
Privacy Policy

This policy explains how Individual Entrepreneur Polshchykov Roman (Registration No: 2939422257), trading as Sigmalion, collects, uses, and protects your personal data.

Effective date: 13 May 2026

1. Who We Are

Individual Entrepreneur Polshchykov Roman (Registration No: 2939422257), trading as Sigmalion ("Sigmalion", "we", "us", "our") is the data controller responsible for your personal data. We are a software engineering and AI consultancy serving clients in the EU, UK, and US.

Registered address: Peace St, 57, ap. 198, Kharkiv, Kharkivs'ka oblast, 61000, Ukraine
Tax ID: 2939422257

Sigmalion is established outside the European Economic Area. Because we offer our services to data subjects in the Union, the GDPR applies to our processing activities under Article 3(2)(a). We have therefore designated a representative in the Union — see Section 7.

If you have any questions about this policy or how we handle your data, contact us at team@sigmalion.io.

2. Data We Collect

We collect personal data only when you actively provide it or when it is generated by your use of our website:

  • Contact information — name, email address, and any message you send via our contact form or email.
  • Inquiry details — project description, budget range, timeline, and other information you voluntarily share when requesting a consultation.
  • AI assistant messages — text you send to the chat widget on our site. These messages are sent to Google (Gemini API, USA) to generate a response. According to Google's Gemini API Additional Terms of Service, when billing is enabled (paid tier) prompts and responses are logged by Google for a limited period solely for abuse-detection and safety monitoring, and are not used to train Google's models. We additionally retain our own copy for up to 90 days (see Section 6).
  • Technical / security logs — when an authorised user accesses the admin area (/crm) we record the IP address, browser User-Agent and login outcome for up to 30 days for security monitoring.
  • Communication records — email correspondence and notes from calls or meetings conducted in the course of a project engagement.

We do not deploy web analytics, advertising pixels, retargeting cookies, or any third-party tracking on the public pages of this site.

We do not collect payment card data directly — all billing is handled by third-party processors that are independently PCI-DSS compliant.

3. How We Use Your Data

We use your personal data for the following purposes:

  • Responding to your inquiries and providing the services you request.
  • Managing client relationships and project delivery.
  • Sending service-related communications (project updates, invoices, and similar).
  • Improving our website and understanding how visitors interact with our content.
  • Complying with legal obligations (e.g., tax, accounting, anti-money-laundering).

We do not sell your personal data, use it for automated profiling, or send unsolicited marketing emails.

We are committed to AI safety: we do not use client data to train any third-party or proprietary AI models. We advocate for and implement local-first or zero-retention AI architectures for our clients.

5. Who We Share Your Data With

We share your data only where necessary:

  • Sub-processors — see the table below for the third-party services that process your data on our behalf under written data-processing agreements (Article 28 GDPR).
  • Professional advisors — accountants, lawyers, or auditors where required for legal or compliance purposes.
  • Authorities — where required by law, regulation, or court order.

Processor | Purpose | Location | Safeguard
Google LLC | AI chat responses (Gemini API) | USA | EU–US Data Privacy Framework + SCCs (Art. 46(2)(c))
Supabase Inc. | PostgreSQL database, file storage | USA + EU regions | Signed DPA + SCCs
Vercel Inc. | Website hosting and global edge CDN | USA + global edge | Signed DPA + SCCs

A full, up-to-date sub-processor list including indirect sub-processors of our providers is available on request at team@sigmalion.io.

All third-party processors are bound by contractual data-protection obligations. Transfers outside the EEA rely on the EU–US Data Privacy Framework (Commission Implementing Decision (EU) 2023/1795) where applicable, otherwise on Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), with supplementary measures where required.

6. Data Retention

We apply the GDPR storage-limitation principle (Article 5(1)(e)): personal data is retained only for as long as necessary for the purposes described in this policy or as required by law.

Data category | Retention period
Lead / contact-form submissions | 7 years (UA / EU accounting and tax obligations)
AI chat messages (chat_history) | 90 days, then automatically deleted
Admin access logs (system_logs) | 30 days, then automatically deleted
Email correspondence and engagement records | 7 years

Automatic deletion for chat history and admin logs is enforced by a scheduled database job that runs daily. You may request earlier deletion where no statutory retention obligation applies — see Section 7.

7. Your Rights

Under GDPR and UK data protection law, you have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — ask us to correct inaccurate or incomplete data.
  • Erasure — request deletion of your data where there is no lawful reason to retain it.
  • Restriction — ask us to limit how we process your data in certain circumstances.
  • Portability — receive your data in a structured, machine-readable format.
  • Object — object to processing based on legitimate interests or for direct marketing.
  • Withdraw consent — where processing is based on consent, withdraw it at any time.

To exercise any of these rights, email us at team@sigmalion.io. We will respond within 30 days. You may also contact our EU Representative (see below) or the UK Information Commissioner's Office (ICO) at ico.org.uk, or lodge a complaint with the supervisory authority in your EU member state — see our GDPR Notice for the full list.

EU Representative (Article 27 GDPR)

As a controller established outside the Union, we are required to designate a representative in the EU. [Name and EU address — to be appointed]. Until appointment is finalised, please contact us directly at team@sigmalion.io.

8. Cookies and Similar Technologies

Our public pages do not set any cookies and do not deploy any web analytics, advertising pixels, retargeting tags, or social-media tracking. We do not run a cookie consent banner because there are no non-essential cookies or similar identifiers to consent to.

Inside our admin area (/crm), we use browser sessionStorage to keep an admin-entered access key for the duration of the session. This is strictly necessary for the authentication of an authorised user and is therefore exempt from the consent requirement under Article 5(3) of the ePrivacy Directive 2002/58/EC (as amended by Directive 2009/136/EC), as clarified by the Article 29 Working Party Opinion 04/2012 (WP194).

Our AI chat widget stores a single flag in sessionStorage so the privacy notice is not shown twice in the same browser tab. This is also strictly necessary and stores no personal data.

9. Security

We follow the principle of Least Privilege (PoLP) and use industry-standard encryption for all data at rest and in transit.

We take data security seriously. All data is transmitted over encrypted connections (TLS). Access to personal data is restricted to team members who need it to perform their role, and we conduct regular reviews of our data-handling practices. A scheduled database job purges expired chat history and admin logs daily (see Section 6). In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours in accordance with Article 33 GDPR, and inform affected individuals without undue delay where required under Article 34 GDPR.

10. Children

Our services are directed at businesses and professionals. We do not knowingly collect personal data from individuals under the age of 16. If you believe we have inadvertently collected such data, please contact us immediately and we will delete it.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Effective Date" at the top of this page. We encourage you to review this policy periodically. Continued use of our website after changes are posted constitutes your acceptance of the revised policy.

Questions about your privacy?

Email us at team@sigmalion.io and we will get back to you within one business day.