Privacy Policy

Last updated: March 12, 2026. This policy explains how s4p collects, uses, stores, shares, and protects personal data across its public website, sign-in flow, customer support, payment operations, and AI-assisted product features.

Read this policy together with our Terms of Use and Cookie Policy. If your organization has signed a data processing agreement, enterprise order form, or other negotiated contract with s4p, that agreement prevails where it expressly overrides this public notice.

1. Controller, Scope, and Roles

The service is operated by s4p OÜ, an Estonian company. For privacy requests, complaints, or formal data-protection inquiries, contact support@s4p.eu.

For direct consumer and standard business accounts, s4p acts as the data controller because it determines the purposes and means of processing for account administration, website operations, support, billing, and security.

For certain enterprise deployments, managed workspaces, or bespoke service configurations, s4p may act as a processor under customer instructions and a separate DPA.

This notice covers public pages, sign-up and sign-in, account administration, AI features, payment and invoice flows, security operations, and support communications. It does not replace privacy notices issued by third-party providers whose services you access separately through s4p.

2. Categories of Personal Data

  • Identity and account data: email address, username, hashed password, verification status, user role, and account lifecycle metadata.
  • Authentication and device-security data: session identifiers, CSRF token, sign-in timestamps, security-key metadata, and related audit timestamps.
  • Usage and technical telemetry: IP address, browser/user-agent, route access logs, error logs, rate-limit or abuse indicators, and device/session characteristics needed for safe operation.
  • Workspace and AI-submitted content: prompts, uploaded files, generated outputs, saved workspace artifacts, and related operational metadata such as model selection, token usage, and latency.
  • Billing and commercial data: order identifiers, invoices, transaction references, plan history, country, business or VAT fields you provide, and limited dispute-support records.
  • Support and communications data: contact forms, emails, support tickets, meeting notes, and service-related correspondence.
  • Legal acceptance and consent records: the current versions of the Terms of Use and Privacy Policy accepted during sign-in or registration, together with timestamps and method metadata, plus cookie-consent choices stored in the browser.

Please do not submit special-category data, government identifiers, confidential third-party datasets, or other highly sensitive information unless you have a documented lawful basis and a service configuration that permits that processing.

3. Purposes and GDPR Legal Bases

  • Contract performance, GDPR Article 6(1)(b): account creation, authentication, service delivery, responding to product requests, and administering your plan.
  • Legal obligations, GDPR Article 6(1)(c): invoicing, statutory accounting, tax compliance, lawful requests from authorities, and mandatory record retention.
  • Legitimate interests, GDPR Article 6(1)(f): service security, abuse prevention, debugging, platform resilience, fraud management, enforcing contracts, and defending or establishing legal claims.
  • Consent, GDPR Article 6(1)(a): optional analytics cookies and any other optional tracking or outreach that is clearly presented as consent-based.

We do not rely on consent for security-critical technologies that are strictly necessary to provide safe account access, protect sessions, prevent CSRF attacks, or store your cookie preferences.

Where legitimate interests apply, s4p aims to use proportionate controls, data minimization, and access restrictions so that business interests do not override your fundamental rights and freedoms.

4. AI Features, Human Review, and Automated Decisions

AI requests may be processed through s4p-managed infrastructure and external model providers selected to deliver the feature you invoke. We keep technical metadata such as provider name, model, token usage, latency, failure state, and abuse indicators to operate and secure the service.

Unless we expressly state otherwise in a product-specific notice or negotiated contract, s4p does not use customer content to train public or shared foundation models. For free or trial environments, limited internal review of prompts and outputs may occur to improve safety filters, evaluations, prompt templates, abuse detection, reliability, and product quality, using minimization and need-to-know access controls.

For Pro and Enterprise services, prompts, outputs, and workspace content are handled under heightened confidentiality controls and are not reused for generalized model training, except where necessary to deliver the service, investigate defects or misuse, comply with law, or where the customer separately authorizes that use.

s4p positions its AI functionality as assistive tooling. We do not intend this service to be used as a fully autonomous decision-maker for legal, employment, health, financial, credit, safety-critical, or similarly high-impact decisions without meaningful human review.

We do not currently make solely automated decisions that produce legal or similarly significant effects about you in the ordinary course of the public service without a separate notice or contractual framework.

