1. Introduction
This Privacy Policy describes how Stazion ApS ("Stazion," "we," "us," or "our") collects, uses, stores, and protects personal data when you use our AI-powered sales platform ("Service"). Stazion helps sales teams upload product documents, extract products, generate proposals, and run the RFQ/RFx workflow to draft, send, and learn from quote responses grounded in the organization's own documents.
We are committed to protecting your privacy and processing your personal data in accordance with the General Data Protection Regulation (GDPR) and applicable Danish data protection laws.
2. Data Controller
Stazion ApS CVR: 46244028 Husumgade 31, 4. 15, 2200 København N, Denmark
For privacy inquiries, contact us at: vb@stazion.ai
3. Data We Collect
3.1 User Account Data
When you create an account or sign in, we collect:
- Profile Information: Email address, display name, and, if you provide them, company name, job title, phone number, website, and profile photo (avatar)
- Account Identifiers: Your user ID and the identifier of the organization you belong to
- Authentication Data: Login credentials managed by our authentication provider (passwords are never stored in plain text), session tokens, and email verification status
3.2 Organization Directory Data
To run the Service within your organization, we collect:
- Organization Profile: Organization name and email domain
- Membership and Roles: Which users belong to your organization and their role (owner, admin, or member)
3.3 Documents and Content You Upload
The core of the Service is analysis of documents you provide. We collect and process:
- Uploaded Files: PDFs, Word, Excel, and PowerPoint documents such as product brochures, catalogs, specifications, RFQ/RFx documents, and related materials
- Extracted Content: Text and layout extracted from your files (including via optical character recognition for scanned documents), extracted product data (names, categories, specifications, features), and document metadata (file name, type, size, page count, indexing status)
- Search Indexes (Embeddings): Numeric representations of document chunks that power semantic search and retrieval
Your documents may contain personal data (for example names, contact details, or pricing tied to individuals). You are responsible for ensuring you have a lawful basis to upload such content.
3.4 RFQ/RFx and Communications Data
When you use the RFQ/RFx workflow, we process:
- Line Items and Quotes: Extracted RFQ line items, quantities, pricing, compliance assessments, and generated quote and response documents
- Outbound Email: Emails sent on your behalf to buyers and teammates, including recipient, subject, and message content
- Teams Messages: Messages sent to teammates and one-click reply links, plus the replies captured back from the asked teammate
- Buyer Feedback: Debrief and feedback content you record against RFQ lines
3.5 Integration Data
If you connect optional integrations, we access and store:
- Microsoft 365 (Microsoft Graph): OAuth access and refresh tokens (encrypted at rest), your Microsoft tenant identifier, and the permissions needed to send email as you and to send and receive Teams messages on your behalf
- Merge.dev (CRM and Knowledge Bases): Where configured, customer and account context such as accounts, opportunities, and contacts, and metadata from connected file storage or knowledge bases, used to enrich the sales context
3.6 Analytics Data
In our production environment, we use Amplitude to understand how users interact with the Service:
- Usage Events: Page views, feature interactions, form interactions, and clicks
- Session Data: Session duration, referral source, and UTM campaign parameters
- Session Replay: A sampled subset of sessions may be recorded to diagnose usability issues
- Identifiers: User ID and session ID
Analytics is not enabled on local or development environments.
3.7 Technical and Log Data
We collect technical information needed to operate and secure the Service, including IP address, browser and device information, and application logs.
