Privacy Policy — CAI-AUTH (Cipher AI Authenticator)

1. Introduction

This Privacy Policy (the "Policy") explains how CAI Technology SRL ("CAI Technology", "we", "us", "our") collects, uses, discloses, retains, and protects personal data in connection with the CAI-AUTH authentication service, the associated Android application, the Chrome Extension, the server APIs, and the website at auth.caitech.ro (collectively, the "Service").

CAI-AUTH is a passwordless, hardware-bound, post-quantum authentication factor. It replaces passwords and one-time codes with cryptographic signatures that are generated inside a Secure Element, StrongBox, or Trusted Execution Environment on your device. Because of this architecture, the Service is designed around a very small personal data footprint: we do not have access to your private keys, your biometric templates, or the content of the operations you authenticate on third-party websites or applications. We believe that privacy protection and strong authentication are complementary and that the best way to protect your data is not to collect it in the first place.

This Policy is issued in compliance with Regulation (EU) 2016/679 (the "EU GDPR"), the United Kingdom General Data Protection Regulation and Data Protection Act 2018 (together, the "UK GDPR"), the California Consumer Privacy Act as amended by the California Privacy Rights Act (the "CCPA/CPRA"), the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados, "LGPD"), the Swiss Federal Act on Data Protection ("FADP"), the Canadian Personal Information Protection and Electronic Documents Act ("PIPEDA"), the Australian Privacy Act 1988, the Korean Personal Information Protection Act ("PIPA"), and Romanian Law No. 190/2018 implementing the GDPR. Where any of these laws grants you a stronger right than another, we will apply the stronger standard.

This Policy forms an integral part of our Terms of Service. By installing the CAI-AUTH application, enrolling a credential, or otherwise using the Service, you acknowledge that you have read, understood, and agreed to the processing described here. If you do not agree with this Policy, please do not use the Service.

The effective date of this Policy is April 24, 2026 and the version is v3.0. Previous versions are archived and available on request at office@caitech.ro.

2. Data Controller and Data Protection Officer

CAI Technology SRL is the Data Controller for the personal data processed under this Policy, within the meaning of Article 4(7) of the EU GDPR, Article 5(VI) of the LGPD, and equivalent provisions of the UK GDPR, FADP, PIPEDA, and CCPA/CPRA (where CAI Technology qualifies as a "business").

Legal name: CAI Technology SRL
Registered office: Str. Victor Brauner 34, Bucharest, Romania (EU member state)
Romanian Commercial Registry (ONRC): registration on file; unique identification code available on request
EU representative: CAI Technology SRL (the controller is established in the EU and does not require a separate Article 27 representative)
General contact: office@caitech.ro
Privacy and Data Protection Officer (DPO): Gelu Constantin — office@caitech.ro
Security and vulnerability disclosure: tehnic@caitech.ro
Legal: office@caitech.ro
Postal address: CAI Technology SRL, Attention: Data Protection Officer, Str. Victor Brauner 34, Bucharest, Romania

The DPO is responsible for monitoring compliance with this Policy, responding to data subject requests, liaising with supervisory authorities, and advising on data protection impact assessments. You may contact the DPO directly and confidentially at any time.

The lead supervisory authority for the controller is the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP), B-dul G-ral Gheorghe Magheru 28-30, Sector 1, Bucharest, Romania, www.dataprotection.ro. You always retain the right to lodge a complaint with ANSPDCP or with the supervisory authority of your habitual residence, your place of work, or the place of the alleged infringement.

3. Scope of this Policy, Relationship to the Terms of Service, and Sub-processors

This Policy applies to all personal data processing activities carried out by CAI Technology in its capacity as Data Controller in connection with the Service. It covers the CAI-AUTH Android application (Google Play package ro.caitech.caiauth), the CAI-AUTH Chrome Extension published on the Chrome Web Store, the CAI-AUTH server and REST/WebSocket APIs operated on the domain auth.caitech.ro, any self-hosted instance operated by CAI Technology, and the public website.

Where the Service is deployed on customer-owned infrastructure under an enterprise agreement, the customer acts as Data Controller for data processed on their own servers, and CAI Technology acts as a Data Processor under a Data Processing Agreement concluded pursuant to Article 28 of the GDPR. In that case, this Policy continues to apply to any data that we process in our role as controller (for example, account-level billing data, support tickets, or incident telemetry that you voluntarily share with us).

This Policy must be read together with our Terms of Service and our License. Capitalised terms not defined here have the meaning given in the Terms of Service. If there is a conflict between this Policy and any other document, this Policy prevails for matters of personal data protection.

We engage a limited number of sub-processors that carry out processing activities on our behalf under written contracts containing confidentiality, security, audit, and international transfer safeguards consistent with Article 28(3) of the GDPR. The current list of sub-processors is set out in Section 11 and in the Appendix at the end of this Policy. We will give you prior notice of any intended addition or replacement of sub-processors, giving you a reasonable opportunity to object where the processing is carried out on your behalf under a DPA.

