eustella

Privacy

eustella Privacy Policy

Last updated: 16.04.2026

This Privacy Policy explains how we collect, use, and protect your personal data when you use eustella. We wrote it to be clear and honest - if not, please contact us and we will be happy to explain.

This Privacy Policy forms part of your relationship with us but is separate from our Terms of Use. It applies to your use of eustella's mobile applications, web interfaces, AI agent features, and all related services ("Services").

If you are looking for the Privacy Policy regarding our website eustella.com, please visit eustella.com/privacy.

1. Who we are

eustella is built by AI Newsrooms Technology GmbH, a European AI company based in Vienna, Austria. We are the controller of your personal data, which means we decide how and why your data is processed.

AI Newsrooms Technology GmbH Schönbrunner Straße 231, 1120 Vienna, Austria Company register: 637289s, Commercial Court of Vienna

Email: privacy@eustella.com

If you have any questions about how we handle your data, please contact us at privacy@eustella.com. We aim to respond within 14 days.

2. What data we collect

We collect different types of data depending on how you use eustella. Here is an overview.

Data you give us directly

When you create an account, we collect your name, email address, and password. If you sign up through Google or Apple, we receive the profile information those services share with us (typically your name and email address). We do not receive or store your Google or Apple password.

When you use eustella, we collect the content of your conversations - your inputs (what you type or upload) and eustella's outputs (what eustella generates for you). If you upload files, images, or documents, we process those too.

If you connect third-party services such as Google Calendar or Google Drive, we access and process data from those services on your behalf and only to the extent necessary to provide the features you have enabled. We do not access data from your connected services for any other purpose.

Data we collect automatically

When you use our Services, we automatically collect certain technical and usage data. This includes your IP address, device type, operating system, browser type, language settings, and general location (derived from your IP address at the country or city level - we do not collect precise GPS location data). We also collect information about how you use eustella, such as which features you use, when you use them, and how you interact with the app. This data is collected through PostHog, our analytics provider, which is hosted in the European Union (Frankfurt, Germany).

Data eustella learns about you

eustella is a personalised AI assistant. One of its core features is learning your preferences over time so it can give you more useful and relevant responses. This means eustella may remember things like your preferred language, your communication style, the topics you are interested in, or the way you like information presented. We explain exactly how this works and what control you have in Section 5.

3. Why we use your data and our legal basis

The GDPR requires us to have a specific legal reason for every way we use your personal data. Here is an overview.

Providing and operating eustella - When we process your conversations, generate responses, connect to your third-party services, save your preferences, and generally make eustella work for you, we do so because it is necessary to perform our contract with you (Art. 6(1)(b) GDPR). You asked us to provide these services, and we need to process your data to do so.

Keeping eustella safe - We operate our own content moderation and safety systems to detect misuse, enforce our Usage Policies, and protect our users and the public. We do this based on our legitimate interest in maintaining a safe and lawful service (Art. 6(1)(f) GDPR), in conjunction with our legal obligations under the Digital Services Act (Art. 6(1)(c) GDPR).

Improving our Services - We use aggregated and anonymised usage data (such as which features are popular, where users encounter errors, and general usage patterns) to improve eustella. We rely on our legitimate interest in developing and improving our service (Art. 6(1)(f) GDPR). We do not use the content of your conversations to train or improve AI models.

Analytics - We use PostHog (hosted in the EU) to understand how people use eustella so we can identify issues and improve the experience. We rely on our legitimate interest in understanding and improving our service (Art. 6(1)(f) GDPR). You can opt out of analytics through your account settings or by contacting us.

Communicating with you - We may send you service-related communications, such as security alerts, changes to our terms, or important updates about your account. These are necessary for the performance of our contract with you (Art. 6(1)(b) GDPR). If we ever send you marketing communications, we will only do so with your explicit consent (Art. 6(1)(a) GDPR), and you can withdraw that consent at any time.

Complying with the law - We process data when required by law, for example to respond to valid legal requests from authorities or to fulfil our tax and accounting obligations under Austrian law (Art. 6(1)(c) GDPR).

Protecting our rights - In rare cases, we may process data to establish, exercise, or defend legal claims. We rely on our legitimate interest in protecting our legal position (Art. 6(1)(f) GDPR).

4. What we do not do with your data

Some things are just as important to say plainly.

We do not train AI models on your data. We do not use your conversations, your files, your preferences, or any data from your connected third-party services to train, fine-tune, or improve AI models. Not ours, not anyone else's. This is a core commitment of eustella, not just a setting you need to find and toggle.

