Privacy Notice

1. Introduction

This Privacy Notice explains how Satori Analytics IKE ("Satori," "we," "us," or "our") processes personal data when you use our Enterprise GPT AI product (the "Service"). This notice applies to employees and authorized users of organizations that have subscribed to our Service through Microsoft Azure Marketplace.

Satori Analytics IKE is ISO 27001 certified, demonstrating our commitment to information security management.


2. Who We Are

Data Controller: Your employer or organization (the "Client Organization") is the data controller and determines what personal data is processed and for what purposes.

Data Processor: Satori Analytics IKE acts as a data processor, processing personal data on behalf of and under the instructions of your Client Organization.

Data Protection Officer:
Email: [email protected]


3. What Personal Data We Process

We process the following categories of personal data:

3.1 User Account Information
  • Full name
  • Email address
  • Job role or title
  • Security rights and access permissions

This information is collected through your organization's authentication system (Microsoft Entra ID or equivalent OAuth provider) when you access the Service.

3.2 Usage Data
  • Pseudonymized user identifiers (only your organization's administrators can link these identifiers to your actual identity)
  • Timestamps of system access and queries
  • Query content (the questions you ask the system)
  • System responses based on your organization's documents
  • User feedback (ratings, comments, or other feedback you provide)

3.3 Document Content

The Service processes documents uploaded by your Client Organization. These documents may contain various types of personal data depending on your organization's business activities. We have no control over or responsibility for the content of these documents, which is determined entirely by your organization.

Important: Our Service is not intended for processing special categories of personal data (such as health data, biometric data, racial or ethnic origin, or similar sensitive information). Your organization's contract with us prohibits the upload of such data.


4. How We Process Your Personal Data

4.1 Purpose of Processing

We process your personal data to:

  • Provide conversational AI responses based on your organization's documents
  • Control access to documents and information based on your role and permissions within your organization
  • Analyze system performance and accuracy
  • Identify and fix technical issues
  • Detect and prevent misuse of the Service
  • Improve Service functionality for your organization

4.2 Legal Basis

We process your personal data based on the contractual relationship between Satori and your Client Organization. The processing is necessary to perform the services your organization has purchased.

4.3 Technical Processing Details

Document Analysis: The Service indexes and vectorizes uploaded documents to enable conversational queries. This processing occurs entirely within your organization's Azure environment.

Query Processing: When you submit a query, the Service uses Azure OpenAI services (deployed in your organization's Azure subscription) to analyze relevant documents and generate responses. The system respects your access permissions and only provides information from documents you are authorized to view.

Feedback Collection: The Service collects both active feedback (when you rate responses or provide comments) and passive feedback (through analysis of system logs) to improve accuracy and performance for your organization only. Improvements made through feedback analysis benefit solely your organization and do not affect other clients' systems.

User Pseudonymization: Within system logs, your identity is pseudonymized using a unique identifier. Only your organization's administrators can link this identifier back to your actual identity.


5. Data Retention

5.1 Documents

Documents uploaded by your organization are retained indefinitely until your organization chooses to delete them. You or your organization's administrators control document retention.

5.2 System Logs

System logs (including query content, responses, timestamps, and pseudonymized user identifiers) are automatically deleted after 30 days. Your organization may request a different retention period.

5.3 User Accounts

When you leave your organization, your historical queries and feedback remain in the system under your pseudonymized identifier until your organization requests deletion of your account data.

5.4 Backups

Since the Service operates entirely within your organization's Azure subscription, backup and disaster recovery follow standard Azure practices as configured by your organization. Satori has no involvement in backup management.


6. Who Can Access Your Personal Data

6.1 Your Organization

Your organization's administrators have full access to all data processed through the Service, including the ability to de-pseudonymize user identifiers and view all queries, responses, and documents.

6.2 Satori Personnel

Satori engineers have limited "control plane" access to your organization's Azure environment for support, maintenance, and troubleshooting purposes. This access is:

  • Limited to system configuration, infrastructure management, and operational logs
  • Subject to logging and audit trails
  • Restricted to pseudonymized user identifiers (we cannot see your actual identity)
  • Without "data plane" access to your organization's uploaded documents or their substantive content

Our engineers can see system logs containing queries and responses, but only in connection with pseudonymized user identifiers that we cannot link to actual individuals.

6.3 No Subprocessors

Satori does not engage any subprocessors. All Azure services used by the Service (including Azure OpenAI, Azure AI Search, Azure Cosmos DB, and Azure MySQL) are subscribed to directly by your organization and operate within your organization's own Azure environment under your organization's agreement with Microsoft.


7. Where Your Data Is Stored

All personal data is stored and processed within your organization's Azure subscription.

We strongly recommend that all personal data of EU/EMEA data subjects be held in EU data centers. Your organization controls the specific Azure regions used for data storage.

No data is transferred outside the European Union or European Economic Area while it is accessed or processed by us in any way.


8. Security Measures

We implement appropriate technical and organizational measures to protect your personal data:

8.1 Encryption
  • In Transit: All communications are encrypted using TLS 1.3
  • At Rest: All data services are encrypted at rest using Microsoft-managed encryption keys, with the option for your organization to enable additional encryption using customer-managed keys

8.2 Access Controls
  • Authentication through Microsoft Entra ID or equivalent OAuth providers
  • Role-based access controls ensuring you can only access information appropriate to your position
  • Verified cross-client isolation ensuring no data sharing between different client organizations
  • Logged and auditable access by Satori personnel

8.3 ISO 27001 Certification

Satori Analytics IKE is ISO 27001 certified, demonstrating our adherence to international information security standards.


