For users in the European Economic Area (EEA) and Switzerland: F. Zawada, with his registered office at Hoza 29 Street, 00-521 Warsaw, is the controller and is responsible for the processing of your Personal Data as described in this Privacy Policy.
Totus ("we," "our," or "us") is committed to protecting your privacy and complying with applicable data protection laws. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI chatbot service.
We collect personal data relating to you ("Personal Data") as follows:
When you visit, use, or interact with the Services, we receive the following information about your visit, use, or interactions ("Technical Information"):
For purposes of US state privacy laws, we collect the following categories of Personal Data:
We may use Personal Data for the following purposes:
We may also aggregate or de-identify Personal Data so that it no longer identifies you and use this information for the purposes described above, such as to analyze the way our Services are being used, to improve and add features to them, and to conduct research. We will maintain and use de-identified information in de-identified form and not attempt to reidentify the information, unless required by law.
As noted above, we may use Content you provide us to improve our Services, for example to train the models that power our AI chatbot. You can opt out of our use of your Content to train our models through your account settings.
Your conversations may be used to train and improve our AI models. We implement measures to anonymize and de-identify data used for training purposes. Sensitive personal information is removed before training data is processed.
We prioritize working with AI providers that claim to implement Zero Data Retention (ZDR) policies, meaning they do not store your conversation data after processing. However, we cannot guarantee that these providers always follow their declared ZDR policies, and we are not responsible for any data retention practices of third-party providers that may occur despite their stated policies.
Primary Storage: LLM data is primarily stored and processed within Europe to ensure compliance with GDPR and other European data protection regulations.
Non-European Providers: When we use providers outside of Europe, we ensure appropriate legal safeguards are in place, including Standard Contractual Clauses (SCCs) and other legally valid transfer mechanisms as required by GDPR.
Services like our AI chatbot generate responses by reading a user's request and, in response, predicting the words most likely to appear next. In some cases, the words most likely to appear next may not be the most factually accurate. For this reason, you should not rely on the factual accuracy of output from our models.
If you notice that AI output contains factually inaccurate information about you and you would like to request a correction or removal of the information, you can submit these requests to privacy@totus.org, and we will consider your request based on applicable law and the technical capabilities of our models.
We do not sell your Personal Data or share Personal Data for cross-contextual behavioral advertising, and we do not process Personal Data for "targeted advertising" purposes (as those terms are defined under state privacy laws). We may disclose your Personal Data in the following circumstances:
To assist us in meeting business operations needs and to perform certain services and functions, we may disclose Personal Data to vendors and service providers, including providers of hosting services, customer service vendors, cloud services, content delivery services, support and safety monitoring services, email communication software, web analytics services, payment and transaction processors, and other information technology providers. Pursuant to our instructions, these parties will access, process, or store Personal Data only in the course of performing their duties to us.
If we are involved in strategic transactions, reorganization, bankruptcy, receivership, or transition of service to another provider (collectively, a "Transaction"), your Personal Data may be disclosed in the diligence process with counterparties and others assisting with the Transaction and transferred to a successor or affiliate as part of that Transaction along with other assets.
We may share your Personal Data, including information about your interaction with our Services, with government authorities, industry peers, or other third parties in compliance with the law (i) if required to do so to comply with a legal obligation, or in the good faith belief that such action is necessary to comply with a legal obligation, (ii) to protect and defend our rights or property, (iii) if we determine, in our sole discretion, that there is a violation of our terms, policies, or the law; (iv) to detect or prevent fraud or other illegal activity; (v) to protect the safety, security, and integrity of our products, employees, users, or the public, or (vi) to protect against legal liability.
We may disclose Personal Data to our affiliates, meaning an entity that controls, is controlled by, or is under common control with Totus. Our affiliates may use this Personal Data in a manner consistent with this Privacy Policy.
When you join an Enterprise or business account, the administrators of that account may access and control your Totus account, including being able to access your Content. In addition, if you create an account using an email address belonging to your employer or another organization, we may share the fact that you have an account and certain account information, such as your email address, with your employer or organization to, for example, enable you to be added to their business account.
Certain features allow you to interact or share information with other users or third parties. Information you share with third parties is governed by their own terms and privacy policies, and you should make sure you understand those terms and policies before sharing information with them.