We do not sell your data. We do not sell, rent, or trade your personal data to anyone, for any reason.

We do not use your data for advertising. eustella does not serve advertisements and we do not share your data with advertisers or ad networks.

We do not transfer your data outside the European Union. All of our infrastructure, data processing, and storage takes place within the EU. Your data does not leave the European Union. This means your data is is fully protected by the GDPR at all times and not subject to the laws of any non-EU country - including the U.S. CLOUD Act.

5. How personalisation works and why it is not profiling

eustella learns your preferences to give you better responses. This is a core feature of the service and works as follows.

What eustella remembers. As you use eustella, it may save information about your preferences - for example, that you prefer concise answers, that you work in a particular industry, that you like a certain communication style, or that you have asked it to remember a specific fact about your life. This information is stored as part of your account and is used exclusively to personalise eustella's responses to you.

You are always in control. You can view everything eustella has saved about you at any time in your account settings. You can edit or delete any individual preference. You can also turn off the entire personalisation feature, in which case eustella will not save any preferences and each conversation will start fresh.

This is not automated decision-making. Under the GDPR (Art. 22), you have the right not to be subject to decisions based solely on automated processing that produce legal effects or similarly significant effects on you. eustella's personalisation does not make any decisions about you. It does not determine your eligibility for anything, restrict your access to any service, assess your creditworthiness, evaluate your job performance, or affect your legal rights in any way. It adapts the way it talks to you - the words it chooses, the level of detail it provides, the topics it remembers - based on what you have told it or what it has learned from your conversations. No decision with legal or similarly significant effect is made on the basis of this information. Keep in mind that the personalization of eustella may effect what information is presented to you due to the nature of personalization.

This is not profiling for third-party purposes. eustella does not build profiles about you for advertising, marketing, credit scoring, insurance assessment, or any external purpose. Your preferences exist solely between you and eustella and are used only to make the service more useful to you.

In short: eustella remembers what you tell it so it can help you better. You can see exactly what it knows, change it, or turn it off. That is all it does.

6. Special categories of personal data

The GDPR gives additional protection to certain especially sensitive types of personal data - including health information, data about religious or philosophical beliefs, political opinions, sexual orientation, racial or ethnic origin, and genetic or biometric data (Art. 9 GDPR).

eustella is not designed to process sensitive data. Our service is a general-purpose AI assistant. We do not ask you for sensitive data, we do not require it, and our features do not depend on it.

But we cannot prevent you from sharing it. Because eustella is a conversational tool, you can type anything into it. We cannot hinder you from telling eustella about a health condition, ask it about a religious topic in a personal context, or share other information that falls into a special category. We want to be honest about this reality rather than pretend it cannot happen.

Our strong recommendation. Please do not share sensitive personal data with eustella unless you genuinely need to for the purpose of your conversation. In particular, please do not share sensitive personal data about other people.

If you do share sensitive data, here is how we handle it.

We apply the following safeguards. We do not share sensitive data with any third party for marketing, advertising, or profiling purposes. We do not use sensitive data to build profiles about you or to make any kind of assessment about you. We do not use sensitive data to train AI models. If personalisation is enabled, eustella may remember context from your conversations, which could include sensitive information you provided - you can review and delete this at any time. We apply the same security measures (encryption at rest and in transit, access controls) to all data, including sensitive data. You can delete individual conversations or your entire account at any time.

A note on data about other people. Please do not enter the personal data of third parties into eustella - particularly not sensitive data - unless you have a lawful basis for sharing it. You are responsible for ensuring that you have the right to share any personal data you provide about other people.

7. Content moderation and safety

We operate our own safety systems to detect and prevent misuse of eustella. This is required to comply with our legal obligations and is also something we believe is the right thing to do.

What this means in practice. Our safety systems may analyse the content of your conversations to identify violations of our Usage Policies - for example, attempts to generate illegal content, content that could harm minors, or content that would facilitate violence or other serious harms. This analysis is automated and is designed to flag potential violations. Where a flag is raised, a limited number of trained safety staff may review the flagged content.

What this does not mean. Content moderation is not a general surveillance of your conversations. We do not read your conversations by default. We do not use content moderation data for any purpose other than safety and compliance. Staff who conduct safety reviews are bound by strict confidentiality obligations and access controls.

