Privacy Policy

At Cension AB, we prioritize your online privacy and are committed to protecting the Personal Data that you share with us.

1. Introduction

This Privacy Policy explains how Cension AB (“Cension”, “we”, “us”, or “our”) collects, uses, maintains, and discloses information from users (“you”, “your”) of our website, platform, and related services (collectively, the “Service”).

Cension is a Swedish company registered under Organization Number 559470-4768, with its seat at Rådmansgatan 80A, 113 60 Stockholm, Sweden. We provide an AI-powered platform for product metadata enrichment, automation, and related analytical tools. We process Personal Data in accordance with applicable data-protection laws, including the EU and UK General Data Protection Regulation (GDPR), the Swiss Federal Act on Data Protection (FADP), and applicable U.S. state privacy statutes (including the CCPA/CPRA) in force during the Term. We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal obligations.

By using the Service, you acknowledge this Privacy Policy. For any inquiries or concerns regarding this Privacy Policy or your Personal Data, please contact us at hello@cension.ai.

1.2 Definitions

In this Privacy Policy, the following terms have the meanings set out below. Capitalized terms not otherwise defined here have the meanings given to them in our Terms & Conditions or Data Processing Addendum (DPA).

• “Personal Data”: Any information relating to an identified or identifiable natural person, as defined under applicable data-protection laws.
• “Customer Content”: Data that you or your authorized users upload, generate, or transmit through the Service, including datasets, catalog records, product metadata, files, prompts, prompt rules, configurations, annotations, and edits.
• “Content”: Your Input (Customer Content you provide to the Service) and Output (AI-generated outputs, enrichments, derived metadata, and rankings the Service produces from your Input). Content is licensed to Cension under Section 3.1 of our Terms & Conditions to provide, maintain, develop, and improve the Service.
• “Account Profile Data”: Your name, email address, hashed password, billing information, and similar personal identifiers associated with your Cension account. Account Profile Data is distinct from Content and is not used to develop or improve the Service.
• “Service Data”: Any data relating to the use, support, operation, or security of the Service, collected directly or indirectly by Cension for its own purposes — including application logs, request timings, error traces, model and provider selections, input and output token counts, credit accounting, and similar operational, diagnostic, and telemetry signals. Service Data may contain Personal Data; where it does, such Personal Data is processed by Cension as an independent controller on the basis of its legitimate interests, as further described in Section 11.3 and in our DPA.

2. Information Collection and Usage

In this section, we outline the types of data Cension AB collects, our methods of data collection, the purposes for collecting this data, and how we address user consent and control.

2.1 Types of Data Collected

Cension AB collects a range of information to effectively provide and enhance our services:

• Personal Identification Information: Including names, email addresses, phone numbers, and postal addresses for communication and personalization of services.
• Usage and Technical Data: Information about how you interact with our services, such as IP addresses, browser types, page visits, and duration of visits, crucial for service optimization and security.
• Financial Information: Details related to financial transactions processed securely for billing and payment purposes.

2.2 Methods of Data Collection

We collect data through various methods to enhance our service offerings:

• Direct User Inputs: Information such as your name, email address, and content of your communications is collected when you register for our services, subscribe to our newsletter, or contact us for support.
• Automated Data Collection: Our website uses cookies and tracking technologies to understand your preferences and your interactions with our service. For detailed information, please refer to our Cookie Policy.
• Federated Sign-In: If you choose to sign in to the Service via a federated identity provider (for example, Sign-in with Google), we receive the basic profile information that provider returns to us for authentication purposes, such as your name, email address, and profile picture.

2.3 Purpose of Data Collection

The data collected by Cension AB is used for several key purposes:

• Service Provision: Facilitating the delivery and maintenance of our services, including customer support and administrative tasks.
• Service Improvement: Analyzing service usage to implement improvements, develop new features, and maintain the performance and reliability of the Service.
• Legal and Business Compliance: Adhering to legal obligations and enhancing our business strategies and operations.

