Privacy Policy
For AI Automation Systems
Version: 1.2
Service Provider Information
Company Name | BossTech AI Solutions Kft. (AI-Trainer) |
Registered Office | Hungary, 4100 Berettyóújfalu, Árpád u. 36 |
Company Registration Number | 09-09-018235 |
Tax Number | 11717827-2-08 |
support@aitrainer.app | |
Website | https://aitrainer.hu (Hungarian) |
https://aitrainerlab.com (English) | |
https://aitrainer.app (application) |
Data Protection Contact
For inquiries related to data protection, the exercise of data subject rights, and the processing of personal data, requests may be submitted through the following contact details:
Name | Tibor Bossányi |
Position | Data Protection Contact |
support@aitrainer.app |
The Service Provider undertakes to provide a substantive response to data protection inquiries within a maximum of 30 days.
1. Introduction
AI-Trainer (hereinafter referred to as the “Service Provider”) places special importance on the protection of personal data and the transparency of data processing.
The purpose of this Privacy Policy is to provide detailed information regarding the data processing activities carried out by the Service Provider, with particular regard to artificial intelligence-based automation solutions.
The Service Provider processes personal data in accordance with the General Data Protection Regulation of the European Union (GDPR – Regulation (EU) 2016/679), as well as the applicable Hungarian and EU legislation.
2. Principles of Data Processing
During data processing, the Service Provider follows the principles below:
- lawfulness, fairness, and transparency,
- purpose limitation,
- data minimization,
- accuracy,
- storage limitation,
- integrity and confidentiality,
- accountability.
3. Nature of the Service – AI Automation
The primary purpose of AI-Trainer’s services is the automation of business, operational, and technological processes using artificial intelligence, including but not limited to:
- document processing and data extraction,
- workflow automation,
- decision support,
- data processing and analytical workflows,
- automated data flows between systems.
The service is not chatbot-centered; artificial intelligence is primarily used for operating background processes and automations.
4. Categories of Processed Data
4.1. Data Provided by the User
- data provided during registration (e.g. email address),
- subscription and billing-related data,
- documents, files, and datasets uploaded by the user.
4.2. Data Processed During Automation
- structured and unstructured data related to business processes,
- data originating from external systems (e.g. Google Drive, CRM, ERP systems), exclusively with the user’s authorization,
- output data generated by automations (analyses, summaries, results).
4.3. Technical Data
- log files,
- system usage and performance data,
- security and debugging information.
5. Purpose of Data Processing
The purposes of data processing include in particular:
- providing and operating the service,
- executing AI-based automations,
- maintaining system security,
- providing customer support,
- fulfilling legal and accounting obligations.
6. Automated Decision-Making and Profiling
The system may apply automated data processing and decision-making, for example:
- classification of documents,
- structuring of data,
- processing based on predefined rules.
These processes:
- do not constitute solely automated decision-making with legal effect,
- can be configured by the user,
- may be reviewed or disabled at any time.
Profiling is carried out exclusively for improving and personalizing the service and is not transferred to third parties.
7. AI Models and Data Processing Partners
The Service Provider may use external AI models via API connections in the course of providing the service.
These providers act as data processors.
Important safeguards:
- data is not used for training AI models,
- data is not sold,
- data processing is limited exclusively to the duration necessary for providing the service.
8. Use of AI Model APIs and Data Processing Through Third-Party Providers
In order to implement AI-based automations, the Service Provider may use APIs provided by external AI service providers.
These providers act exclusively as data processors pursuant to Article 28 of the GDPR.
Purpose of API Usage
- processing textual and structured data,
- document analysis and summarization,
- execution of business logic and automations,
- generation of decision-support outputs.
Data Protection Guarantees
- data transmitted through APIs is not used for AI model training,
- data is not sold or used for marketing purposes,
- data processing is limited exclusively to the duration of service provision,
- the Service Provider works only with partners that provide documented GDPR-compliant data processing practices.
9. AI Service Providers Used and Their Privacy Policies
The following providers’ APIs may be used during automations:
OpenAI
Privacy Policy: https://openai.com/hu-HU/policies/privacy-policy/
Data Processing Addendum: https://openai.com/hu-HU/policies/data-processing-addendum/
Google Gemini (Google AI)
Privacy Policy: https://policies.google.com/privacy
Responsible AI & data usage: https://ai.google/responsibility/
Anthropic (Claude)
Privacy Policy: https://www.anthropic.com/legal/privacy
Data Processing Addendum: https://www.anthropic.com/legal/data-processing-addendum
xAI
Privacy Policy: https://x.ai/legal/privacy-policy
Legal documentation: https://openrouter.ai/docs/privacy
OpenRouter
Privacy Policy: https://openrouter.ai/privacy
Data handling documentation: https://openrouter.ai/docs/privacy
DeepInfra
Privacy Policy: https://deepinfra.com/privacy
Legal & data processing information: https://deepinfra.com/legal
The Service Provider reserves the right to modify the range of AI service providers used, exclusively involving partners that comply with data protection and security requirements.
