Privacy Policy
Last updated: March 2026
1. Introduction
Sgraal Protocol (the "Service") is operated by Zs-Consulting Kft. ("Zs-Consulting", "we", "us", or "our"), a company registered in Budapest, Hungary. References to "Sgraal" in this Policy refer to the Service; references to "we" refer to Zs-Consulting Kft. as the legal entity providing the Service. This Privacy Policy explains how we collect, use, and protect information when you use the Service at sgraal.com and api.sgraal.com.
2. Information We Collect
2.1 API Usage Data
When you call our API, we process memory state objects you submit. By default, we do not store the content of memory entries — only metadata (timestamps, decision outcomes, omega scores, domain labels).
2.2 Account Data
If you create an account at app.sgraal.com, we collect your email address, API key usage statistics, and billing information processed by Stripe.
2.3 Log Data
We collect standard server logs including IP addresses, request timestamps, and response codes for security and debugging purposes. Logs are retained for 30 days.
3. How We Use Your Data
- To provide and improve the Sgraal API service
- To generate compliance reports when requested
- To detect abuse and enforce our Terms of Service
- To send critical service notifications (not marketing)
- To comply with legal obligations under EU law
4. Zero-Knowledge Mode
Enterprise customers may enable ZK mode, in which memory content is never transmitted to our servers. Validation is performed using cryptographic proofs. In ZK mode, we store only the omega score, decision outcome, and proof hash.
5. Data Sharing
We do not sell your data. We share data only with:
- Supabase — database infrastructure (EU region)
- Railway — API hosting infrastructure
- Stripe — payment processing
- Upstash — Redis state management
- Cloudflare — DDoS protection, DNS, and email routing infrastructure
- Google LLC — Google Analytics 4 traffic measurement (US, EU-U.S. Data Privacy Framework participant; loaded only after explicit cookie consent — see §8)
All subprocessors are bound by data processing agreements compliant with GDPR Article 28.
6. Data Retention
Decision metadata is retained for 90 days by default. Enterprise customers may configure custom retention periods. Upon account deletion, all personal data is purged within 30 days. Audit logs required for compliance (EU AI Act, GDPR) may be retained for up to 10 years as required by law.
7. Your Rights (GDPR)
As a data subject under GDPR, you have the right to:
- Access your personal data
- Rectify inaccurate data
- Request erasure ("right to be forgotten")
- Data portability
- Object to processing
- Lodge a complaint with your national supervisory authority
To exercise these rights, contact us at: hello@sgraal.com
8. Analytics and Cookies
sgraal.com uses Google Analytics 4 (measurement ID G-K7B978E0HF) to measure aggregate traffic patterns — page views, referrers, geographic distribution at country level, and aggregated session duration. IP addresses are anonymized before transmission via the anonymize_ip parameter. No personally identifiable information is collected or transmitted.
Analytics cookies are loaded only after you accept them via the consent banner shown on your first visit. If you reject them, no Google Analytics tags are loaded on the page and no analytics cookies are set. Your choice is stored in the sgraal_cookie_consent entry in your browser's localStorage and respected on every subsequent visit until you clear it.
We do not use advertising cookies. We do not share data with advertising networks. We do not use behavioral profiling.
app.sgraal.com uses essential session cookies only (no analytics, no advertising). Google LLC is listed as a subprocessor in §5 (Data Sharing).
9. Contact
Data Controller: Zs-Consulting Kft., Budapest, Hungary.
Contact: hello@sgraal.com