Privacy Policy
Last updated: November 29, 2025
Our commitment: Petros AI is built on the principle of data sovereignty. Your documents never leave the European Union, are never used to train AI models, and you have full control over deletion at any time.
1. Who We Are
Petros AI is operated by GDA Consulting SARL, based in Luxembourg. We provide a document intelligence platform for legal and financial professionals.
- Business Name: GDA Consulting SARL
- Location: Luxembourg
- Contact: contact@gda.lu
- Website: https://petros.lu
2. Data We Collect
2.1 Account Information
When you create an account, we collect:
- Email address
- Name (optional)
- Organization/firm name
- Password (encrypted, never stored in plain text)
2.2 Documents You Upload
When you use our service, you may upload documents including:
- PDF files
- Word documents (.docx)
- Excel spreadsheets (.xlsx)
- Other supported file formats
Important: Your documents are stored exclusively in AWS data centers in Frankfurt, Germany (eu-central-1). They never leave the European Union.
2.3 Usage Data
We collect anonymized usage data to improve our service:
- Pages visited
- Features used
- Error logs
- Performance metrics
2.4 Waitlist & Marketing
If you join our waitlist, we collect your email address to send you product updates and launch announcements. You can unsubscribe at any time.
3. How We Use Your Data
We use your data for the following purposes:
- Providing the service: Processing your documents, generating AI responses, storing your conversations
- Authentication: Verifying your identity and securing your account
- Communication: Sending transactional emails, support responses, and (with consent) product updates
- Improvement: Analyzing anonymized usage patterns to improve features
- Legal compliance: Meeting our legal obligations under GDPR and Luxembourg law
4. AI Processing & Training
We do NOT train AI models on your data. Your documents and conversations are never used to train or fine-tune any AI models. This is contractually guaranteed through our enterprise agreement with our AI provider (AWS Bedrock).
When you ask questions about your documents:
- Relevant text chunks are sent to Claude AI (via AWS Bedrock in Frankfurt)
- The AI generates a response based solely on your document content
- No data is retained by the AI provider for training purposes
- All processing occurs within the EU (Frankfurt region)
5. Data Storage & Security
5.1 Where Your Data Lives
- Documents: AWS S3, Frankfurt (eu-central-1)
- Database: Supabase PostgreSQL, EU region
- AI Processing: AWS Bedrock, Frankfurt (eu-central-1)
- Authentication: Clerk, EU region
5.2 Security Measures
- All data encrypted at rest (AES-256)
- All data encrypted in transit (TLS 1.3)
- Role-based access controls
- Regular security audits
- Secure authentication with optional MFA
6. Data Sharing
We do NOT sell your data. We only share data with:
- Service providers: AWS (hosting), Supabase (database), Clerk (authentication), who are contractually bound to protect your data
- Legal requirements: When required by law or valid legal process
7. Your Rights (GDPR)
Under GDPR, you have the right to:
- Access: Request a copy of your personal data
- Rectification: Correct inaccurate personal data
- Erasure: Request deletion of your personal data ("right to be forgotten")
- Portability: Receive your data in a machine-readable format
- Restriction: Request limited processing of your data
- Objection: Object to processing based on legitimate interests
- Withdraw consent: Withdraw consent at any time for marketing communications
To exercise any of these rights, contact us at hello@petros.lu.
8. Data Retention
- Documents: Retained until you delete them or close your account
- Account data: Retained while your account is active, deleted within 30 days of account closure
- Audit logs: Retained for 2 years for compliance purposes
- Waitlist emails: Retained until you unsubscribe
9. Cookies
We use minimal, essential cookies:
- Authentication cookies: To keep you logged in
- Preference cookies: To remember your settings
- Analytics cookies: To understand usage (PostHog, EU-hosted, anonymized)
We do NOT use third-party advertising cookies or trackers.
10. International Transfers
Your data is processed exclusively within the European Union. We do not transfer personal data outside the EU/EEA.
11. Children's Privacy
Petros AI is a B2B service intended for business professionals. We do not knowingly collect data from children under 16. If you believe we have collected such data, please contact us immediately.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes via email or a notice on our website. Continued use of the service after changes constitutes acceptance of the updated policy.
13. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us:
- Email: contact@gda.lu
- Address: 177 Rue de Luxembourg, L-8077 Bertrange, Luxembourg
14. Supervisory Authority
If you are not satisfied with our response to a privacy concern, you have the right to lodge a complaint with the Luxembourg data protection authority:
- CNPD (Commission Nationale pour la Protection des Données)
- Website: https://cnpd.public.lu