4. How We Use Your Data
We process your personal data for the following purposes:
| Purpose | Legal Basis (GDPR) |
|---|---|
| Provide and maintain the Service | Contract performance (Art. 6(1)(b)) |
| Analyze documents, extract products, and build search indexes | Contract performance (Art. 6(1)(b)) |
| Generate proposals and RFQ/RFx responses | Contract performance (Art. 6(1)(b)) |
| Send email and Teams messages on your behalf | Contract performance (Art. 6(1)(b)) |
| Send service notifications | Contract performance (Art. 6(1)(b)) |
| Improve our Service | Legitimate interest (Art. 6(1)(f)) |
| Product analytics and usage insights | Legitimate interest (Art. 6(1)(f)) |
| Respond to support requests | Contract performance (Art. 6(1)(b)) |
| Comply with legal obligations | Legal obligation (Art. 6(1)(c)) |
5. AI Processing of Your Content
The Service relies on third-party AI providers to deliver its core features. When you use document analysis, product extraction, proposal generation, the RFQ/RFx workflow, or search, relevant content from your documents and queries is transmitted to these providers for processing:
- Anthropic (Claude): Product extraction, RFQ line and requirement extraction, compliance assessment, and proposal and chat generation. Document text and related context are sent.
- OpenAI: Generation of contextual summaries for document chunks and creation of search embeddings. Document text and chunks are sent.
- Cohere: Optional reranking of search results, where a query and candidate document snippets are sent to improve relevance.
- Google Cloud (Document AI): Optical character recognition and text extraction from uploaded PDFs and images, where the file content is sent for processing.
We do not use your content, including document content or queries, to train our own or any third party's general-purpose AI models. These AI providers are engaged only to process your content in order to provide the Service, under terms that prohibit using that content to train their models. We do not make decisions that produce legal or similarly significant effects about you based solely on automated processing.
6. Data Sharing and Third Parties
We share data with the following third-party service providers (subprocessors):
6.1 Anthropic
- Purpose: AI processing for extraction, compliance, and proposal generation
- Data Shared: Document content, RFQ content, and user queries
- Privacy Policy: https://www.anthropic.com/legal/privacy
6.2 OpenAI
- Purpose: Document chunk contextualization and search embeddings
- Data Shared: Document content and chunks
- Privacy Policy: https://openai.com/policies/privacy-policy/
6.3 Cohere
- Purpose: Reranking of search results (optional)
- Data Shared: Search queries and candidate document snippets
- Privacy Policy: https://cohere.com/privacy
6.4 Google Cloud Platform (Google LLC)
- Purpose: Document AI for text extraction and optical character recognition, and temporary processing storage
- Data Shared: Uploaded document files
- Location: EEA region
- Privacy Policy: https://cloud.google.com/terms/cloud-privacy-notice
6.5 Supabase
- Purpose: Database, authentication, and file storage (primary data store)
- Data Shared: Account data, organization data, uploaded documents and extracted content, RFQ data, and encrypted integration tokens
- Location: EEA
- Privacy Policy: https://supabase.com/privacy
6.6 Microsoft Corporation
- Purpose: Sending email as the user, Teams messaging, and authentication where Microsoft 365 is connected
- Data Shared: OAuth credentials, email content and metadata, and Teams message content
- Privacy Policy: https://privacy.microsoft.com/
6.7 Merge.dev (Merge API, Inc.)
- Purpose: Unified integration with CRM, file storage, and knowledge bases (optional)
- Data Shared: Integration credentials and synced customer and account context
- Privacy Policy: https://www.merge.dev/legal/privacy-policy
6.8 Vercel Inc.
- Purpose: Application hosting and serverless execution
- Data Shared: Application traffic, logs, and operational metrics
- Location: EEA (Stockholm, Sweden)
- Privacy Policy: https://vercel.com/legal/privacy-policy
6.9 Resend
- Purpose: Inbound and transactional email handling
- Data Shared: Email content and metadata
- Privacy Policy: https://resend.com/legal/privacy-policy
6.10 Amplitude Inc.
- Purpose: Product analytics and usage tracking
- Data Shared: User ID, session ID, usage events, and sampled session replays
- Location: EU data region
- Privacy Policy: https://amplitude.com/privacy
7. Cookies and Tracking Technologies
7.1 Cookies and Storage We Use
| Cookie/Storage | Type | Purpose | Duration |
|---|---|---|---|
| Authentication cookies | HttpOnly Cookie | Session authentication and login | Session / token lifetime |
| Amplitude storage | Cookie / localStorage | Analytics and session tracking | Up to 1 year |
| User preferences | localStorage | Theme settings and dismissed notifications | Until cleared |
7.2 Managing Cookies
You can manage or disable cookies through:
- Browser Settings: Most browsers allow you to block or delete cookies
- Analytics Opt-Out: Contact us at vb@stazion.ai to opt out of analytics
Note: Disabling the authentication cookie will prevent you from using the Service, as it is required for login.
