Savvina AI
Privacy Policy

Privacy Policy

Effective date: 1 June 2026 Last updated: 22 May 2026 Regulation: GDPR (EU) 2016/679
This policy is compliant with GDPR (EU) 2016/679 and applicable Greek data protection law.
01

Who We Are

Savvina AI ("we," "us," or "our") is the data controller for the personal data described in this Privacy Policy. We operate the Savvina AI natural language to SQL platform and associated services, available at savvina.ai.

For the purposes of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable Greek data protection law, the data controller is:

02

The Privacy-First Architecture

What This Means for You

Savvina AI is self-hosted. Your databases, business data, queries, and query results never leave your own infrastructure and are never transmitted to, stored by, or accessible to Savvina. We are not a processor of your Customer Data — we cannot be, because we never receive it.

This Privacy Policy governs only the limited personal data that Savvina does receive in connection with operating the business — primarily billing and account contact information, and the minimal license validation signals described below.

This policy does not apply to the personal data of your end-users or employees that your deployment of Savvina AI may process. You are the data controller for that data. You are responsible for ensuring your use of Savvina AI complies with applicable data protection law in relation to your own users and the databases you connect.

03

Data We Collect

We collect only the minimum data necessary to operate the Service. The table below summarises what we collect, why, and how.

3.1 Account & Billing Data

Data How Collected Purpose
Business email address Provided during purchase License delivery, billing notices, support communication
Payment method details Entered in Stripe Checkout Payment processing — Savvina never sees raw card details; Stripe tokenises these
Billing address / VAT number Provided during checkout Invoice generation, VAT calculation, tax compliance
Subscription and transaction history Generated by Stripe Billing records, dispute resolution, accounting
Name (optional) Provided during checkout Personalisation of communications

3.2 License Validation Data

The Savvina software installed on your server contacts license.savvina.ai every 24 hours to validate its License Key. This request transmits:

  • The License Key (an opaque token encoding tier, limits, and expiry)
  • The software version number
  • A timestamp

No Customer Data, query content, user information, database credentials, or business information is transmitted in this exchange. The source IP address of the request is received as part of the network communication but is not stored or linked to any individual.

3.3 Support Data (Customer-Initiated)

When you contact support or raise a ticket, you may share:

  • Log excerpts or a support bundle (sanitised — no query content, no credentials, no customer data)
  • Diagnostic output from the /api/admin/diagnostics endpoint (system health metrics only)
  • Description of the issue and any screen recordings you choose to share

All support data is provided voluntarily by you and used solely to resolve the relevant support request. It is deleted once the ticket is closed.

3.4 Optional Error Reporting

If you enable the opt-in error reporting feature (ERROR_REPORTING=true in your .env file), unhandled application exceptions from your deployment are sent to our Sentry instance. Before transmission, all personally identifiable information, query content, connection credentials, and customer data are stripped. This feature is disabled by default. You may enable or disable it at any time by modifying your deployment configuration.

3.5 Website & Marketing Data

When you visit savvina.ai, we may collect standard web analytics data (page views, referrer, browser type) using privacy-respecting analytics tools that do not track individuals across sites. We do not use advertising networks or third-party tracking pixels.

04

How We Use Your Data

  • Delivering the Service — issuing and validating License Keys, delivering Docker image access, and sending the welcome email with deployment credentials.
  • Billing and payment processing — managing subscriptions, processing payments and renewals via Stripe, issuing invoices, and handling VAT compliance.
  • Customer communications — sending transactional emails related to your subscription (payment confirmations, renewal reminders, failed payment notices, license upgrade notifications).
  • Support — diagnosing and resolving technical issues using information you share with us.
  • Security and fraud prevention — detecting and preventing abuse of the licensing infrastructure.
  • Legal compliance — meeting our obligations under applicable tax, accounting, and data protection law.
  • Product improvement — using aggregated, anonymised data (never individual customer data or query content) to understand usage patterns and prioritise development.

We do not use your data for advertising, profiling, or marketing to third parties. We do not sell, rent, or trade your personal data.

05

Legal Basis for Processing

Under the GDPR, every processing activity requires a lawful basis. The bases on which we rely are:

Processing Activity Legal Basis GDPR Article
Billing and subscription management Performance of contract Art. 6(1)(b)
License key issuance and validation Performance of contract Art. 6(1)(b)
Transactional emails Performance of contract Art. 6(1)(b)
Tax record keeping Legal obligation Art. 6(1)(c)
Support resolution Legitimate interest Art. 6(1)(f)
Security and fraud prevention Legitimate interest Art. 6(1)(f)
Optional error reporting Consent Art. 6(1)(a)
Web analytics Legitimate interest Art. 6(1)(f)
06

Data Sharing & Processors

We share your data with a limited number of third-party processors who act under our instructions and are bound by data processing agreements. We do not share your data with any other parties.

