Privacy Policy
Effective Date: August 20, 2025
1. Introduction
This Privacy Policy explains how Infinea Consulting Tanácsadó és Fejlesztő Korlátolt Felelősségű Társaság ("we", "us", "our") collects, processes, and protects personal data when you access or use the Product Classifier Service (“Service”), in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”). By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy.
2. Data Controller Information
Data Controller: Infinea Consulting Tanácsadó és Fejlesztő Korlátolt Felelősségű Társaság
Address: Andor utca 21/c fszt. 1., 1119 Budapest, Hungary
Contact Email: support@productclassifier.com
3. Categories of Personal Data Collected
We collect and process the following categories of Personal Data:
- Account Data: email address, country, company name, company billing address, and VAT number.
- Usage Data: identifiers for accounts, projects, and plans; usage information in credits and USD; dates and duration of classification requests; request source (Playground or API); status; determined product categories; and login code metadata (creation and expiry timestamps, attempts, usage status).
- Settings and Preferences: selected taxonomy, custom instructions provided for AI processing, and API keys.
- Cookies: identifiers necessary to facilitate authentication, session management, and account access.
- Browser and Device Information: anonymized data such as IP address, browser type, operating system, and device identifiers for analytics.
- Notifications Status: logs of trial- and limit-related email communications.
- Communication Data: copies of customer correspondence, including email support requests.
- Customer-Uploaded Content: product descriptions or data inputs provided via the interface or API for classification purposes.
- Payment and Billing Information: subscription details and transaction-related data processed for invoicing and account status.
4. Legal Bases for Processing
We process your personal data only when we have a valid legal basis under GDPR. The specific legal basis depends on the type of data and the purpose for which we process it:
Performance of a Contract
We process personal data when necessary to provide the Service to you and fulfil our contractual obligations. This includes:
- Creating and managing your account
- Providing product classification services through our web interface and API
- Processing payments and managing subscriptions
- Sending transactional emails related to your account and usage
Legitimate Interest
We process personal data based on our legitimate interests to operate, improve, and secure the Service, while ensuring these interests do not override your fundamental rights. This includes:
- Analysing usage patterns to improve service performance and develop new features
- Preventing fraud and maintaining security
- Providing customer support and responding to inquiries
- Monitoring system performance and troubleshooting technical issues
Consent
We process personal data based on your explicit consent for:
- Sending marketing communications and promotional materials
- Using optional analytics cookies beyond those strictly necessary for service operation
- Any other processing activities where we specifically request your consent
Legal Obligation
We process personal data when necessary to comply with applicable laws and regulations, including:
- Maintaining financial records for tax and accounting purposes
- Responding to lawful requests from authorities
- Complying with data protection regulations and user rights requests
5. Sources of Personal Data
We collect personal data from various sources to provide and improve our Service. Understanding where your data comes from helps ensure transparency in our data processing activities:
Data You Provide Directly
We collect information that you voluntarily provide when using our Service:
- Registration information submitted through our sign-up form (email, company details, country)
- Account preferences and settings you configure within the Service
- Product descriptions and classification requests submitted through our web interface or API
- Custom instructions for AI processing that you create and save
- Communications you send to us, including support requests and feedback
Data Collected Automatically
When you use our Service, we automatically collect certain information:
- Usage data including classification requests, timestamps, and processing duration
- Technical information such as IP address, browser type, and operating system for analytics purposes
- Session data and authentication status through necessary cookies
- Service interaction patterns to understand how features are used
Data from Third-Party Sources
We receive limited data from integrated third-party services:
- Payment and subscription information from Paddle, our payment processor
- Support ticket history and correspondence from HelpScout, our customer support platform
- Analytics data from Google Analytics regarding general usage patterns
6. Purposes of Processing
We process your personal data for specific, legitimate purposes necessary to provide our Service and meet our legal obligations. Each processing activity is linked to one or more of the legal bases outlined in Section 4:
Account Management
We process your personal data to create, maintain, and secure your user account. This includes verifying your identity, managing access credentials, maintaining your account settings, and ensuring the security of your account through features like login codes and session management.
Service Provision
Our primary purpose for processing data is to deliver the core product classification functionality you expect from our Service. This encompasses processing your classification requests through both our web interface (Playground) and API, applying your custom instructions to improve classification accuracy, managing your selected taxonomies, and tracking usage to ensure you stay within your plan limits.