2.4 User Consent and Control

Respecting user autonomy is a cornerstone of our data practices:

• Opt-in/Opt-out Options: We provide clear choices regarding marketing communications and the use of cookies, respecting your data preferences.
• Our use of Content: Cension may use the Content you provide to and generate within the Service — meaning your Input (e.g., imported datasets, catalog records, prompts, prompt rules, edits, annotations, configurations) and Output (e.g., AI-generated enrichments, derived metadata, rankings) — to provide, maintain, develop, and improve the Service, as licensed under Section 3.1 of our Terms & Conditions. Cension does not use your Account Profile Data (name, email address, password, billing information) to develop or improve the Service. You may submit a written objection to our use of your Content to develop or improve the Service by emailing hello@cension.ai from the administrative contact on your account; Cension will action valid objections within a reasonable time. Customer Content transmitted to third-party foundation-model or other AI providers strictly to generate outputs you have requested is processed by those providers under their standard API terms, under which API inputs and outputs are not used to train those providers’ generally-available models. The current list of such providers is published at /sub-processors.
• Data Access and Management: In accordance with data protection laws, you have the right to access, update, or request the deletion of your personal data.

2.5 Legal Bases for Processing

Cension processes Personal Data only where a valid legal basis applies under applicable data-protection laws:

• Performance of a contract: to provide, maintain, and support the Service you have requested under our Terms & Conditions or any other agreement with you.
• Legitimate interests: to secure the Service, prevent fraud and abuse, generate aggregate analytics, develop and improve the Service, and deliver administrative and billing communications, where these interests are not outweighed by your privacy rights.
• Consent: for non-essential cookies, marketing communications, and any other processing that requires consent under applicable law. You may withdraw consent at any time, without affecting the lawfulness of prior processing.
• Legal obligations: to comply with bookkeeping rules, tax and export-control obligations, court orders, and other legal duties.
• Vital interests: in rare cases, to protect the vital interests of an individual, for example in response to a medical emergency.

Cension does not engage in automated decision-making that produces legal or similarly significant effects on individuals within the meaning of GDPR Article 22.

3. Data Sharing, Disclosure, and Third-Party Interactions

In this section of our privacy policy, we detail how Cension AB handles the sharing and disclosure of your personal data and our interactions with third-party services.

3.1 Data Sharing and Disclosure

Cension AB shares and discloses information under certain circumstances to facilitate our services, comply with legal obligations, and enhance our business operations:

• With Service Providers: We share data with cloud hosting providers, payment processors, and customer support services under strict data protection agreements.
• Legal and Regulatory Compliance: In cases of legal requests by authorities, we disclose data as required by law.

3.2 Data Processing Addendum (DPA)

For customers requiring a formal framework for GDPR compliance, our current Data Processing Addendum (DPA) is published as a PDF on our website. Any customer may execute a countersigned DPA by contacting hello@cension.ai; once signed, the DPA controls over these Terms and this Privacy Policy to the extent of any conflict. A list of the external sub-processors that receive Customer Data is available at /sub-processors.

3.3 Third-Party Services and Safeguards

Third parties that process Customer Personal Data on our behalf — including cloud infrastructure providers, foundation-model and AI providers, payment processors, analytics services, and communications providers — are contractually bound to data-protection obligations substantially equivalent to those set out in our DPA. The current list of these sub-processors is maintained at /sub-processors. Where you elect to connect the Service to a third-party integration or external website, your interaction with that third party is governed by that party’s own privacy policy and terms, and you should review them before providing Personal Data.

4. Data Security and Storage

Cension AB’s approach to data security and storage is comprehensive, ensuring the utmost protection of your personal data.

4.1 Data Security Measures

Cension maintains administrative, physical, technical, and organizational security measures appropriate to the risk of the processing. These include industry-standard encryption in transit and at rest, role-based access controls, network-level access restrictions for production systems, and structured audit logging. Detailed technical and organizational measures — including controls currently in active development — are set out in Annex 2 of our published DPA.

4.2 Data Storage and Processing Locations

Your data is stored and processed in secure facilities. We ensure:

• Compliance with international data protection regulations, particularly GDPR for users in the EEA.
• Data storage in jurisdictions that offer robust data protection.

