | Anti-bot protection | Functional | Session |
| Microsoft Clarity | Heatmaps and session recordings | Analytics (consent, future) | 1 year |
We do not use advertising or marketing cookies.
3. Processing purposes
| Purpose | Data processed | Legal basis (GDPR) |
|---|---|---|
| Providing the AI legal information service | Conversations, uploaded documents, workflow responses | Performance of contract (Art. 6(1)(b)) |
| Sending launch notifications | Email, segment | Consent (Art. 6(1)(a)) |
| Responding to contact form inquiries | Name, email, message | Consent (Art. 6(1)(a)) |
| Security and abuse prevention | IP (via reCAPTCHA) | Legitimate interest (Art. 6(1)(f)) |
| Anonymous traffic analysis | Browsing data (Google Analytics) | Consent (Art. 6(1)(a)) |
| Improving user experience | Interaction data (Clarity, future) | Consent (Art. 6(1)(a)) |
| Payment processing | Billing data (via KeyID) | Performance of contract (Art. 6(1)(b)) |
4. AI data processing
Concillio uses artificial intelligence models (Azure OpenAI) to provide answers to legal questions and to analyze documents. It is important to understand:
- Conversations and uploaded documents are processed through AI services hosted in the European Union (Azure Region West Europe / Sweden Central).
- Your data is not used for training AI models - Azure OpenAI does not retain or use customer data for training.
- AI responses are generated based on indexed legislation, not from other users' data.
- Personal data in uploaded documents is anonymized before AI processing, where technically feasible.
5. Data sharing
We do not sell your data. We share data exclusively with:
| Third-party service | Purpose | Data location |
|---|---|---|
| Microsoft Azure (OpenAI, AI Search, Cosmos DB, Blob Storage) | Cloud infrastructure, AI processing, data storage | EU (West Europe / Sweden Central) |
| Google reCAPTCHA | Anti-bot protection | Global (Google Policy) |
| Google Analytics | Traffic analysis | EU (with consent) |
| KeyID (KeyTicket Solutions) | Payment processing and invoicing | EU |
| Azure Communication Services | Sending emails | EU |
6. Data retention
| Data category | Retention period |
|---|---|
| User account and profile | For the duration of the account + 30 days after deletion |
| Conversations and AI responses | Configurable by user; default 90 days (B2C), unlimited (B2B) |
| Uploaded documents | Until deleted by user or account closure |
| Contact form / sign-up data | Maximum 24 months from last interaction |
| Audit logs | 12 months (traceability obligation) |
| Anonymized technical data | 14 months |
7. Your rights
Under the General Data Protection Regulation (GDPR), you have the following rights:
- Right of access - you can request a copy of the personal data we hold about you.
- Right to rectification - you can request correction of inaccurate or incomplete data.
- Right to erasure - the "right to be forgotten" - you can request deletion of personal data, subject to legal retention obligations.
- Right to data portability - you can request transfer of your data in a structured format (JSON).
- Right to object - you can object to processing based on our legitimate interest.
- Right to withdraw consent - at any time, without affecting the lawfulness of prior processing.
- Right to lodge a complaint - with the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP).
To exercise these rights, send a request to: privacy@keyticket.eu. We respond within 30 days.
You can also file a complaint with ANSPDCP: www.dataprotection.ro
8. Security
We protect your data through the following measures:
- Transmission exclusively via HTTPS (TLS 1.2+)
- At-rest encryption with AES-256 on all storage services
- Data access via Private Endpoints - no data service is exposed on the public internet
- Authentication via Microsoft Entra ID with MFA support
- Consent cookies are marked
Secure,HttpOnlyandSameSite=Lax - Multi-tenant isolation - each client's data is logically separated and cannot be accessed by other users
9. International data transfers
All data is stored and processed in the European Union (Azure Region West Europe, The Netherlands). Google services (reCAPTCHA, Analytics) may transfer data outside the EU pursuant to the EU-US Adequacy Decision or Standard Contractual Clauses (SCC).
10. Policy changes
Any significant changes to this policy will be communicated via site banners at least 14 days before taking effect. The last update date is displayed at the top of the page.
11. Contact
For any questions or requests regarding the processing of your personal data:
- Email: privacy@keyticket.eu
- Controller: KeyTicket Solutions S.R.L., CUI RO 28376316, Oradea, Romania
Also see the Terms and Conditions for using the Concillio platform.