Privacy Policy
Last updated: 14 May 2026
1. Who We Are
Staffken is operated by PAŞCOVICI ŞERBAN-CONSTANTIN II, a sole trader registered in Romania under registration number F33/571/2019 (EU registration: ROONRC.F33/571/2019). Not VAT registered.
Our platform, accessible at staffken.com, enables businesses to create AI-powered virtual employees trained on company knowledge, allowing team members to access expert answers instantly via a private chat interface.
We act as the data controller for the personal data you provide when using Staffken. For privacy questions or requests, contact us at privacy@staffken.com.
2. What Data We Collect
We collect the following categories of data:
- Account data: your full name, work email address, business name, and a hashed password. For team members invited to the platform, we also store the email address used to send the invitation.
- Knowledge content: files (PDFs, images), documents, and text you upload to train your virtual employees. This content belongs entirely to you. See Section 4 for how it is handled.
- Chat messages and session data: the questions employees ask virtual employees, the AI-generated answers, timestamps, and message counts. This data is used to provide the service and generate usage analytics for your business dashboard.
- Usage analytics: anonymous page-view and performance statistics collected via Vercel Analytics. No personal data is attached to these statistics.
- Payment data: subscription status, billing period, and payment identifiers provided by Stripe. We never store your full card number, CVV, or bank account details — all payment data is held exclusively by Stripe.
- Error logs: JavaScript errors and performance diagnostics captured by Sentry to help us identify and fix technical issues. Logs may include browser type, operating system, and a session identifier, but are not linked to your personal identity.
- Technical data: IP addresses, browser type, and authentication session tokens managed by Supabase Auth.
3. How We Use Your Data
We process your data for the following purposes and legal bases:
- Providing the Staffken service (contractual necessity): Authenticating users, storing and retrieving knowledge, generating AI responses, and displaying usage analytics in your dashboard.
- Processing payments (contractual necessity): Managing your subscription, processing charges, and sending invoices via Stripe.
- Sending transactional emails (contractual necessity): Delivering invitation emails, password reset links, and billing notifications via Resend. We do not send marketing emails without your explicit consent.
- Monitoring service health (legitimate interests): Using Sentry to capture errors and diagnose issues so we can maintain a reliable platform. You can opt out of optional Sentry tracking via the cookie banner.
- Security and rate limiting (legitimate interests): Detecting abuse, enforcing usage limits via Upstash Redis, and protecting the integrity of the platform.
- Legal compliance (legal obligation): Retaining billing records and responding to lawful requests from Romanian or EU authorities.
4. AI and Your Knowledge Content
This section explains exactly how your uploaded knowledge is handled by AI systems.
- Knowledge content you upload to Staffken (PDFs, images, text) is stored securely on Staffken's infrastructure (Supabase, hosted on EU servers).
- It is used exclusively to answer questions from your own team via the Staffken chat interface. It is never used for any other purpose.
- Staffken does not use your knowledge content to train any AI models, including our own systems or third-party systems.
- Staffken does not sell, share, or disclose your knowledge content to any third party, except as described below.
- Staffken uses Anthropic's Claude API to generate responses. When a team member asks a question, the most relevant excerpts from your knowledge base are identified and sent to Anthropic's API along with the question, and Claude generates the answer. This means selected knowledge excerpts are transmitted to Anthropic as part of each API request.
- Staffken uses OpenAI's embedding API to convert your knowledge content into vector embeddings for retrieval. Text extracted from uploaded files is sent to OpenAI to generate these embeddings.
- Anthropic's and OpenAI's own privacy policies apply to data they receive via their APIs. We encourage you to review: anthropic.com/privacy and openai.com/policies/privacy-policy.