Customer Support
We process personal data to provide effective customer support and technical assistance. This includes responding to your inquiries and support tickets, troubleshooting technical issues you may encounter, providing guidance on using our Service effectively, and maintaining records of our communications to ensure consistent support.
Billing and Payments
For users on paid plans, we process data necessary for financial transactions and account management. This includes processing subscription payments through our payment processor, issuing invoices and maintaining billing records, managing plan upgrades and downgrades, and tracking usage for usage-based billing calculations.
Service Improvement
We analyse aggregated and anonymised usage data to enhance our Service performance and develop new features. This helps us understand how users interact with different features, identify areas for improvement and optimization, develop new functionalities based on user needs, and ensure the reliability and speed of our classification algorithms.
Communications
We process contact information to send you important communications about our Service. This includes transactional emails about your account status and usage, notifications about changes to our Service or policies, responses to your support requests, and, where you have provided consent, marketing communications about new features or offerings.
7. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, comply with our legal obligations, resolve disputes, and enforce our agreements. Our retention periods are designed to balance service functionality with data minimization principles:
Usage and Activity Data
Itemized usage data containing detailed information about individual classification requests, timestamps, and processing details is retained for 45 days. After this period, the detailed data is either deleted or aggregated into summary statistics. This allows you to review recent activity while ensuring we don't retain detailed operational data longer than necessary.
Aggregated usage data showing summary statistics, total usage counts, and general patterns is retained until account cancellation. This aggregated data helps us provide usage reports, billing summaries, and service analytics without maintaining individual transaction details.
Account Information
Core account data including your email address, company information, preferences, and settings is retained until account deletion. When you request account deletion, we initiate a process to remove your personal data from our active systems within 30 days, subject to any legal retention requirements.
Financial and Legal Records
Billing and payment records are retained in accordance with applicable tax and accounting laws, typically for 7 years after the transaction date. This includes invoices, payment confirmations, and related financial documentation required for legal compliance.
Third-Party Data Processors
Data shared with our third-party processors (listed in Section 8) is retained according to their respective Data Processing Agreements (DPAs). We ensure all processors comply with GDPR requirements and do not retain your data longer than necessary for providing their services to us.
Backup and Security
For security and disaster recovery purposes, some data may exist in backup systems for up to 90 days after deletion from primary systems. These backups are encrypted and access is strictly limited to recovery scenarios.
8. Processors and Third-Party Recipients
We engage carefully selected third-party service providers (processors and sub-processors) to assist us in providing the Service. These processors act on our behalf and under our instructions, processing personal data only as necessary to perform their specific functions. All processors are bound by Data Processing Agreements (DPAs) that ensure they comply with GDPR requirements and maintain appropriate security measures.
We do not sell, rent, or share your personal data with third parties for their own marketing purposes. The following categories of processors have access to your personal data solely to provide services to us:
- Hosting provider:
  - Render https://render.com/dpa
- Payment processor:
- Email delivery tools:
- Database providers:
- AI tools:
- CRM system:
- Analytics:
9. International Data Transfers
Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA), particularly the United States. We ensure all international transfers comply with GDPR requirements through appropriate safeguards.
Processors Operating Outside the EEA
Many of our processors listed in Section 8 operate from or store data in locations outside the EEA:
United States:
- Render (hosting infrastructure)
- MongoDB Atlas (database services)
- Qdrant (vector database)
- OpenAI (AI processing)
- Google/Gemini (AI processing and analytics)
- HelpScout (customer support)
United Kingdom:
- Paddle (payment processing)
Mixed EU/International Infrastructure:
- Mailersend (Lithuanian company with global infrastructure)
- ImprovMX (email services)
Safeguards for International Transfers
We protect your data during international transfers through:
- Data Processing Agreements (DPAs): All processors sign DPAs containing Standard Contractual Clauses (SCCs) approved by the European Commission. Links to each processor's DPA are provided in Section 8 above.
- Adequacy Decisions: For transfers to the UK (Paddle), we rely on the European Commission's adequacy decision recognizing the UK's data protection framework as essentially equivalent to the EU's.
- Technical Measures: All data transfers are encrypted in transit using industry-standard protocols (TLS 1.3 or higher).
- Contractual Obligations: The DPAs referenced in Section 8 require all processors to maintain GDPR-equivalent protection levels regardless of their location.
Your Rights
You have the right to:
- Review the DPAs linked in Section 8 to understand the safeguards in place
- Request additional information about specific international transfers
- Lodge a complaint with your supervisory authority if you have concerns
For more information about international transfers, please contact us at support@productclassifier.com.