4. Categories of Personal Data We Process

We process only the categories of personal data strictly necessary to deliver, secure, and improve the Service, to comply with our legal obligations, and (for financial-sector customers) to discharge regulatory reporting duties. The following table sets out each category, the source from which it is obtained, the legal basis under the GDPR, and the retention period. Retention periods are maxima; we delete earlier if the purpose has been achieved.

Category	Source	Legal basis	Retention
Email address and display name Used for account identification, verification notifications, and service communications.	Directly from you at enrolment	Art. 6(1)(b) GDPR — contract performance	Until you close the account; 30 days in purge state; then permanently deleted
User identifiers A UUID assigned by us and a random `user_handle` byte string (WebAuthn-compatible).	Generated by us at registration	Art. 6(1)(b) GDPR — contract performance	Until account closure + 30 days
Credential public keys A 1 984-byte hybrid public key (Ed25519 + ML-DSA-87) per credential. We never receive private keys.	Generated on your device; public part sent to us at registration	Art. 6(1)(b) GDPR — contract performance	Until you revoke the credential or close the account; then permanently deleted
Attestation certificate chain Device hardware attestation (Android Key Attestation, Apple App Attest where applicable) proving the credential was generated in genuine hardware.	Manufacturer-signed chain presented by your device	Art. 6(1)(f) GDPR — legitimate interest (fraud prevention, anti-cloning)	Until credential revocation; up to 5 years thereafter in cold archive where required for forensic defence
Device information (JSONB) Device model, OS version, security posture flags (StrongBox vs. TEE vs. software-only key storage), Google Play Integrity verdict, locale.	Provided by the app at enrolment and during risk evaluations	Art. 6(1)(f) GDPR — legitimate interest (security)	Until credential revocation
Client IP address and user agent Recorded in the audit log for abuse prevention and forensic investigation.	Observed on incoming HTTPS requests	Art. 6(1)(f) GDPR — legitimate interest (security, abuse prevention)	5 years inside the tamper-evident audit log; longer only where mandated by law (e.g. DORA, AML)
Timestamps `created_at`, `last_seen_at`, session start and end.	Generated by the server	Art. 6(1)(b) and (f) GDPR	Aligned with the parent record
Relying Party ID and origin The domain or application to which you authenticate.	Sent by the client at authentication	Art. 6(1)(b) GDPR — contract performance	Inside the audit log (5 years)
Audit log events Event type, metadata, success or failure flag, BLAKE3 Merkle chain pointers for tamper evidence.	Generated by the server on each event	Art. 6(1)(c) and (f) GDPR — legal obligation (where applicable) and legitimate interest (security, accountability)	5 years by default; longer where required by sectoral law (e.g. DORA Art. 19 and Art. 28; PSD2; AML5)
FCM push tokens Firebase Cloud Messaging registration tokens used to deliver push-to-approve prompts.	Google LLC issues the token to your device; your device sends it to us	Art. 6(1)(b) GDPR — contract performance	Until you unregister the device or uninstall the app; Google automatically invalidates stale tokens
DORA incident reports Major ICT incident data prepared for financial-entity customers pursuant to Regulation (EU) 2022/2554 (DORA).	Customer notification and automated telemetry	Art. 6(1)(c) GDPR — compliance with legal obligation	5 years, in line with DORA Art. 28 and EBA guidance
Behavioural observations (CBB) Continuous Behavioural Biometrics: aggregated, locally derived features such as motion signatures, tap rhythm, and touch pressure. Currently these are observed for research only and are not used to reject authentications (an opt-in CBB enforcement flag exists since v0.15.0 but remains off by default). Observation is disclosed in-app before activation.	Derived on your device; aggregated statistics only are returned to the server	Art. 6(1)(f) GDPR — legitimate interest (security research) with a documented Legitimate Interests Assessment	12 months for raw feature aggregates; perpetual for anonymised, non-identifying statistics
Support and legal correspondence Emails, tickets, contractual documents.	You, or your authorised representative	Art. 6(1)(b), (c) and (f) GDPR	3 years from the last interaction; 10 years for contractual and tax records per Romanian Fiscal Code

We do not intentionally collect or process special categories of personal data within the meaning of Article 9 of the GDPR. Where a piece of information incidentally reveals such a category (for example, a device model that could imply a disability aid), we apply heightened protection and access controls.

