Privacy Policy
Last Updated: November 23, 2025
TL;DR (Plain English Summary)
- ✓ We don't sell your data. Ever. Not to advertisers, not to data brokers.
- ✓ We use trusted vendors. We only use top-tier US-based infrastructure (like OpenAI and Vercel) to run the app.
- ✓ You can leave anytime. And take your data with you (CSV/PDF export). We don't lock you in.
1. Data Ownership
You own your data. As between the parties, Customer retains all right, title, and interest in and to the Customer Data, including all manufacturing logs, non-conformance reports, and uploaded documents. Samrian acquires no rights in Customer Data, other than the limited right to host, process, and display such data as necessary to provide the Services.
Aggregated Data. You agree that Samrian may collect, use, and publish metadata and data in an aggregated and anonymized format (where you and your users are not identified) for the purpose of improving the Services, industry benchmarking, and developing new features. Samrian owns all rights to this Aggregated Data.
2. Use of Customer Data for Training
Samrian (and its subprocessors) will not use your Customer Data to train, fine-tune, or improve any foundational or proprietary AI models, except as follows:
- For purposes of providing the Services, Samrian may process your data transiently (inference) but will not incorporate it into any model training pipeline.
- Aggregated and anonymized usage metrics (not containing personal data or business-identifiable information) may be used by Samrian to improve service performance, subject to strict de-identification safeguards.
- Samrian may not share your raw inputs, outputs, or your proprietary content with any third party for the purpose of training third-party AI systems without your express, written consent.
3. Sub-processors
We use the following third-party service providers to help us provide the Services. We select providers that maintain robust security and privacy standards and process data in accordance with their respective privacy policies and security commitments.
| Sub-processor | Purpose | Location |
|---|---|---|
| Vercel | Hosting & Edge Functions | USA |
| Neon | Database (PostgreSQL) | USA |
| OpenAI | AI Processing & Analysis | USA |
| xAI | AI Processing & Analysis | USA |
| Supermemory | Vector Search & Memory | USA |
| Resend | Transactional Emails | USA |
Samrian maintains a current list of subprocessors and will notify Customer at least 30 days prior to adding or replacing any subprocessor (“Subprocessor Notice Period”). Customer may object in writing within the Subprocessor Notice Period if the change poses a reasonable data protection risk; Samrian may, at its discretion, (i) provide an alternate subprocessor, (ii) process the data without the subprocessor, or (iii) allow Customer to terminate the Services without penalty.
4. Data Security
We implement appropriate technical and organizational measures to protect your data against unauthorized access, alteration, disclosure, or destruction. This includes encryption in transit and at rest, strict access controls, and regular security audits.
5. Cross-Border Data Transfers
- Samrian may transfer, host, and process Customer Data using subprocessors located outside your jurisdiction.
- For any transfer of Customer Personal Data (as defined under applicable data protection law), Samrian (or its subprocessors) shall implement appropriate transfer mechanisms (e.g., Standard Contractual Clauses, Binding Corporate Rules) or rely on another lawful basis, and provide you with written documentation upon request.
- If you are subject to data residency requirements, you may request additional contractual guarantees, data localization, or data deletion in accordance with Samrian’s sub-processor disclosures and data localization policies.
6. Data Retention & Deletion
30-Day Grace Period. Upon termination of your account, we will retain your Customer Data for 30 days to allow for potential reinstatement or export. After this period, your data will be permanently deleted from our live systems, except where we are required by law to retain it. It is your responsibility to export your data before this period expires.
7. Children & Minors Compliance
Samrian is not intended for use by individuals under 18 years of age. Samrian does not knowingly collect personal data from minors. If Samrian becomes aware that personal data has been collected from a minor without verifiable parental consent, Samrian will delete such data promptly.
8. GDPR Compliance (Your Rights)
Subject to applicable law, individuals have the right to:
- Access their personal data
- Correct inaccurate personal data
- Request deletion (“right to be forgotten”)
- Object to processing
- Request restriction of processing
- Request a portable copy of their data
- Withdraw consent at any time
- Lodge a complaint with their Supervisory Authority
Legal Bases for Processing (GDPR):
- Contract performance (Article 6(1)(b))
- Legitimate interests (Article 6(1)(f))
- Compliance with legal obligations (Article 6(1)(c))
- Consent where required (Article 6(1)(a))
9. Contact Us
If you have any questions about this Privacy Policy, please contact us at support@samrian.com.