We'll retain your Personal Data for only as long as we need in order to provide our Services to you, or for other legitimate business purposes such as resolving disputes, safety and security reasons, or complying with our legal obligations. How long we retain Personal Data will depend on a number of factors, such as:
In some cases, the length of time we retain data depends on your settings. For example, temporary chats will not appear in your history and will be kept up to 30 days for safety purposes.
We implement commercially reasonable technical, administrative, and organizational measures designed to protect Personal Data from loss, misuse, and unauthorized access, disclosure, alteration, or destruction. However, no Internet or email transmission is ever fully secure or error free. Therefore, you should take special care in deciding what information you provide to the Services. In addition, we are not responsible for circumvention of any privacy settings or security measures contained on the Service, or third-party websites.
Depending on where you live, you may have certain statutory rights in relation to your Personal Data. For example, you may have the right to:
You have the following rights to object:
You can exercise some of these rights through your Totus account. If you are unable to exercise your rights through your account, please submit your request to privacy@totus.org or dsar@totus.org.
You can contact our data protection officer at dpo@totus.org in matters related to Personal Data processing.
In order to protect your Personal Data from unauthorized access, change, or deletion, we may require you to verify your credentials before you can submit a request to know, correct, or delete Personal Data. If you do not have an account with us, or if we suspect fraudulent or malicious activity, we may ask you to provide additional Personal Data for verification. If we cannot verify your identity, we will not be able to honor your request.
You may also submit a rights request through an authorized agent. If you do so, the agent must present signed written permission to act on your behalf and you may also be required to independently verify your identity with us. Authorized agent requests can be submitted to dsar@totus.org.
Depending on where you live, you may have the right to appeal a decision we make relating to requests to exercise your rights. To appeal a decision, please send your request to dsar@totus.org.
If you have any unresolved complaints with us or our Data Protection Officer, you can reach out to the Irish Data Protection Commission as our lead supervisory authority for EEA users, or your local supervisory authority. For any unresolved complaints relating to the UK you can reach out to the Information Commissioner's Office and for Switzerland, to the Federal Data Protection and Information Commissioner.
Depending on where you live and subject to applicable exceptions, you may have the following privacy rights in relation to your Personal Data:
We process your Personal Data based on the following legal bases:
| Purpose of processing | Type of Personal Data processed | Legal basis |
|---|---|---|
| To provide, analyze, and maintain our Services | Account Information, User Content, Communication Information, Log Data, Usage Data, Device Information, Location Information, Cookies | Contractual necessity - processing user's prompts to provide a response |
| To improve and develop our Services and conduct research | All Personal Data categories | Legitimate interests - developing, improving, or promoting our Services |
| To communicate with you | Account Information, Communication Information, Usage Data | Contractual necessity for service communications; Consent for marketing communications |
| To prevent fraud and protect security | All Personal Data categories | Legal obligation and legitimate interests |
| To comply with legal obligations | All Personal Data categories | Legal obligation |
Totus processes your Personal Data on servers located outside of the EEA, Switzerland and the UK for the purposes described in this Privacy Policy. This includes processing and storing your Personal Data in our facilities and servers in the United States and other jurisdictions. While data protection law varies by country and these countries may not offer the same level of data protection as your home country, we apply the protections described in this policy to your Personal Data regardless of where it is processed.
When transferring Personal Data outside of the EEA, Switzerland or the UK, we rely on the following transfer mechanisms to comply with applicable data protection law:
For more information or to obtain a copy of the appropriate safeguards we have in place when transferring Personal Data, please contact us at privacy@totus.org.
We use cookies and similar technologies to operate and administer our Services, and improve your experience. If you use our Services without creating an account, we may store some of the information described in this policy with cookies, for example to help maintain your preferences across browsing sessions. For details about our use of cookies, please read our Cookie Notice.
Our Services are not directed to, or intended for, children under 13. We do not knowingly collect Personal Data from children under 13. If you have reason to believe that a child under 13 has provided Personal Data to Totus through the Services, please email us at privacy@totus.org. We will investigate any notification and, if appropriate, delete the Personal Data from our systems. Users under 18 must have permission from their parent or guardian to use our Services.
We may update this Privacy Policy from time to time. When we do, we will publish an updated version and effective date on this page, unless another type of notice is required by applicable law.
Please contact support if you have any questions or concerns not already addressed in this Privacy Policy. Alternatively, you can write to us at privacy@totus.org or at the address provided in Section 1 (Data Controller).
You can contact our Data Protection Officer at dpo@totus.org in matters related to Personal Data processing.
For data subject rights requests, please contact dsar@totus.org.