Privacy Policy
of Website and Web App

Updated and Effective as of May 8, 2026

This Privacy Policy describes how Applabel LTD  – a company incorporated under the laws of the Republic of Cyprus (registration number HE 420476), with registered address at Panagioti Tsangari, 14, 1st floor, Flat/Office 1F, 4047, Limassol, Cyprus (collectively “we”, “us”, or “our”) – collects, uses, stores, transfers, and discloses personal information from Users in connection with our Services.

For the purposes of the General Data Protection Regulation 2016/679 (GDPR) and any implementing legislation, APPLABEL LTD is the data controller responsible for any personal data we process.We encourage you to read this Privacy Policy to better understand how we handle your data (Section 3, 4), your data privacy rights (Section 8), and the privacy controls available to you.

If any questions still need to be answered, please contact us at eliten@support-team.app

1. CONTENTS

  1. 1. Data Controller
  2. 2. Key Definitions
  3. 3. Categories of Data We Collect
  4. 4. Purposes and Legal Bases
  5. 5. Cookies and Tracking Technologies
  6. 6. Sharing of Personal Data
  7. 7. International Data Transfers
  8. 8. Your Rights (GDPR)
  9. 9. Data Retention
  10. 10. Data Security
  11. 11. AI Processing and User Content
  12. 12. Interest-Based Advertising
  13. 13. Children's Privacy
  14. 14. Third-Party Websites
  15. 15. Changes to This Policy
  16. 16. California Privacy Rights (CCPA)
  17. 17. Contact

2. KEY DEFINITIONS

The following terms are used throughout this Privacy Policy:

  • "Personal Data": any information relating to an identified or identifiable natural person ('data subject').
  • "Anonymous Data": data from which all identifiers have been irreversibly removed so that the individual cannot be identified or re-identified. Anonymous data is not Personal Data and is not subject to this Policy.
  • "Processing": any operation performed on Personal Data, including collection, recording, organisation, storage, adaptation, retrieval, use, disclosure, erasure, or destruction.
  • "Data Subject": the identified or identifiable natural person whose Personal Data is being processed - i.e., you.
  • "Legal Basis": the lawful ground under GDPR Article 6 that justifies a particular processing activity.
  • "Sub-processor": a third-party service provider engaged by us to process Personal Data on our behalf.
  • "User Content": text, files, prompts, or other material you submit to the Service for processing by AI tools.
  • "Service": the eliten.ai website, platform, and all associated AI tools and features available at https://app.eliten.ai/ (eliten).

Category

Examples of data collected

Identifiers

Full name (or chosen username), email address, username, encrypted password hash

Onboarding, Profile Data

Goals you set, skill level, task preferences, topics of interest, and other information you provide during onboarding or while using the eliten

Online Activity, Usage Data

Pages and features visited, AI tools used, session duration, click patterns, interactions with content, search queries within the Service, and error/performance logs

Commercial & Billing Data

Subscription plan selected, billing history, payment status, and renewal date (note: full payment card details are processed exclusively by Stripe and are never stored on our servers)

Device & Technical Data

IP address, browser type and version, operating system, device type and model, screen resolution, language settings, and time zone

Communications Data

Messages, feedback, support requests, and any other correspondence you send to us

User Content

Text, files, prompts, and other content you submit to AI tools for processing

Cookies & Tracking Data

See Section 5 for full details on cookies and tracking technologies

3.1 Data from Third Parties

3.1.1  If you register or authenticate via a third-party identity provider (e.g., Google Sign-In), we may receive your name, email address, and profile picture from that provider, subject to your privacy settings with them.
3.1.2  Stripe, our payment processor, may share transaction status and basic billing confirmation data with us as part of payment processing. We do not receive your full card number or bank account details.

3.2 Anonymised Data

3.2.1  We may anonymise or aggregate Personal Data so that it can no longer be associated with any individual. We may use such anonymised or aggregated data for research, product development, and statistical purposes without restriction, as it is not treated as Personal Data under applicable law.

4. PURPOSES AND LEGAL BASES FOR PROCESSING

We process your Personal Data only where we have a valid legal basis under Article 6 GDPR. The table below explains each processing activity, the data categories involved, and the applicable legal basis.

