Privacy Policy – AI Tuning
Last updated: 22 November 2025
This Privacy Policy explains how AI Tuning (operated by Sandrex Group EOOD, “we”, “us”) collects, uses and protects personal data when you visit our website aituning.io, contact us or use our services. We process personal data in accordance with the EU General Data Protection Regulation (GDPR) and applicable Bulgarian data protection law.
1. Data Controller & Contact Details
- Controller – Sandrex Group EOOD (trading as “AI Tuning”)
- Registered seat – Varna, Bulgaria, bul. “Narodni Buditeli” No. 13A, floor 2, ap. 3, 9003
- Company ID / UIC – 206370019
- VAT status – Not VAT registered in Bulgaria at this time.
- Website – https://aituning.io
- General contact – E-mail: [email protected]; Tel: +3590884895284
- Contact for privacy matters – E-mail: [email protected]; Postal address: same as registered seat
- Data Protection Officer – Currently not appointed. For all data protection questions, please contact: [email protected].
- Supervisory Authority – Commission for Personal Data Protection (CPDP), 2 Prof. Tsvetan Lazarov Blvd., 1592 Sofia, Bulgaria; Website: cpdp.bg
2. Scope of this Privacy Policy
This policy applies to:
- Visitors to the website aituning.io and its sub-pages;
- Individuals contacting us via e-mail, contact forms or scheduling tools;
- Prospective and existing clients of AI Tuning;
- Participants in webinars, consultations or other events organised by us.
It does not apply to processing carried out by our clients on their own infrastructure when they deploy models that we have trained for them as processors or independent controllers. In such cases, our role and responsibilities are defined in the respective service agreement and data-processing agreement (DPA).
3. Categories of Personal Data We Process
Depending on how you interact with us, we may process the following categories of data:
- Identification and contact details – name, company, role, e-mail, phone, billing details.
- Communication data – messages you send us, notes from discovery calls or consultations, support tickets.
- Technical and usage data – IP address, device and browser type, timestamps, basic usage logs, error logs.
- Analytics data – pseudonymised visit and event data collected via our self-hosted Matomo instance.
- Contract and billing data – service contracts, invoices, payment status (no full card data is stored by us).
- Training data for models – documents, text corpora or datasets you provide to fine-tune or evaluate models. We expect you to provide only data that you are lawfully allowed to share with us.
- Marketing and cookie preferences – newsletter opt-ins, cookie consent choices, event registrations, communication preferences.
4. Purposes and Legal Bases for Processing
We process personal data only when there is a valid legal basis under Article 6 GDPR. The main purposes and legal bases are:
| Purpose | Categories of data | Legal basis |
|---|---|---|
| Operating the website, ensuring security and performance | Technical and usage data, IP address, logs | Legitimate interest (Art. 6(1)(f) GDPR) in running a secure, reliable website and preventing abuse. |
| Basic web analytics (self-hosted Matomo) | Analytics data, technical and usage data | Depending on configuration and jurisdiction: legitimate interest (Art. 6(1)(f) GDPR) with data minimisation, and/or your consent (Art. 6(1)(a) GDPR) via our cookie banner. |
| Responding to enquiries and providing pre-sales information | Identification and contact details, communication data | Legitimate interest (Art. 6(1)(f) GDPR) in answering requests; or steps prior to entering into a contract (Art. 6(1)(b) GDPR). |
| Providing and managing our services (consulting, fine-tuning, hosting) | Identification, contact, contract, billing and training data | Performance of a contract (Art. 6(1)(b) GDPR); legal obligations in accounting and tax law (Art. 6(1)(c) GDPR). |
| Improving and monitoring our services | Technical and usage data, analytics data, aggregated training metrics | Legitimate interest (Art. 6(1)(f) GDPR) in improving service quality, stability and security while respecting your privacy. |
| Sending newsletters or event information | Identification and contact details, marketing preferences | Consent (Art. 6(1)(a) GDPR). You can withdraw consent at any time via the unsubscribe link or by contacting us. |
| Running marketing and remarketing campaigns (LinkedIn / Meta pixels) | Technical and usage data, pixel IDs, page views, conversion events | Consent (Art. 6(1)(a) GDPR) for “Marketing” cookies and pixels, given via our cookie banner. Pixels only run after your opt-in. |
| Compliance and defence of legal claims | Any relevant data categories | Legitimate interest (Art. 6(1)(f) GDPR) in establishing or defending legal claims; legal obligations (Art. 6(1)(c) GDPR). |
5. Where We Obtain Personal Data From
We primarily receive data directly from you when you:
- visit and use our website;
- accept or reject cookies and optional tracking;
- fill in a contact or booking form;
- request a proposal or sign a contract with us;
- send us datasets or documents for model training and evaluation.
We may also receive limited business contact details from publicly available sources (such as LinkedIn or company registers) when we perform B2B outreach in our legitimate interest to develop our business. You can object to such processing at any time (see Section 10).
