Privacy Policy

Section 01

1. Data Controller Identification and Scope

Akui Solutions S.L. ("Akui", "we") is the entity responsible for the ConsulPoint platform, a B2B SaaS solution for organizational intelligence, process automation, document management, AI assistants, agents, and collaborative workspaces. This Policy explains in detail how personal and business data processed in ConsulPoint is collected, used, stored, shared, and protected, including data flows from integrations with Google APIs, Meta APIs, Microsoft APIs, Salesforce APIs, HubSpot APIs, Slack APIs, Telegram APIs, , Anthropic APIs, and OpenAI APIs, as well as the hosting and data infrastructure provided by OVHcloud, when the user or client organization explicitly authorizes such connection or deployment. When ConsulPoint acts on behalf of a client organization, Akui operates as a data processor in accordance with Article 28 of the GDPR. In these scenarios, the client organization assumes the role of data controller regarding the data of its users, employees, clients, suppliers, or other data subjects. For any privacy-related inquiries, the official contact is privacy@akui.solutions.

Section 02

2. Data Protection Principles

ConsulPoint is governed by the following fundamental data protection principles: Lawfulness, fairness, and transparency — we inform clearly and unambiguously about what data is processed, through what technical means it is obtained, and for what exact purpose. Purpose limitation — data is used solely and exclusively to provide, secure, maintain, and optimize the operational functionalities contracted within the platform. Data minimization — we request and process only the strictly necessary data for the correct deployment of the features configured by the user. Confidentiality and security — we implement rigorous technical and organizational controls to safeguard data integrity both in transit and at rest. Client control — we provide self-management tools so the organization can manage its users, permissions, workspaces, integrations, and internal retention policies. European residency and sovereignty — we prioritize the use of storage and processing infrastructure located in the European Union or the European Economic Area (EEA), safeguarding data sovereignty against unregulated transfers through the use of European infrastructure providers.

Section 03

3. Data ConsulPoint May Process

ConsulPoint may process the following data categories depending on the features activated by the organization:

Section 04

4. Specific Use of API and Corporate Service Data

When an organization or user proactively links third-party services to ConsulPoint, the platform requests only the minimum essential permission scopes under secure OAuth environments or authorized cryptographic tokens. Akui commits to strict compliance with Google, Meta, Microsoft, Salesforce, HubSpot, Slack, Telegram, Anthropic, and OpenAI policies. The following mandatory restrictions apply:

Section 05

5. Processing Purposes

Data collected by ConsulPoint is processed for the following legitimate purposes: (1) Provision, technical maintenance, and security of user accounts and segregated corporate workspaces on the platform. (2) Execution of conceptual searches, text summaries, internal knowledge base indexing, advanced workflow automation, and interconnection through software agents and advanced language models. (3) Technical integration and secure processing of information flows from Google Workspace, Meta conversational infrastructure, Microsoft 365 Cloud environment, CRM suites Salesforce and HubSpot, collaboration tools Slack, corporate messaging Telegram, and Anthropic's advanced AI pipeline. (4) Technical support for operational incidents, proactive monitoring against fraud or unauthorized access, and ensuring the logical integrity of the system. (5) Internal administrative management, consumption billing, token quota control, Service Level Agreement (SLA) compliance, and fiscal obligations.

Section 06

6. Legal Bases

The legal basis for processing data in ConsulPoint depends on the specific context of the processing, grounded in: the execution of a contract or adoption of pre-contractual measures with the client organization; the explicit consent given by the end user when authorizing OAuth integrations, AI tokens, or specific API scopes; the legitimate interest of Akui in protecting software security, preventing fraud, ensuring environmental stability, and optimizing technical infrastructure; strict compliance with mandatory legal obligations; and adherence to the instructions duly documented in the Data Processing Agreement signed with the corporate client.

Section 07

7. Artificial Intelligence, Anthropic, OpenAI, and No-Training Commitment

ConsulPoint natively and integrally implements advanced Artificial Intelligence models — preferentially using the Claude commercial model family by Anthropic, PBC, and GPT models by OpenAI (OpenAI OpCo, LLC) — to respond to user requests for semantic processing, document generation, advanced conceptual searches, and autonomous agent orchestration. Akui maintains an unwavering technological commitment with its key providers: no client content, submitted prompt, generated output, vector embedding, or data from connected APIs is used to train foundational or commercial models. Calls directed to Anthropic's and OpenAI's APIs are bound by their respective commercial use policies, which explicitly stipulate that client data is not retained for public service improvement or used in AI calibration tasks without individualized affirmative consent from the responsible party. Users are advised that responses generated by AI systems may contain inaccuracies or technical biases. It is the client organization's responsibility to critically validate outputs before using them as the basis for high-impact corporate operational decisions.

