Privacy Policy
Last updated: April 6, 2026
1. Introduction and Scope
This Privacy Policy explains how personal data is processed when you access or use Mizantropic.ai and related website functions, including chat interfaces, access controls, legal pages, support channels, and technical security functions (the "Service").
The Service is positioned as an internal AI solution hosted on local infrastructure and intended for local knowledge bases and internal organizational data workflows.
This policy applies to visitors, individual users, administrators, customer representatives, and other persons whose personal data is processed through website-level operations controlled by the Operator.
2. Identity of Controller
For the controller activities described in this policy, the data controller (referred to in this policy as the "Operator") is:
Daniel Vnuk
Stubicka cesta 134C
49 243 Oroslavje
Croatia
3. Contact Details
Primary privacy contact: admin@dvnuk.com
This contact channel may be used for privacy requests, rights requests, and data protection inquiries related to controller processing under this policy.
4. When We Act as Controller
The Operator acts as controller for website-level and platform-security processing decisions, including for example:
- Website delivery and baseline technical operation.
- Session and access security for protected admin/log interfaces.
- Security logging, abuse prevention, and incident investigation.
- Support, administrative, and legal/compliance correspondence.
- System integrity controls, diagnostics, and service reliability operations.
- Compliance with legal obligations and defense of legal claims.
5. When Customer or Organization Acts as Controller
For customer-uploaded, customer-connected, or customer-managed organizational datasets, the relevant customer organization generally acts as controller (typically as an independent controller), unless a different allocation of roles is expressly agreed in writing.
Where legally required, any processor/sub-processor relationship must be documented through separate contractual documentation (for example a data processing agreement and related annexes).
This public Privacy Policy is a transparency notice only and does not by itself constitute a Data Processing Agreement (DPA), joint-controller arrangement, or instruction set for customer datasets.
Enterprise or internal deployment models may require separate contractual privacy documentation, including role allocation, security annexes, transfer mechanisms, and retention instructions.
6. Categories of Personal Data
Depending on use context, the following categories may be processed:
- Identity and contact data (for example name, business email, role, organization, support contact details).
- Account and authentication data for restricted access areas (for example username and session metadata).
- User-provided content (for example prompts, messages, support submissions, feedback text).
- Technical and usage data (for example IP address, user-agent, timestamps, request context, error diagnostics).
- Security and audit data (for example access attempts, session events, abuse indicators).
- Consent/preference records and browser-side continuity settings.
7. Sources of Personal Data
Personal data may be obtained:
- Directly from you when you submit forms, prompts, requests, or account details.
- Automatically from browser/device interactions with the Service.
- From authorized customer or organizational administrators who manage access or deployment settings.
- From legal or operational communications sent to the Operator.
The Service does not intentionally source personal data from unrelated commercial data-broker datasets for standard website operation.
8. Purposes of Processing
Website-level controller processing may be carried out for the following purposes:
- Delivering and operating the Service and related website functions.
- Authenticating users and maintaining secure access sessions.
- Detecting, preventing, and responding to abuse, unauthorized access, and security incidents.
- Maintaining service stability, performance diagnostics, and operational continuity.
- Handling support, administrative, and enterprise communications.
- Meeting legal obligations and maintaining documentation for legal defense, compliance, and audit requirements.
- Managing cookie/local-storage preference choices and continuity settings where applicable.
9. Legal Bases by Purpose (GDPR Article 6)
Website operation and technical delivery.
Data: technical identifiers, request metadata, limited content context where required.
Legal basis: Article 6(1)(f) GDPR (legitimate interests in secure and reliable operation); Article 6(1)(b) where processing is necessary to provide requested service functionality.
Retention logic: generally short operational windows, after which the data is rotated out or deleted unless an incident or legal reason requires longer retention.
Typical recipients: hosting/infrastructure and technical maintenance providers under confidentiality obligations.
Account access and authentication for restricted areas.
Data: username, authentication/session data, access timestamps, security event data.
Legal basis: Article 6(1)(b) GDPR for requested access functionality; Article 6(1)(f) GDPR for account and platform security.
Retention logic: while access remains active and for a defined post-deactivation security and audit window.