Purpose

Description and examples

Data categories

Legal basis

Provide and administer the Service

Creating and managing your Account; enabling access to AI tools; customising your experience based on your profile; troubleshooting technical issues.

Identifiers, Onboarding & Profile Data, Online Activity, User Content

Performance of contract (Art. 6(1)(b))

Process payments and billing

Charging your payment method via Stripe; issuing payment confirmations and receipts; managing renewals, upgrades, and cancellations.

Identifiers, Commercial & Billing Data

Performance of contract (Art. 6(1)(b))

Send transactional communications

Email confirmations, payment receipts, renewal reminders, billing alerts, password resets, security notifications, and other account-related updates.

Identifiers (email address)

Performance of contract (Art. 6(1)(b))

Customer support

Responding to your enquiries, technical support requests, and billing disputes; resolving complaints; maintaining records of interactions for quality and training.

Identifiers, Communications Data, Online Activity

Legitimate interests (Art. 6(1)(f))*

Service improvement and research

Analysing how users interact with the Service; identifying popular or underperforming features; conducting internal research; testing new tools and features before release.

Online Activity, Device & Technical Data, Onboarding & Profile Data

Legitimate interests (Art. 6(1)(f))*

Security and fraud prevention

Detecting and preventing unauthorised access, account takeover, abuse, spam, fraud, and other harmful activity; monitoring for violations of our Terms of Service; protecting the integrity of the Service.

Identifiers, Online Activity, Device & Technical Data

Legitimate interests (Art. 6(1)(f))*

Marketing communications

Sending you updates about new features, promotional offers, and other relevant news - only where you have opted in or where permitted by applicable law based on prior purchase history.

Identifiers (email), Online Activity

Consent (Art. 6(1)(a)) - you may withdraw at any time

Interest-based advertising

Using anonymised or pseudonymised data to serve relevant advertisements and measure campaign effectiveness; personalising content shown to you. See Section 12.

Online Activity, Device & Technical Data, Cookies

Legitimate interests (Art. 6(1)(f))*Consent (Art. 6(1)(a)) where required; otherwise Legitimate interests (Art. 6(1)(f))*

Push notifications

Sending confirmations, reminders, and relevant product updates as push notifications, if you have enabled this on your device.

Identifiers, Online Activity

Consent (Art. 6(1)(a)) - disable at any time in device settings

Legal compliance and defence of claims

Complying with applicable laws and regulations, including tax, accounting, and consumer protection law; responding to lawful requests from courts and regulatory authorities; establishing, exercising, or defending legal claims.

All relevant categories

Legal obligation (Art. 6(1)(c)) / Legitimate interests (Art. 6(1)(f))*

* Where we rely on legitimate interests as our legal basis, we have carried out a balancing test and assessed that our interests are not overridden by your fundamental rights and freedoms. You may object to processing on this basis at any time (see Section 8).

5. COOKIES AND TRACKING TECHNOLOGIES

We use cookies and similar tracking technologies (collectively 'cookies') on the Service. A cookie is a small text file stored on your device when you visit our website. We use cookies to operate the Service, understand how you use it, remember your preferences, and show you relevant content and advertising.

5.1 Categories of Cookies

Category

What they do and consequences of disabling

Strictly Necessary

Essential for the Service to function: user authentication, session management, security tokens, and access to paid content. Cannot be disabled without breaking the Service.

Functional

Remember your preferences (e.g., language, last tool used, onboarding progress). Disabling them may reduce convenience but the Service will remain functional.

Performance / Analytics

Collect pseudonymised or anonymised data on how users interact with the Service - pages visited, features used, session length - to help us improve. Enabled only with your consent.

Targeting / Marketing

Used to measure the effectiveness of advertising campaigns and to serve personalised marketing. Enabled only with your consent. Disabling does not affect Service functionality but may result in less relevant advertising.