5. Categories of Personal Data We Do Not Process

Our architecture is built to structurally prevent access to the most sensitive elements of your identity. The following categories are never transmitted to, observed by, or stored on our servers:

Private keys. Your Ed25519 and ML-DSA-87 private keys are generated inside StrongBox, Secure Enclave, or an equivalent hardware root of trust. The keys are non-extractable: the Service requests a signature and the hardware performs it. We never see private key material.
Biometric templates. Your fingerprint, face, or iris templates remain inside the Trusted Execution Environment of your device. The operating system exposes to our application only a boolean verification result. We never see biometric samples or templates, and we cannot re-identify you from them.
Passwords. CAI-AUTH is passwordless by design. There is no shared secret to steal, phish, leak, or brute-force.
Plaintext content of your authenticated operations. When you sign in to your bank, your email provider, or any third-party website using CAI-AUTH, we see only the authentication assertion. We do not see the contents of the session you open, the pages you visit, the transactions you perform, or the files you access.
Third-party credentials. Usernames, passwords, or cookies for websites you log in to using CAI-AUTH are not transmitted through or stored by us. CAI-AUTH is an authentication factor, not a password manager and not a proxy.
Advertising identifiers, contacts, calendars, SMS, call logs, microphone audio, photos, and precise location data. We do not request these permissions and we do not collect these categories.
Browsing history. The Chrome Extension does not read, collect, or transmit your browsing history.

This is not merely a policy promise: the zero-knowledge properties above are enforced by our cryptographic protocol, by the platform security boundaries of Android and Chrome, and by the open-source core library cai-auth-core that can be independently audited.

6. Legal Bases for Processing

We process personal data only where we have a valid legal basis under Article 6 of the GDPR (and equivalent provisions of the UK GDPR and LGPD). The bases we rely on are:

Article 6(1)(b) — performance of a contract or taking pre-contractual steps at your request. This covers enrolment, credential management, authentication challenge-response, session management, account export, and account closure.
Article 6(1)(c) — compliance with a legal obligation. This covers retention of records for tax and accounting purposes under Romanian law, cooperation with lawful orders from competent authorities, and sector-specific reporting such as major ICT incident notifications under DORA Articles 17-23 and breach notification under GDPR Articles 33-34.
Article 6(1)(f) — legitimate interests. We rely on this basis for the security and integrity of the Service, fraud prevention, abuse mitigation, tamper-evident audit logging, aggregate statistical analysis of Service performance, and limited product-improvement analytics. We have documented a Legitimate Interests Assessment (LIA) that balances our interest in a secure, reliable service against your rights and freedoms. We apply data minimisation, pseudonymisation, short retention, role-based access, and purpose limitation to mitigate any residual risk. You may object to processing based on this legal basis at any time, and we will cease the processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing is necessary for the establishment, exercise, or defence of legal claims.
Article 6(1)(a) — consent. We ask for your explicit consent before activating any feature that is not strictly necessary, including optional product telemetry, optional research participation, and any processing that requires consent under national law. You can withdraw consent at any time without affecting the lawfulness of processing before withdrawal.

Article 9 GDPR — Special Categories. The Service is architected so that no special-category data (in particular biometric data used for the purpose of uniquely identifying a natural person) leaves your device. Biometric verification is performed inside the TEE of your device; the server receives only a cryptographic signature and a boolean user-presence or user-verification flag. Because the server never receives biometric templates or samples, we do not process special-category data within the meaning of Article 9(1).

Where your jurisdiction recognises additional legal bases (for example, under LGPD Article 7 or UK GDPR), we rely on the equivalent basis and document the mapping internally.

7. Purposes of Processing

We process personal data for the following defined, explicit, and legitimate purposes:

Authentication and account management: enrolling credentials, verifying authentication assertions, managing sessions, and enabling account recovery and closure.
Security and abuse prevention: detecting and preventing unauthorised access, credential stuffing, brute-force attempts, replay attacks, device cloning, and ICT fraud.
Tamper-evident audit: maintaining an append-only audit log secured with BLAKE3 Merkle chains to allow forensic reconstruction of events in case of incident or dispute.
Fraud prevention: evaluating device attestation and risk signals before approving sensitive operations.
Service reliability and improvement: measuring uptime, latency, crash rates, and feature usage at an aggregate level, without profiling individuals.
Statistical and research purposes: producing aggregated, non-identifying statistics that inform our roadmap; continuous behavioural biometrics research under Article 89 GDPR safeguards.
Regulatory and contractual compliance: responding to lawful requests from competent authorities, producing reports required by DORA, PSD2, or AML regulations, and fulfilling contractual obligations to enterprise customers.
Financial-sector compliance: supporting customers subject to DORA, PSD2 strong customer authentication, eIDAS, and equivalent national banking rules.
Communications: sending transactional emails and security alerts; we do not send marketing emails without your prior opt-in.

We do not repurpose personal data for incompatible purposes. When a new purpose is contemplated, we carry out a compatibility assessment under Article 6(4) GDPR and, where required, obtain your consent or update this Policy with advance notice.

8. Cookies and Similar Technologies

CAI-AUTH is designed to operate without tracking. The auth.caitech.ro website uses only strictly necessary cookies that are exempt from the consent requirement under Article 5(3) of Directive 2002/58/EC (the "ePrivacy Directive") as transposed in Romanian Law 506/2004:

Session cookie: set when you authenticate, used only to maintain your authenticated state for the duration of the session.
CSRF token cookie: used to protect web forms against Cross-Site Request Forgery.
Preferences cookie (if set): stores user interface preferences such as language or theme, set only when you change the default.