5. Third-Party Services
We do not sell your personal data. We share data only with the following sub-processors who help us deliver the Staffken service:
- Stripe — payment processing and subscription management. stripe.com/privacy
- Anthropic — AI language model (Claude API) used to generate virtual employee responses. Knowledge excerpts and chat messages are sent to Anthropic for inference. anthropic.com/privacy
- OpenAI — embedding model (text-embedding-3-small) used to index your knowledge content. Knowledge text is sent to OpenAI to generate vector embeddings. openai.com/policies/privacy-policy
- Supabase — database, authentication, and file storage, hosted on EU servers. supabase.com/privacy
- Resend — transactional email delivery (invitations, password resets, billing notifications). resend.com/privacy
- Sentry — error monitoring and performance diagnostics. sentry.io/privacy
- Vercel — cloud hosting, serverless compute, and anonymous analytics. vercel.com/legal/privacy-policy
- Upstash — rate limiting via Redis, used to store short-lived request counters. upstash.com/privacy
All sub-processors are contractually required to process data only as instructed and to maintain appropriate security measures.
6. Data Retention
We retain data for the following periods:
- Account data — retained while your account is active. Deleted within 30 days of account closure or deletion.
- Knowledge content (files, documents, embeddings) — deleted within 30 days of account deletion.
- Chat history — retained while your account is active and deleted within 30 days of account deletion.
- Payment records — retained for 7 years as required by Romanian and EU financial regulations.
- Error logs — retained for up to 90 days in Sentry.
- Rate-limit counters — automatically expire within 24 hours (per-day counters) or 31 days (per-month counters) in Upstash Redis.
7. International Data Transfers
PAŞCOVICI ŞERBAN-CONSTANTIN II is based in Romania (EU/EEA). Some sub-processors, including Anthropic, OpenAI, and Stripe, are based in the United States. When personal data is transferred outside the EEA, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or on the sub-processor's participation in an approved data transfer framework.
8. Your Rights Under GDPR
As a resident of the European Economic Area, you have the following rights over your personal data:
- Right of access — request a copy of the personal data we hold about you.
- Right to rectification — correct inaccurate data by updating your account profile or by contacting us.
- Right to erasure — request deletion of your personal data. Deleting your account initiates deletion of all associated data within 30 days, subject to legal retention obligations (e.g., billing records).
- Right to data portability — request an export of your data in a machine-readable format.
- Right to object — object to processing based on legitimate interests.
- Right to restrict processing — request that we limit how we use your data while a dispute is resolved.
- Right to withdraw consent — where processing is based on consent (e.g., optional cookies), you can withdraw it at any time via the cookie banner or browser settings.
To exercise any right, email us at privacy@staffken.com. We will respond within 30 days. You also have the right to lodge a complaint with the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) or your local data protection authority.
9. Security
We implement industry-standard security measures: encryption in transit (TLS 1.2+), encryption at rest for stored data, Row Level Security (RLS) on all database tables to prevent cross-tenant data access, and strict access controls. Our infrastructure is hosted on Supabase (EU servers) and Vercel.
No method of electronic storage is 100% secure. If you discover a security vulnerability, please report it responsibly to privacy@staffken.com.
10. Cookies
Staffken uses a small number of cookies. Essential cookies (required to keep you signed in) cannot be declined. Optional analytics and error-monitoring cookies can be accepted or declined via the consent banner shown on your first visit.
For a full list of cookies, their purpose, and how to control them, see our Cookie Policy.
11. Children's Privacy
Staffken is a B2B platform intended for business users aged 18 and over. We do not knowingly collect personal data from anyone under 16. If you believe we have inadvertently collected such data, contact us immediately at privacy@staffken.com.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a notice in the platform. Continued use of Staffken after a change takes effect constitutes your acceptance of the revised policy.
13. Contact Us
For any privacy-related questions, requests, or complaints, contact us at:
PAŞCOVICI ŞERBAN-CONSTANTIN II
Romania
Registration: F33/571/2019
Email: privacy@staffken.com
© 2026 PAŞCOVICI ŞERBAN-CONSTANTIN II. All rights reserved.