Privacy Policy

Effective date: 23 April 2026 · Last updated: 24 April 2026 · Version: 1.2

This Privacy Policy explains how Alpha Digital B.V., trading as Custos AI ("Custos AI", "we", "us", or "our") collects, uses, stores, and protects personal data when you use our platform at app.custosai.eu and our website at custosai.eu (together, the "Service").

1. Introduction

Custos AI is a multi-LLM workspace platform designed for European small and medium-sized enterprises (SMEs). We are committed to protecting your personal data in full compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the Dutch GDPR Implementation Act (Uitvoeringswet AVG, "UAVG").

By using the Service, you acknowledge that you have read and understood this Privacy Policy.

2. Controller

The data controller responsible for the processing of your personal data is:

Alpha Digital B.V. (trading as Custos AI) — Privacy Team
Stationsplein 26, 6512 AB Nijmegen, The Netherlands
KvK: 72313129
Email:

3. What Personal Data We Collect

3.1 Account data

When you register for the Service, we collect:

Full name
Email address
Hashed password
Preferred language (app currently available in NL and EN; additional EU languages rolling out)
Organisation name (if applicable)
User role within the organisation (admin or member)

3.2 Usage data

When you use the Service, we process:

Chat messages sent to LLM providers through our platform
Chat history and conversation metadata (timestamps, model used)
Uploaded files (PDF, DOCX, images — maximum 20 MB per file)
API usage metrics (token counts, estimated costs per provider)
Budget and spending data

3.3 Technical data

We automatically collect:

IP address
Browser type and version
Operating system
Timestamps of access and actions
Error logs (anonymised)

3.4 API keys (BYOK)

You provide your own API keys for third-party LLM providers ("Bring Your Own Key"). These keys are encrypted at rest using AES-256-GCM and are never logged in plaintext. Custos AI does not use your API keys for any purpose other than routing your requests to the provider you selected.

3.5 Payment data

If you subscribe to a paid plan, payment is processed by Stripe, Inc. We do not store credit card numbers or bank account details on our servers. We receive from Stripe only a transaction reference, plan type, and billing status.

4. Purposes and Legal Basis for Processing

Purpose	Data involved	Legal basis (GDPR)
Providing and operating the Service	Account data, chat messages, uploaded files, API keys	Art. 6(1)(b) — contract performance
User authentication and access control	Email, password, MFA tokens, session data	Art. 6(1)(b) — contract performance
API cost protection and budget enforcement	API usage metrics, spending data	Art. 6(1)(b) — contract performance
Billing and invoicing	Account data, Stripe transaction references	Art. 6(1)(b) — contract performance
Security, fraud prevention, and abuse detection	IP address, technical data, access logs	Art. 6(1)(f) — legitimate interest
Uptime monitoring and error resolution	Technical data, error logs	Art. 6(1)(f) — legitimate interest
Compliance with legal obligations	Account data, access logs, billing records	Art. 6(1)(c) — legal obligation
Website analytics (custosai.eu)	Anonymised page views via Vercel Analytics	Art. 6(1)(f) — legitimate interest; no cookies set
Responding to support requests	Email address, message content	Art. 6(1)(b) — contract performance

5. What We Do NOT Do With Your Data

No AI training: Your data — including chat messages, uploaded files, and API usage — is never used by Custos AI to train, fine-tune, or improve any AI model.
No selling of data: We never sell, rent, or trade your personal data to third parties.
No profiling for advertising: We do not use your data for targeted advertising or automated profiling.
No margin on LLM costs: Custos AI does not intercept, resell, or charge a margin on your LLM provider usage. All LLM costs are between you and the provider directly.

6. Sub-Processors

We engage the following sub-processors to operate the Service. All sub-processors are bound by data processing agreements that ensure GDPR-compliant handling of personal data.

Sub-processor	Purpose	Location	Data processed
Supabase	Database, authentication, file storage	Frankfurt, Germany (EU)	Account data, chat history, uploaded files
TransIP B.V.	VPS hosting for LiteLLM proxy and budget enforcement	Amsterdam, Netherlands (EU)	API request routing, budget metadata
Vercel, Inc.	Website and app frontend hosting	EU edge network	Anonymised page analytics
Lettermint	Transactional email delivery	EU	Email address, message content
Stripe Payments Europe, Ltd.	Payment processing and Stripe Tax	Dublin, Ireland (EU)	Billing data, transaction references

An up-to-date list of sub-processors is published at custosai.eu/sub-processors. We will notify you at least 30 days in advance of any material changes to our sub-processor list.

7. International Data Transfers

All primary data processing occurs on servers located within the European Union — database and file storage in Frankfurt (Germany) via Supabase, LLM proxy and budget enforcement in Amsterdam (Netherlands) via TransIP. We do not transfer your personal data outside the European Economic Area (EEA) except in the following circumstances:

LLM provider requests: When you send a chat message, it is forwarded to the LLM provider associated with your API key (e.g. OpenAI, Anthropic, Google). These providers may process data outside the EEA. This transfer is initiated by you, using your own API key. Custos AI acts as a processor forwarding your instructions.
Stripe: Payment data may be processed in Stripe's EU infrastructure (Dublin). To the extent data is transferred outside the EEA, Stripe relies on EU Standard Contractual Clauses.

