01
Who we are
In short: Euryka AI Limited is an Irish company.
We're the data controller for personal data we collect about you when you use our website or platform.
Euryka AI Limited ("Euryka", "we", "our", "us") is a company incorporated in Ireland and operating
internationally. Our registered office is in Waterford, Ireland, with additional offices in Dubai, UAE and
Mumbai, India.
For the purposes of the EU General Data Protection Regulation (GDPR) and the Irish Data Protection Acts
1988–2018, Euryka AI Limited is the data controller for personal data we collect about you
when you use our marketing site (euryka.ai) or our platform (app.euryka.ai).
Where Euryka processes data on behalf of a customer (see Section 2: Two kinds of data), we act as a
data processor under that customer's instructions, governed by a Data Processing Agreement.
02
Two kinds of data
In short: We treat your account information
(name, email, billing) very differently from the content you put into the platform (brand assets,
prompts, outputs). Different rules, different retention periods, different control.
Throughout this policy we distinguish between two clearly separate categories of data, because the legal
treatment of each is different.
Account data
About you, the user.
Information about the person signing up to use Euryka. Name, email, role, billing details, login
credentials, support tickets.
Euryka is the data controller. We decide what to collect and why, within the limits of
this policy.
Customer content
What you put into the platform.
Brand assets, prompts, files, configurations, generated outputs — anything uploaded to or created within
the platform.
The customer is the data controller. Euryka is a data processor acting under the
customer's instructions.
Customer Content is governed by the customer's own Data Processing Agreement with Euryka. If you've uploaded
personal data into the platform — about your customers, employees, or anyone else — your obligations as a
data controller still apply, and Euryka will support you in meeting them.
03
What we collect
In short: Account info you give us when you sign up,
billing details if you pay us, technical data your browser sends automatically, and whatever you put into
the platform.
Information you give us
When you create an account, contact us, or use our services, we
collect:
- Identity data: name, role/title, company name.
- Contact data: email address, phone number (if provided), country of residence.
- Account credentials: username and a hashed copy of your password (we never store the plaintext).
- Billing data: payment card details (processed by our payment provider; Euryka stores only the last four
digits and card type), billing address, VAT number where applicable.
- Support and communications data: messages you send via Intercom, email, or contact forms, and our
responses.
Information collected automatically
When you visit euryka.ai or use app.euryka.ai, we and our service
providers collect:
- Device and browser data: browser type, operating system, screen size, language preferences.
- Usage data: pages visited, features used, time spent, click paths, error logs.
- Network data: IP address, approximate geolocation derived from IP, referring URL.
- Cookie and similar tracking data — see Section 11.
Customer Content
Whatever you upload to, generate within, or store inside the platform. This may include personal data of
third parties (your customers, employees, or others) if you choose to put it there. Euryka processes this
content only as instructed by you under your DPA.
04
How we use your information
In short: To run your account, send you the things
you signed up to receive, keep the service secure, comply with the law, and get better at what we do. We
do not use your personal data for advertising, and we do not train AI models on your Customer Content.
We use your personal data for the following purposes:
- To provide the service. Create and authenticate your account, deliver platform
features, process payments, and respond to support requests.
- To communicate with you. Send transactional notifications (billing, security, account
changes), and — only with your consent — product updates and marketing.
- To keep the service secure. Detect, investigate, and prevent fraud, abuse, security
incidents, and policy violations.
- To improve the service. Understand how the platform is used in aggregate, identify pain
points, and prioritise improvements. This uses anonymised or aggregated data wherever possible.
- To comply with legal obligations. Maintain records required by Irish law (including
invoicing records under Revenue rules), respond to valid legal requests, and enforce our terms.
What we do not do: We do not sell your personal data. We do not use it for behavioural
advertising. We do not train, fine-tune, or evaluate AI models — ours or any third party's — using Customer
Content.
05
Legal bases for processing
In short: Under GDPR, we need a legal reason to
process your data. Most of what we do is justified by the contract we have with you, our legitimate
interests, or your consent — depending on the activity.
Under GDPR, every processing activity needs a lawful basis. We rely
on:
| Activity | Legal basis |
| --- | --- |
| Account creation, service delivery, billing | Contract (Article 6(1)(b)) |
| Service security, fraud prevention, product improvement | Legitimate interests (Article 6(1)(f)) |
| Marketing emails, non-essential cookies | Consent (Article 6(1)(a)) |
| Tax records, statutory record-keeping | Legal obligation (Article 6(1)(c)) |
| Customer Content processing | Contract with the customer (as processor) |
Where we rely on legitimate interests, we have carried out a Legitimate Interest Assessment to confirm our
interests are not overridden by your rights. You can request a summary by emailing privacy@euryka.ai.
