Privacy Policy

This Privacy Policy relies on GDPR (Regulation (EU) 2016/679) and the Estonian Personal Data Protection Act (IKS). It outlines how we process your personal data securely, transparently, and respectfully.

1. Identity of the Data Controller

The Data Controller responsible for the processing of your personal data is:

s4p OÜ
Registry Code: 102945199
Headquarters: Tornimäe tn 5, 10145 Tallinn, Estonia

2. Legal Bases for Processing

Pursuant to Article 6(1) of the GDPR, we rely on the following legal bases to process your data:

Contract (Art. 6(1)(b)): To provide the Services you requested (Account creation, AI processing, Consultations).
Legal Obligation (Art. 6(1)(c)): To comply with Estonian tax, accounting, and anti-money laundering laws.
Legitimate Interest (Art. 6(1)(f)): For security monitoring, fraud prevention, and ensuring network stability.
Consent (Art. 6(1)(a)): For optional marketing communications and non-essential cookies. You have the right to withdraw consent at any time.

3. Categories of Data Collected

Category	Examples	Purpose
Account & Billing	Name, email, encrypted password, billing address.	Account lifecycle, tax compliance, invoicing.
Telemetry & Usage	IP address, browser type, interaction logs.	Security, rate limiting, abuse detection, system optimization.
AI Inputs (Prompts)	Text, files, or code you submit to the AI tools.	Processing requests to return AI-generated results.
Professional Services	Intake forms, CVs, Career Goals, Calendar availability.	Providing specialized mentoring and consulting services.

4. AI Processing Notice

To provide our AI Tool Suite, we utilize third-party Large Language Models (LLMs) operated by OpenAI (USA) and others.

Zero Data Training: Your Prompts and structural data are NOT used by our sub-processors to train their base models.
Data Protection Agreements (DPA): We have executed strict DPAs with AI providers ensuring your inputs are protected as confidential data.
Transient Processing: Input data is sent via secure API (TLS 1.2+), processed rapidly, and immediately returned. Providers retain logs only for maximum 30 days for abuse monitoring prior to automatic deletion.

5. Professional Services ("Human Data")

When you engage in Consultations or Mentoring, strict privacy fences apply:

No Default Recording: We use Google Meet. Video sessions are not recorded. Recording will only occur with your explicit, documentable consent prior to hitting the "Record" button.
Calendar Isolation: If you connect Google Calendar to sync sessions, we utilize the lowest-privileged API scopes possible. We can only create events for your bookings, we do not scan or read your personal calendar events.
Mentor Access Control: Our Mentors can only access your submitted Intake Forms (your specified topic, context, or CV snippet) during the active period of your consultation block, strictly to prepare for your session.

6. Sub-Processors & Data Sharing

We do not sell your personal data. We only share data with vetted sub-processors essential to operating our enterprise pipeline:

AI Inference: OpenAI, L.L.C. (US) / Anthropic (US)
For generating LLM outputs. Data is transmitted via API and never used for model training.
Payment Processing: Stripe, Inc. (US/IE)
PCI-DSS compliant handling of all cards, invoices, and subscriptions. We never see or store full credit card numbers.
Cloud Infrastructure: Google Cloud EMEA Ltd (IE) / AWS (EU-Central)
For hosting our application servers and databases securely within the EU (Frankfurt/Dublin).

7. International Data Transfers

Where our sub-processors (e.g., OpenAI, Stripe) are based in the United States, we rely on rigid legal transfer mechanisms under Chapter V of the GDPR:

EU-US Data Privacy Framework (DPF): Used for certified companies (like Google LLC and Stripe) ensuring adequate protection levels recognized by the European Commission.
Standard Contractual Clauses (SCCs): In cases where the DPF cannot be relied upon, we execute Module 2 (Controller-to-Processor) of the EC-approved SCCs alongside supplementary security measures (encryption in transit/at rest).

8. Data Retention Schedule

We adhere to the storage limitation principle (Art. 5(1)(e) GDPR):

Account DataLifetime of account + 2 years for legal limitation periods
Tax & Transaction Data7 years (Mandated by Estonian Accounting Act)
AI Prompts30 days by API vendors for abuse prevention
Server Logs90 days for forensic security analysis

9. Your Rights under GDPR

You hold the sovereign right over your data. Under Chapter III of the GDPR, you have the right to:

Right of Access & PortabilityRequest a highly-structured JSON export of all your data residing on our platform.

Right to Erasure ("Right to be Forgotten")Request hard-deletion of your account. Note: We must retain basic transaction data for 7 years for tax compliance.

Right to RectificationCorrect inaccurate data directly in your Account Settings panel.

Right to Object / RestrictOpt-out of specific processing types (like analytics) via the cookie consent manager.

To execute any of these rights, email us from your registered account address at support@s4p.eu. We will fulfill your request securely within 30 days.

10. Right to Lodge a Complaint

If you believe our processing infringes data protection laws, you have the right to lodge a complaint with a supervisory authority. Given our jurisdiction, the lead supervisory authority is:

Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon)
Address: Tatari 39, 10134 Tallinn, Estonia
Email: info@aki.ee
Website: www.aki.ee

11. Security Measures

We employ enterprise-grade logical and physical security architectures:

TLS 1.3 encryption for all data in transit across our perimeter.
AES-256-GCM encryption for database storage at rest.
Strict Role-Based Access Control (RBAC) preventing unauthorized internal staff access to user data.

12. Contact the Data Protection Officer (DPO)

For all privacy inquiries, data exercise requests, or concerns, contact our DPO directly:

support@s4p.eu