6. Recipients and Data Processors
We do not sell or rent your personal data. We share it only where necessary and subject to appropriate safeguards, with:
- Hosting and infrastructure providers – servers and storage located in the EU (including our own servers in Bulgaria) used to host this website, analytics and project data.
- Content delivery and security provider – Cloudflare, which provides CDN, security and performance optimisation for our website.
- E-mail and productivity tools – Zoho (EU data centres) for e-mail and related services.
- Analytics platform – our self-hosted Matomo instance, operated by Sandrex Group EOOD on EU-based infrastructure.
- Marketing and advertising partners – LinkedIn and Meta (Facebook/Instagram) where you have consented to marketing pixels in our cookie banner.
- Billing and accounting providers, banks and payment processors – to issue invoices and process payments.
- External advisors (e.g. legal, tax, technical) where required.
All processors that act on our behalf do so on the basis of written contracts and follow our documented instructions in line with Article 28 GDPR.
7. International Data Transfers
Our aim is to store and process personal data within the European Economic Area (EEA) wherever possible. This applies in particular to our website hosting, self-hosted Matomo analytics and Zoho EU e-mail environment.
If, in exceptional cases, data must be transferred to countries outside the EEA (for example through Cloudflare’s global network or when using LinkedIn or Meta pixels), we only do so where:
- an adequacy decision of the European Commission applies; and/or
- we or our partners use Standard Contractual Clauses (SCCs) or other appropriate safeguards; and
- additional technical and organisational measures are implemented where necessary.
Further information on the safeguards used by these providers can be found in their respective privacy and data processing documentation.
8. Data Retention
We keep personal data only as long as necessary for the purposes described above, or to comply with legal retention obligations. In general:
- Contact and enquiry data – normally up to 24 months after last interaction, unless a contract is concluded or a longer retention period is required by law.
- Contract and billing data – kept for up to 10 years in line with accounting and tax law.
- Technical logs – typically 6–24 months, unless needed longer for security incidents or legal claims.
- Analytics data (Matomo) – stored in pseudonymised form for a period that allows us to analyse usage trends (usually 12–36 months), after which data may be aggregated or deleted.
- Training datasets – stored for the duration of the project and any agreed retention period in the DPA, then securely deleted or returned to you.
9. Your Rights Under GDPR
You have the following rights regarding your personal data:
- Right of access – to obtain confirmation whether we process your data and to receive a copy.
- Right to rectification – to have inaccurate or incomplete data corrected.
- Right to erasure – to request deletion of your data where legal grounds apply (“right to be forgotten”).
- Right to restriction of processing – in certain circumstances.
- Right to data portability – to receive data you provided to us in a structured, commonly used format.
- Right to object – to processing based on our legitimate interests, including direct marketing.
- Right to withdraw consent – at any time, where processing is based on consent. This does not affect the lawfulness of processing before withdrawal.
10. Right to Lodge a Complaint
If you believe that your data protection rights have been violated, you have the right to lodge a complaint with the supervisory authority in your country of residence or at our main establishment in Bulgaria:
Commission for Personal Data Protection (CPDP)
2 Prof. Tsvetan Lazarov Blvd., 1592 Sofia, Bulgaria
Website: cpdp.bg
E-mail: [email protected]
11. Cookies and Similar Technologies
Our website uses cookies and similar technologies to ensure basic functionality and, where you consent, to analyse traffic and run marketing and remarketing campaigns.
We use a consent management tool (currently Complianz) to display a cookie banner and record your choices. You can choose between different categories (e.g. “Necessary”, “Analytics”, “Marketing”) and change or withdraw your consent at any time via the cookie settings link on our site.
In particular:
- Necessary cookies are required for the basic operation and security of the site and are used without consent on the basis of our legitimate interests.
- Analytics cookies / Matomo may be used either in a strictly necessary, cookieless configuration or, where cookies are set, based on your consent.
- Marketing cookies / pixels (e.g. LinkedIn Insight Tag, Meta Pixel) are only activated if you explicitly opt in to “Marketing” cookies in the banner.
For details on the specific cookies, providers, purposes and storage periods, please refer to our separate Cookie Policy.
12. Automated Decision-Making and Profiling
We do not use your personal data for automated decision-making that produces legal effects concerning you or similarly significantly affects you within the meaning of Article 22 GDPR.
We may use aggregated, anonymised or pseudonymised data to improve our models and services. Where client datasets are used to improve models beyond the scope of a specific project, this will be governed by a separate agreement and only with appropriate legal basis and safeguards.
13. Data Security
We take appropriate technical and organisational measures to protect your personal data against unauthorised access, loss or misuse. These measures include, among others, access controls, encryption in transit, regular security updates, network segmentation and restricted access to training datasets and logs.
14. Changes to this Privacy Policy
We may update this Privacy Policy from time to time, for example to reflect changes in our services, legal requirements or best practices. The current version is always available at aituning.io/privacy-policy. We will indicate the date of the last update at the top of this page and, where appropriate, inform you via e-mail or on the website.
If you have questions about this Privacy Policy or how we handle your personal data, please contact us at [email protected].