We do not use advertising cookies, social-media pixels, session replay scripts, heatmaps, cross-site tracking, or third-party analytics on the website. The Android application does not use tracking SDKs. The Chrome Extension uses only the minimum permissions declared in its manifest (storage, notifications, and explicit host permission for the configured CAI-AUTH server) and does not contain any advertising or analytics code.

Because there are no non-essential cookies, we do not display a consent banner on the website. If we ever introduce non-essential cookies in the future, we will display a compliant consent management interface and honour your choices for at least twelve months before asking again.

9. Automated Decision-Making and Profiling

As of the current release of the Service (v0.17.2.3), CAI-AUTH does not take automated decisions producing legal effects or similarly significant effects on data subjects within the meaning of Article 22 of the GDPR. Authentication decisions are deterministic cryptographic verifications: either the signature is valid or it is not, based on the public key you previously enrolled.

The Continuous Behavioural Biometrics ("CBB") module currently operates in observation-only mode. It computes aggregated features locally on your device (for example, statistical summaries of motion, tap rhythm, and touch pressure) to support future anomaly detection. These features are not used to reject authentications, to deny you access, or to draw inferences about you, and no remote AI inference is performed on this data. Raw behavioural samples never leave your device; only aggregate feature vectors are transmitted, and only if you have the feature enabled.

Before any enforcement mode of CBB is activated (for example, using behavioural signals to require an additional verification step when an anomaly is detected), we will:

publish an updated version of this Policy at least 30 days in advance;
conduct and publish a summary of a Data Protection Impact Assessment under Article 35 of the GDPR;
offer a clear opt-out that does not degrade your ability to use the Service;
implement the Article 22(3) safeguards, including the right to obtain human intervention, express your point of view, and contest the decision.

10. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes described above, including to satisfy legal, accounting, audit, and dispute-resolution requirements. The retention periods by category are:

Audit log events: 5 years from creation, extended only where mandated by applicable law (for example, DORA Article 28 for financial customers, or AML5 for obliged entities). After expiry, records are permanently deleted and the BLAKE3 chain is pruned.
Credential public keys and attestation metadata: until you revoke the credential or close your account; in both cases, deletion occurs within 30 days of the request, except for attestation evidence retained in cold archive for up to 5 years for forensic defence.
Account email, display name, and identifiers: for the duration of the account and for 30 days after closure, then permanently deleted, except where we must retain the record to comply with a legal obligation or to establish, exercise, or defend legal claims.
FCM push tokens: until the device is unregistered, the application is uninstalled, or Google automatically invalidates the token.
DORA incident reports: 5 years, in line with EBA and DORA guidance.
Behavioural aggregates (CBB): 12 months for raw aggregated features; perpetual for fully anonymised, non-identifying statistics.
Session cookies and ephemeral authentication challenges: minutes to hours, automatically purged at expiry.
Support correspondence: 3 years from the last interaction; longer where a dispute is pending.
Contractual, tax and accounting records: 10 years, per Romanian Fiscal Code and Accounting Law.

Where you exercise the right to erasure (Section 14), we delete personal data even before these retention periods expire, unless an overriding legal basis requires us to keep it.

11. Sub-processors

We engage a small number of sub-processors under written contracts that impose obligations equivalent to those set out in Article 28 of the GDPR, including confidentiality, security, sub-processor notification, audit rights, and assistance with data subject requests.

Sub-processor	Role and purpose	Location of processing	Transfer mechanism
Google LLC (Firebase Cloud Messaging)	Delivery of push-to-approve notifications. FCM tokens and encrypted push payloads are transmitted through Google's messaging infrastructure. The payloads contain no user-identifiable content beyond an opaque request identifier.	European Union and United States	EU-US Data Privacy Framework (where applicable) and EU Standard Contractual Clauses 2021/914, Module 2 (Controller-to-Processor). Transfer Impact Assessment completed; supplementary technical measures in place.
Hetzner Online GmbH / OVH SAS	EU-based hosting and colocation for production servers, storage volumes, and tamper-evident audit log. Data processing is strictly within EU data centres (Germany, Finland, France).	European Union only	Intra-EU transfer; no third-country transfer occurs.
GitLab (self-hosted or SaaS, as applicable)	Private version control of the Service source code and continuous integration pipelines. No production user data is stored in Git.	European Union	Intra-EU transfer; where SaaS is used, EU Standard Contractual Clauses apply.

We publish the most up-to-date list of sub-processors in the Appendix to this Policy and notify you of any material change by email (where you have provided one) or through an in-app notice at least 30 days before the change takes effect, giving you the opportunity to terminate the Service before the change applies to your data.

We do not share personal data with advertising networks, analytics vendors, data brokers, or social-media platforms. We do not sell or share personal data in the sense of the CCPA/CPRA. We do not authorise any sub-processor to use personal data for their own purposes.