5.2 Cookie Consent
5.2.1  When you first visit the Service, a cookie consent banner allows you to accept all cookies, accept strictly necessary cookies only, or customise your preferences by category. You can change your preferences at any time via the cookie settings link in the website footer.
5.2.2  Withdrawing consent does not affect the lawfulness of cookie processing carried out before withdrawal.
5.3 Third-Party Cookies
5.3.1 Some cookies are set by or on behalf of third-party providers (including Stripe for payment security, and analytics providers). These providers operate under their own privacy policies, which we encourage you to review.
5.4 Managing Cookies
5.4.1  Most browsers allow you to control cookies through their settings - you can block or delete cookies at the browser level. Please be aware that blocking strictly necessary cookies will prevent the Service from functioning. For more information, visit www.allaboutcookies.org.

6. THIRD-PARTY PROCESSING OF PERSONAL DATA

6.1  We do not sell, rent, or trade your Personal Data to third parties. We share Personal Data only as described in this Section and with your explicit consent where required.
6.2 Sub-processors (Service Providers)We engage trusted third-party companies that process Personal Data on our behalf under written data processing agreements (DPAs), in accordance with our instructions, and subject to confidentiality and security obligations. Current categories of sub-processors are:

Sub-processor category

Purpose and representative example

Payment processor

Processing transactions, managing billing and refunds - Stripe, Inc. (stripe.com/privacy)

Cloud hosting & infrastructure

Hosting the Service, data storage, and backup - primary server locations: Cyprus and Germany (EU)

AI model providers

Powering the AI tools in the Service - all AI requests are routed through our own backend; AI providers process only the data we send them and are bound by DPAs prohibiting them from using your data for model training

Email delivery provider

Sending transactional and marketing emails

Analytics provider

Measuring and analysing Service usage to improve features

Customer support software

Managing and responding to support tickets and enquiries

6.3 Legal Requirements
6.3.1  We may disclose Personal Data to courts, law enforcement agencies, regulatory authorities, or other public bodies where we are required to do so by applicable law, court order, or other binding legal process, or where we reasonably believe disclosure is necessary to: (a) comply with a legal obligation; (b) protect and defend the Company's legal rights; (c) prevent or investigate suspected illegal activity or fraud; or (d) protect the safety of users or the public.
6.4 Business Transfers
6.4.1  If the Company is involved in a merger, acquisition, restructuring, or sale of all or a portion of its assets, Personal Data may be transferred to the acquiring entity or its advisors as part of that transaction. We will notify you of any such transfer and the choices available to you, via email to your registered address and/or via a prominent notice on our website, before your data is subject to any materially different privacy policy.

7. International Data Transfers

7.1  We are based in Cyprus, an EU Member State, and aim to process your Personal Data within the EEA. Our primary server infrastructure is located in Cyprus and Germany (both EU). However, some of our sub-processors are based or have operations outside the EEA.
7.2  Where we transfer Personal Data to sub-processors located outside the EEA, we ensure an adequate level of protection through one or more of the following mechanisms:
Transfers to countries benefiting from a European Commission adequacy decision (e.g., the UK, Switzerland, and others listed at https://commission.europa.eu/law/law-topic/data-protection);
Standard Contractual Clauses (SCCs) adopted by the European Commission, in the appropriate module (Controller-to-Processor or Processor-to-Processor);
Binding Corporate Rules, Codes of Conduct, or other recognised safeguards under Chapter V GDPR.
7.3  To obtain information about the specific safeguards applied to any particular transfer, or to request a copy of any applicable SCCs, please contact us at legal@applabel.tech.

8. Your Rights Under the GDPR

As a data subject, you have the following rights under the GDPR and applicable national data protection law. We will respond to all verified requests within one calendar month of receipt. In complex or numerous requests, we may extend this period by a further two months, with notice to you.

Right

What it means and how to exercise it

Right of Access (Art. 15)

Obtain confirmation of whether we process your Personal Data and, if so, receive a copy of it along with supplementary information about how, why, and on what basis it is processed.

Right to Rectification (Art. 16)

Request correction of inaccurate Personal Data or completion of incomplete data we hold about you.

Right to Erasure / 'Right to Be Forgotten' (Art. 17)

Request deletion of your Personal Data where it is no longer necessary for the original purpose, where you withdraw consent (and no other legal basis applies), where you successfully object to processing, or where processing was unlawful. You may also request account deletion via your account settings.