06
Who we share your data with
In short: Service providers who help us run the
business (hosting, payments, support tools), AI providers who power platform features, and authorities if
the law requires it. Never advertisers, never data brokers.
We share personal data with the following categories of recipients:
- Service providers (sub-processors). Companies we use to run the business — including
cloud infrastructure, payment processing, customer support tooling (Intercom), email delivery, and
analytics. Each operates under a Data Processing Agreement requiring them to handle data only on our
instructions and to maintain appropriate security. The full current list is published at trust.euryka.ai.
- AI model providers. The platform sends prompts and content to third-party AI APIs to
generate outputs. See Section 7 for detail.
- Professional advisers. Lawyers, auditors, accountants, and insurers, where strictly
necessary for our legitimate business operation.
- Legal and regulatory authorities. Where required by law, court order, or to protect our
legal rights, the safety of any person, or to investigate fraud.
- Acquirers. If Euryka is acquired, merged, or restructured, personal data may be
transferred as part of that transaction. We will notify you in advance and your rights will be preserved.
We do not sell, rent, or trade your personal data. We do not share it with advertising networks or data
brokers.
07
AI providers and how we use them
In short: The platform sends your content to
third-party AI APIs (such as OpenAI and Anthropic) to generate outputs. Those providers are contractually
prohibited from using your content to train their models. We do not train models on your content either.
Euryka's platform is powered, in part, by large language and image generation models hosted by third-party
AI providers. When you use a feature that requires AI generation, your prompt and any associated content are
transmitted to the relevant provider via their API to produce a response.
What protections are in place
- We use enterprise-tier API agreements with our AI providers, under which they are
contractually prohibited from training, fine-tuning, or evaluating their models on data we send them.
- Data sent to AI providers is processed transiently — typically retained by the provider for a short
window for abuse monitoring (commonly 30 days) before being deleted.
- We do not train, fine-tune, or evaluate any AI model — Euryka's own or any third party's — using
Customer Content.
- The current list of AI providers we use, and the specific terms governing each, is published at trust.euryka.ai.
Custom AI processing terms — such as zero-retention agreements, regional model routing, or restriction to specific
providers — are available for enterprise accounts. To discuss whether your use case qualifies, contact sales@euryka.ai.
08
International data transfers
In short: Euryka is an Irish company. Some of our service providers — including AI providers — are based outside the EEA. When personal data leaves the EEA, we use legally-approved transfer mechanisms (mainly Standard Contractual Clauses) to keep your protection in place.
Euryka AI Limited is a single legal entity incorporated in Ireland. We work with team members and contractors in the UAE and India who operate under contract with the Irish entity.
Some of our service providers and AI providers are based in the United States and other jurisdictions. As a result, personal data we process may be transferred to, stored in, or accessed from countries outside the European Economic Area (EEA).
Where this happens, we rely on one or more of the following safeguards:
- European Commission adequacy decisions — including transfers under the EU–US Data Privacy Framework where the recipient is certified.
- Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented by additional safeguards where required.
Documentation of the transfer mechanisms applied to specific service providers is available on request via privacy@euryka.ai.
09
How long we keep your data
In short: Account data while your subscription is
active, then up to 6 years for invoicing records (Irish Revenue requirement) and 30 days for everything
else. Customer Content is fully purged 30 days after your subscription ends.
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected,
including legal, accounting, or reporting requirements.
| Data type | Retention period |
| --- | --- |
| Account data (active subscription) | Duration of subscription |
| Account data (post-termination, non-billing) | 30 days, then deleted |
| Billing and invoicing records | 6 years (Irish Revenue requirement) |
| Customer Content | Duration of subscription, then 30 days, then permanently purged |
| Support tickets and communications | 3 years from last contact |
| Marketing contact data | Until consent is withdrawn |
| Server logs | 90 days |
After the retention period, data is either permanently deleted or fully anonymised (so it can no longer be
linked to you).
10
How we secure your data
In short: Encryption in transit and at rest,
role-based access controls, regular security testing, and a documented incident response process. Full
security posture and certifications are detailed at trust.euryka.ai.
We implement technical and organisational measures appropriate to the risk, including:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256).
- Role-based access controls — Euryka staff access personal data only where strictly necessary for their
role.
- Multi-factor authentication for all internal systems handling personal data.