12. International Data Transfers

Our primary processing takes place inside the European Economic Area, on servers physically located in EU member states. Wherever practicable, we avoid international transfers. Where a transfer is necessary (for example, to deliver an FCM push notification via Google's global infrastructure), we rely on one or more of the following transfer mechanisms, in order of preference:

An adequacy decision adopted by the European Commission under Article 45 of the GDPR (for example, the EU-US Data Privacy Framework, subject to current legal status).
Standard Contractual Clauses (SCCs) adopted by Commission Implementing Decision (EU) 2021/914, Module 2 (Controller-to-Processor) or Module 3 (Processor-to-Processor), as appropriate, together with a Transfer Impact Assessment and supplementary technical measures (including encryption in transit with TLS 1.3, hardware-bound keys, and on-device cryptographic protection so that personal data in transit cannot be read by the transit provider in a manner that affects identifiable individuals).
Where required for a single transfer to protect your vital interests, Article 49 derogations, used exceptionally and documented.

We do not transfer personal data to countries without an adequacy decision or SCCs. For UK data subjects, transfers out of the UK follow the International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs, as applicable. For Brazilian data subjects under LGPD, we rely on the transfer mechanisms recognised by the Brazilian National Data Protection Authority (ANPD), which in practice means SCCs or adequacy. For Swiss data subjects, we apply the Swiss Addendum to the EU SCCs and recognise the Swiss Federal Data Protection and Information Commissioner as the relevant authority.

A copy of the SCCs, the TIA summary, or any additional transfer documentation is available on request, subject to redaction of commercially confidential information, at office@caitech.ro.

13. Security Measures

Security is the central design principle of CAI-AUTH. We implement a defence-in-depth programme that includes technical, organisational, and supply-chain measures. Key measures include:

Post-quantum cryptography: ML-DSA-87 (NIST FIPS 204) for signatures and ML-KEM-1024 (NIST FIPS 203) for key encapsulation, combined with classical Ed25519 and X25519 in a hybrid construction that is secure if either algorithm is secure.
Hardware-bound private keys: credentials are generated inside StrongBox, TrustZone TEE, or Apple Secure Enclave wherever supported. Keys are marked non-extractable and require user verification for signing.
Hardware attestation: we validate the manufacturer-signed attestation chain to confirm that credentials originate from genuine secure hardware and have not been generated in software.
Transport security: TLS 1.3 with HSTS, preloaded certificates where practical, and public key pinning in the mobile application and the extension.
Tamper-evident audit: the server-side audit log is protected by a BLAKE3 Merkle hash chain that allows detection of any retroactive modification or deletion.
Software bill of materials: every release is accompanied by an SBOM (CycloneDX / SPDX) and signed with Sigstore/cosign; release artefacts are verifiable against our public signing identity.
Access controls: role-based access control with least privilege; production access gated by multi-factor authentication; privileged actions recorded in the append-only audit log.
Zero unsafe Rust: the core cryptographic library contains no unsafe blocks; the server is written in memory-safe Rust; dependencies are pinned and audited with cargo audit and cargo deny.
Continuous vulnerability monitoring: automated CVE monitoring for all dependencies, with remediation SLAs of 72 hours for critical vulnerabilities and 30 days for high-severity vulnerabilities.
Red-team testing: we run recurring adversarial tests including SQL injection, replay, timing, and CBOR fuzzing. Current test matrix: 35 of 35 cases passing.
Planned third-party certifications: ISO/IEC 27001 certification and SOC 2 Type II attestation are on the roadmap. We operate to OWASP ASVS Level 3 internally.
Key management and rotation: documented key rotation schedules for server signing keys, TLS certificates, and backup encryption keys.
Incident response: 24/7 on-call rotation; a documented incident response playbook; a commitment to notify affected users and competent authorities within 72 hours of becoming aware of a personal data breach, as required by GDPR Article 33.
Business continuity: off-site encrypted backups, disaster recovery tested quarterly, RPO and RTO targets defined per service tier.

No system is perfectly secure, and we do not guarantee that the measures above will prevent every conceivable attack. However, we commit to using the security baseline described above, to disclosing incidents transparently, and to remediating them promptly.

14. Data Subject Rights under the GDPR (EU and UK)

Under Articles 15-22 of the EU GDPR and the equivalent provisions of the UK GDPR, you have the following rights. You can exercise them free of charge by writing to office@caitech.ro. We respond within 30 calendar days and may extend this period by up to two further months where the request is complex, in which case we will inform you within the first month.

