EU Privacy Policy & DPA

1. DPA Integration & Empowering Your Users

Aegitox operates exclusively behind the scenes as your B2B infrastructure provider. Because we cannot directly identify natural persons without external authentication data held by Discord Inc. (GDPR Article 11), we rely on you to handle direct user inquiries. Unverified, direct requests from end-users to us must be safely ignored to prevent social engineering.

Empowering Choice (Right to Object - Art. 21): We intentionally do not possess an independent mechanism to block or profile individual users globally. As the Guild Owner shaping your culture, you bear the wonderful responsibility of providing an "Opt-Out" mechanism for your members (such as assigning a specific role that our bot ignores) or managing your server's roster.

2. Transatlantic Data Transit (Schrems II Compliance)

To deliver lightning-fast, highly resilient moderation, our computing infrastructure and platform databases are physically localized within the United States.

Safeguarded Transit: By seamlessly integrating Aegitox, you execute a documented legal command to securely transit data from the EEA to the US. We safeguard this using the EU-US DPF Mechanism and Standard Contractual Clauses (SCCs). As the Data Controller, you smoothly assume the liability for establishing your lawful basis (Art. 6), completing any necessary Transfer Impact Assessments (TIA), and transparently informing your European members about this export.

3. Our Role as a Supportive Tool (PLD & DSA Shields)

• A Deterministic Helper (DSA Exemption): We operate strictly as a deterministic pass-through API, empowering your moderation rules. We are not an autonomous agent, and Aegitox is NOT a "Trusted Flagger" under the Digital Services Act (DSA). The final say in your community is always yours.
• Navigating AI Nuance (PLD Liability Waiver): Our service utilizes powerful third-party LLMs and is provided "AS IS". Generative AI is probabilistic and can occasionally be quirky. You graciously acknowledge that any classification errors or "hallucinations" are technological force majeure. We must categorically reject liability for direct, indirect, or reputational damages resulting from automated actions on your server, ensuring we can continue to innovate fearlessly.

4. Privacy by Design & Safeguarding Minors

Privacy by Design (Volatile RAM Processing): We embrace GDPR Art. 25 at the hardware level. Intercepted text messages exist exclusively in fleeting Volatile RAM. They are evaluated instantaneously by our AI and then permanently destroyed by the Garbage Collector—never written to a persistent physical disk.

Youth Safety & Special Categories (Art. 8 & 9): We trust Discord's age-gating, but we ask for your legal guarantee that your community members have reached the age of digital consent. Aegitox is strictly not designed to process sensitive health, political, or biometric data. Any incidental processing of such sensitive texts by your members is performed at your sole responsibility. Let's keep the focus on making friends and building great spaces!

5. Our Trusted Vendor Ecosystem

You generously grant us general authorization to engage with top-tier sub-processors. To keep Aegitox incredibly fast and secure, data is processed utilizing:

• Hetzner Cloud: US-based, high-performance bare-metal infrastructure.
• Cloudflare: Our Edge CDN and Web Application Firewall. Transitory IP processing helps us squash bugs and block DDoS attacks.
• Supabase: US-based, highly secure PostgreSQL database management.
• Groq, Inc.: Our Enterprise Inference Cluster, fully supporting our Global Zero Data Retention commitment.
• Discord: Our esteemed host platform and Event Gateway.
• PayPro Global: Independent Merchant of Record. We entrust all global transaction processing to them to ensure maximum tax compliance and elite data security.

Security Dedication (NIS2/CRA): We take security seriously. We commit to notifying you of any critical vulnerabilities within 24 hours of completing our internal technical triage and confirming the discovery, keeping you informed and protected.

6. AI Transparency (EU AI Act) & Synthetic Media

Data Minimization (GDPR Art. 5): To provide you with beautiful, contextual Karma Reports on your Dashboard, we dynamically cache minimal display data strictly bound by Row-Level Security (RLS). We categorically do not cross-pollinate user profiles across the network. Because this is a fun, community-building tool, you are strictly prohibited from utilizing these metrics for real-world Consequential Decisions (like employment or credit).

• Default Transparency Mandate (Regulation (EU) 2024/1689): To strictly prevent deceptive impersonation and champion the spirit of the European Union Artificial Intelligence Act (Article 50), all text gracefully paraphrased by our AI is conspicuously labeled by default (e.g., "✨ Upgraded by Aegitox AI"). This honest approach ensures that natural persons always know when they are interacting with an AI system, fostering a culture of trust.

7. Protecting Our Partnership (Indemnification & Limits)

To sustain B2B software at an enterprise scale, we must outline how we handle legal boundaries. Please read this section carefully.

• Mutual Support (Indemnification): You agree to fully indemnify, defend, and hold Aegitox harmless from any damages, claims, or administrative fines from EU regulators (DPA/EDPB) arising from your specific deployment of the bot, ensuring we protect each other.
• Predictable Boundaries (Financial Cap): To the maximum extent permitted by law, our total cumulative liability is safely capped at the amount you paid to Aegitox in the twelve (12) months preceding the claim, or $100.00 USD, whichever is greater. We hold no liability for indirect damages.
• Amicable Resolution (Arbitration): Any dispute will be resolved smoothly and confidentially via binding remote arbitration administered by JAMS.
• Individual Focus (Class-Action Waiver): We agree to bring claims strictly in our individual capacities, waiving the right to participate in class-action proceedings to keep resolution efficient.
• Timely Resolution: Any claims must be brought forward within one (1) year of the incident, ensuring we address concerns while they are fresh.

8. Empowering Privacy Rights & Secure DSARs

We celebrate the privacy rights granted by the GDPR. You and your users possess the right to Request Access and Request Deletion.

Cryptographic Security Verification: To shield your community's data from social engineering and spam, we legally require cryptographic verification for DSARs. Requests will ONLY be processed if executed smoothly via our authenticated dashboard or accompanied by a securely signed JWT payload. Unverified direct emails are strictly dismissed to protect everyone's privacy.

Strength in Structure (Severability): If any provision of this Global MSA is found unenforceable by a court of competent jurisdiction, that specific provision shall be limited to the minimum extent necessary, ensuring the absolute liability shield and remainder of the agreement remains in full force and effect.

For verified administrative inquiries, reach out here: privacy@aegitox.com

9. Security, Authentication & Local Storage

To deliver a seamless, high-performance, and secure experience, the Aegitox platform utilizes the browser's Web Storage API (LocalStorage) rather than legacy HTTP cookies. In strict alignment with the European ePrivacy Directive (PECR) and the General Data Protection Regulation (GDPR Article 5), we are committed to absolute transparency regarding the operational data residing on your device.