Back to natix.chat

Privacy Policy

Last updated: April 24, 2026

This document describes how Natix collects, processes and protects personal data when you use natix.chat. Read together with our Terms of Service.

1. Data controller

The controller of your personal data is Natix, with contact point at hello@natix.ro. For any data protection inquiries, including GDPR rights requests, please write to this address.

We process data in accordance with the EU Regulation 2016/679 (GDPR) and applicable Romanian law (Law 190/2018).

2. What data we collect

2.1 Account data

  • Email, name, profile picture (if you sign in with Google)
  • Password (stored bcrypt-hashed) — only for email/password sign-in
  • OTP codes sent to your email for verification

2.2 Onboarding data

  • Date of birth (for age verification)
  • Company size, department, role

2.3 Usage-generated data

  • Conversations: messages you send to AI agents and their responses
  • Documents: files you upload for AI processing (PDF, DOCX, XLSX, images)
  • Configuration: departments, custom agents, prompts, integrations
  • Usage: message counts, tokens consumed, features used, timestamps
  • Technical logs: IP (short-lived, for rate limiting), user-agent, errors

2.4 Payment data

Payments are fully processed by Stripe. We do not store card numbers, CVV or sensitive payment data. From Stripe we only receive: card brand (Visa/Mastercard), last 4 digits, billing address, transaction history, VAT.

2.5 OAuth integration data (optional)

If you connect an external integration, we keep only the tokens necessary and minimal metadata:

  • Gmail, Outlook: access token + refresh token (encrypted), email address, IDs of processed threads
  • Google Drive, OneDrive: access token + refresh token (encrypted), list of documents you explicitly share
  • Notion: access token, workspace ID, pages you grant us access to

We request minimal scopes (data minimization principle). You can revoke access at any time from the Integrations page or from your provider account.

3. How we use data

  • Providing the natix.chat service and all features
  • Authentication and account security
  • Processing conversations with AI agents (see section 5)
  • RAG (Retrieval-Augmented Generation) indexing of your documents in the Knowledge Base
  • Sending transactional emails (verification, password reset, invoices)
  • Sending product emails (updates, onboarding tips, new templates) — you can unsubscribe anytime
  • Enforcing usage limits per your plan
  • Fraud and abuse prevention (rate limiting, spam detection)
  • Service improvement through aggregate metrics (we do not use your conversations to train AI)

4. Legal basis (GDPR art. 6)

  • Contract performance (art. 6(1)(b)) — for the service itself, payments, account
  • Legitimate interest (art. 6(1)(f)) — security, abuse prevention, technical metrics
  • Consent (art. 6(1)(a)) — for optional OAuth integrations and marketing emails
  • Legal obligation (art. 6(1)(c)) — invoice retention (Romanian Accounting Law)

5. AI processing

Messages and documents you send are processed by AI models (Claude Sonnet 4.5 and Claude Haiku 4.5) via AWS Bedrock, exclusively in the EU region (Frankfurt).

  • Your data is NOT used to train AI models — Anthropic and AWS have a Data Processing Agreement that explicitly excludes this
  • AWS Bedrock retains inputs for up to 30 days (for abuse detection), then deletes them
  • We use prompt caching (1h cache at Bedrock level) for efficiency — the cache is isolated per AWS account
  • For RAG indexing, we extract text from documents and store vector embeddings in AWS Bedrock Knowledge Base (also EU)

6. Infrastructure and data location

All data is processed and stored exclusively within the European Union:

  • Database: AWS RDS PostgreSQL — EU North (Stockholm)
  • File storage: AWS S3 — EU Central (Frankfurt)
  • AI processing: AWS Bedrock — EU Central (Frankfurt)
  • Email delivery: Resend + AWS SES — EU
  • CDN & Edge: AWS CloudFront with EU PoPs

We do not transfer data outside the EEA.

7. Sub-processors

For service operation we work with the following sub-processors, all with signed DPAs:

  • Amazon Web Services EMEA SARL — cloud infrastructure (compute, storage, AI, email)
  • Stripe Payments Europe Ltd. — payment processing (PCI-DSS)
  • Resend Inc. — transactional email delivery
  • Google Ireland Ltd. — OAuth + Gmail/Drive (only if you connect)
  • Microsoft Ireland Operations Ltd. — OAuth + Outlook/OneDrive (only if you connect)
  • Notion Labs Inc. — OAuth + Notion API (only if you connect)

We do not sell, rent or share your data with third parties for marketing purposes.

8. Cookies

  • Essential: authentication session (JWT), CSRF tokens, cookie consent preference. Without these the service cannot function.
  • Preference: theme (dark/light), sidebar width, preferred locale (RO/EN).

We do not use tracking, advertising or third-party analytics cookies.

9. Data retention

  • Active account: we keep data as long as the account is active
  • After account deletion: data is deleted within 30 days, except what is needed for legal obligations (invoices — 10 years per Romanian Accounting Law)
  • Backups: auto-expire after 30 days
  • Access logs: 90 days
  • Archived conversations: kept while account active; you can delete individually at any time

10. Your rights (GDPR)

You have the following rights, exercisable by email at hello@natix.ro:

  • Right of access (art. 15) — to receive a copy of your data
  • Right to rectification (art. 16) — to correct inaccurate data
  • Right to erasure (art. 17) — "right to be forgotten"
  • Right to restriction (art. 18) — to temporarily pause processing
  • Right to portability (art. 20) — export in structured format (JSON)
  • Right to object (art. 21) — to processing based on legitimate interest or marketing
  • Right to withdraw consent — anytime, with no retroactive effect
  • Right not to be subject to automated decision-making (art. 22) — we do not make automated decisions with legal impact

We respond within 30 days of the request.

11. Supervisory authority

If you are unsatisfied with how we process your data, you have the right to file a complaint with the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP):

12. Security

  • TLS 1.2+ for all connections
  • Passwords hashed with bcrypt (cost factor ≥ 12)
  • OAuth tokens encrypted symmetrically (AES-256) at rest
  • Restricted infrastructure access (MFA, least-privilege IAM)
  • Automated monitoring and alerts on suspicious events
  • Encrypted daily backups with 30-day retention

13. Minors

natix.chat is not intended for persons under 16 years of age. We do not knowingly collect data from minors. If you become aware that a minor has provided us data, please email hello@natix.ro for immediate deletion.

14. Changes to this policy

We will notify you by email at least 30 days before any material change. Minor changes (clarifications, typos) take effect on publication with the updated date in the header.

15. Contact

For any questions or GDPR rights requests: hello@natix.ro