Right of access (Art. 15): obtain confirmation that we process your data and receive a copy of it.
Right to rectification (Art. 16): request the correction of inaccurate or incomplete data.
Right to erasure (Art. 17): request the deletion of your data ("right to be forgotten"). We will comply unless an exception applies, such as an overriding legal obligation or the need to establish, exercise, or defend legal claims. Server-side data is deleted within 30 days of a valid request; on-device data is deleted by you in the application.
Right to restriction (Art. 18): request that we limit the processing of your data while a dispute or verification is pending.
Right to data portability (Art. 20): receive your data in a structured, commonly used, machine-readable format (JSON), and transmit it to another controller where technically feasible.
Right to object (Art. 21): object at any time, on grounds relating to your particular situation, to processing based on our legitimate interests; we will cease processing unless we can demonstrate compelling legitimate grounds.
Right not to be subject to automated individual decisions (Art. 22): see Section 9 above.
Right to withdraw consent (Art. 7(3)): where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing before withdrawal.
Right to lodge a complaint (Art. 77): with ANSPDCP in Romania, with the ICO in the United Kingdom, or with any other competent supervisory authority.

Verification procedure. To prevent unauthorised disclosure, we may verify the request using the authentication factor you already hold (CAI-AUTH itself) or by other reasonable means. We may ask for additional information strictly necessary to confirm your identity and to locate the relevant records. We never ask for your private keys, passwords, or biometric data.

Authorised agents. You may designate a person, including a lawyer, to act on your behalf. We will require evidence of the mandate and of the agent's authority.

15. Data Subject Rights under the CCPA/CPRA (California Residents)

If you are a California resident, in addition to the rights described above, you have the following rights under the CCPA as amended by the CPRA:

Right to know: request the categories and specific pieces of personal information we have collected about you, the sources, the purposes of collection, and the categories of third parties with whom we share it.
Right to delete: request deletion of personal information we have collected about you, subject to the exceptions set out in Cal. Civ. Code § 1798.105(d).
Right to correct: request correction of inaccurate personal information (CPRA § 1798.106).
Right to opt out of sale or sharing: we do not sell and do not share personal information for cross-context behavioural advertising. There is nothing to opt out of. We certify this status and treat it as an ongoing commitment.
Right to limit the use of sensitive personal information: we do not use or disclose sensitive personal information for purposes beyond those reasonably necessary to provide the Service; therefore the right is effectively satisfied by default.
Right to non-discrimination: we will not deny service, charge a different price, or provide a different level of service because you exercise a CCPA/CPRA right.

We verify California consumer requests through the authentication factor on file and respond within 45 calendar days, extendable by another 45 days where reasonably necessary. We honour Global Privacy Control (GPC) signals as a valid opt-out under CPRA regulations. Submit requests to office@caitech.ro.

16. Data Subject Rights under the LGPD (Brazilian Residents)

If you are located in Brazil, Article 18 of the LGPD grants you the following rights, which we implement in parallel with the GDPR set:

Confirmation of the existence of processing;
Access to your personal data;
Correction of incomplete, inaccurate, or outdated data;
Anonymisation, blocking, or deletion of data processed in non-compliance with the LGPD;
Portability of your data to another service or product provider;
Deletion of personal data processed with consent;
Information about the public or private entities with which we have shared your data;
Information about the possibility of not consenting and the consequences of refusal;
Revocation of consent.

Requests can be submitted to our DPO at office@caitech.ro. You may also lodge a complaint with the Brazilian National Data Protection Authority (Autoridade Nacional de Proteção de Dados, ANPD).

17. Children's Privacy

The Service is not directed to, and we do not knowingly collect personal data from, children below the minimum digital-consent age applicable in their jurisdiction. In the European Union we apply Article 8 of the GDPR and do not process personal data of children under 16 years of age on the basis of consent without parental authorisation. Romania recognises the age threshold of 16. In the United States we comply with the Children's Online Privacy Protection Act (COPPA) and do not knowingly collect personal data from children under 13 years of age. Similar thresholds apply in the UK (13), Brazil (under 18, with parental authorisation required for those under 12), and other jurisdictions.

If we discover that we have inadvertently collected personal data from a child below the relevant threshold without parental consent, we will delete that data promptly. Parents and guardians who believe their child has provided personal data to us can contact office@caitech.ro and we will investigate and act without delay.

18. Law Enforcement Access

We disclose personal data to law enforcement or other public authorities only when compelled by a valid legal process that we believe in good faith to be issued by a competent authority with jurisdiction and authority over us and the data in question. This includes:

a court order or warrant issued by a court of competent jurisdiction;
a subpoena that we are legally required to honour;
a formal request from a supervisory authority acting within its statutory powers;
a Mutual Legal Assistance Treaty (MLAT) request or a request under the EU-US Umbrella Agreement;
a request from a Romanian, EU, or EEA authority pursuant to Regulation (EU) 2023/1543 (e-Evidence) once effective and applicable.

We carefully review every legal request. We challenge requests that are overbroad, disproportionate, lacking lawful basis, or contrary to fundamental rights. We disclose only the specific data that is strictly necessary to comply with the order. We notify the affected user where permitted by law (that is, unless we are subject to a gag order or there is a reasonable belief that notice would obstruct an ongoing investigation or endanger life). We maintain a record of every disclosure, including the authority, the legal basis, the scope, and the data provided.

