Privacy Policy

What we collect

Website visitors: We collect anonymized usage data through Plausible Analytics — a privacy-first, cookie-free analytics tool. No personal data is collected from website visitors. No cookies are set. No cross-site tracking occurs.

Schema audit requests: When you submit a schema audit request, we collect your name, email address, company name, and any documents or information you voluntarily provide. This data is used solely to evaluate your request and respond to you.

Platform users: For authenticated platform users, we process: name, email address, organization affiliation, and activity logs necessary for service delivery, audit trails, and security monitoring.

Legal basis

We process personal data under the following legal bases per GDPR Article 6:

• Contract performance (Art. 6(1)(b)) — Processing necessary to deliver the Talonic platform and respond to schema audit requests.
• Legitimate interest (Art. 6(1)(f)) — Security monitoring, fraud prevention, and service improvement.
• Legal obligation (Art. 6(1)(c)) — Tax and accounting requirements, regulatory compliance.

Data retention

Schema audit request data is retained for the duration of the business relationship plus 12 months, unless a longer retention period is required by law. Platform activity logs are retained for 24 months. Anonymized analytics data is retained indefinitely.

You may request deletion of your personal data at any time by contacting hello@talonic.com.

Third-party processors and sub-processors

Talonic uses the following third-party services to deliver the platform:

• Microsoft Azure (Germany West Central) — Infrastructure hosting, compute, and storage. All data remains within EU boundaries.
• Mistral AI (via Azure AI Foundry) — Large language model inference for document extraction. Accessed through Azure's EU infrastructure; no data is sent to Mistral directly.
• Plausible Analytics (EU-hosted) — Privacy-first website analytics. No personal data is collected. No cookies are used. Fully GDPR-compliant without a cookie banner.
• Vercel (Edge network) — Website hosting and delivery. Static assets served from edge; no personal data is processed by Vercel.

A complete sub-processor list is included in our Data Processing Agreement, available on request.

Data subject rights

Under the GDPR, you have the right to:

• Access — Request a copy of the personal data we hold about you.
• Rectification — Request correction of inaccurate or incomplete personal data.
• Erasure — Request deletion of your personal data where there is no compelling reason for continued processing.
• Restriction — Request restriction of processing in certain circumstances.
• Data portability — Receive your personal data in a structured, machine-readable format.
• Objection — Object to processing based on legitimate interest.

To exercise any of these rights, contact hello@talonic.com. We will respond within 30 days.

Data Processing Agreement

A GDPR-compliant Data Processing Agreement (DPA) is available for enterprise customers and covers: sub-processor list, data subject rights procedures, breach notification timelines, technical and organizational measures, and cross-border transfer mechanisms.

Request a DPA at hello@talonic.com.

Contact for data requests

For all privacy-related inquiries, data subject requests, or DPA requests:
hello@talonic.com

You also have the right to lodge a complaint with the Berlin Commissioner for Data Protection and Freedom of Information (Berliner Beauftragte für Datenschutz und Informationsfreiheit).