10. Data Subject Rights
Under GDPR, you have specific rights regarding your personal data. We are committed to facilitating the exercise of these rights in a transparent and timely manner.
Your Rights Explained
Right to Access (Article 15 GDPR)
You have the right to request confirmation of whether we process your personal data and, if so, to receive a copy of that data along with information about how it's processed. This includes the purposes of processing, categories of data, and recipients.
Right to Rectification (Article 16 GDPR)
If your personal data is inaccurate or incomplete, you have the right to request that we correct or complete it. We will update your information promptly and notify any third parties who have received the incorrect data.
Right to Erasure - "Right to be Forgotten" (Article 17 GDPR)
You may request deletion of your personal data when:
- The data is no longer necessary for the original purpose
- You withdraw consent (where consent is the legal basis)
- You object to processing and no overriding legitimate grounds exist
- The data has been unlawfully processed
Note: We may retain certain data when required by law or for legitimate business purposes such as financial records.
Right to Restrict Processing (Article 18 GDPR)
You can request that we limit how we use your data while we verify its accuracy, assess your objection to processing, or if you need the data for legal claims even though we no longer require it.
Right to Data Portability (Article 20 GDPR)
For data you've provided to us that we process based on consent or contract, you have the right to receive it in a structured, commonly used, machine-readable format (such as CSV or JSON) and to transmit it to another service provider.
Right to Object (Article 21 GDPR)
You may object to processing based on our legitimate interests or for direct marketing purposes. We will cease such processing unless we can demonstrate compelling legitimate grounds that override your interests.
Right to Withdraw Consent
Where processing is based on your consent, you may withdraw it at any time. This won't affect the lawfulness of processing before withdrawal. You can withdraw consent for marketing communications through the unsubscribe link in emails or by contacting us.
Rights Regarding Automated Decision-Making
We do not currently use automated decision-making that produces legal or similarly significant effects. If this changes, we will update this policy and ensure appropriate safeguards are in place.
How to Exercise Your Rights
To exercise any of these rights:
- Contact us at support@productclassifier.com with "Data Rights Request" in the subject line
- Specify which right(s) you wish to exercise and provide relevant details
- Verify your identity by providing your account email address and any additional information we may reasonably request
- Receive confirmation that we've received your request within 48 hours
Our Response Commitment
- We will respond to your request without undue delay and within one month of receipt
- For complex requests, we may extend this by two additional months, but will inform you within the first month
- If we cannot fulfill your request, we will explain why and inform you of your right to complain
- We will not charge a fee unless requests are manifestly unfounded, excessive, or repetitive
Right to Lodge a Complaint
If you're unsatisfied with how we handle your request, you have the right to lodge a complaint with your supervisory authority (see Section 15 for details).
11. Cookies & Similar Technologies
We use cookies and similar technologies to enhance your experience, maintain security, and understand how our Service is used. This section explains what cookies we use, why we use them, and how you can manage your preferences.
What Are Cookies
Cookies are small text files placed on your device when you visit our website or use our Service. They help us recognize your browser, remember your preferences, and improve your experience. We also use similar technologies like local storage for comparable purposes.
Types of Cookies We Use
Essential Cookies (Strictly Necessary)
These cookies are required for the Service to function properly and cannot be disabled. They include:
- Session cookies: Maintain your login state and authenticate your access to the Service
- Security cookies: Help prevent unauthorized access and protect against security threats
- Load balancing cookies: Ensure optimal performance by distributing traffic across our servers
Legal basis: Legitimate interest (necessary for providing the Service)
Analytics Cookies
We use Google Analytics to understand how users interact with our Service. These cookies collect:
- Pages visited and features used
- Time spent on different sections
- General location (country/city level)
- Browser and device type
- Referral source
This data is aggregated and anonymized.
Legal basis: Consent (you can opt out at any time)
Functional Cookies
These cookies remember your preferences and settings, such as:
- Selected taxonomy preferences
- Interface language settings
- Recently used features
Legal basis: Legitimate interest (improving user experience)
Cookie Duration
- Session cookies: Deleted when you close your browser
- Persistent cookies: Remain for specified periods:
  - Authentication tokens: 7 days
  - Preference cookies: 1 year
  - Analytics cookies: 2 years
Managing Your Cookie Preferences
You have several options for managing cookies:
- Browser settings: Most browsers allow you to block or delete cookies. Note that blocking essential cookies will prevent you from using the Service.