We intend to publish a Transparency Report from 2027 onwards, with annual aggregated statistics on government requests received, complied with, partially complied with, and rejected. The report will also cover national security requests to the extent we are legally permitted to disclose them.

19. Emergency Disclosure

In an emergency involving imminent risk of death or serious physical harm, we may disclose the minimum personal data necessary to a competent emergency service without awaiting a formal legal process, in accordance with Article 6(1)(d) of the GDPR (vital interests). These disclosures are rare and strictly limited in scope. We log every such disclosure, the requesting authority, the factual basis for the emergency determination, and the scope of the information provided. We inform the affected data subject after the emergency, where this is consistent with the protection of life and safety.

20. Personal Data Breach Notification

If we become aware of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will:

Notify the competent supervisory authority (ANSPDCP Romania, and any other lead or concerned authority) without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach, in accordance with GDPR Article 33.
Notify affected data subjects without undue delay, in clear and plain language, where the breach is likely to result in a high risk to their rights and freedoms, in accordance with GDPR Article 34. The notice will describe the nature of the breach, the likely consequences, the measures taken or proposed, and the DPO's contact details.
Maintain an internal breach register documenting the facts of the breach, its effects, and the remedial actions taken, as required by Article 33(5).
For financial-entity customers subject to DORA, support the notification cadence required by Article 19 (initial notification, intermediate report, final report) and provide the telemetry necessary to classify the incident under the relevant Regulatory Technical Standards.

We will also cooperate with the UK ICO under the UK GDPR, with the ANPD under LGPD Article 48, and with the CPPA under the CCPA/CPRA, as applicable.

21. Do Not Track and Global Privacy Control

We honour Global Privacy Control (GPC) signals as expressing your choice to opt out of any sale or sharing of personal information. Because we do not sell or share personal information, GPC signals serve as additional confirmation of our ongoing practice. We monitor the evolving legal landscape around DNT (Do Not Track) headers and privacy-preserving browser signals and adjust our implementation accordingly.

22. Changes to this Privacy Policy

We may update this Policy from time to time to reflect changes in our practices, in applicable law, or in the functionality of the Service. The "Last updated" date at the top of the document indicates the current version. We maintain an archive of previous versions available on request.

For material changes (for example, new purposes of processing, new sub-processors that materially affect your rights, or changes in legal bases), we will provide at least 30 days' advance notice by:

posting a prominent notice on auth.caitech.ro;
displaying an in-app notice in the CAI-AUTH application and the Chrome Extension;
sending an email to the address associated with your account, where one is available;
updating the release notes on Google Play and the Chrome Web Store.

If you do not agree with a material change, you may close your account before the change takes effect, and we will delete your personal data in accordance with Section 10.

23. How to Contact Us

For questions, requests, or concerns about this Policy or our processing practices, contact:

Data Protection Officer: Gelu Constantin — office@caitech.ro
Security: tehnic@caitech.ro (PGP key available on request)
Legal: office@caitech.ro
General: office@caitech.ro
Postal: CAI Technology SRL, Attention: Data Protection Officer, Str. Victor Brauner 34, Bucharest, Romania

You also retain the right to lodge a complaint with the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP), B-dul G-ral Gheorghe Magheru 28-30, Sector 1, Bucharest, Romania, www.dataprotection.ro, or with the supervisory authority of your habitual residence, place of work, or the place of the alleged infringement.

24. Jurisdictional Notices

This section summarises specific notices required by jurisdictions in which our users reside.

United Kingdom

Processing of UK residents' personal data is governed by the UK GDPR and the Data Protection Act 2018. The UK Information Commissioner's Office (ICO) is the competent supervisory authority for UK data subjects: ico.org.uk.

California (USA)

In addition to the rights set out in Section 15, California residents may designate an authorised agent to submit requests on their behalf under Cal. Civ. Code § 1798.135. Requests can be submitted via office@caitech.ro. We do not offer financial incentives for the sale of personal information (which we do not conduct).

Canada

For Canadian residents, our processing complies with the Personal Information Protection and Electronic Documents Act (PIPEDA) and, where applicable, provincial laws such as Quebec's Law 25. The Office of the Privacy Commissioner of Canada (OPC) can be contacted at www.priv.gc.ca.

Australia

For Australian residents, our processing complies with the Privacy Act 1988 (Cth) and the Australian Privacy Principles. Complaints can be lodged with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.

Republic of Korea

For Korean residents, our processing complies with the Personal Information Protection Act (PIPA). Complaints can be lodged with the Personal Information Protection Commission (PIPC) at www.pipc.go.kr.

Switzerland

For Swiss residents, our processing complies with the Federal Act on Data Protection (FADP, revised version effective 1 September 2023). The Federal Data Protection and Information Commissioner (FDPIC) can be contacted at www.edoeb.admin.ch.

Brazil

See Section 16. The National Data Protection Authority (ANPD) can be contacted at www.gov.br/anpd.