Section 08

8. Data Sharing, Sub-processors, and Infrastructure Sovereignty with OVHcloud

Akui Solutions S.L. only shares or delegates data access to third-party sub-processors when it is technically essential to deploy the ConsulPoint service. As a strategic pillar of sovereignty and regulatory compliance, Akui has selected OVHcloud (OVH Hispano / OVH Groupe SAS) as its primary provider of cloud infrastructure, dedicated servers, persistent storage, logical networks, and managed databases. All our sub-processors, critically including OVHcloud, Anthropic, and OpenAI (for delegated API services), are bound by formalized data processing agreements containing obligations identical to or greater than those set forth in this policy, requiring full GDPR compliance, maintenance of strict security audits, and an absolute prohibition on commercializing business data.

Section 09

9. International Transfers, Residency, and European Sovereignty

By architectural and engineering design, ConsulPoint guarantees data sovereignty and strict European residency through the use of OVHcloud data centers located within the European Union (primarily in regions of France, Germany, and Spain). All persistence of client databases, audit logs, file storage, and vector embeddings of ConsulPoint is strictly carried out in these isolated European OVHcloud regions. In those exceptional cases where the invocation of an advanced AI model through Anthropic's commercial API requires temporary processing, data is transmitted in ephemeral encrypted form under agreements covered by Standard Contractual Clauses (SCCs) of the European Commission or under specific EU data isolation configurations formally contracted to protect the information flow against unregulated cross-border transfers.

Section 10

10. Security

To repel physical, logical, and operational threats, Akui continuously applies the following advanced security measures: (1) Robust cryptographic encryption of all communications in transit (TLS 1.3) and secure storage of data at rest using industry-validated algorithms (AES-256) deployed on secure storage arrays and OVHcloud dedicated servers. (2) Strict access control architecture, based on granular role assignment, verified identities, and strict logical isolation per workspace and client organization, preventing cross-tenant leaks (multi-tenant isolation). (3) Complete traceability through audited logging of relevant events, administrative access, API calls, and critical system actions protected in immutable log environments. (4) Secured secrets management and OAuth tokens via corporate Key Vaults with severely restricted access under the principle of least privilege. (5) Advanced network-level anti-DDoS mitigation systems natively provided by OVHcloud's perimeter infrastructure, ensuring high availability, resilience, and isolation against denial-of-service attacks.

Section 11

11. Retention, Deletion, and Access Revocation

Data is retained only for the strictly necessary period to fulfill the service purposes, execute the current commercial agreement, or respond to legal obligations and normative liability limitation periods. The client organization retains full authority to request complete export or definitive deletion of its data from OVHcloud servers at any time. The user or system administrator can immediately withdraw or revoke credentials, API keys (such as Anthropic's), and access granted to ConsulPoint through the platform's integrations panel or directly from the associated platforms (Google Workspace console, Meta Business Suite, Microsoft Entra ID, Salesforce AppExchange, HubSpot Connected Apps, Slack App Directory, or Telegram security settings). Once authorization is revoked, ConsulPoint will immediately halt any access attempts. Historical deletion requests sent to privacy@akui.solutions are executed within a maximum of 72 business hours, securely purging the associated physical disks and instances.

Section 12

12. Data Subject Rights

Natural persons whose data is processed in ConsulPoint have the legal right to exercise their rights of access, rectification, erasure (right to be forgotten), objection, restriction of processing, data portability, and withdrawal of previously granted consents. These rights can be exercised by sending a formal communication accompanied by an identity verification document to privacy@akui.solutions. In cases where Akui acts strictly as a data processor on behalf of an organization, the request will be forwarded to the data controller (the corporate client) for resolution in accordance with the law. Data subjects also have the right to lodge a formal complaint with the competent supervisory authority (in Spain, the Spanish Data Protection Agency — AEPD).