- Google Analytics opt-out: Install the Google Analytics Opt-out Browser Add-on to prevent data collection.
- Do Not Track: We respect Do Not Track browser signals for analytics cookies.
Third-Party Cookies
We use the following third-party services that may set cookies:
- Google Analytics: For usage analytics (see their privacy policy)
- Paddle: For payment processing (only on payment pages)
We do not allow third-party advertising cookies on our Service.
Updates to Cookie Usage
We may update our cookie usage as we develop new features. Any significant changes will be communicated through an update to this Privacy Policy. For questions about our use of cookies, contact us at support@productclassifier.com.
12. Security Measures
We take the security of your personal data seriously and implement comprehensive technical and organizational measures to protect it against unauthorized access, accidental loss, destruction, or alteration.
Technical Security Measures
Encryption
- All data transmissions between your browser and our servers are encrypted using TLS 1.3 or higher
- Sensitive data at rest, including API keys and authentication tokens, is encrypted using AES-256 encryption
- Database connections use encrypted channels to prevent interception
Access Controls
- Regular access reviews and immediate revocation for terminated personnel
- API access secured through unique authentication tokens with configurable permissions
Infrastructure Security
- Hosted on secure cloud infrastructure with SOC 2 compliance (Render)
- Web application firewall (WAF) to protect against common attacks
- Regular security patches and updates applied to all systems
- Isolated environments for production, staging, and development
Organizational Security Measures
Security Policies and Procedures
- Comprehensive information security policy reviewed annually
- Incident response plan for rapid containment of security events
- Vendor security assessments for all processors handling personal data
Monitoring and Logging
- Continuous monitoring of systems for suspicious activities
- Regular review of security logs and metrics
Data Protection Measures
- Regular automated backups with encryption and secure storage
- Disaster recovery procedures tested quarterly
- Secure data deletion procedures ensuring complete removal
Vulnerability Management
- Regular security assessments and penetration testing
- Automated vulnerability scanning of infrastructure and applications
- Responsible disclosure program for security researchers
- Prompt patching of identified vulnerabilities based on risk assessment
Incident Response
In the event of a personal data breach, we will:
- Contain and assess the incident immediately
- Notify affected users without undue delay where required
- Report to supervisory authorities within 72 hours when mandatory
- Document all breaches and remediation actions taken
Security Limitations
While we implement industry-leading security measures, no system can guarantee absolute protection. We continuously review and improve our security posture to address evolving threats. Users are encouraged to:
- Report any suspected security issues to support@productclassifier.com
- Keep their API keys confidential and rotate them regularly
For security concerns or to report vulnerabilities, please contact our security team directly at support@productclassifier.com.
13. Children's Privacy
Product Classifier is a business service designed exclusively for professional and commercial use. We do not offer services to children and have implemented measures to prevent the collection of their personal data.
Age Restrictions
Our Service is strictly limited to users who are:
- At least 16 years of age
- Acting in a professional or business capacity
- Authorized to enter into contracts on behalf of their organization
By registering for an account, you confirm that you meet these age requirements and are not registering on behalf of anyone under 16.
Our Commitment
We do not knowingly collect, process, or store personal data from individuals under the age of 16. Our Service is not directed at, marketed to, or intended for use by children. The nature of our Service - business product classification for e-commerce - inherently targets adult business users.
If a Child Provides Personal Data
If we discover that we have inadvertently collected personal data from someone under 16, we will:
- Immediately suspend the associated account
- Delete all personal data related to that account within 48 hours
- Notify the account email address of the action taken
- Not retain any records beyond what is legally required
For Parents and Guardians
If you believe your child under 16 has provided us with personal data without your consent:
- Contact us immediately at support@productclassifier.com with "Child Privacy Concern" in the subject line
- Provide the email address or account details used by your child
- We will promptly investigate and delete any data collected from your child
Verification
While we do not actively verify age during registration due to the business nature of our Service, we rely on:
- The professional context of account registration (company details, VAT numbers)
- The business-focused nature of our Service
- Our Terms of Service which require users to confirm they are at least 16 years old
This approach balances privacy protection with the business-to-business nature of our Service, ensuring children's data is not collected while maintaining a streamlined experience for our legitimate business users.
14. Changes to this Privacy Policy
We reserve the right to update this Privacy Policy to reflect changes in our data processing practices, legal requirements, or business operations. We are committed to keeping you informed about how we protect and process your personal data.