Right to Restriction of Processing (Art. 18)

Request that we limit processing of your Personal Data in certain circumstances, for example while the accuracy of data you contest is being verified.

Right to Data Portability (Art. 20)

Receive a copy of Personal Data you provided to us in a structured, commonly used, machine-readable format (e.g., JSON or CSV), and the right to transmit it to another controller, where processing is based on consent or contract and carried out by automated means.

Right to Object (Art. 21)

Object at any time to processing based on our legitimate interests, including profiling for that purpose. We will cease such processing unless we can demonstrate compelling legitimate grounds that override your interests. You also have an absolute right to object to processing for direct marketing purposes.

Right to Withdraw Consent (Art. 7(3))

Withdraw consent at any time for any processing activity based solely on your consent (e.g., marketing emails, analytics cookies). Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

Right to Opt Out of Targeted Advertising

Opt out of interest-based advertising at any time via our cookie preferences centre, or by adjusting your device privacy settings: • iOS: Settings > Privacy & Security > Tracking • Android: Settings > Google > Ads > Opt out of Ads Personalisation You may also opt out via aboutads.info/choices or youronlinechoices.eu (EEA users).

Right Not to Be Subject to Automated Decisions (Art. 22)

Not to be subject to a decision based solely on automated processing - including profiling - that produces significant legal or similarly significant effects on you, except where permitted by law, necessary for a contract, or based on your explicit consent. If such processing applies, you have the right to request human review.

Right to Lodge a Complaint

File a complaint with a supervisory authority at any time. See below for details.

8.1  To exercise any of the above rights, please submit a written request to legal@applabel.tech. Include your name, registered email address, and a clear description of the right you wish to exercise. We may ask you to verify your identity before proceeding. There is no charge for submitting a request, though we may charge a reasonable fee for manifestly unfounded or excessive requests.
8.2  You have the right to lodge a complaint with a competent supervisory authority. You may contact the supervisory authority in your country of habitual residence or place of work. A list of all EU/EEA supervisory authorities is available at edpb.europa.eu.

9. Data Retention

We retain Personal Data only for as long as necessary to fulfil the purposes described in this Policy, or as required by applicable law. We apply the following retention periods:

Data category

Retention period and rationale

Account and profile data

For the duration of your active Account, plus up to 3 years after Account deletion, to enable us to handle outstanding matters, legal claims, or regulatory enquiries

Payment and billing records

7 years from the relevant transaction date, as required by applicable accounting, tax, and financial record-keeping law

User Content submitted to AI tools

Processed in real time to generate your requested Output; not stored beyond the current active session unless you explicitly save work within the Service interface

Usage and analytics data

Up to 24 months, after which data is aggregated or irreversibly anonymised

Customer support communications

3 years from the date of last interaction, for quality assurance and legal claim purposes

Marketing consent records

Until you withdraw consent, plus 3 additional years for evidentiary purposes

Security and fraud prevention logs

Up to 12 months, unless a specific incident requires investigation over a longer period, in which case the relevant data is retained for the duration of that investigation

Cookie consent records

For the duration of the consent, or up to 12 months from the date of collection, in accordance with e-Privacy guidance

At the end of the applicable retention period, Personal Data is securely deleted or irreversibly anonymised. Account deletion requests are processed within a reasonable timeframe, subject to the retention periods above and any legal hold requirements.

10. Data Security

10.1  We implement appropriate technical and organisational measures (TOMs) to protect your Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. Our security measures include:
Encryption of all data in transit using TLS 1.2 or higher (HTTPS);
Encryption of passwords using industry-standard one-way hashing algorithms (e.g., bcrypt);
Pseudonymisation and tokenisation of certain categories of Personal Data where appropriate;
Role-based access controls limiting data access to authorised personnel with a genuine business need;
Multi-factor authentication (MFA) for internal systems and administrative access;
Regular security assessments, penetration testing, and vulnerability management;
Contractual data protection and security obligations for all sub-processors;
Incident response procedures aligned with GDPR breach notification requirements.
10.2  You can also help protect your Account by choosing a strong, unique password, keeping your credentials confidential, and not sharing your Account with others. Please notify us immediately at eliten@support-team.app if you suspect any unauthorised access to your Account.
10.3  No method of transmission over the internet or method of electronic storage is completely secure. While we use commercially reasonable security measures, we cannot guarantee the absolute security of your Personal Data. In the event of a Personal Data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the competent supervisory authority as required under Articles 33–34 GDPR (within 72 hours of becoming aware of the breach, where feasible).

