1. Our role: controller vs processor
When you browse our website or submit the contact form, Fullstream acts as a data controller for your personal data. When you use the Fullstream AI workspace under a customer subscription, the customer organisation is the controller of the content and personal data processed through the workspace, and Fullstream acts as a data processor on its behalf under a data processing agreement. This Policy describes our practices in both roles; for processor activities, the customer’s own privacy notice governs the end-user relationship.
2. Personal data we collect
2.1 When you use the website and contact form
- Identity & contact data you provide voluntarily: full name, work email, company, team size, use case and message content.
- Technical data: IP address, user agent, timestamp and basic device/browser information collected in server logs.
- Anti-abuse data: information required to operate Cloudflare Turnstile (including a visitor-interactive signal) and basic rate-limit records tied to a hashed IP.
2.2 When you use the Fullstream AI workspace
- Account data: username, email address, role, authentication tokens.
- Usage data: login timestamps, workspace interactions, error and audit logs.
- Customer Content: prompts, attachments, documents and conversations processed by the AI models at your request or at the request of your organisation.
- Billing data: where payment flows apply to your subscription, invoicing details held by the customer organisation.
3. Purposes and legal bases
| Purpose | Categories of data | Legal basis (GDPR Art. 6) |
|---|---|---|
| Responding to your contact-form inquiry and sales communication | Identity, contact, message content, technical data | Steps at your request prior to a contract (Art. 6(1)(b)) and our legitimate interest in operating our business (Art. 6(1)(f)) |
| Providing, maintaining and securing the Fullstream AI Service | Account, usage, Customer Content, technical data | Performance of a contract with the customer (Art. 6(1)(b)); legitimate interest in service integrity (Art. 6(1)(f)) |
| Anti-abuse, rate-limiting, Turnstile challenge | IP address, technical data, Turnstile signals | Legitimate interest in protecting our systems and users (Art. 6(1)(f)) |
| Billing, accounting and tax records | Identity, contact, billing and transactional data | Compliance with legal obligations (Art. 6(1)(c)) |
| Responding to legal requests and enforcing our Terms | Relevant data depending on the case | Compliance with legal obligations (Art. 6(1)(c)) and legitimate interests (Art. 6(1)(f)) |
We do not rely on consent for the activities above unless expressly required (for example, for non-essential cookies where applicable, or for any direct marketing we may introduce in the future). When we rely on legitimate interests, we balance those against your rights and freedoms and you may object at any time (see section 10).
4. AI processing
The Fullstream AI workspace processes prompts and content through selected large language models provided by reputable AI providers. By default, Customer Content is processed only to return the requested Output and is not used to train foundation models. Where an AI provider offers a zero-retention mode for enterprise traffic, we enable it. Model inference may temporarily cache data as strictly necessary to deliver the Output and to meet abuse-monitoring requirements imposed by the relevant provider. Output is probabilistic, may be inaccurate and must be independently evaluated before reliance.
5. Cookies and similar technologies
The marketing website at fullstream.org uses only strictly necessary technical storage (such as session identifiers and the Cloudflare Turnstile challenge token). We do not set advertising cookies, and we do not use cross-site tracking on the marketing site. The application at ai.fullstream.org uses strictly necessary cookies for authentication, security and preferences. Where we introduce any optional analytics or functional cookies in the future, we will request your consent via a cookie banner.
Cloudflare Turnstile, used to protect our contact form, may process limited technical information (such as IP, browser signals and interaction metadata) to determine whether a request is likely human. See Cloudflare’s privacy notice for details.
6. Recipients and processors
We disclose personal data only to the following categories of recipients, all of whom are bound by appropriate contractual obligations of confidentiality and data protection:
- Infrastructure and hosting providers operating the servers, databases, backups and networks on which the Service runs.
- Email and communication providers used to deliver inquiry notifications and transactional messages.
- Security providers, including Cloudflare (network protection and Turnstile challenge).
- AI model providers, processing prompts strictly to generate the requested Output.
- Professional advisers (accountants, lawyers and auditors) under confidentiality obligations.
- Public authorities, where disclosure is required by law, court order or to protect our rights.
A current list of sub-processors used to provide the Service is available to subscribing customers on request. We do not sell personal data.
7. International transfers
Some of our providers may be located outside the European Economic Area (“EEA”). When personal data is transferred outside the EEA, we rely on appropriate safeguards under the GDPR, primarily the Standard Contractual Clauses adopted by the European Commission, supplemented where necessary by additional technical and organisational measures (such as encryption in transit and at rest). A copy of the relevant transfer mechanism can be provided on request.
8. Retention
- Contact-form submissions and inbox correspondence: up to 24 months from the last interaction, unless a longer period is needed to manage an active opportunity or comply with a legal obligation.
- Server and application logs: typically 30–90 days for operational logs and up to 12 months for security logs.
- Account data for workspace users: for the duration of the customer subscription and a reasonable grace period after termination, after which data is deleted or returned in accordance with the customer agreement.
- Customer Content: retained during the subscription per the customer’s configuration; deleted or exported upon termination as set out in the Terms of Service.
- Billing and accounting records: retained for the period required by Romanian tax and accounting law (generally 10 years).
9. Security
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, disclosure, alteration and loss, including: encryption in transit (TLS), encryption at rest where applicable, role-based access control, least-privilege access, segregated environments, centralised logging, regular patching and backup, and anti-abuse protections such as Cloudflare Turnstile. Despite these measures, no system is completely secure; you should always keep your credentials confidential and notify us of any suspected compromise.
10. Your rights
Subject to the conditions set out in the GDPR, you have the right to:
- access the personal data we hold about you and obtain a copy;
- rectify inaccurate or incomplete personal data;
- erase personal data where the conditions of Art. 17 GDPR are met;
- restrict processing in the cases set out in Art. 18 GDPR;
- object to processing based on our legitimate interests (Art. 21 GDPR);
- receive the personal data you provided in a structured, commonly used and machine-readable format and to have it transmitted to another controller (data portability);
- withdraw consent where processing is based on consent, without affecting the lawfulness of processing already carried out;
- lodge a complaint with a supervisory authority — in Romania, the Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP), B-dul G-ral. Gheorghe Magheru 28–30, Sector 1, București, www.dataprotection.ro.
If you use the Fullstream AI workspace under a customer subscription, please direct your request first to the customer organisation that provisioned your account; we will support them in responding to your request.
To exercise your rights with us directly, please reach out via our contact form and mention “GDPR request” in the message. We will respond within one month of receipt; this period may be extended by up to two additional months where necessary, given the complexity and number of requests, in which case we will inform you.
11. Children
The Service is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us so we can delete it.
12. Changes to this Policy
We may update this Policy from time to time. Material changes will be communicated via our website or by email at least 30 days before they take effect, where practical. The “Last updated” date at the top of this page shows when the latest version was published.
13. Contact
You can reach us on privacy matters and general inquiries via our contact form.
Data controller
BILOUD SRL
Registration number: J2015002244239
VAT number: RO34723223
Romania