8. Data Retention
We retain your personal data as follows:
- Account Data: Retained while your account is active
- Organization Data: Retained while the organization subscription is active
- Uploaded Documents and Extracted Content: Retained while your account is active, or until you delete the document
- RFQ/RFx and Communications Data: Retained while your account is active
- Integration Tokens: Retained while the integration is connected, and deleted when you disconnect it
- Analytics Data: Retained for up to 12 months
- Logs: Retained for a limited period for security and troubleshooting
Upon Account Deletion: Personal data is deleted within 30 days of your deletion request. Some data may be retained longer if required by law or for legitimate business purposes (for example billing records).
9. Data Security
We implement appropriate technical and organizational measures to protect your data:
- Encryption at Rest: Sensitive integration credentials (such as Microsoft refresh tokens) are encrypted using AES-256-GCM authenticated encryption
- Encryption in Transit: All data is transmitted over HTTPS/TLS
- Access Controls: Role-based access and row-level security isolate each organization's data
- Authentication: Secure session management, with OAuth state protected against cross-site request forgery
- Infrastructure: Hosted on enterprise cloud infrastructure with security controls
10. International Data Transfers
Your core personal data (account data, uploaded documents, and search indexes) is hosted within the European Economic Area (EEA). Some subprocessors, in particular the AI providers used for processing, are located outside the EEA, including in the United States. When we transfer data outside the EEA, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs): Applied to transfers to processors outside the EEA without an adequacy decision
- Adequacy Decisions: Relied upon where applicable, including the EU-US Data Privacy Framework where the subprocessor is certified
- Supplementary Measures: Encryption and data minimization applied where appropriate
- Processor Agreements: All subprocessors are bound by Data Processing Agreements
11. Your Rights
Under GDPR, you have the following rights regarding your personal data:
11.1 Right of Access (Art. 15)
Request a copy of the personal data we hold about you.
11.2 Right to Rectification (Art. 16)
Request correction of inaccurate or incomplete personal data.
11.3 Right to Erasure (Art. 17)
Request deletion of your personal data (the "right to be forgotten").
11.4 Right to Restriction (Art. 18)
Request limitation of processing of your personal data.
11.5 Right to Data Portability (Art. 20)
Receive your personal data in a structured, machine-readable format.
11.6 Right to Object (Art. 21)
Object to processing based on legitimate interests.
11.7 Rights Related to Automated Decision-Making (Art. 22)
We do not make decisions based solely on automated processing that produce legal effects.
How to Exercise Your Rights
To exercise any of these rights, contact us at:
Email: vb@stazion.ai
Response Time: We will respond to your request within 30 days. If we need more time (up to 60 additional days for complex requests), we will inform you.
Verification: We may need to verify your identity before processing your request.
12. Children's Privacy
Our Service is designed for business use and is not directed at individuals under 16 years of age. We do not knowingly collect personal data from children.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Posting the updated policy on our website
- Updating the "Last Updated" date
- Sending email notification for significant changes (if you have an account)
We encourage you to review this policy periodically.
14. Supervisory Authority
If you are not satisfied with our response to your privacy concerns, you have the right to lodge a complaint with the Danish Data Protection Agency:
Datatilsynet Carl Jacobsens Vej 35 2500 Valby, Denmark Website: https://www.datatilsynet.dk/ Email: dt@datatilsynet.dk
15. Contact Us
For any questions about this Privacy Policy or our data practices:
Email: vb@stazion.ai
Mailing Address: Stazion ApS Husumgade 31, 4. 15, 2200 København N, Denmark