11. AI Processing and User Content

11.1  When you submit User Content to the Service (e.g., text for summarising, rewriting, or translation), that content is transmitted to our AI model infrastructure and/or third-party AI model providers for the purpose of generating your requested Output. The following principles apply:
User Content is processed solely and exclusively to provide you with the AI Output you requested;
We do not use your User Content to train, fine-tune, or improve AI models - neither our own nor those of third-party providers - without your explicit, separately obtained consent;
All AI processing requests are routed through our own backend infrastructure; there is no direct connection between your device and third-party AI providers;
AI model providers processing User Content on our behalf are bound by DPAs that expressly prohibit them from using the data for their own model training or any other purpose;
User Content is not stored beyond the current active session unless you explicitly save work within the Service.
11.2  We recommend that you do not submit sensitive categories of Personal Data (such as health information, financial account details, government-issued identification numbers, or biometric data) as User Content, as the Service is not designed to handle such data and doing so unnecessarily increases risk.

12. Interest-Based Advertising

12.1  We and our advertising partners may use cookies and similar tracking technologies to collect data about your activity on the Service and on other websites and apps over time, in order to show you advertisements that may be of interest to you. This practice is sometimes called 'interest-based' or 'behavioural' advertising.
12.2  You have the following options to limit interest-based advertising:
Decline advertising cookies in our cookie consent banner or via the cookie settings link in the footer;
Visit the Digital Advertising Alliance opt-out tool at aboutads.info/choices (US) or youronlinechoices.eu (EU/EEA);
Adjust your device settings:   iOS: Settings > Privacy & Security > Tracking - turn off 'Allow Apps to Request to Track'   Android: Settings > Google > Ads > Opt out of Ads Personalisation
Install a browser opt-out extension or ad blocker.
12.3  Opting out does not mean you will see no ads at all; it means the ads you see will not be personalised based on your browsing behaviour. You will continue to see contextual or generic advertising.

13. Children's Privacy

13.1  The Service is not directed at, and we do not knowingly collect Personal Data from, individuals who are under the age of 18.
13.2  For residents of EEA and UK countries, users under 16 years of age are considered children for the purposes of this Policy, unless the applicable national data protection legislation of their country specifies a different age threshold (but in no event lower than 13).
13.3  We consider the minimum age threshold for all users globally to be 13 years old, except where mandatory local law requires a higher threshold. If you are under the applicable minimum age, please do not use the Service or provide us with any Personal Data.
13.4  If you are a parent or guardian and become aware that a child has created an Account or provided Personal Data through the Service without appropriate consent, please contact us immediately at eliten@support-team.app. We will promptly investigate and take the necessary steps to delete the relevant data and close the Account.ble timeframe, subject to the retention periods above and any legal hold requirements.

14. Third-Party Websites and Services

14.1  The Service may contain links to, or integrations with, third-party websites, applications, or services. This Privacy Policy does not apply to those third parties. We are not responsible for the content, data practices, or privacy policies of any linked third-party service. We encourage you to review the privacy policy of any third-party service before sharing your Personal Data with it.
14.2  Our Service uses Stripe for payment processing. When you make a payment, you are also interacting with Stripe's platform, which is governed by Stripe's own Privacy Policy at https://stripe.com/privacy. We encourage you to review it.

15. Changes to This Privacy Policy

15.1  We may update this Privacy Policy from time to time to reflect changes in our data practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by email to your registered address at least 30 days before the changes take effect. We will also update the "Last updated" date at the top of this document and, where required by law, seek your renewed consent.
15.2  Where a change is not material (e.g., minor clarifications, corrections, or updates to contact details), we may update this Policy without individual notice, relying on the updated version being posted on our website.
15.3  Your continued use of the Service after the effective date of any updated Privacy Policy constitutes your acknowledgment of the changes. If you do not agree with the updated Policy, you should stop using the Service and may request deletion of your Account and Personal Data.

