Legal Documents
Privacy Policy
Effective as of May 12, 2026 · Version 2.0
1. DATA CONTROLLER
Tesseum, domiciled in Prague, Czech Republic, is the controller of personal data collected through the tesseum.com platform. Contact: hola@tesseum.com
2. DATA WE COLLECT
When registering via Google OAuth, we collect:
- Full name
- Email address
- Public Google profile photo
- Country and professional profile (if provided by the user)
During use of the platform, we record:
- Legal queries submitted to our AI engines (Magnus, Synopsis, Praetor, Iudicium, Atlas, Corpus, Apolo)
- Country and legal area consulted
- Date and time of access
- Citation and verification metadata generated by Praetor's quality gate
3. DATA WE DO NOT STORE
Tesseum does not store:
- The original content of contracts or documents uploaded for analysis
- Personal data contained in analyzed documents
- Banking or payment information (handled exclusively by Stripe)
- Access credentials (managed by Google and Supabase Auth)
Uploaded documents are automatically anonymized by Tesseum's preprocessing pipeline before any AI engine receives them. Identifying data is replaced with generic tokens ([PERSON_1], [ADDRESS_1], etc.) before being saved.
4. PURPOSE OF PROCESSING
Collected data is used to:
- Manage access to the platform and enforce subscription tier limits
- Personalize the user experience (jurisdiction preferences, conversation history)
- Send service communications (only if the user consents)
- Improve retrieval quality across Tesseum's AI engines
- Comply with applicable legal obligations
5. LEGAL BASIS (GDPR)
For users in the European Union, processing is based on:
- Contract performance: data necessary to provide the service
- Legitimate interest: service improvement and security
- Consent: marketing communications (revocable at any time)
6. USER RIGHTS
Users have the right to:
- Access their stored personal data
- Rectify incorrect or outdated data
- Request deletion of their account and data
- Object to processing for marketing purposes
- Port their data to another service
To exercise these rights, contact us at hola@tesseum.com
7. SUBPROCESSORS AND INTERNATIONAL TRANSFERS
Data is processed by the following subprocessors:
- Supabase Inc. (United States) — database, authentication, storage. GDPR-compliant SCCs in place.
- Vercel Inc. (United States) — hosting and CDN. Region: Frankfurt (fra1) for EU traffic.
- Anthropic PBC (United States) — Claude language model inference. Zero data retention enabled.
- Google LLC (United States) — OAuth identity, Gemini language model inference.
- Stripe Inc. (United States / Ireland for EU) — payment processing.
All international transfers rely on Standard Contractual Clauses (SCCs) approved by the European Commission under Regulation (EU) 2016/679. A current list of subprocessors and a Data Processing Agreement (DPA) are available at tesseum.com/dpa.
8. DATA RETENTION
Account data is retained while the user maintains an active account. Upon account deletion, data is removed within a maximum of 30 days. Anonymized corpus data may be retained indefinitely as it contains no identifiable information. Stripe payment records are retained for 7 years per Czech tax law (zákon č. 235/2004 Sb.).
9. COOKIES
Tesseum uses strictly necessary technical cookies for session management and Vercel Analytics (anonymized, no personal identifiers). We do not use advertising tracking cookies or share data with advertising networks.
10. MINORS
Tesseum is not directed at users under 18 years of age. If you become aware that a minor has provided personal data, contact us for immediate deletion.
11. SECURITY MEASURES
Tesseum implements technical and organizational measures including: encryption in transit (TLS 1.3), encryption at rest (AES-256 via Supabase), row-level security policies, OAuth-only authentication with optional WebAuthn passkeys, and access logging. Detailed measures are described in the DPA.
12. CONTACT AND COMPLAINTS
For any privacy inquiries: hola@tesseum.com
If you believe the processing of your data violates applicable regulations, you may file a complaint with the Czech Office for Personal Data Protection (ÚOOÚ, uoou.cz) or with the INAI in Mexico (inai.org.mx).