The legal basis for this processing is our legitimate interest in maintaining a safe and lawful service (Art. 6(1)(f) GDPR), in conjunction with our legal obligations under the Digital Services Act (Art. 6(1)(c) GDPR).

8. Who we share your data with

We keep the number of parties who have access to your data to an absolute minimum. Here are the categories of recipients and why they receive data.

Infrastructure and hosting providers - We use EU-based cloud infrastructure providers to host eustella and store your data. These providers process data solely on our instructions and are bound by data processing agreements. All hosting takes place within the EU.

AI model providers - eustella uses open-source large language models to generate responses. These models are hosted on our own EU-based infrastructure. Your conversations are processed through these models to generate responses.

PostHog (analytics) - We use PostHog, hosted in the EU (Frankfurt, Germany), for product analytics. PostHog processes pseudonymised usage data on our behalf. PostHog is our data processor and is bound by a data processing agreement.

Payment providers - If you purchase a paid subscription, your payment is processed by our payment provider. We do not store your full credit card number or payment details ourselves. The payment provider receives only the data necessary to process your transaction.

Legal and regulatory authorities - We may share data with law enforcement or regulatory authorities when we are legally required to do so, for example in response to a valid court order or binding legal request. We will always verify the legal basis of any such request and, where permitted by law, we will notify you.

Professional advisors - In rare cases, we may share data with our legal, tax, or audit advisors where necessary to protect our legal interests or comply with our obligations. These advisors are bound by professional confidentiality obligations.

We maintain a current list of our sub-processors at https://eustella.com/services/privacy/sub-processors. If we make significant changes to this list, we will notify you at least 30 days in advance by email or through an in-app notification.

9. International data transfers

We do not transfer your personal data outside the European Union.

All data processing, storage, and hosting takes place within the EU. This applies to your conversations, your account data, your preferences, your analytics data, and any data from connected third-party services.

This means your data is subject exclusively to EU data protection law and is not exposed to the legal frameworks of any non-EU country.

When you connect third-party services such as Google Calendar or Google Drive, data from those services is retrieved into our EU-based infrastructure and processed exclusively within the EU. However, your data within those third-party services remains subject to their own privacy policies and data transfer practices, which may include transfers outside the EU. Our no-transfer commitment applies to our own systems and infrastructure - we cannot control how third-party services handle data on their end.

10. How long we keep your data

We retain your data only for as long as necessary for the purpose for which it was collected. Here are the specific retention periods.

Conversation data - Your conversations are stored for as long as your account exists. You can delete individual conversations at any time, and deleted conversations are removed from our active systems within 30 days. If you delete your account, all conversation data is deleted within 30 days.

Personalisation preferences - Your saved preferences are stored for as long as your account exists and the personalisation feature is enabled. You can delete individual preferences at any time or turn off personalisation entirely. If you delete your account, all preferences are deleted within 30 days.

Account data (name, email, account settings) - Retained for the duration of your account plus 3 years after account closure, to cover statutory limitation periods under Austrian law (ABGB).

Billing and payment data - Retained for 7 years after the relevant transaction, as required by Austrian accounting law (Unternehmensgesetzbuch / Bundesabgabenordnung).

Security and log data - Retained for 30 to 90 days, depending on the type of log. This data is used exclusively for security monitoring and incident response.

Content moderation records - Where content has been flagged by our safety systems, a record of the flag and any action taken is retained for up to 12 months for the purpose of enforcing our policies and complying with relevant laws and regulations.

Backups - Our backup systems retain data for up to 90 days. When data is deleted from our active systems, it will be removed from backups within this backup rotation period.

Analytics data - Usage analytics collected through PostHog are retained for 3 years. This data is pseudonymised and does not include the content of your conversations.

11. Your rights

Under the GDPR, you have the following rights. You can exercise them at any time by contacting privacy@eustella.com or using the controls in your account settings. We will respond within one month, as required by law.

Right to access - You can request a copy of the personal data we hold about you. We will provide it in a commonly used, machine-readable format.

Right to rectification - If your data is inaccurate, you can ask us to correct it. Please note that eustella is an AI system and may sometimes generate inaccurate information (so-called "hallucinations"). If eustella has saved an incorrect preference about you, you can correct it directly in your account settings. If eustella has generated inaccurate content about you within a conversation, you can delete that conversation.

Right to erasure - You can ask us to delete your personal data. You can also delete individual conversations, individual preferences, or your entire account through the app at any time. Please be aware that we may need to retain certain data where required by law (for example, billing records under Austrian accounting law).