16. Additional Rights for California Residents (CCPA/CPRA)

16.1  This Section applies exclusively to residents of the State of California and supplements the other provisions of this Privacy Policy. It is provided pursuant to the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 (collectively, 'CCPA'). Terms defined in the CCPA have the same meaning when used in this Section.
16.2 Categories of Personal Information CollectedIn the preceding 12 months, we have collected the following categories of personal information from California consumers:

CCPA Category

Examples collected

Business / commercial purpose

Identifiers

Name, email address, IP address, user ID, cookie identifiers

Account creation, authentication, billing, communications, security

Personal Information (Cal. Civ. Code §1798.80(e))

Name and email address

Account management, billing

Internet or other electronic network activity

Browsing/interaction data, features used, session data, error logs

Service operation, analytics, security, fraud prevention

Commercial information

Subscription plan, purchase and billing history

Payment processing, account management

Geolocation data

Approximate location derived from IP address

Regional pricing, compliance

Inferences drawn from personal information

User preferences and interests inferred from onboarding data and usage patterns

Service personalisation

16.3 Sources of Personal Information
We collect personal information directly from you (when you register, make a purchase, or use the Service), automatically from your device (through cookies and usage data), and from third-party providers (e.g., Stripe for payment confirmation, identity providers for social login).
16.4 Business Purposes for Disclosure
16.4.1  We do not sell personal information, as that term is defined in the CCPA. In the preceding 12 months, we have not sold any personal information of California consumers to third parties.
16.4.2  We may share personal information with service providers (sub-processors) for our own business purposes as described in Section 6.2 of this Policy. We do not share personal information with non-affiliated companies for their independent direct marketing purposes without your permission. This is consistent with California's 'Shine the Light' law (Civil Code § 1798.83).
16.5 Your California Privacy Rights
California residents have the following rights under the CCPA:
Right to Know: request disclosure of the specific pieces and categories of personal information we have collected about you, the categories of sources, the business or commercial purposes for collection, and the categories of third parties with whom we have shared it, covering the preceding 12 months;
Right to Access: request a copy of the personal information we have collected about you during the preceding 12 months;
Right to Delete: request that we delete personal information we have collected from you, subject to certain exceptions (e.g., where retention is required to complete a transaction, comply with a legal obligation, or exercise legal rights);
Right to Correct: request correction of inaccurate personal information we maintain about you;
Right to Opt Out of Sale or Sharing: opt out of the sale or sharing of your personal information for cross-context behavioural advertising. As noted above, we do not currently sell personal information, but you may still submit an opt-out request;
Right to Limit Use of Sensitive Personal Information: request that we limit our use of sensitive personal information (as defined in CPRA) to specific permitted purposes;
Right of Non-Discrimination: we will not discriminate against you for exercising any of your CCPA/CPRA rights. We will not deny services, charge different prices, provide a different quality of service, or suggest that you will receive different treatment for exercising these rights.

16.6 How to Submit a California Privacy Request
16.6.1  To exercise any of your California privacy rights, please submit a request by email to eliten@support-team.app with the subject line "California Privacy Request". Include your full name, registered email address, and a description of the right you wish to exercise. We will need to verify your identity and California residency before processing your request.
16.6.2  We will respond to a verifiable consumer request within 45 calendar days of receipt. If we require additional time (up to a further 45 days), we will notify you in writing. We will provide the information free of charge, up to twice per 12-month period.
16.6.3  You may designate an authorised agent to submit a request on your behalf. We will require written proof of the agent's authorisation and may verify your identity directly with you.

17. Contact and Data Subject Requests

For any questions about this Privacy Policy, to exercise your data subject rights (including GDPR and CCPA rights), or to raise a concern about how we handle your personal data, please contact us:

Applabel LTD
Registration number: HE 420476
Panagioti Tsangari, 14, 1st floor, Flat/Office 1F, 4047, Limassol, Cyprus
Data protection / GDPR / CCPA enquiries: legal@applabel.techGeneral support: eliten@support-team.appapplabel@support-team.appWebsite: https://app.eliten.ai/