Processor Role Data Shared
Stripe Payment processing Billing contact, payment method (tokenised), billing address, subscription data
GitHub Container Registry (GHCR) Docker image distribution Pull token scoped to License Key (no personal data beyond authentication token)
Email delivery provider (transactional) Sending license and billing emails Billing email address, email content
Sentry (opt-in only) Error tracking Sanitised exception data — no PII, no query content (only if you enable ERROR_REPORTING)

We do not share data with advertising networks, data brokers, or analytics platforms that profile individuals.

07

International Transfers

Some of our data processors (notably Stripe and GitHub) operate infrastructure based in the United States. Where data is transferred outside the European Economic Area, we rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission, incorporated into our processor agreements.
  • Adequacy decisions where applicable.

Stripe is certified under the EU–U.S. Data Privacy Framework. GitHub / Microsoft participates in the EU–U.S. Data Privacy Framework. Details are available in each processor's privacy documentation.

08

Data Retention

Data Category Retention Period Reason
Billing and transaction records 10 years from transaction date Greek tax law / EU accounting requirements
License key records Duration of subscription + 2 years Contract performance, dispute resolution
Support ticket data Until ticket closed + 90 days Legitimate interest (quality assurance)
Error reports (opt-in Sentry) 90 days Bug resolution
Web analytics 12 months (aggregated only) Product development
Account contact data (post-cancellation) 30 days after cancellation, then deleted Minimal retention, then erasure

After the applicable retention period, data is securely deleted or anonymised. Anonymised aggregate data may be retained indefinitely as it no longer constitutes personal data.

09

Your Rights (GDPR)

As a data subject under the GDPR, you have the following rights in relation to personal data we hold about you:

Right of Access

Request a copy of the personal data we hold about you.

Right to Rectification

Ask us to correct inaccurate or incomplete personal data.

Right to Erasure

Ask us to delete your personal data, subject to legal retention obligations.

Right to Restriction

Ask us to restrict processing while a dispute is resolved.

Right to Portability

Receive your personal data in a structured, machine-readable format.

Right to Object

Object to processing based on legitimate interests.

Right to Withdraw Consent

Withdraw consent at any time for consent-based processing (e.g., error reporting).

Right to Lodge a Complaint

Complain to the Hellenic Data Protection Authority (HDPA) at dpa.gr.

To exercise any of these rights, contact us at security@savvina.ai. We will respond within 30 days. We may need to verify your identity before processing your request. There is no charge for exercising your rights.

Note

Your Customer Data (databases, queries, business data) resides on your own infrastructure. Savvina has no copy of it and therefore cannot fulfil data subject rights requests on behalf of your end-users. As data controller for your Customer Data, those obligations rest with you.
10

Security

We implement appropriate technical and organisational measures to protect the personal data we hold, including:

  • Encryption of data in transit (TLS 1.2+) and at rest.
  • Access controls limiting personal data to personnel with a business need.
  • Hashed storage of password reset tokens and security-sensitive credentials (never plaintext).
  • Regular review of security practices and third-party processor compliance.

No method of transmission or storage is 100% secure. In the event of a personal data breach that poses a risk to individuals, we will notify the relevant supervisory authority within 72 hours in accordance with GDPR Article 33, and notify affected individuals without undue delay where required by Article 34.

Security of your self-hosted deployment — including server hardening, network configuration, and database credentials — is your responsibility. Savvina provides documentation and guidance but cannot secure infrastructure it does not operate.

11

Cookies

The Savvina AI website (savvina.ai) uses a minimal set of cookies:

  • Strictly necessary cookies — Required for the website to function (e.g., session management during checkout). These are exempt from consent requirements under applicable law.
  • Analytics cookies — Privacy-respecting, cookieless analytics may be used to understand aggregate traffic patterns. No cross-site tracking; no advertising identifiers.

Your self-hosted Savvina deployment does not set any cookies under our domain — any session cookies set by your deployment are set under your own domain and are entirely under your control.

12

Children

Savvina AI is a business-to-business product not directed at or intended for use by individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected personal data from a person under 16, we will delete it promptly. If you believe a minor has provided us with personal data, please contact us at security@savvina.ai.

13

Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and, where required by law or where the changes affect how we process your data in a significant way, notify you by email to your billing address with at least 30 days' notice.

Continued use of the Service after the effective date of a revised policy constitutes your acknowledgement of the changes. We encourage you to review this page periodically.

14

Contact & Data Protection

For any questions, concerns, or requests related to this Privacy Policy or the personal data we hold about you, please contact our privacy team:

You also have the right to lodge a complaint with the supervisory authority in your country of residence. In Greece, the competent authority is:

This Privacy Policy was last reviewed and approved by Savvina AI on 22 May 2026.