Section 13

13. Business Confidentiality

Akui Solutions S.L. assumes a binding confidentiality obligation regarding all non-public information belonging to its corporate clients or individual users. This includes integrated source code, operational know-how, business strategies, user prompts, Anthropic model outputs, structured files, and communications from connected external platforms. This confidential information is protected and may only be disclosed with prior consent or by virtue of a binding legal requirement issued by a competent authority.

Section 14

14. Trademark Use and Partner and Infrastructure References

Any reference to logos, trade names, or registered trademarks of the following companies is made exclusively for informational purposes to describe technical integrations, and does not imply sponsorship, official certification, or corporate association with Akui Solutions S.L.

• Google and Gmail are trademarks of Google LLC.
• Meta and WhatsApp are trademarks of Meta Platforms, Inc.
• Microsoft, Teams, and Outlook are trademarks of Microsoft Corporation.
• Salesforce is a trademark of Salesforce, Inc.
• HubSpot is a trademark of HubSpot, Inc.
• Slack is a trademark of Slack Technologies, Inc.
• Telegram is a trademark of Telegram FZ-LLC.
• Anthropic, Claude, and their logos are trademarks of Anthropic, PBC.
• OpenAI, ChatGPT, and their logos are trademarks of OpenAI OpCo, LLC.
• OVHcloud, OVH, and their logos are registered trademarks of OVH Groupe SAS.

Section 15

15. Changes to This Policy

Akui reserves the right to update, modify, or amend the terms of this privacy policy to reflect technological innovations, legal adaptations, or operational changes in data processing. In the event that a modification introduces material or substantial changes to how personal data or information from integrated APIs and services (Google, Meta, Microsoft, Salesforce, HubSpot, Slack, Telegram, Anthropic, or OVHcloud infrastructure) is processed, organizations will be notified with reasonable advance notice, and, if legally required, the user consent capture process will be reactivated before the new policies take effect.

Section 16

16. Summary Statement for Verification Processes (App Review, OAuth Marketplaces & Data Governance)

Section 17

17. Annex: Suggested Contractual Clause for Enterprise Clients

Akui Solutions S.L., as provider of the ConsulPoint technology solution, formally undertakes to process data supplied by the End Client solely for the strict provision, operational maintenance, security deployment, authorized technical support, and infrastructure optimization of the contracted platform, all in strict compliance with the GDPR, LOPDGDD, and the clauses established in the applicable Data Processing Agreement. Data provided by the End Client, including but not limited to data and information extracted from Google APIs, Meta APIs, Microsoft APIs, Salesforce APIs, HubSpot APIs, Slack APIs, Telegram APIs, prompts and inputs sent to Anthropic and OpenAI APIs, generated responses, attached documents, vector embeddings, and their associated logical metadata, will be persistently hosted in OVHcloud's sovereign European infrastructure and will not be commercialized, sold, leased, used for advertising impacts, transferred to data intermediaries, or used under any circumstances for training or improving Akui's or third-party artificial intelligence models, except under an explicit, prior, documented, and legally structured mandate from the End Client. Akui Solutions S.L. will continuously implement advanced logical security measures, strict confidentiality controls, perimeter anti-DDoS mitigation, the principle of least privilege in technical access, traceability auditing, and data residency in the European space, providing appropriate legal safeguards for any indispensable international transfer.

Section 18

18. Regulatory and Third-Party References Used as Basis

This policy is based on Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR); Spanish Organic Law 3/2018 on Personal Data Protection and guarantee of digital rights (LOPDGDD); Google API Services User Data Policy, including transparency, least privilege, Limited Use Core Principles, and Secure Data Handling requirements; Meta Platform Terms and Developer Policies; Microsoft APIs Terms of Use and Microsoft Graph Data Connect policies; Salesforce Developer Terms and HubSpot API Terms of Use; Slack API Terms of Service and Telegram API/Bot Terms of Service; Anthropic Commercial Terms and Data Processing Addendum (DPA); OpenAI Terms of Use and Enterprise Privacy Policy, including corporate governance for commercial APIs, prompt zero-retention, and prohibition of Claude LLM training; OVHcloud Data Protection Agreement (DPA) and cloud sovereignty policies; Google Partner Marketing Hub - Terms for using Google Brand Features; and the initial ConsulPoint technical documentation focused on integrations and unified OAuth verification.