5. Processors, Recipients, and International Transfers

We do not sell personal data. We disclose personal data only where reasonably necessary to operate s4p, comply with law, protect rights, or deliver a feature you request.

  • Hosting, infrastructure, logging, and security vendors.
  • Payment processors and related anti-fraud or billing providers.
  • Transactional email and customer-support tooling.
  • AI model or API providers needed to execute requested AI features.
  • Professional advisers, insurers, auditors, and authorities where legally required.

s4p expects processors to handle data only on documented instructions, subject to confidentiality, technical and organizational security obligations, and GDPR-compliant contractual protections. A current subprocessor list may be provided on request where appropriate.

Some providers may process data outside the EEA, including in the United States. Where that occurs, s4p relies on GDPR Chapter V transfer mechanisms such as adequacy decisions, Standard Contractual Clauses, and supplementary safeguards where required.

6. Retention, Deletion, and Legal-Hold Rules

  • Account and contract data: retained while the account is active and for a limited post-closure period needed for restoration requests, fraud analysis, disputes, and limitation periods.
  • Authentication and security logs: typically retained for short to medium operational windows, often between 30 and 180 days, unless longer preservation is necessary for active incidents, abuse review, or legal defense.
  • Support records: usually retained for up to 24 months after the matter closes, unless a longer period is needed for an ongoing relationship or claim.
  • Invoices and tax/accounting records: retained for the periods required by applicable Estonian and EU accounting or tax rules, commonly up to 7 years.
  • Legal acceptance evidence: retained for the life of the account and afterward for the period reasonably required to prove contractual assent, manage disputes, and comply with record-keeping duties.
  • Cookie preferences: stored in your browser until you change them, clear local storage, or reset your browser profile.

We may delay deletion where data is subject to legal hold, payment disputes, unresolved fraud review, backup-cycle constraints, or a verified security investigation. Once retention is no longer justified, we delete or anonymize the data where reasonably feasible.

7. Data Subject Rights and Complaints

Subject to GDPR conditions and applicable exemptions, you may request access, rectification, erasure, restriction, objection, portability, and withdrawal of consent for consent-based processing.

We may ask for reasonable identity verification before disclosing or deleting data, especially where the request concerns authenticated account content or third-party information.

Requests should be sent to support@s4p.eu. We generally aim to respond within one month unless the request is unusually complex or numerous, in which case an extension permitted by law may apply.

You also have the right to lodge a complaint with the Estonian Data Protection Inspectorate (AKI): aki.ee/en.

8. Security, Confidentiality, and Incident Management

  • Transport encryption, secure-cookie settings, and CSRF protections for authenticated operations.
  • Role-based permissions, least-privilege access, and authentication controls including optional passkeys.
  • Logging, monitoring, rate controls, and abuse-detection workflows to protect the platform.
  • Controlled access to support, billing, and operational tools on a need-to-know basis.
  • Backups, recovery procedures, and change-management intended to reduce integrity and availability risks.

No internet service can be guaranteed completely secure. s4p therefore aims to reduce both the likelihood and impact of incidents through layered organizational and technical safeguards consistent with GDPR Article 32 principles.

If we confirm a personal-data breach, we follow containment, remediation, internal escalation, and notification processes, including GDPR Articles 33 and 34 where the legal threshold is met.

9. Children, Sensitive Data, and High-Risk Use Cases

s4p is not directed to children and is intended for users who can lawfully enter into a binding service contract. If we become aware that personal data was collected without valid authority, we will take steps to delete it.

You must not upload special-category personal data, medical data, legal files, confidential corporate materials, trade secrets, passwords, payment card data, or third-party personal data unless you have a documented lawful basis, proper authority, and a workflow that is appropriate for that material.

AI outputs may be incomplete, inaccurate, or biased. Human review remains mandatory before using the service for legal, HR, medical, financial, credit, security, safety, or other high-stakes matters.

10. Contact, Changes, and Versioning

Privacy contact: support@s4p.eu

We may update this policy when the service, subprocessors, legal requirements, or security controls change. Material changes are reflected with a revised date on this page, and we may require renewed legal acknowledgement during sign-in when the updated legal version becomes applicable.

This policy is drafted to explain s4p data practices transparently. It is not legal advice for your own organization or your independent compliance obligations.