- Regular penetration testing and vulnerability scanning.
- A documented incident response plan, reviewed annually.
- Background checks on staff and contractors with access to personal data.
For a complete view of our security posture — including current certifications, sub-processor list, audit
reports, and our DPA template — see our Trust Centre.
11
Cookies and tracking
In short: The website uses Google Analytics (with
your consent) and Intercom (for support chat). The platform tracks usage analytics — accepting our terms
at registration constitutes consent. You can withdraw consent at any time.
On the marketing site (euryka.ai)
Our website uses cookies and similar technologies. Strictly necessary cookies are set automatically. All
non-essential cookies — including analytics and chat — require your consent via our cookie banner before
they are set.
- Strictly necessary: session and security cookies required for the site to function. No
consent required.
- Analytics: Google Analytics, used to understand how visitors use the site in aggregate.
Set only with consent.
- Support and communication: Intercom cookies, used to provide live chat and to maintain
conversation history. Set only with consent.
You can change or withdraw your consent at any time using the cookie preferences link in the website footer.
On the platform (app.euryka.ai)
When you register for the platform and accept our Terms of Service, you also consent to product analytics
tracking required to operate, secure, and improve the service. This includes Google Analytics for usage
measurement and Intercom for in-app support.
You can request a summary of what is tracked, or withdraw consent and request account deletion, by
contacting privacy@euryka.ai.
12
Your rights
In short: You can ask to see, correct, export,
restrict, object to, or delete your personal data. Email privacy@euryka.ai and we'll respond within 30
days.
Under the GDPR and Irish data protection law, you have the
following rights:
- Right of access. Request a copy of the personal data we hold about you.
- Right to rectification. Ask us to correct inaccurate or incomplete data.
- Right to erasure ("right to be forgotten"). Ask us to delete your personal data,
subject to legal exceptions.
- Right to restrict processing. Ask us to pause processing while a dispute is resolved.
- Right to data portability. Receive your data in a structured, machine-readable format
and transfer it elsewhere.
- Right to object. Object to processing based on legitimate interests, and to direct
marketing at any time.
- Rights related to automated decision-making. We do not currently make solely automated
decisions that produce legal or similarly significant effects on you.
- Right to withdraw consent. Where we rely on your consent, you can withdraw it at any
time without affecting prior lawful processing.
- Right to lodge a complaint. With the Irish Data Protection Commission (dataprotection.ie) or your local supervisory
authority.
To exercise any of these rights, email privacy@euryka.ai. We will respond within 30 days.
We may need to verify your identity before processing the request.
13
Data breaches
In short: If a breach affects your personal data, we
will notify the Irish Data Protection Commission within 72 hours and tell you directly without undue delay
if there is a likely high risk to your rights.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we
will notify the Irish Data Protection Commission within 72 hours of becoming aware of it, in line with GDPR
Article 33. Where the breach is likely to result in a high risk, we will also notify you directly without
undue delay, with information on what happened, what data was affected, and what steps we have taken in
response.
14
Region-specific rights
In short: Our default position is GDPR-level
protection for everyone, regardless of location. Additional or different rights may apply if you are based
in the UK, the UAE, or India.
We extend GDPR-level protections to all users globally as our baseline. Additional region-specific rights
may also apply:
United Kingdom
If you are based in the UK, your rights under the UK GDPR and Data Protection Act 2018 mirror those
described in Section 12. You can lodge a complaint with the UK Information Commissioner's Office (ico.org.uk).
United Arab Emirates
If you are a resident of the UAE, your rights under Federal Decree-Law No. 45 of 2021 (the UAE Personal Data
Protection Law) include rights of access, correction, erasure, restriction of processing, and objection.
Requests can be sent to privacy@euryka.ai.
India
If you are a resident of India, the Digital Personal Data Protection Act 2023 grants you rights of access,
correction, completion, updating, and erasure of your personal data, as well as the right to nominate a
person to exercise these rights in the event of your death or incapacity. Contact privacy@euryka.ai
to exercise these rights or to raise a grievance.
15
Changes to this policy
In short: When we change anything material, we'll
email you and update the version number at the top of this page.
We may update this policy from time to time to reflect changes to our practices, our service, or applicable
law. We will post the updated policy on this page with a new "Last updated" date and version number. If we
make material changes, we will notify active account holders by email at least 30 days before they take
effect.
16
How to contact us
For all privacy-related enquiries, including data rights requests, complaints, or questions about this
policy:
You also have the right to lodge a complaint with the Irish Data Protection Commission at any time, at dataprotection.ie.