25. Users Outside the European Union

Our Service is available to users outside the European Union and the European Economic Area. Where applicable local laws grant equivalent or stronger protections than this Policy, those local laws apply to the processing of the personal data of those users. Where our processing is subject to additional local-law obligations (for example, local data residency, mandatory local representatives, or mandatory reporting of security incidents), we comply with those obligations and document them in our internal processing register. If you are in a jurisdiction not listed here and need information about how a particular local law applies to our processing, please contact the DPO.

26. Data Protection Impact Assessments

We conduct Data Protection Impact Assessments (DPIAs) in line with Article 35 of the GDPR and the ANSPDCP's list of processing operations subject to mandatory DPIA. We assess risks, mitigating measures, and residual risk before launching any new processing activity that is likely to result in a high risk to the rights and freedoms of natural persons. A summary of the most recent DPIA covering the Service is available on request to verified data subjects and to regulators, with commercially confidential information redacted.

27. Artificial Intelligence and Machine Learning

We do not perform remote AI inference on your personal data. Any machine-learning processing carried out in connection with the Service takes place on your device, using lightweight models (for example, a planned TensorFlow Lite micro-model for behavioural anomaly research) that run locally and do not transmit raw samples to the server. The output, where applicable, is an aggregate feature vector or an anomaly score that is integrated into the authentication flow under the safeguards described in Section 9.

We do not train general-purpose AI or large language models on user data. We do not provide your personal data to third parties for AI training. Where we use machine learning for internal research (for example, to study aggregate trends in security telemetry), we do so only on anonymised or synthetic data under documented safeguards.

As the EU Artificial Intelligence Act (Regulation (EU) 2024/1689) phases in, we will continue to align the Service with its obligations. The Service is not intended to operate as a prohibited AI system and, to the extent it incorporates AI components, those components are designed to be transparent, explainable, and subject to human oversight.

28. Complaints

If you believe our processing of your personal data does not comply with this Policy or with applicable law, please contact the DPO first at office@caitech.ro. We are committed to resolving complaints directly and will acknowledge your complaint within 7 days and respond substantively within 30 days.

You also have the right to lodge a complaint with the competent supervisory authority at any time, including ANSPDCP (Romania), the ICO (UK), the CNIL (France) and other EU DPAs, the CPPA (California), the ANPD (Brazil), the FDPIC (Switzerland), the OPC (Canada), the OAIC (Australia), or the PIPC (Korea), as appropriate.

29. Definitions

Unless otherwise defined, the following terms have the meanings given in Article 4 of the GDPR:

Personal data: any information relating to an identified or identifiable natural person.
Data subject: the identified or identifiable natural person to whom personal data relates.
Processing: any operation performed on personal data, whether automated or not.
Controller: the entity that determines the purposes and means of processing.
Processor: an entity that processes personal data on behalf of the controller.
Sub-processor: a processor engaged by another processor to carry out specific processing activities.
Recipient: a natural or legal person to whom personal data is disclosed.
Consent: any freely given, specific, informed, and unambiguous indication of the data subject's wishes.
Pseudonymisation: the processing of personal data in such a manner that the data can no longer be attributed to a specific data subject without additional information held separately.
Personal data breach: a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data.
Supervisory authority: an independent public authority established by a Member State pursuant to Article 51 GDPR.

CCPA/CPRA-specific terms ("personal information", "sale", "share", "sensitive personal information", "service provider", "contractor", "business") have the meanings given in the California Civil Code § 1798.140 as amended. LGPD-specific terms have the meanings given in Article 5 of LGPD.

30. Appendix — Sub-processors, Locations, and Transfer Mechanisms

The following Appendix lists the sub-processors engaged at the effective date of this Policy. It is reviewed and updated at least quarterly, and more frequently where changes occur. Customers subject to a DPA receive advance notice of any material change under the terms of their agreement.

#	Sub-processor	Activity	Location(s)	Transfer mechanism
1	Google LLC (Firebase Cloud Messaging)	Push notification delivery; opaque tokens; encrypted payloads	EU and US	EU-US DPF (where applicable) + EU SCCs 2021/914 Module 2 + TIA
2	Hetzner Online GmbH	Primary EU hosting and colocation	Germany, Finland	Intra-EU — no transfer outside EEA
3	OVH SAS	Secondary EU hosting and disaster recovery	France	Intra-EU — no transfer outside EEA
4	GitLab (self-hosted/SaaS as applicable)	Source-code management and CI; no production user data	EU	Intra-EU; SCCs if SaaS

We continuously evaluate alternatives to non-EU processors where technically and economically viable, in keeping with our commitment to data minimisation and EU data sovereignty.

This Privacy Policy is issued in English. Where a translation is provided for information purposes, the English version prevails in the event of any discrepancy. This Policy is governed by Romanian law and by the EU GDPR, without prejudice to the mandatory provisions of the laws of your place of residence.