8. Data Retention

Data type	Retention period	Justification
Account data	Duration of account + 12 months after deletion	Contract performance; Dutch fiscal law
Chat history	Duration of account; deleted upon account deletion	Contract performance
Uploaded files	30 days after upload (configurable by workspace admin)	Storage management; data minimisation
API usage and budget data	12 months (rolling)	Contract performance; cost transparency
Audit logs	12 months	Legitimate interest — security and fraud prevention
Billing records	7 years after end of financial year	Legal obligation — Dutch tax law (Art. 52 AWR)
Error logs	90 days	Legitimate interest — service stability
Support correspondence	24 months after last interaction	Contract performance

9. Data Security

We implement appropriate technical and organisational measures to protect your personal data, including:

Encryption at rest: All data stored in our database and file storage is encrypted using AES-256.
Encryption in transit: All data transmitted between your browser and our servers is protected by TLS 1.2 or higher.
API key encryption: Your LLM provider API keys are encrypted using AES-256-GCM before storage and are decrypted only in memory at the time of use. They are never written to logs.
Access control: Access to production systems is restricted to authorised personnel on a least-privilege basis.
MFA: Multi-factor authentication (TOTP) is available for all user accounts.
Network security: Supabase enforces connection encryption and Row Level Security (RLS) on all database access.
Network isolation: All customer data is isolated at the database layer using Supabase Row Level Security (RLS). Multi-tenant separation is enforced at every query, not at the application layer.
Regular backups: Daily automated backups with monthly restore testing.

10. Your Rights as a Data Subject

Under the GDPR, you have the following rights with respect to your personal data:

Right	Description
Access (Art. 15)	You may request a copy of the personal data we hold about you.
Rectification (Art. 16)	You may request correction of inaccurate or incomplete data.
Erasure (Art. 17)	You may request deletion of your data. You can delete your account and all associated data directly from the platform.
Restriction (Art. 18)	You may request that we limit processing of your data under certain circumstances.
Data portability (Art. 20)	You may export your data in a machine-readable format (JSON or CSV) directly from the platform.
Objection (Art. 21)	You may object to processing based on our legitimate interest.
Withdraw consent (Art. 7(3))	Where processing is based on consent (e.g. cookies), you may withdraw consent at any time.

To exercise any of these rights, please contact us at . We will respond within 30 days. We may ask you to verify your identity before processing your request.

11. Data Export and Account Deletion

Data export: You can export your personal data (including chat history and account information) at any time in JSON or CSV format via the platform settings.
Account deletion: You can permanently delete your account and all associated data from the platform settings. Upon deletion, all your personal data is irreversibly removed from our systems within 30 days, except where retention is required by law.

12. Cookies

12.1 Application (app.custosai.eu)

The application uses only strictly necessary cookies for authentication and session management. No analytics or tracking cookies are placed on the application domain.

12.2 Website (custosai.eu)

The marketing website uses Vercel Analytics, which is privacy-friendly and does not use cookies or track individual users. You can manage your cookie preferences at any time via the Cookie Policy.

Plausible Analytics (EU-hosted in Germany) is also used for privacy-friendly, cookieless website analytics. No personal data is collected; only aggregate page views, referrer, and browser type are processed in anonymous form. Plausible does not set cookies and is not a sub-processor under the GDPR definition because no personal data is transferred.

13. Children

The Service is designed for business use and is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe that a child has provided us with personal data, please contact us at .

14. Third-Party LLM Providers

When you use the Service, your chat messages are forwarded to the LLM provider you have selected using your own API key. Custos AI does not control how these providers process your data. We strongly recommend that you:

Review the privacy policy of each LLM provider before using their services.
Ensure that the provider offers a Data Processing Agreement (DPA) and a no-training guarantee if this is important to your business.
Avoid sending highly sensitive personal data (such as national identification numbers, medical records, or financial account details) to any LLM provider unless you have assessed the associated risks.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

Update the "Last updated" date at the top of this document.
Notify registered users by email at least 14 days before the changes take effect.
Publish the updated policy at https://custosai.eu/privacy.

16. Supervisory Authority

If you believe that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority. Our lead supervisory authority is:

Autoriteit Persoonsgegevens (AP)
Bezuidenhoutseweg 30, 2594 AV Den Haag, The Netherlands
Website: autoriteitpersoonsgegevens.nl
Phone: +31 70 888 85 00

17. Contact

For any questions, requests, or concerns regarding this Privacy Policy or our data protection practices, please contact:

Alpha Digital B.V. (trading as Custos AI) — Privacy Team
Stationsplein 26, 6512 AB Nijmegen, The Netherlands
KvK: 72313129
Email: