Privacy Policy

Effective Date: December 7, 2025
Last Updated: December 7, 2025

        Key Points:
        No account required for free tier - zero personal data collected
EU-only data storage and processing (GDPR compliant)
No data selling or sharing with third parties
Full transparency and user control over data

    

1. Introduction

Pauhu AI ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered services.

We comply with:

General Data Protection Regulation (GDPR) - Regulation (EU) 2016/679
EU AI Act - Regulation (EU) 2024/1689
NIS2 Directive - Directive (EU) 2022/2555

2. Data Controller

For the purposes of GDPR, the data controller is:

Pauhu AI
Email: privacy@pauhu.ai
Data Protection Officer: dpo@pauhu.ai

3. Data Collection and Minimization (GDPR Article 5.1.c)

We practice data minimization - collecting only the minimum data necessary for service delivery.

3.1 Free Tier (No Account Required)

Data Type	Purpose	Legal Basis
IP Address (anonymized)	Rate limiting (3 queries/day)	Legitimate interest
Query content (temporary)	Provide AI response	Contract performance
Browser type	Feature compatibility	Legitimate interest

Data Retention: Query content deleted after 24 hours. IP address hashed and retained for 7 days.

3.2 Paid Tier (Account Required)

Data Type	Purpose	Legal Basis
Email address	Account authentication, service notifications	Contract performance
Name	Personalization, invoicing	Contract performance
Payment information	Billing (processed by payment provider)	Contract performance
Usage data	Service delivery, billing, improvement	Contract performance

Data Retention: Account data retained while account active. Usage data retained for 90 days.

4. How We Use Your Data

We use collected data ONLY for:

Providing AI services (translations, analysis, responses)
Account management and authentication
Billing and payment processing
Service improvement and optimization
Compliance with legal obligations
Security and fraud prevention

We do NOT:

Sell your data to third parties
Use your data for advertising
Share your data without your consent (except as required by law)
Train AI models on your private data without permission

5. Data Storage and Security

5.1 EU-Only Data Residency

All personal data is stored and processed EXCLUSIVELY in the European Union:

Cloudflare Workers: EU region
Fly.io servers: Amsterdam (AMS) and Frankfurt (FRA)
Cloudflare R2 storage: EU buckets

No international data transfers. Your data never leaves EU borders.

5.2 Security Measures (ISO 27001, SOC 2)

We implement comprehensive security measures to protect data integrity and confidentiality:

Encryption in transit: HTTPS/TLS 1.3 for all communications
Encryption at rest: Database encryption with industry-standard algorithms
Access controls: Role-based access, least privilege principle
Audit trails: Cryptographic signing, append-only logs, continuous monitoring
Security monitoring: Real-time threat detection and incident response
Regular security assessments: Penetration testing and vulnerability scans
Data integrity verification: Checksums and validation at every processing step

6. Your Rights (GDPR Articles 12-23)

6.1 Right of Access (Article 15)

You can request a copy of all personal data we hold about you.

How: Email privacy@pauhu.ai or use account dashboard "Export Data" button

Response time: Within 30 days

6.2 Right to Erasure (Article 17)

You can request deletion of your personal data ("right to be forgotten").

How: Email privacy@pauhu.ai or use account dashboard "Delete Account" button

Process: Hard delete (permanent removal, not soft delete)

Confirmation: Email confirmation within 48 hours

6.3 Right to Data Portability (Article 20, EU Data Act)

You can receive your data in machine-readable, interoperable formats for easy transfer to other services.

Formats: JSON (structured data), CSV (usage logs), standard APIs

How: Account dashboard "Export Data" or API endpoint

Interoperability: Data formatted to industry standards for seamless migration

6.4 Right to Rectification (Article 16)

You can correct inaccurate personal data.

How: Account settings or email privacy@pauhu.ai

6.5 Right to Object (Article 21)

You can object to processing based on legitimate interests.

How: Email privacy@pauhu.ai with specific objection

6.6 Right to Restrict Processing (Article 18)

You can request temporary restriction of data processing.

How: Email privacy@pauhu.ai

7. Cookies and Tracking

7.1 Essential Cookies

Cookie Name	Purpose	Duration
session_id	Account authentication	Session (30 days)
pauhu_state	Preserve user preferences	Local storage (persistent)
rate_limit	Enforce 3 queries/day limit	24 hours

7.2 Analytics Cookies

We use Cloudflare Analytics (privacy-preserving, no personal data).

You can opt out: Browser settings or privacy@pauhu.ai

8. Third-Party Services

8.1 Payment Processing

Payment information processed by certified payment providers (PCI DSS compliant).

We do NOT store credit card details.

8.2 Infrastructure Providers

Cloudflare (EU region) - CDN, security, analytics
Fly.io (EU region) - Application hosting

All providers are GDPR-compliant with Data Processing Agreements in place.

9. AI-Specific Privacy

9.1 Query Content

Your queries and uploaded documents are:

Processed to generate AI responses
NOT used to train AI models (without explicit consent)
Deleted after session ends (free tier) or 90 days (paid tier)
Never shared with third parties

9.2 Active Forgetting

We implement "active forgetting" - automatic deletion of data after retention period.

This exceeds GDPR minimum requirements.

9.3 Model Transparency (EU AI Act Article 52)

You are always informed when interacting with AI:

Clear "Pauhu AI" branding
"AI-generated" labels on content
No impersonation or deception

10. Children's Privacy

Our services are not directed to children under 16.

If you believe we have collected data from a child under 16, contact privacy@pauhu.ai immediately.

11. Data Breach Notification

In case of a data breach affecting your personal data:

Notification within 72 hours (GDPR Article 33)
Email to affected users
Clear description of breach and remediation steps

12. Changes to Privacy Policy

We may update this policy to reflect:

Changes in legal requirements
New features or services
User feedback

Notification: Email notice 30 days before changes take effect

Version history: Previous versions available on request

13. Contact Us

Privacy Inquiries:
Email: privacy@pauhu.ai

Data Protection Officer:
Email: dpo@pauhu.ai

GDPR Requests:
Email: gdpr@pauhu.ai
Response time: Within 30 days

Complaints:
You have the right to lodge a complaint with your local data protection authority.

14. Legal Basis for Processing

Processing Activity	Legal Basis (GDPR Article 6)
Providing AI services	Contract performance (Article 6.1.b)
Account management	Contract performance (Article 6.1.b)
Billing and payments	Contract performance (Article 6.1.b)
Service improvement	Legitimate interest (Article 6.1.f)
Security and fraud prevention	Legitimate interest (Article 6.1.f)
Legal compliance	Legal obligation (Article 6.1.c)

15. Automated Decision-Making

We use AI for automated content generation, but:

No automated decisions with legal or significant effects
Human oversight available for critical decisions (HumanLayer)
Right to human review (GDPR Article 22)

This Privacy Policy is compliant with GDPR, EU AI Act, and NIS2 Directive.
Document version: 1.0
Effective: December 7, 2025