1. Who we are
Archivez is a tenant-scoped AI assistant operated by Open Kinetix d.o.o. ("Open Kinetix", "we", "us"), a company registered in the Republic of Serbia. Open Kinetix is the data controller for personal data processed through Archivez.
- Registered address: Kazimira Veljkovica 45, 34000 Kragujevac, Serbia
- Contact for privacy and data protection: privacy@archivez.io
- Website: https://archivez.io
2. What this policy covers
This policy explains what personal data Archivez processes, why, where it is stored, how long it is kept, who it is shared with, and what rights you have as a data subject under the EU General Data Protection Regulation (GDPR) and comparable laws.
3. What data we collect
3.1 Account data
When your tenant organisation provisions an Archivez account for you, we process:
- Your email address and name (from your organisation's single sign-on provider)
- Role and permission metadata needed to enforce access control
3.2 Gmail data (only if you connect Gmail)
If you choose to connect your Gmail account through Google OAuth, Archivez will read and index messages from senders you explicitly authorise. We use the gmail.readonly OAuth scope, which means:
- We can read the subject, body, and metadata (sender, recipients, timestamps, thread ID) of selected messages
- We cannot send, modify, or delete any messages
- You control which senders are indexed and can revoke access at any time via Archivez settings or your Google Account permissions
3.3 Uploaded documents
Files (PDF, DOCX, TXT, and similar) that you or a colleague upload into your Archivez tenant are indexed and stored in the tenant's private storage scope.
3.4 Usage data
To run the service we process:
- Chat questions and answers (used to render source citations and maintain conversation history)
- Service logs (request timestamps, error traces, rate-limit counters)
- Aggregate usage metrics (chunk counts, token counts, cost attribution)
4. How we use your data
- To provide the core product: retrieving relevant passages from your own content library and generating cited answers
- To enforce tenant isolation: every row of every database table is scoped by tenant_id, and access is filtered at both the application and query layers
- To operate, maintain, and troubleshoot the service
- To comply with legal obligations
We do not sell your data. We do not use your data to train third-party AI models. Prompts sent to AWS Bedrock are not retained by Anthropic or Cohere for model training.
5. How we store your data
- Encryption at rest: all tenant data is encrypted with AWS KMS customer-managed keys. Each tenant's data envelope uses a distinct Data Encryption Key (DEK) wrapped by the tenant's KMS key.
- Encryption in transit: TLS 1.2 or higher for all connections.
- Tenant isolation: database rows are scoped to tenant_id; application-layer and query-layer checks both enforce the boundary.
- Location: data is stored in the European Union. Primary region is eu-central-1 (Frankfurt, Germany). Large language model calls route through the AWS Bedrock EU cross-region inference profile, which is guaranteed by AWS to stay within EU data-residency boundaries (Frankfurt, Stockholm, Milan, Spain, Ireland, Paris).
6. How long we retain your data
| Category | Retention |
|---|---|
| Indexed Gmail content | Until you disconnect Gmail, un-index the sender, or your tenant account is deleted |
| Uploaded documents | Until deleted by you or your tenant admin |
| Chat history | 180 days by default; your tenant admin may change this |
| Service logs | 90 days rolling |
| Aggregate usage metrics | 24 months (cost attribution and capacity planning) |
| Account data | Duration of your tenant's contract with Open Kinetix |
When you disconnect Gmail, embedded chunks derived from that mailbox are deleted within 24 hours. When your tenant account is closed, all tenant data is deleted within 30 days.
7. Who we share your data with
Archivez does not sell, rent, or share your personal data with third parties for their own purposes.
We use the following sub-processors to operate the service:
| Sub-processor | Purpose | Location / routing |
|---|---|---|
| Amazon Web Services, Inc. | Primary cloud infrastructure (compute, storage, databases, AI inference via Bedrock) | EU — eu-central-1 primary; EU CRI for Bedrock |
| Anthropic, via AWS Bedrock | Large language model inference (Claude family) | EU-only routing via Bedrock EU CRI |
| Cohere, via AWS Bedrock | Multilingual embedding model | EU region |
| Google LLC | Gmail API access (only if you connect Gmail) | Data is pulled from your Google account under your OAuth consent |
All sub-processors are bound by contractual data protection obligations. A current sub-processor list can be requested at privacy@archivez.io.
8. Your rights under GDPR
If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights:
- Access — request a copy of personal data we process about you
- Rectification — correct inaccurate personal data
- Erasure ("right to be forgotten") — request deletion of your personal data
- Portability — receive your personal data in a structured, machine-readable format
- Restriction — request that we limit processing in specified circumstances
- Objection — object to processing based on legitimate interests
- Withdraw consent — for processing based on consent (e.g., the Gmail connection), you can withdraw at any time
To exercise any of these rights, email privacy@archivez.io. We respond within 30 days.
You also have the right to lodge a complaint with a data protection authority — for example the Commissioner for Information of Public Importance and Personal Data Protection (Poverenik) in Serbia, or your national supervisory authority in the EU.
9. Cookies and similar technologies
The Archivez brand website (archivez.io) uses only essential cookies required for the site to function. The Archivez application uses session cookies for authentication through the tenant's identity provider. We do not use third-party advertising or analytics trackers on the application.
10. International transfers
Archivez processes personal data in the European Union. We do not transfer personal data outside the EU in the course of normal operations. Gmail API calls to Google are subject to Google's own data transfer arrangements, which are covered by Google's Data Processing Amendment.
11. Security and breach notification
We maintain administrative, technical, and organisational measures appropriate to the nature of the data we process, including encryption, access controls, logging, and least-privilege IAM. If a personal data breach occurs that is likely to result in a risk to your rights and freedoms, we will notify the affected tenant admins without undue delay and, where required by law, the competent data protection authority within 72 hours.
12. Children
Archivez is a business product and is not intended for children under 16. We do not knowingly collect personal data from children.
13. Changes to this policy
We may update this policy to reflect changes to the service or to legal requirements. Material changes will be announced to tenant admins by email at least 30 days before they take effect. The "Last updated" date at the top of this page is always current.
14. Contact us
- Privacy and data protection: privacy@archivez.io
- General support: support@archivez.io
- Abuse reports: abuse@archivez.io
- Legal entity: Open Kinetix d.o.o., Republic of Serbia