4.3 International Data Transfer

Our primary application infrastructure, databases, and file storage are hosted within the European Union at an enterprise cloud provider. However, Customer Content may be transmitted outside the European Economic Area — typically to the United States — when it is processed by third-party sub-processors (for example, foundation-model and embedding providers) or when you enable features that integrate with search, media, or community platforms operated outside the EEA. The current list of sub-processors, together with their category, region, and transfer mechanism, is published at /sub-processors.

Such transfers rely on the following mechanisms:

• The EU–US Data Privacy Framework (DPF), where the recipient is DPF-certified.
• The EU Standard Contractual Clauses (SCCs) Module 2 (Controller-to-Processor), for recipients not covered by an adequacy decision.
• The UK International Data Transfer Addendum issued by the UK ICO, or the Swiss FADP adaptations, where UK or Swiss personal data is involved.

The complete list of sub-processors, their categories, and the regions in which they operate is maintained at /sub-processors.

4.4 Data Retention Policy

Our approach to data retention is governed by the principle of holding data only as long as necessary:

• Retention periods are determined based on the purpose of data collection and legal requirements.
• Upon expiration of the retention period, data is securely deleted or anonymized.

We regularly review our data retention policies to ensure compliance with current laws and best practices.

4.5 User Rights and Communication

We recognize and respect your rights concerning your personal data:

• Users have the right to access, rectify, or request deletion of their personal data.
• Users can exercise their rights by contacting our privacy contact at hello@cension.ai. We aim to respond to verified requests within the period required by applicable data-protection law (typically thirty (30) days) and will notify you if we need additional time as permitted by law.

Regular updates are made to our privacy policy to reflect changes in practices or legal standards.

5. User Rights and Personal Data Management

This section focuses on the rights that users have concerning their personal data and how they can exercise these rights.

• Access and Control: Users have the right to access the personal data that Cension AB holds about them and control its use.
• Rectification: Users can request the correction of inaccurate or incomplete data.
• Data Portability: Users have the right to receive a copy of their data in a structured, commonly used format.
• Consent Withdrawal: Where processing is based on consent, users have the right to withdraw consent at any time.

Cension AB is committed to honoring these rights and providing mechanisms for users to manage their personal data effectively.

5.1 Children’s Data

The Service is not directed to, nor intended for, individuals under the age of eighteen (18), and we do not knowingly collect Personal Data from anyone under that age. By using the Service, you represent that you are at least eighteen (18) years old, or the age of majority in your jurisdiction, whichever is greater. If we become aware that we have collected Personal Data from a minor without appropriate parental consent, we will take reasonable steps to delete that information. If you believe a minor has provided us with Personal Data, please contact us at hello@cension.ai.

5.2 Sensitive and Special-Category Data

Cension does not intentionally collect, and instructs customers not to upload, special-category or sensitive personal data, including protected health information (PHI), primary payment-card data (PAN / CVV), biometric identifiers, government-issued identifiers, precise geolocation, or any other data within the scope of GDPR Article 9, unless expressly authorized under a separately signed Enterprise Service Agreement. You are responsible for ensuring that Customer Content submitted to the Service does not contain such data outside of any authorized use case. Cension disclaims responsibility for any such data submitted in breach of this Section.

5.3 No Sale or Sharing of Personal Data

Cension does not “sell” Personal Data and does not “share” Personal Data for cross-context behavioral advertising, as those terms are defined under the California Consumer Privacy Act (as amended by the CPRA) and similar U.S. state privacy laws.

6. Analytics, Tracking, and Payments

Cension does not currently use third-party advertising, remarketing, or cross-site behavioral tracking technologies on the authenticated Cension application.

If we introduce product analytics or advertising technologies in the future, we will update this Privacy Policy and our Cookie Policy, and where required by law we will present a consent interface to users in the EEA and UK before any non-essential cookies are set. The cookies and local-storage keys actually used by the Service today are described in the Cookie Policy.

6.1 Payments Processing

For paid subscriptions and metered usage, we use Stripe as our sole payment processor. Card details are collected directly by Stripe through Stripe Elements or Stripe Checkout; Cension does not receive, store, or transmit full primary account numbers or CVV values. Please see Stripe’s Privacy Policy.