Right to restrict processing - You can ask us to restrict how we use your data in certain circumstances, for example while we verify the accuracy of data you have disputed.

Right to data portability - You can request that we provide your data in a structured, commonly used, machine-readable format, or that we transmit it directly to another controller where technically feasible.

Right to object - You have the right to object to processing that is based on our legitimate interest (Art. 6(1)(f) GDPR). If you object, we will stop processing your data unless we can demonstrate compelling legitimate grounds that override your rights. You can also object to processing for analytics purposes at any time - we will stop immediately with no need to provide a reason.

Right to withdraw consent - Where we rely on your consent as a legal basis (for example, for marketing communications), you can withdraw that consent at any time. Withdrawing consent does not affect the lawfulness of processing that occurred before the withdrawal.

Right to lodge a complaint - If you are not satisfied with how we handle your data, you have the right to lodge a complaint with a supervisory authority. In Austria, the competent authority is:

Österreichische Datenschutzbehörde Barichgasse 40–42, 1030 Vienna, Austria

Email: dsb@dsb.gv.at

Website: https://www.dsb.gv.at

If you reside in another EU member state, you can also lodge a complaint with the supervisory authority in your country of residence.

Is providing your data required?

Some data is necessary for you to use eustella. You cannot create an account without providing your name, email address, and date of birth. You cannot use the service without your inputs being processed to generate responses - that is how a conversational AI works. If you choose not to provide this data, you will not be able to use eustella.

Other data is optional. You are not required to connect third-party services, enable personalisation, or share any particular type of information in your conversations. If you choose not to, you can still use eustella - you will simply have a less personalised experience.

Right regarding automated decision-making - You have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal effects or similarly significantly affect you (Art. 22 GDPR). eustella does not make such decisions. Your preferences are stored solely to personalise your experience, and you have full control over them at all times, as described in Section 5.

12. Children and minors

eustella is not intended for use by anyone under the age of 14. We chose 14 as our minimum age because that is the default age of digital consent in Austria. Other standards may apply in other EU countries.

Age verification. Before using eustella for the first time, you are required to provide your date of birth. You cannot use eustella without providing this information. You are required to provide your actual date of birth - providing a false date of birth to circumvent this age restriction is prohibited.

We acknowledge that no currently available technical means can fully verify a person's age without disproportionately intruding on their privacy. We actively monitor developments in this area and will implement proportionate verification measures as they become available and as the regulatory framework evolves.

What happens if a minor is using eustella. If we are notified that a person under 14 is using eustella, we will promptly suspend the account (if one exists) and delete all personal data associated with that person. Deletion from our active systems will take place within 30 days of receiving the notification. Deletion from backup systems will take place within the next scheduled backup rotation, at most within 90 days.

How to report. If you believe a person under 14 is using eustella, please contact us at privacy@eustella.com (or, if you prefer, minors@eustella.com - a dedicated address for exactly this purpose). We aim to acknowledge every report within 72 hours and take action as described above.

For users in the United States. If we expand our service to the United States in the future, we will comply with applicable U.S. laws including COPPA (Children's Online Privacy Protection Act).

13. Security

We take the security of your data seriously and apply appropriate technical and organisational measures, including encryption of data at rest and in transit (using industry-standard protocols such as AES-256 and TLS 1.2 or higher), strict access controls (no employee has default access to the content of your conversations - access is limited to designated safety staff in specific, documented circumstances), regular security assessments, and pseudonymisation where technically feasible (for example, separating conversation content from account identifiers in our internal systems).

No system can guarantee absolute security. If you become aware of any security concern related to eustella, please contact us immediately at security@eustella.com.

14. Changes to this Privacy Policy

We may update this Privacy Policy from time to time as we develop new features or as the law changes. If we make changes that materially affect your rights or the way we use your data, we will give you at least 30 days' advance notice, either by email or through an in-app notification. We will not reduce your rights under this Privacy Policy without your explicit consent.

The current version of this Privacy Policy is always available at [link]. We also maintain an archive of previous versions at [link] so you can see what has changed.

15. How to contact us

For any questions, concerns, or requests related to your privacy or this Privacy Policy:

Privacy contact: privacy@eustella.com

Reports about minors: minors@eustella.com

Security concerns: security@eustella.com

General legal inquiries: legal@eustella.com

Postal address: AI Newsrooms Technology GmbH Karl-Farkas-Gasse 22, Vienna, Austria

© 2026 AI Newsrooms Technology GmbH. All rights reserved.