9. Your Rights Under GDPR

As a data subject, you have the following rights regarding your personal data:

9.1 Right of Access

You may request confirmation of whether we process your personal data and obtain a copy of that data.

9.2 Right to Rectification

You may request correction of inaccurate or incomplete personal data.

9.3 Right to Erasure ("Right to be Forgotten")

You may request deletion of your personal data when it is no longer necessary for the purposes for which it was collected or when you withdraw consent (where processing is based on consent).

9.4 Right to Restriction

You may request that we restrict processing of your personal data in certain circumstances.

9.5 Right to Data Portability

You may request to receive your personal data in a structured, commonly used, and machine-readable format and to transmit it to another controller.

9.6 Right to Object

All processing activities described in this notice are necessary for the performance of the contract between Satori and your organization. However, you may object to processing in specific circumstances, and we will assess whether your interests override the legitimate grounds for processing.

9.7 How to Exercise Your Rights

To exercise any of these rights, please contact your organization's administrators or privacy officer. Your organization is responsible for handling data subject requests. Satori will assist your organization in responding to your request within the timeframes required by GDPR (typically within one month).

You also have the right to lodge a complaint with your national data protection authority if you believe your rights have been violated.


10. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify your Client Organization within 24 hours of becoming aware of the breach. Your organization is responsible for determining whether to notify you directly as required under GDPR.


11. Automated Decision-Making

The Service does not perform automated decision-making or profiling that produces legal effects or similarly significantly affects you. The AI-generated responses are informational tools to assist you in your work, and all significant decisions are made by humans within your organization.


12. International Data Transfers

All data processing occurs within your organization's Azure subscription.

We do not transfer personal data outside the EU/EEA in any way while we have access to or are processing such data.


13. Children's Privacy

The Service is intended for use by employees and authorized users of business organizations. We do not knowingly collect personal data from individuals under 18 years of age. If you believe we have inadvertently collected such information, please contact us immediately.


14. Changes to This Privacy Notice

We may update this Privacy Notice from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

When we make material changes, we will:

  • Update the "Last Updated" date at the top of this notice
  • Notify your organization's administrators by email

Your organization will be responsible for informing you of significant changes as appropriate.

We encourage you to review this Privacy Notice periodically. Your continued use of the Service after changes become effective constitutes acceptance of the revised notice.


15. California Privacy Rights

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with additional rights regarding your personal information.

15.1 Categories of Personal Information

We collect and process the categories of personal information described in Section 3 of this Privacy Notice. For California residents, this includes:

  • Identifiers (names, email addresses, user IDs)
  • Professional or employment-related information (job titles, roles)
  • Internet or network activity information (usage data, queries, responses)
  • Inferences drawn from the above to create user profiles (feedback patterns, usage preferences)

15.2 Business Purposes

We process personal information for the business purposes described in Section 4.1 of this Privacy Notice, including providing the Service, technical support, security, and service improvement.

15.3 Sources of Personal Information

We collect personal information directly from you and your organization, and automatically through your use of the Service as described in Section 3.

15.4 Disclosure of Personal Information

We do not sell or share your personal information for cross-context behavioral advertising. We do not disclose personal information to third parties except as described in Section 6 (limited access by Satori personnel for support purposes with pseudonymized data).

15.5 Retention Period

Personal information retention periods are described in Section 5 of this Privacy Notice.

15.6 Your California Privacy Rights

As a California resident, you have the right to:

  • Know what personal information we collect, use, disclose, and sell
  • Access your personal information
  • Delete your personal information (subject to certain exceptions)
  • Correct inaccurate personal information
  • Opt out of the sale or sharing of your personal information (we do not sell or share)
  • Limit the use and disclosure of sensitive personal information (where applicable)
  • Not be discriminated against for exercising your privacy rights

15.7 How to Exercise Your Rights

To exercise these rights, please contact your organization's administrators or privacy officer as described in Section 9.7. Your organization is the business under CCPA and is responsible for responding to your requests. As a service provider, we will assist your organization in fulfilling your requests.

15.8 Authorized Agent

You may designate an authorized agent to make requests on your behalf. Your organization may require verification of the agent's authorization and your identity before processing such requests.

15.9 Verification Process

Your organization may need to verify your identity before processing your request to protect your privacy and security. The verification process will depend on the nature and sensitivity of your request.

15.10 Our Role as Service Provider

Under CCPA, Satori Analytics acts as a "service provider" to your organization (the "business"). We process personal information solely on behalf of and under the instructions of your organization. We do not sell personal information, do not retain, use, or disclose personal information for any purpose other than performing the Service, and do not combine personal information with information from other sources.


16. Governing Law

This Privacy Notice and all data processing activities are governed by Greek law and the General Data Protection Regulation (EU) 2016/679.


17. Contact Us

If you have questions about this Privacy Notice or how we process your personal data, please contact:

Satori Analytics IKE
Miltiadou 18 str
Athens, Greece

Data Protection Officer:
Email: [email protected]

For immediate privacy concerns related to your specific data, please first contact your organization's privacy officer or administrators, who can work with us to address your inquiry.