7. Third-Party Links and Services

Interactions with Third-Party Services: Our Service may contain links to or interactions with third-party websites, products, or services. These are provided for convenience and are not under our direct control.

User Responsibility: When engaging with third-party services, users are subject to the terms and conditions and privacy policies of these third parties. Users should review these policies to understand how their data is handled.

8. International Data Transfers

Cension AB is established in Sweden and hosts its primary infrastructure in the European Union. However, delivering the Service necessarily involves transfers of Customer Content to third-party sub-processors located in the United States (principally for LLM inference and text embeddings) and, in some cases, to sub-processors in other jurisdictions.

8.1 Cross-Border Transfer Mechanisms

For every international transfer we rely on at least one of the following lawful transfer mechanisms: (i) the EU–US Data Privacy Framework where the recipient is DPF-certified; (ii) the EU Standard Contractual Clauses (Module 2, Controller-to-Processor) approved by the European Commission; (iii) the UK International Data Transfer Addendum; or (iv) the Swiss FADP equivalents. For the purposes of the EU SCCs, the governing law is Sweden and the competent supervisory authority is the Swedish Authority for Privacy Protection (IMY).

8.2 Safeguarding Measures

Customer Content is transmitted using industry-standard encryption in transit, stored with provider-managed encryption at rest, and accessed under role-based controls. Where Customer Content is transmitted to third-party foundation-model or other AI providers strictly to generate outputs you have requested, we rely on those providers’ standard API terms, under which API inputs and outputs are not used to train those providers’ generally-available models. Our own use of Customer Content to develop and improve the Service is described in Section 11.2.

8.3 Transfer Fallback

If any transfer mechanism we rely upon becomes invalid or ceases to apply, Cension will, in good faith, assess and implement an alternative lawful mechanism where commercially reasonable. Where no such alternative is available, Cension may suspend or reconfigure the affected processing activity without liability to customers.

9. Policy Updates and Jurisdiction

In this section, we outline how updates to this privacy policy are managed and the legal jurisdiction under which it falls.

9.1 Policy Updates Notification

Method of Notification: We will inform users of any significant updates to our privacy policy through direct communication channels such as email or via announcements on our website.

Responsibility to Stay Informed: We encourage users to regularly review our privacy policy to stay informed of any changes.

9.2 Jurisdiction and Governing Law

Swedish Law: This privacy policy is governed by and construed in accordance with the laws of Sweden. Any disputes arising in relation to this policy will be subject to the exclusive jurisdiction of the Swedish courts.

International Considerations: If you are located in a jurisdiction that grants you mandatory consumer-protection or data-protection rights under local law, those provisions will take precedence to the extent they conflict with this Privacy Policy. International transfers of Personal Data are governed by the mechanisms described in Section 8.

10. Contact for Privacy Concerns

10.1 Designated Contact Point

Contact Information: For any privacy-related inquiries or concerns, users can reach us at hello@cension.ai.

Active Response: Our team is dedicated to addressing your privacy concerns promptly and effectively.

11. Special Considerations & GDPR Roles

11.1 Controller and Processor Roles

Under the General Data Protection Regulation (GDPR) and similar data-protection laws, Cension operates simultaneously in multiple roles depending on which data and which processing activity is at issue. We make this structure explicit below so that there is no ambiguity about the legal basis on which each activity is performed.

• Cension as Data Controller for Account Profile Data. When you create and operate a Cension account, Cension is the Controller of your Account Profile Data (for example, name, email address, hashed password, billing details, and support correspondence). This data is used to set up and operate your account, process payments, authenticate you, and communicate with you about the Service.
• Cension as Data Processor for Personal Data inside Content. To the extent the Content you upload to or generate within the Service contains Personal Data relating to third parties (for example, employee names or customer email addresses that incidentally appear in an uploaded dataset), Cension processes that Personal Data as a Data Processor, acting on your documented instructions and in accordance with our Data Processing Addendum (DPA). The processor role applies only to the Personal Data subset of Content; it does not displace or limit Cension’s separately granted license over Content itself.
• Cension’s independent rights over Content. Cension’s broader license to use Content itself — including non-personal product data, prompts, prompt rules, edits, annotations, configurations, and AI Output — to operate, develop, and improve the Service (including the training, fine-tuning, evaluation, and operation of Cension’s proprietary AI and ML models, search, indexing, and ranking systems, and other components of the Service) is separately granted under Section 3.1 of our Terms & Conditions and further described in Section 11.2 below. This activity is performed by Cension in its own capacity for its own purposes; it is not a processor activity and is not limited by your documented instructions under the DPA.
• Cension as Controller for Service Data. Cension processes Service Data (operational, diagnostic, and telemetry signals) as an independent Controller for its own business purposes, as further described in Section 11.3 and in Section 9 of the DPA.