10. Data Storage and Data Security
Data is stored on the Service Provider’s own servers located within the European Union.
Hosting is provided on the infrastructure of Contabo GmbH (Germany).
Security measures include:
- encrypted data storage and transmission,
- role-based access control,
- regular backups,
- intrusion prevention systems.
11. Access to External Systems Through MCP Servers (Model Context Protocol)
The Service Provider enables users to connect external systems (such as cloud storage solutions or corporate data sources) to the AI automation system through MCP (Model Context Protocol) servers.
Nature and Conditions of Access
- access is granted exclusively based on the user’s explicit authorization,
- all connections are authenticated and operate through secure channels,
- access may be revoked by the user at any time.
Authentication and Security
- identification and authorization management are carried out through the OAuth 2.0 protocol,
- access tokens and refresh tokens are stored in encrypted form,
- the system accesses only the data for which the user has explicitly granted authorization.
Categories of Data Processed Through MCP Usage
The following data may be involved during access:
- file names, file types, and metadata,
- the contents of documents explicitly opened by the user,
- timestamps and version information.
12. Data Processing and Compliance Provisions for Enterprise Environments
The Service Provider has designed its AI automation services for use in enterprise environments according to high standards of data protection and information security. Its data processing practices comply with the legal, technical, and organizational standards expected by enterprise clients.
Roles and Responsibilities
In enterprise environments, the Service Provider typically acts as a data processor, while the client acts as the data controller determining the purposes and means of data processing.
The Service Provider processes data exclusively based on the documented instructions of the client.
Use of AI Models and Subprocessors
During service provision, the Service Provider may use APIs of external AI service providers and infrastructure partners acting as subprocessors.
Current List of Subprocessors
Provider | Role | Data Type | Region |
|---|---|---|---|
OpenAI | AI data processor | processed input | EU / US |
Google (Gemini) | AI data processor | processed input | EU |
Anthropic (Claude) | AI data processor | processed input | EU / US |
xAI (Grok) | AI data processor | processed input | US |
OpenRouter | API gateway | processed input | EU / US |
DeepInfra | AI infrastructure | processed input | EU / US |
Contabo GmbH | Hosting infrastructure | stored data | EU (Germany) |
The Service Provider undertakes to:
- engage only partners with documented data protection practices,
- inform clients in advance, or without delay when justified, regarding changes to subprocessors,
- provide the possibility to raise objections regarding subprocessors.
Exclusion of Data Usage and Model Training
The Service Provider does not use client-provided data, either directly or indirectly, for the training, fine-tuning, or retraining of artificial intelligence models.
Client data:
- is processed exclusively for the purpose of providing the service,
- is not reused for marketing, profiling, or statistical purposes,
- is not sold or transferred to third parties.
Automated Decision-Making in Enterprise Environments
The AI automations provided by the Service Provider operate based on preconfigured business logic and rule systems defined by the client.
The system:
- does not make solely automated decisions with legal effects concerning natural persons,
- provides the possibility for human review,
- allows automations to be modified or disabled by the client at any time.
Technical and Organizational Measures (TOMs)
To ensure enterprise-level data protection, the Service Provider applies, among others, the following measures:
- role-based access control (RBAC),
- enforcement of the principle of least privilege,
- encrypted data transmission and storage,
- detailed audit logging,
- incident management procedures, including a 72-hour notification obligation.
Audit and Compliance
For enterprise clients, the Service Provider allows audits related to data processing and information security compliance within contractually defined frameworks.
The Service Provider’s data processing practices are aligned with:
- GDPR (EU 2016/679),
- ISO 27001-compatible security principles,
- enterprise procurement and IT security standards.
13. Processing of Data Accessed Through MCP
Purpose of Data Processing
- operating AI-based automations using external data,
- document processing and analysis without manual uploads,
- more efficient support of business processes.
The Service Provider:
- does not store data accessed through MCP on a long-term basis,
- does not use such data for training purposes,
- does not transfer such data to third parties.
Data is automatically deleted or anonymized after processing is completed.
14. Data Retention Period
- personal data: for the duration of the service relationship and as required by law,
- automation data: for the duration of processing,
- documents: automatically deleted after processing.
15. Rights of Data Subjects
Data subjects are entitled to:
- request access to their data,
- request correction of their data,
- request deletion of their data,
- request restriction of data processing,
- object to data processing,
- withdraw consent at any time.
Requests may be submitted to:
support@aitrainer.app
16. Legal Remedies
Data subjects may file complaints with the Hungarian National Authority for Data Protection and Freedom of Information (NAIH) or seek legal remedy before a court.
17. Modification of the Policy
The Service Provider reserves the right to modify this policy. Changes become effective upon publication on the website.
Version: 1.2
Last updated: MAY 18, 2026