Typical recipients: infrastructure/security support providers on a need-to-know basis.
Security logging, abuse prevention, and incident response.
Data: IP/device metadata, request traces, security logs, relevant prompt/context records tied to incident handling.
Legal basis: Article 6(1)(f) GDPR (security, abuse prevention, integrity, legal defense); Article 6(1)(c) where disclosure/retention is required by law.
Retention logic: typically 30-180 days for routine security logs; longer where incident, dispute, or legal hold requires.
Support and enterprise communications.
Data: name, email, organization details, correspondence content, follow-up records.
Legal basis: Article 6(1)(b) GDPR for handling requested pre-contractual/contractual communication; Article 6(1)(f) GDPR for service administration and record continuity.
Retention logic: generally up to 24 months after final correspondence, unless legal/compliance needs justify longer retention.
Compliance, legal obligations, and legal defense.
Data: records necessary to demonstrate compliance, respond to lawful requests, and establish/exercise/defend claims.
Legal basis: Article 6(1)(c) GDPR where legally required; Article 6(1)(f) GDPR for legal defense and accountability.
Retention logic: for statutory periods or as reasonably necessary for claims, disputes, audits, or legal holds.
Cookie/local-storage preference management and optional settings.
Data: consent/preference flags, preference timestamps, local browser settings entries.
Legal basis: Article 6(1)(a) GDPR where consent is required for optional categories; Article 6(1)(f) GDPR for strictly necessary technical storage where consent is not legally required.
Retention logic: until preference change/reset, browser deletion, or technical replacement.
10. Legitimate Interests Explanation
Where Article 6(1)(f) GDPR is used, the Operator relies on legitimate interests in information security, service integrity, abuse prevention, operational reliability, legal compliance readiness, and defense of legal claims.
These interests are applied with proportionality controls, including access restrictions, data minimization, retention limits, and controlled disclosure on a need-to-know basis.
You may object to processing based on Article 6(1)(f) GDPR in accordance with Section 19 of this policy.
11. Restricted Data and Prohibited Submissions
Unless expressly agreed in writing and lawfully supported, users must not submit or expose through the Service:
- Special categories of personal data under GDPR Article 9.
- Personal data relating to criminal convictions/offenses under GDPR Article 10.
- Regulated confidential datasets, payment credentials, private keys, legally privileged material, or comparable high-risk information.
Users and customer organizations remain responsible for lawful collection, lawful basis, minimization, classification, permissions, and internal governance of submitted data.
12. AI-Specific Processing Notice
The Service may process inputs to classify requests, retrieve or transform information, and generate output text. AI-assisted outputs may be inaccurate, incomplete, outdated, or contextually unsuitable.
The Service is not a substitute for professional legal, financial, tax, medical, cybersecurity, or other regulated judgment.
Users are responsible for implementing appropriate human review and validation before relying on outputs, especially in high-impact or regulated contexts.
The Operator does not independently verify the legality of customer-submitted datasets unless specifically agreed in a separate engagement scope.
13. Recipients, Processors, and Sub-processors
Personal data is not sold. Disclosure is limited to legitimate need-to-know contexts, including:
- Hosting, infrastructure, and operational security providers.
- Technical support and maintenance providers.
- Professional advisers under confidentiality obligations.
- Competent public authorities where disclosure is legally required.
Where a third party processes personal data on the Operator's behalf as a processor under GDPR, a contract meeting the requirements of Article 28 GDPR is put in place.
Any enterprise-specific processor/sub-processor chain for customer datasets is handled through separate contractual documentation and is not established solely by this public policy.
14. International Transfers
Processing is generally intended to remain local or within the EEA. If personal data is transferred outside the EEA, transfer mechanisms required under GDPR Chapter V are applied as appropriate to the scenario (for example adequacy decisions or Standard Contractual Clauses).
Additional enterprise transfer documentation may be provided where required by the deployment model.
15. Retention Periods
Retention is purpose-limited and risk-based. Typical retention logic is as follows:
- Security/access logs: generally 30-180 days, subject to extension for incidents, abuse investigations, disputes, or legal hold requirements.
