GDPR Notice
Information for individuals in the EEA and UK about how we process personal data and your rights under the GDPR.
Effective date: 13 May 2026
1. Overview
This GDPR Notice supplements our Privacy Policy and provides specific information required under the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the UK GDPR as retained in UK law. It applies to individuals located in the European Economic Area (EEA) and the United Kingdom whose personal data is processed by Individual Entrepreneur Polshchykov Roman (Registration No: 2939422257), trading as Sigmalion.
2. Data Controller
The data controller responsible for your personal data is:
Individual Entrepreneur Polshchykov Roman (Registration No: 2939422257), trading as Sigmalion
Email: team@sigmalion.io
Because we are established outside the European Economic Area but offer our services to data subjects in the Union, the GDPR applies to our processing under Article 3(2)(a).
We do not currently have a statutory obligation to appoint a Data Protection Officer (DPO). For all data-protection enquiries, contact us directly at the email above or via our EU Representative (see Section 3).
3. EU Representative (Article 27 GDPR)
Under Article 27 GDPR, as a controller established outside the Union processing personal data of EU data subjects, we have designated a representative in the Union to act as a point of contact for supervisory authorities and data subjects on all matters related to GDPR compliance.
[Representative name — to be appointed]
[Postal address in an EU Member State]
Email: team@sigmalion.io
Until the formal appointment is finalised, please direct all GDPR enquiries to team@sigmalion.io and we will route them appropriately.
4. Lawful Bases for Processing
We rely on the following lawful bases under Article 6 GDPR:
Art. 6(1)(b) — Contract
Processing is necessary for the performance of a contract with you, or to take steps at your request prior to entering into a contract.
Art. 6(1)(c) — Legal obligation
Processing is necessary to comply with a legal obligation, including tax, accounting, and anti-money-laundering requirements under UK and EU law.
Art. 6(1)(f) — Legitimate interests
Processing is necessary for our legitimate interests — responding to enquiries, improving our website, and running our business — provided these are not overridden by your interests or fundamental rights.
Art. 6(1)(a) — Consent
Where we process data based on your consent (e.g., optional newsletter), you may withdraw consent at any time without affecting the lawfulness of prior processing.
5. Your Rights Under GDPR
As a data subject under the GDPR or UK GDPR, you have the following rights:
Right of access (Art. 15)
You may request a copy of the personal data we hold about you, along with information on how it is used.
Right to rectification (Art. 16)
You may ask us to correct inaccurate personal data or to complete incomplete personal data.
Right to erasure (Art. 17)
You may request deletion of your personal data where there is no lawful ground to retain it ('right to be forgotten').
Right to restriction (Art. 18)
You may ask us to restrict processing of your data in certain circumstances, for example while a complaint is being resolved.
Right to data portability (Art. 20)
Where processing is based on consent or contract and carried out by automated means, you may receive your data in a structured, commonly used, machine-readable format.
Right to object (Art. 21)
You may object to processing based on legitimate interests or for direct marketing purposes. We will cease processing unless we have compelling legitimate grounds.
Rights related to automated decision-making (Art. 22)
We do not engage in solely automated decision-making or profiling that produces legal or similarly significant effects.
To exercise any of these rights, email team@sigmalion.io. We will respond within 30 days (or 3 months for complex requests, with notice). We will not charge a fee unless requests are manifestly unfounded or excessive.
6. Sub-processors
We engage the following sub-processors under written contracts compliant with Article 28 GDPR. These processors act only on our documented instructions and are bound to equivalent confidentiality and security obligations.
| Processor | Purpose | Location | Safeguard |
|---|---|---|---|
| Google LLC | AI chat responses (Gemini API) | USA | EU–US Data Privacy Framework + SCCs |
| Supabase Inc. | PostgreSQL database, file storage | USA + EU regions | Signed DPA + SCCs |
| Vercel Inc. | Website hosting and global edge CDN | USA + global edge | Signed DPA + SCCs |
Google retains prompts and responses sent to the Gemini API for a limited period (paid tier; not used for model training), as described in the Gemini API Additional Terms of Service. The exact retention period is being clarified with Google Cloud Support and will be published here once confirmed.
The current list of indirect sub-processors used by our providers (e.g. Supabase's underlying cloud infrastructure) is available on request at team@sigmalion.io.
7. International Data Transfers
Where personal data is transferred outside the European Economic Area, we rely on the following safeguards under Chapter V GDPR:
- Transfers to Google LLC (USA) — covered by the EU–US Data Privacy Framework (Commission Implementing Decision (EU) 2023/1795), with the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) as a contractual fallback.
- Transfers to Supabase Inc. and Vercel Inc. (USA) — covered by signed Data Processing Addenda incorporating the EU Standard Contractual Clauses under Article 46(2)(c) GDPR, with supplementary measures as recommended by the European Data Protection Board.
The EU–US Data Privacy Framework was challenged in Case T-553/23 Latombe v Commission; the EU General Court dismissed that action on 3 September 2025, and an appeal before the Court of Justice of the European Union is pending. Should the DPF be invalidated, transfers to Google LLC will rely on the SCCs with supplementary measures.
8. Retention Periods
In accordance with the storage-limitation principle (Article 5(1)(e) GDPR), we retain personal data only as long as necessary:
- Lead / contact-form submissions — 7 years (UA / EU accounting and tax obligations).
- AI chat messages — 90 days, then automatically purged by a scheduled database job.
- Admin access logs — 30 days, then automatically purged.
- Email correspondence and engagement records — 7 years.
You may request earlier deletion of your data where no statutory retention obligation applies.
9. Right to Lodge a Complaint
If you believe we have not handled your personal data in accordance with applicable data protection law, you have the right to lodge a complaint with a supervisory authority.
UK — Information Commissioner's Office (ICO)
ico.org.uk — 0303 123 1113
EU — Relevant national supervisory authority
Contact the data protection authority in your EU Member State of habitual residence or place of work. The full list is maintained by the European Data Protection Board at edpb.europa.eu/about-edpb/about-edpb/members_en.
We ask that you contact us first at team@sigmalion.io so we have the opportunity to resolve your concern directly.
10. Updates to This Notice
We may update this GDPR Notice from time to time to reflect changes in our practices or applicable law. When we do, we will revise the effective date above. We encourage you to review this page periodically.
Questions about your data rights?
Email us at team@sigmalion.io and we will get back to you within one business day.