Types of Changes
Minor Changes
Minor changes include:
- Typographical corrections and clarifications
- Formatting improvements
- Updates to contact information
- Addition of newly integrated processors performing similar functions
- Clarifications that don't materially affect your rights
These changes will be made directly to the policy with an updated revision date.
Material Changes
Material changes include:
- New purposes for processing personal data
- Changes to data retention periods
- New categories of personal data collected
- Changes to your rights or how to exercise them
- Significant changes to international data transfers
- Changes to our legal bases for processing
Notification Procedures
For Minor Changes:
- Updates will be posted on our website at productclassifier.com
- The "Effective Date" at the top of the policy will be updated
- No additional notification will be provided
For Material Changes:
- We will notify you via email at least 30 days before the changes take effect
- A prominent notice will be posted on our Service dashboard
- The email will include:
  - A summary of key changes
  - The effective date of the new policy
  - A link to review the complete updated policy
  - Your options if you disagree with the changes
Your Rights Regarding Changes
When we make material changes:
- You have 30 days to review the changes before they take effect
- You may contact us with questions or concerns about the changes
- If you disagree with material changes, you may:
  - Export your data (see Section 10 - Data Subject Rights)
  - Close your account before the changes take effect
  - Continue using the Service, which constitutes acceptance of the new terms
Continued Use
By continuing to use Product Classifier after privacy policy changes take effect, you acknowledge and agree to be bound by the updated policy. If you do not agree to material changes, you should discontinue use of the Service before the effective date.
Policy History
We maintain a record of material changes to this Privacy Policy. To request information about previous versions or specific changes, contact us at support@productclassifier.com.
Stay Informed
We encourage you to review this Privacy Policy periodically. The "Effective Date" at the top of this document will always reflect the date of the most recent version.
15. Contact Information & Complaints
We are committed to addressing your privacy concerns and facilitating the exercise of your rights under GDPR. This section provides comprehensive information on how to contact us and lodge complaints if necessary.
How to Contact Us
For all privacy-related matters, including questions about this Privacy Policy, data protection inquiries, or to exercise your rights under GDPR, please contact:
Primary Contact:
- Email: support@productclassifier.com
- Attention: Csaba Cserep, Chief Information Officer
- Company: Infinea Consulting Tanácsadó és Fejlesztő Korlátolt Felelősségű Társaság
- Address: Andor utca 21/c fszt. 1., 1119 Budapest, Hungary
Types of Requests We Handle:
- Data subject rights requests (access, rectification, erasure, etc.)
- Privacy policy clarifications
- Data processing inquiries
- Security concerns or breach notifications
- Consent withdrawals
- Complaints about our data handling practices
Response Times
We strive to respond to all privacy-related communications promptly:
- Initial acknowledgment: Within 48 hours of receiving your request
- Substantive response: Within 30 days for standard requests
- Complex requests: We may extend by an additional 60 days with notice
- Urgent security matters: Within 24 hours
Language Support
We accept and respond to privacy requests in:
- English (primary language)
- Hungarian
- Other EU languages (we will make reasonable efforts to accommodate)
Lodging a Complaint with Supervisory Authorities
If you are dissatisfied with our response or believe we are processing your personal data unlawfully, you have the right to lodge a complaint with a data protection supervisory authority.
Your Options for Filing Complaints:
You may file a complaint with the supervisory authority in:
- Your country of habitual residence
- Your place of work
- The place where the alleged infringement occurred
- Hungary (our location)
Hungarian Supervisory Authority:
- Name: Nemzeti Adatvédelmi és Információszabadság Hatóság (NAIH) / National Authority for Data Protection and Freedom of Information
- Address: 1055 Budapest, Falk Miksa utca 9-11
- Phone: +36 1 391 1400
- Email: ugyfelszolgalat@naih.hu
- Website: https://naih.hu
Finding Your Local Authority:
For supervisory authorities in other EU member states, visit the European Data Protection Board website: https://edpb.europa.eu/about-edpb/about-edpb/members_en
Escalation Process
If you're not satisfied with our initial response:
- You may request escalation to senior management
- We will review your concern within 10 business days
- You will receive a final response from our Chief Information Officer
- If still unsatisfied, we will provide information about external dispute resolution options
Data Protection Representation
As we are established in the EU (Hungary), we are not required to appoint a representative in other member states. However, we accept and process requests from data subjects throughout the EEA with equal diligence.
Keeping Records
We maintain records of all privacy-related requests and complaints for a minimum of three years to demonstrate compliance and improve our practices. These records are kept confidential and used only for compliance and service improvement purposes.