Privacy Policy
1. Controller
The controller of personal data described in this Policy is Headframe sp. z o.o., Stanisława Leszczyńskiego 4/77, 50-078 Wrocław, Poland (KRS 0001227801, NIP 8971969073) ("Traken"). Contact for privacy matters: legal@traken.ai. Traken has not appointed a Data Protection Officer (Inspektor Ochrony Danych); if one is appointed, this Policy will be updated with their details and published as required under Polish law. This Policy is issued in accordance with Regulation (EU) 2016/679 (GDPR) and the Polish Act of 10 May 2018 on the Protection of Personal Data (which implements the GDPR in Poland, commonly "RODO").
2. Scope and roles (controller vs processor)
This Policy explains how Traken processes personal data as a controller — for example, data about visitors to traken.ai and about the individual users and business contacts of our Customers (account administrators, billing contacts).
Separately, when Traken processes data submitted by a Customer through the Service in order to provide the Service, Traken acts as a processor on behalf of the Customer, who is the controller of that data. Because of Traken's Zero-Data architecture, the operational data processed through the Service consists of token counters, hashes, numeric cost/usage figures, provider invoice and billing-export data, and business metadata — this is generally not personal data, although limited personal data may incidentally appear (for example, a user name in a metadata label or an email address on a provider invoice). Processing in Traken's role as processor is governed by the Data Processing Agreement (Document C), not by this Policy.
3. What personal data we collect (as controller) and why
- Account and identity data (name, business email, company, role): to create and administer accounts, authenticate users, and provide support. Legal basis: performance of a contract (Art. 6(1)(b) GDPR) and legitimate interests (Art. 6(1)(f)).
- Billing and transaction data: payment is handled by Paddle as Merchant of Record; Traken receives limited transaction and invoice metadata (not full card details). Legal basis: contract (Art. 6(1)(b)) and legal obligation for accounting/tax records (Art. 6(1)(c)).
- Support communications: to respond to inquiries. Legal basis: legitimate interests (Art. 6(1)(f)) and contract (Art. 6(1)(b)).
- Website usage data: aggregate, cookieless analytics via Cloudflare Web Analytics (see Section 8). Legal basis: legitimate interests (Art. 6(1)(f)) in understanding and securing our website.
- Security and log data (e.g., IP addresses processed by our CDN/security layer): to secure and operate the Service. Legal basis: legitimate interests (Art. 6(1)(f)).
We do not sell personal data and do not use it for advertising. We do not carry out profiling or automated decision-making producing legal or similarly significant effects. We do not use personal data to train AI/LLM models.
4. The Zero-Data architecture
Traken is built so that the content of your AI prompts and the AI providers' responses/completions is never ingested, transmitted to, or stored by Traken. The Service processes only token counters, hashes, numeric figures, and business metadata. This data minimisation is central to how Traken protects personal and confidential data by design and by default (Art. 25 GDPR).
5. Subprocessors and recipients
Traken uses the infrastructure and processing providers listed at traken.ai/subprocessors. These providers process personal data only to help provide the Service and are bound by data-protection terms. Paddle acts as Merchant of Record and as an independent controller for payment processing. We may also disclose personal data to professional advisers, or where required by law or to establish or defend legal claims.
6. International transfers (EEA and beyond)
Traken's default infrastructure is located in the European Union. Some recipients are established in the United States. Where personal data is transferred outside the EEA:
- Cloudflare, Inc. (US) is certified under the EU-U.S. Data Privacy Framework, and its Swiss-U.S. and UK Extensions, and is listed as Active on the U.S. Department of Commerce Data Privacy Framework List (dataprivacyframework.gov, participant 5666). Transfers rely on the DPF adequacy decision, with the EU Standard Contractual Clauses incorporated in Cloudflare's DPA as a documented fallback.
- Anthropic, PBC (US), used optionally for premium narrative generation, is not certified under the EU-U.S. Data Privacy Framework (the DPF is absent from Anthropic's published certifications, which as of March 2026 list SOC 2 Type I & II, ISO/IEC 27001:2022, ISO/IEC 42001:2023, and a HIPAA-ready configuration). Transfers therefore rely on the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) together with supplementary measures, and Anthropic is used in a zero-data-retention configuration.
For transfers relying on Standard Contractual Clauses, we consider supplementary technical and organisational measures (including Traken's Zero-Data design, which minimises the personal data exposed to any transfer). You may request further information at legal@traken.ai. Note: the adequacy of the EU-U.S. Data Privacy Framework is subject to ongoing legal challenge before the EU courts (the Latombe appeal, Case C-703/25 P, pending as of mid-2026); Traken monitors its status.
7. Retention
We keep account and identity data for the duration of the customer relationship and for up to 3 years afterwards, unless a longer period is required. Accounting records must be retained for five years under Art. 74 of the Polish Accounting Act of 29 September 1994 (counted from the beginning of the year following the financial year to which they relate), and the parallel tax limitation period is five years under Art. 70 of the Tax Ordinance. Website analytics are aggregate and cookieless. Security logs are retained for 12 months. We delete or anonymise personal data when it is no longer needed.
8. Cookies and analytics
Our public website uses Cloudflare Web Analytics, which is cookieless. Per Cloudflare, its Web Analytics "does not use any client-side state, such as cookies or localStorage, to collect usage metrics — and never 'fingerprints' individual users." Because no non-essential cookies are set on the marketing site, no cookie-consent banner is presented there for analytics. The authenticated application uses only strictly necessary cookies required for login/session security and, at the network layer, Cloudflare may set strictly necessary security cookies (e.g., __cf_bm, cf_clearance) for bot protection. See the Cookie & Analytics Notice (Document G) for detail.
9. Your rights
Subject to the GDPR, you have the right to access, rectify, erase, restrict, and object to processing, and to data portability, and to withdraw consent where processing is based on consent. To exercise these rights, contact legal@traken.ai. We will respond within one month (extendable by two further months for complex requests, with notice within the first month). You have the right to lodge a complaint with the Polish supervisory authority, the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych, UODO), ul. Stawki 2, 00-193 Warszawa, uodo.gov.pl, or with the supervisory authority in your EEA country of residence.
10. Security
We use encryption in transit (TLS) and at rest, access controls, and least-privilege practices. See the Trust & Security page (Document F).
11. Changes
We may update this Policy by posting a new version with a new effective date and, for material changes, providing reasonable notice.