11.2 Our Use of Content

Cension may use the Content you provide to and generate within the Service to provide, maintain, develop, and improve the Service, as licensed under Section 3.1 of our Terms & Conditions. This includes the development and improvement of Cension’s AI/ML models, search, indexing, and ranking systems, and other components of the Service.

For clarity, “Content” means Input (the data you provide to the Service — for example, imported datasets, catalog records, prompts, prompt rules, edits, annotations, and configuration) and Output (AI-generated outputs, enrichments, derived metadata, and rankings produced by the Service based on your Input). Content does not include Account Profile Data (your name, email address, password, or billing information), which we do not use to develop or improve the Service.

This Section applies uniformly to all users of the Service, regardless of subscription tier. It is subject to any separately signed agreement with Cension (such as a Data Processing Addendum or Enterprise Service Agreement), which controls to the extent of any conflict in accordance with Section 12 below.

Objection. You may submit a written objection to our use of your Content to develop or improve the Service by emailing hello@cension.ai from the administrative contact on your account. Cension will action valid objections within a reasonable time. An objection does not affect (i) our use of Content strictly to operate the Service for you and handle your requests, (ii) our retention and use of aggregated, de-identified, or non-identifying learnings already derived from Content prior to the objection, (iii) our use of Content as necessary to comply with law, enforce our Terms, or keep the Service safe, or (iv) our processing of Service Data as described in any applicable Data Processing Addendum. Nothing in this paragraph limits any rights you have under applicable data protection laws.

Operational heuristics. Cension may derive aggregated, product-agnostic operational heuristics (for example, column-name patterns, context-type aliases, and value-type hints) from processing activity and store these in shared reference datasets that the Service uses to interpret and organize future inputs. No user-identifying or account-identifying data is persisted in those reference datasets.

Third-party foundation-model and AI providers. Where Content is transmitted to third-party foundation-model or other AI providers strictly to generate outputs you have requested, those providers process the Content under their standard API terms. Under those terms, API inputs and outputs are not used to train those providers’ generally-available models. The current list of these providers is published at /sub-processors.

11.3 Operational Telemetry and Service Data

In order to operate, meter, bill, secure, support, and improve the Service, Cension collects Service Data as defined in Section 1.2. Service Data includes structured application logs, request timings, error traces, model and provider selections for generations, input and output token counts, credit accounting, and similar operational, diagnostic, and telemetry signals. Service Data is retained in our cloud-logging and database systems under security controls equivalent to those applied to other Customer Personal Data.

Cension processes Service Data as an independent controller for its own business purposes, including to operate, meter, bill, secure, support, and develop the Service, to investigate fraud, spam, and wrongful or unlawful use of the Service, and to maintain, optimize, and improve the Service. Aggregated, de-identified, and non-identifying patterns derived from Service Data may be retained and used by Cension indefinitely for any lawful purpose. Where Service Data contains Personal Data, Cension processes such Personal Data on the basis of its legitimate interests, and statutory data-subject rights under applicable data-protection law remain unaffected. The full scope of our Service Data processing is set out in Section 9 of our DPA.

12. Order of Precedence

While this Privacy Policy outlines our general data practices, we recognize that certain organizations require specific compliance frameworks. In the event of any conflict or inconsistency between this Privacy Policy and a separate written contract manually signed by both you and Cension AB (such as a formal Data Processing Addendum or a custom Enterprise Service Agreement), the terms of that signed external agreement shall take full precedence over this Privacy Policy regarding the subject matter in conflict.