ELYSIAN

Privacy Policy

Last updated: March 2026

1. Introduction

Elysian ("we", "us", "our") is committed to protecting your personal data in accordance with Regulation (EU) 2016/679 (the General Data Protection Regulation, "GDPR") and all applicable European Union and national data protection laws.

This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and your rights in relation to it. Please read it carefully before using the Service.

2. Data Controller

The data controller responsible for your personal data is Elysian. For data protection enquiries, contact us at: privacy@elysian.app

3. Personal Data We Collect

We collect the following categories of personal data:

Account data

Email address, hashed password (we never store plain-text passwords), account creation date, email verification status.

Payment data

Payment status, date of payment, Stripe customer ID, and Stripe payment intent ID. Full card details are never stored by us — they are processed exclusively by Stripe.

Usage data

Number of queries made per day and the date the query counter was last reset. Individual query contents are not stored.

Security data

Failed login attempt records (email and timestamp) retained for 24 hours for rate-limiting purposes.

4. Legal Basis for Processing (Article 6 GDPR)

We process your personal data on the following legal bases:

  • Performance of a contract (Art. 6(1)(b)): Processing your email address and payment status to provide, authenticate, and manage your access to the Service.
  • Compliance with a legal obligation (Art. 6(1)(c)): Retaining transaction records as required under applicable tax and accounting law.
  • Legitimate interests (Art. 6(1)(f)): Security logging (failed login attempts) to protect the Service and its users against unauthorised access and abuse.

5. How We Use Your Data

  • To create and manage your account
  • To verify your email address
  • To authenticate you when you sign in
  • To process and confirm your payment
  • To enforce the daily query limit
  • To send transactional emails (email verification, payment receipt)
  • To protect the Service from brute-force and unauthorised access

We do not use your data for advertising, profiling, or sale to third parties.

6. Data Retention

We retain your personal data only for as long as necessary:

  • Account and payment data: retained for the duration of your account and for up to 7 years thereafter, as required by EU tax law.
  • Failed login records: automatically deleted after 24 hours.
  • Email verification tokens: expire after 24 hours and are cleared upon use.

7. Third-Party Processors

We use the following sub-processors who may process your personal data on our behalf. All processors are bound by data processing agreements and, where applicable, comply with GDPR requirements for international data transfers (Standard Contractual Clauses or adequacy decisions).

Neon (Neon Inc.)

PostgreSQL database hosting. Stores account, payment, and usage data.

Location: EU region (AWS eu-central-1)

Stripe, Inc.

Payment processing. Handles card details and payment records.

Location: USA (covered by SCCs / Privacy Shield successor)

Vercel, Inc.

Application hosting and deployment.

Location: USA (covered by SCCs)

Anthropic, PBC

AI inference for generating responses. Query text is transmitted but not stored by us.

Location: USA (covered by SCCs)

OpenAI, LLC

Text embedding for vector search. Query text is transmitted but not stored by us.

Location: USA (covered by SCCs)

Qdrant (Qdrant Solutions GmbH)

Vector database storing knowledge-base embeddings. Does not receive personal data.

Location: EU (GCP eu-central)

Google (Gmail SMTP)

Transactional email delivery (verification, receipt).

Location: EU/USA

8. Cookies

Elysian uses only technically necessary cookies required for authentication. Specifically, NextAuth.js sets a session cookie after login to maintain your authenticated session. No tracking, advertising, or analytics cookies are used.

Because we use only strictly necessary cookies, no cookie consent banner is required under Article 5(3) of the ePrivacy Directive.

9. Your Rights Under GDPR

Under the GDPR, you have the following rights in relation to your personal data. To exercise any of these rights, contact us at privacy@elysian.app. We will respond within 30 days.

  • Right of access (Art. 15): Request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16): Request correction of inaccurate or incomplete data.
  • Right to erasure (Art. 17): Request deletion of your personal data, subject to legal retention obligations.
  • Right to restriction (Art. 18): Request that we limit processing of your data in certain circumstances.
  • Right to data portability (Art. 20): Receive your data in a structured, machine-readable format.
  • Right to object (Art. 21): Object to processing based on legitimate interests.
  • Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time.

You also have the right to lodge a complaint with your national data protection supervisory authority. A list of EU supervisory authorities is available at edpb.europa.eu.

10. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, disclosure, alteration, or destruction. These include:

  • Passwords stored as bcrypt hashes (cost factor 12) — never in plain text
  • All data transmitted over TLS/HTTPS
  • Rate limiting and brute-force protection on authentication endpoints
  • Security headers (CSP, X-Frame-Options, etc.) on all responses
  • Database access restricted to server-side code only — no client-side database exposure

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email to registered users or via a notice on the Service. The "Last updated" date at the top of this page reflects the most recent revision.

12. Contact

For any privacy-related requests or questions, reach our data protection contact at: privacy@elysian.app