Privacy Policy

What we collect

Website visitors: We collect anonymized usage data through Plausible Analytics — a privacy-first, cookie-free analytics tool. No personal data is collected from website visitors. No cookies are set. No cross-site tracking occurs.

Schema audit requests: When you submit a schema audit request, we collect your name, email address, company name, and any documents or information you voluntarily provide. This data is used solely to evaluate your request and respond to you.

Platform users: For authenticated platform users, we process: name, email address, organization affiliation, and activity logs necessary for service delivery, audit trails, and security monitoring.

MCP connector data: We process the files, queries, and schemas your AI agent sends to our tools only to perform requested operations against your isolated Talonic workspace. Data is stored at app.talonic.com, never used for AI training, never shared.

ChatGPT App (OpenAI Apps SDK)

Talonic is available as an app inside ChatGPT via the OpenAI Apps SDK. When you invoke Talonic from ChatGPT, the following applies:

Data in the request path: When you use the Talonic app in ChatGPT, OpenAI transmits the inputs you direct to Talonic (the files, document references, queries, and schema parameters your prompt provides) to the Talonic MCP server so we can perform the requested operation against your isolated Talonic workspace. OpenAI acts as the channel through which these requests reach us; OpenAI's handling of your ChatGPT conversation is governed by OpenAI's own privacy policy.

Purpose: We process this data solely to execute the document operation you requested (for example, extracting structured data, converting to markdown, or running a schema) and to return the result to you in ChatGPT. We do not use it for any other purpose.

Recipients: Inputs are processed by Talonic GmbH and our infrastructure sub-processors (listed below). OpenAI is a recipient only insofar as it relays your request to Talonic and delivers our response back to your ChatGPT session.

Data minimization: Talonic's tools request only the minimum information required to perform the function you invoke. We do not request broad profile data, and we do not collect data "just in case."

Restricted data: Talonic does not request or knowingly collect payment card information, protected health information, government identifiers (such as social security numbers), or authentication secrets (such as API keys, passwords, or one-time codes) through the ChatGPT app. Do not submit such data through the app.

No training, no profiling: Content you send through the Talonic app is never used to train AI models, and we do not use it for surveillance, behavioral profiling, or advertising. We do not pull, reconstruct, or infer your wider ChatGPT chat history; we receive only the inputs your prompt directs to Talonic.

Retention and deletion: Inputs and outputs are stored in your isolated workspace at app.talonic.com under the retention terms described in "Data retention" below. You can request deletion of your data at any time by contacting info@talonic.ai.

Legal basis

We process personal data under the following legal bases per GDPR Article 6:

• Contract performance (Art. 6(1)(b)) — Processing necessary to deliver the Talonic platform and respond to schema audit requests.
• Legitimate interest (Art. 6(1)(f)) — Security monitoring, fraud prevention, and service improvement.
• Legal obligation (Art. 6(1)(c)) — Tax and accounting requirements, regulatory compliance.

Data retention

Schema audit request data is retained for the duration of the business relationship plus 12 months, unless a longer retention period is required by law. Platform activity logs are retained for 24 months. Anonymized analytics data is retained indefinitely.

You may request deletion of your personal data at any time by contacting info@talonic.ai.

Third-party processors and sub-processors

Talonic uses the following third-party services to deliver the platform:

• Microsoft Azure (Germany West Central) — Infrastructure hosting, compute, and storage. All data remains within EU boundaries.
• Mistral AI (via Azure AI Foundry) — Large language model inference for document extraction. Accessed through Azure's EU infrastructure; no data is sent to Mistral directly.
• Plausible Analytics (EU-hosted) — Privacy-first website analytics. No personal data is collected. No cookies are used. Fully GDPR-compliant without a cookie banner.
• Vercel (Edge network) — Website hosting and delivery. Static assets served from edge; no personal data is processed by Vercel.

A complete sub-processor list is included in our Data Processing Agreement, available on request.

Data subject rights

Under the GDPR, you have the right to:

• Access — Request a copy of the personal data we hold about you.
• Rectification — Request correction of inaccurate or incomplete personal data.
• Erasure — Request deletion of your personal data where there is no compelling reason for continued processing.
• Restriction — Request restriction of processing in certain circumstances.
• Data portability — Receive your personal data in a structured, machine-readable format.
• Objection — Object to processing based on legitimate interest.

To exercise any of these rights, contact info@talonic.ai. We will respond within 30 days.

Data Processing Agreement

A GDPR-compliant Data Processing Agreement (DPA) is available for enterprise customers and covers: sub-processor list, data subject rights procedures, breach notification timelines, technical and organizational measures, and cross-border transfer mechanisms.

Request a DPA at info@talonic.ai.

Contact for data requests

For all privacy-related inquiries, data subject requests, or DPA requests:
info@talonic.ai

You also have the right to lodge a complaint with the Berlin Commissioner for Data Protection and Freedom of Information (Berliner Beauftragte für Datenschutz und Informationsfreiheit).