- Chat and operational request logs: kept within configured rotation limits (currently a rotation limit based on the number of stored entries rather than on age) and typically not longer than 12 months, unless required for incident, compliance, or legal-defense purposes.
- Support and administrative correspondence: generally up to 24 months after closure of the request, unless a longer period is required for legal/compliance reasons.
- Account/session-related metadata for restricted interfaces: while account access remains active and for a limited post-deactivation security and audit window.
- Consent/preference records: until changed, withdrawn, reset, or technically replaced.
- Browser local storage data: retained on your device until you clear browser data, remove the entry, or it is overwritten by newer local data.
Retention periods may be extended where reasonably necessary to establish, exercise, or defend legal claims, satisfy legal obligations, or preserve evidence for security incident handling.
16. Security Measures
The Operator applies technical and organizational measures appropriate to risk, including access controls, role-based restrictions, session security settings, logging, and operational safeguards.
Security controls are periodically reviewed and adapted to context, but no online service can guarantee absolute security.
Users and customer organizations remain responsible for secure credential handling and for avoiding unnecessary or unlawful submission of personal data.
17. Personal Data Breaches
Where a personal data breach is identified, incident response procedures are applied, including containment, assessment, remediation, and documentation.
Notifications to supervisory authorities and affected persons are made where required under GDPR Articles 33 and 34 and applicable Croatian law.
18. Automated Decision-Making and Profiling
The Service is not intended to make solely automated decisions producing legal effects or similarly significant effects on individuals within the meaning of GDPR Article 22, unless a specific use case is explicitly documented and accompanied by required legal safeguards.
19. Data Subject Rights
Subject to legal conditions and exceptions, data subjects may request:
- Access (Article 15 GDPR).
- Rectification (Article 16 GDPR).
- Erasure (Article 17 GDPR).
- Restriction of processing (Article 18 GDPR).
- Data portability (Article 20 GDPR).
- Objection to processing (Article 21 GDPR), including objection to processing based on legitimate interests.
- Withdrawal of consent for consent-based processing, without affecting processing carried out before withdrawal.
Requests may be submitted to admin@dvnuk.com. Identity verification may be required where appropriate. Responses are generally provided within one month, subject to extension where legally permitted.
20. Complaint Rights
You have the right to lodge a complaint with a competent data protection supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or place of the alleged infringement.
The primary supervisory authority for the Operator is:
Agencija za zaštitu osobnih podataka (Croatian Personal Data Protection Agency, AZOP)
Ulica Metela Ožegovića 16
HR - 10 000 Zagreb
Hrvatska
E-mail: azop@azop.hr
Web: http://www.azop.hr
21. Cookies and Browser Local Storage
The Service uses a mixed client-storage model that includes both cookies and browser local storage.
Strictly necessary technologies. For protected admin/login functions, strictly necessary session cookies may be used for authentication and session security. These are required for secure operation of those restricted areas.
Browser local storage used by the public interface. The website currently stores continuity/preference data in local storage, including keys such as mizantropic_history_v2, miz_cookie_consent_v1, and miz_cookie_preferences_v1.
Optional categories. The cookie settings interface includes optional Analytics and Personalization preference categories. Where the law requires it, these categories are only activated by an explicit user choice. As currently implemented in this website codebase, these options are stored as preference flags only; selecting them does not by itself load or enable third-party analytics or advertising trackers.
Local browser storage may create privacy risk on shared or public devices. If you use a shared device, you should sign out where relevant and clear browser cookies/site data/local storage after use.
Additional details are available in the Cookie settings interface on the website.
22. Third-Party Links
The Service may include links to third-party websites or services not controlled by the Operator. Processing on third-party services is governed by their own terms and privacy notices.
23. Children
The Service is not directed to children under 18 years of age. If personal data of a child is identified in a context without valid legal basis, reasonable steps will be taken to remove or restrict such data as appropriate.
24. Changes to This Policy
This Privacy Policy may be updated to reflect legal, technical, or operational changes. The current version is published on this page with its update date.
Where required by applicable law, additional notice or consent handling will be implemented for material changes.
25. Contact
For privacy and data protection requests under this policy, contact: admin@dvnuk.com.