Privacy Policy
Reference document
This is niil's default, EU-first privacy policy (Datenschutzerklärung), provided for your review. For the hosted niil service (niil.ai / app.niil.ai) the binding version is published by Gradient Zero Deutschland GmbH (see below). For a self-hosted deployment, the organisation running the instance publishes the binding version with its own controller entity, address, and data-protection contact. This page is not legal advice.
Version 1.0
Who we are
niil is developed and operated by Gradient Zero Deutschland GmbH (gzero.ai). Gradient Zero Deutschland GmbH operates the hosted niil service at niil.ai / app.niil.ai and, for that service, is the controller for account/operational data and the processor for customer content (see the DPA). Its legal entity, registered address, and data-protection contact (DPO where required) are published in the hosted service's binding policy and imprint.
For self-hosted deployments, niil is developed by Gradient Zero Deutschland GmbH but operated by the organisation running the instance — that organisation is the operator/controller and publishes its own binding policy and data-protection contact.
What we process and why
| Data | Purpose | Legal basis (GDPR) |
|---|---|---|
| Account data (name, email) | Provide and secure your account | Art. 6(1)(b) contract |
| Chat & document content | Deliver the chat / document-chat service | Art. 6(1)(b) contract |
| Usage & billing metadata | Metering, billing, abuse prevention | Art. 6(1)(b)/(f) |
| Security & audit logs | Security, compliance, incident response | Art. 6(1)(c)/(f) |
For business customers, content is processed on the customer's behalf as a processor under the DPA; the customer is the controller for that content.
Where your data is processed
Account data, chats, and documents are stored encrypted at rest in the EU. AI inference runs on EU-resident provider endpoints. We contract Zero Data Retention with AI providers where supported and never use your data to train AI models. Current sub-processors are listed in Sub-processors.
Retention & deletion
We retain data for the duration of the contract. You can delete individual chats and documents at any time, and request full export or erasure of your data in-product (GDPR Art. 15 / 17). On contract end, data is deleted or returned per the DPA, subject to statutory retention.
Security
We apply the technical and organisational measures in the TOM, including AES-256-GCM encryption at rest, TLS in transit, access control, tenant isolation, and audit logging.
Your rights
Access, rectification, erasure, restriction, portability, objection, and the right to lodge a complaint with a supervisory authority. See Data protection & GDPR for the in-product controls, and contact your niil operator's data-protection contact to exercise these rights.
Changes
We notify material changes in advance and publish the version and effective date.