Privacy Policy

1. Introduction

mSightFlow ("we," "us," or "our") is committed to protecting the privacy of our users. This Privacy Policy explains how we collect, use, store, and share personal data when you use our platform.

This policy complies with the General Data Protection Regulation (GDPR / AVG) and other applicable Dutch and European data protection laws.

Data Controller: mSightFlow (eenmanszaak), KVK registration, the Netherlands. Email: support@msightflow.ai

2. Data We Collect

Account Data: Email address (required for registration), hashed password (bcrypt), account creation date, subscription tier.

Usage Data: API call logs (endpoint, timestamp, response status), API key identifiers, feature usage statistics.

Uploaded Content: Images, videos, and files uploaded for processing; annotations, labels, and project data; AI model inference results.

Technical Data: IP address, browser type and version, device type, referral source.

3. Legal Basis for Processing

Account Data — Performance of contract (Art. 6(1)(b) GDPR).

Usage Data — Legitimate interest: service improvement and abuse prevention (Art. 6(1)(f)).

Uploaded Content — Performance of contract (Art. 6(1)(b)).

Technical Data — Legitimate interest: security and analytics (Art. 6(1)(f)).

Marketing emails — Consent (Art. 6(1)(a)).

4. How We Use Your Data

We use collected data to: provide and maintain the Service; authenticate users and manage subscriptions; monitor usage against plan limits and prevent abuse; improve service performance; communicate service updates; and comply with legal obligations.

We do NOT use your uploaded content to train machine learning models unless you provide explicit written consent.

5. Data Storage and Retention

Account data is stored in a PostgreSQL database hosted in the EU. Uploaded content is stored in AWS S3 (EU region, eu-west-1). Temporary processing data is stored in memory during inference and not persisted beyond the request lifecycle.

Retention periods: Account Data — duration of account + 30 days after deletion. Active project content — duration of account. Deleted project content — removed within 30 days. API call logs — 90 days. Usage statistics — 12 months (aggregated, anonymized). Server logs — 30 days.

After account deletion, all associated personal data and content is deleted within 30 days, except where retention is required by Dutch tax law (up to 7 years for financial records).

6. Data Sharing

We do not sell personal data to third parties.

We share data with: Stripe (payment processing — email, subscription tier, billing info), AWS (cloud infrastructure — uploaded content, encrypted at rest), Hugging Face (model weight downloads — no user data shared, server-side only).

All third-party processors are bound by Data Processing Agreements and operate under GDPR-compliant frameworks.

We may disclose data when required by law, court order, or to protect the rights and safety of our users and the Service.

7. Cookie Statement

Essential Cookies: Authentication token (localStorage) maintains user session. CSRF token prevents cross-site request forgery. These are strictly necessary.

Analytics Cookies: We currently do not use third-party analytics cookies. If this changes, we will update this policy and request consent.

Third-Party Cookies: Stripe may set cookies during payment. These are governed by Stripe's privacy policy.

Essential cookies cannot be disabled without losing access to authenticated features. Users can clear cookies through browser settings.

8. Your Rights (GDPR)

Under the GDPR, you have the right of access (Art. 15), right to rectification (Art. 16), right to erasure (Art. 17), right to restrict processing (Art. 18), right to data portability (Art. 20), right to object (Art. 21), and right to withdraw consent (Art. 7(3)).

To exercise any of these rights, contact us at support@msightflow.ai. We will respond within 30 days.

You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens): autoriteitpersoonsgegevens.nl

9. Data Security

We implement appropriate technical and organizational measures: passwords are hashed using bcrypt; API communication is encrypted via TLS/HTTPS; uploaded content is encrypted at rest in AWS S3; access to production systems is restricted and logged; JWT tokens are used with expiration.

10. International Transfers

All data processing occurs within the European Economic Area (EEA). If any sub-processor transfers data outside the EEA, we ensure appropriate safeguards (Standard Contractual Clauses or adequacy decisions) are in place.

11. Children

The Service is not intended for children under 16 years of age. We do not knowingly collect personal data from children.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-app notification.

13. Contact

For questions: support@msightflow.ai

For data protection complaints: Autoriteit Persoonsgegevens — autoriteitpersoonsgegevens.nl