Privacy Policy
Last updated: 5 May 2026
This policy explains what personal data Gundur collects, why we collect it, who we share it with, and what rights you have under the EU General Data Protection Regulation (GDPR) and the Dutch implementation thereof (Uitvoeringswet AVG, "UAVG").
Plain-language summary: we collect the minimum we need to run the service. We do not sell your data. We do not run advertising or analytics trackers. We use a handful of well-known providers (Google Firebase, Brevo, Typesense, Google Vertex AI) to host and process data on our behalf. You can ask us to export or delete your data at any time.
1. Who we are (data controller)
The data controller for personal data processed through Gundur is:
- Trading name: Gundur
- Operated by: Pedro Neves, sole proprietorship (eenmanszaak)
- Registered office: The Netherlands
- KvK number: 95247718
- VAT (BTW) number: NL005140265B92
- Privacy contact: privacy@gundur.ai
We have not appointed a Data Protection Officer; our processing does not meet the GDPR Art. 37 thresholds. Privacy requests are handled directly by the controller at the address above.
2. What data we collect
a. Account information
- Email address (required to sign in)
- Display name (optional, shown on the documents you publish)
- Password hash (managed by Firebase Authentication; we never see your plaintext password)
- If you sign in with Google: the Google account email and basic profile information you authorise
- Account preferences (e.g. notification settings)
b. Content you create
- Diagnostic and remedy documents, their titles, body text, categories, tags, and inline media you upload
- Diagnostic trees you assemble and the relationships between documents
- Comments and replies you post
- Likes, reports, and similar engagement actions
c. Technical data
- Server logs containing IP address, user agent, timestamp, and request path. Used for security, debugging, and abuse prevention. Retained for up to 90 days unless an incident requires longer retention.
- Firebase App Check / reCAPTCHA Enterprise signals used to distinguish humans from bots.
d. Communications
- Transactional emails we send you (sign-up confirmation, notifications you opted into, password reset, etc.).
- Any correspondence you send to our support or privacy mailboxes.
We do not knowingly collect special categories of personal data (health, biometric, political opinions, etc.). Please do not upload such data into your documents.
3. Why we process it (purposes and legal bases)
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Providing the service you signed up for (account, documents, trees, search) | Performance of a contract (6(1)(b)) |
| Sending transactional emails (account, notifications you opted into) | Performance of a contract (6(1)(b)) |
| Preventing abuse, fraud, and securing the service (App Check, rate limiting, logs) | Legitimate interest (6(1)(f)) |
| Improving the product based on aggregate usage patterns | Legitimate interest (6(1)(f)) |
| Complying with legal obligations (tax, lawful requests from authorities) | Legal obligation (6(1)(c)) |
| Optional features that require your explicit consent (where applicable) | Consent (6(1)(a)) |
Where we rely on legitimate interest, we have balanced our interest against your privacy rights and concluded that the processing is proportionate. You can object to legitimate-interest-based processing at any time — see "Your rights" below.
4. AI features and your content
Gundur uses AI to help draft and enrich diagnostic content. When you use an AI feature (for example, generating a starter chain or suggesting branches), the relevant prompt — which may include text you have entered — is sent to Google's Vertex AI / Gemini API for inference.
- We do not train any model on your private content.
- Google's Vertex AI API processes the prompt to generate a response and, per the Vertex AI terms in force, does not use your prompts to train Google's foundation models when accessed through the paid API.
- AI-generated suggestions are drafts. You remain responsible for what you publish.
- If you publish a document, its content becomes visible to other users of Gundur subject to our Terms of Service.
5. Who we share data with (processors)
We use the following sub-processors to operate Gundur. Each processes data on our behalf under a data-processing agreement (or equivalent contractual safeguards):
| Provider | Role | Location |
|---|---|---|
| Google Cloud / Firebase (Google Ireland Ltd. for EU customers) | Authentication, Firestore database, Cloud Functions, hosting, App Check | EU and US (multi-region nam5 for Firestore — see §7) |
| Google Vertex AI / Gemini API | AI inference for content suggestions | EU/US regions, per service configuration |
| Brevo (Sendinblue SAS) | Transactional email delivery (SMTP) | France / EU |
| Typesense | Full-text search index over public documents | EU-region cluster |
| Google reCAPTCHA Enterprise | Bot detection via App Check | Global Google infrastructure |
We do not sell personal data and do not share it with third parties for advertising or marketing.
6. International transfers
Some of our processors (notably Google) are headquartered outside the EU and may transfer data to the United States. Where personal data is transferred outside the European Economic Area, we rely on:
- The EU–US Data Privacy Framework (DPF) where the recipient is certified (Google is DPF-certified), and/or
- Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented where appropriate by additional technical and organisational measures.
7. Where your data is stored
Firestore — our primary database — is currently hosted in Google's nam5 multi-region (North America). We selected this configuration during early development; we plan to evaluate a move to a European multi-region for future deployments. If you have specific data-residency requirements, contact us before signing up.
8. Retention
- Account data: retained while your account exists. Deleted within 30 days of account deletion, except where law requires longer retention (e.g. tax records).
- Published content: if your content has been forked, referenced, or linked into others' diagnostic trees, the rendered text may remain in those trees after you delete your account, anonymised from your identity. You can request narrower scrubbing by emailing privacy@gundur.ai.
- Server logs: up to 90 days, longer if needed for an active security incident or legal claim.
- Email correspondence: retained for up to 24 months for support continuity, then deleted.
- Backups: automated database backups roll over within 30 days; deleted data persists in backups for up to that window before being overwritten.
9. Your rights (GDPR)
As a data subject in the EU, you have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — correct inaccurate or incomplete data.
- Erasure ("right to be forgotten") — delete your account and associated personal data, subject to the retention exceptions above.
- Restriction — limit how we process your data in certain circumstances.
- Portability — receive your data in a structured, commonly used, machine-readable format.
- Objection — object to processing based on legitimate interest.
- Withdraw consent — where we relied on consent, you can withdraw it at any time without affecting prior lawful processing.
- Lodge a complaint with the Dutch supervisory authority, the Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl), or your local EU supervisory authority.
To exercise any of these rights, email privacy@gundur.ai. We will respond within 30 days. We may need to verify your identity before we act on a request.
10. Security
We take reasonable technical and organisational measures to protect your data — encrypted transport (TLS), encrypted storage at rest via our cloud providers, principle-of-least-privilege access controls, App Check enforcement on backend endpoints, and audit logging. No system is perfectly secure; if a breach occurs that affects your rights and freedoms, we will notify you and the Autoriteit Persoonsgegevens as required by GDPR Art. 33–34.
11. Children
Gundur is not directed at children. The minimum age to use Gundur is 16, which matches the digital-services consent age that applies in the Netherlands under Article 8 GDPR and the Dutch UAVG. If you believe a child has created an account, contact us and we will delete it.
12. Cookies
See our Cookie Policy for details on what we store in your browser and why.
13. Automated decision-making
We do not make decisions about you based solely on automated processing that produce legal or similarly significant effects (GDPR Art. 22). AI-generated content suggestions are not decisions about you.
14. Changes to this policy
If we change this policy materially, we will update the "Last updated" date above and, where the change affects your rights, notify you by email or an in-product banner before it takes effect.
15. Contact
For any privacy question, request, or complaint, email privacy@gundur.ai.
Gundur — sole proprietorship (eenmanszaak) operated by Pedro Neves, registered in the Netherlands. KvK 95247718 · VAT NL005140265B92.