← Back to app

Privacy Policy

Last updated: 20 May 2026

Summary. Knowledge is a private retrieval-augmented AI service. Customers upload documents (PDF, Word, Excel, PowerPoint, etc.) into their workspace; we extract, chunk and embed the text so the team can search, chat, and draft from it. Your documents are stored only in your workspace, isolated from every other customer at the database level. We do not share your documents with anyone, we do not use them to train AI models, and we do not allow our AI providers to use them for training either. The minimum personal data we collect about you is for sign-in, billing, and security.

Contents

1. Who we are

Knowledge is operated by olyteck from France under SIRET 993 174 499 00018. For the purposes of the EU General Data Protection Regulation (GDPR):

  • olyteck is the data controller for personal data we collect to operate your account (e.g. the email address of a user signing in, billing details).
  • For the documents and conversations your team uploads or types into Knowledge, we act as a data processor on behalf of your organisation (which remains the controller). Our obligations as processor are spelt out in the Data Processing Agreement.

Privacy contact: privacy@olyteck.com.

Data Protection Officer. As a small individual operator, olyteck is not required to appoint a Data Protection Officer under GDPR Art. 37 and has not appointed one. All data-protection enquiries are handled by the privacy contact above; if the scope of processing changes such that an appointment becomes required, we will update this section.

2. Data we collect

Account data (about you, the signed-in user)

The fields below are received from Microsoft Entra ID when you sign in — we do not collect them from you directly:

  • Email address and display name
  • Opaque user identifier and tenant identifier (the "oid" and "tid" claims) — used to recognise you on repeat logins
  • Workspace role (admin or member) and project memberships you have been granted within Knowledge
  • Timestamps: account creation, last login, session activity

Workspace content (about your documents and conversations)

  • The documents you upload — file name, file type, file size, and the extracted text in chunked form (see §3)
  • A numeric vector representation of each chunk used for semantic retrieval (an "embedding")
  • Conversation history: questions you ask the chat, answers returned, and the chunks cited as sources
  • Agents you configure: name, system prompt, model selection, project scope, output settings
  • Per-call audit log: which agent ran, when, how many tokens, latency, success or error, who triggered it

Usage data

  • IP address and user-agent of requests that hit the app (for abuse detection)
  • Audit log entries for privileged actions (logins, agent CRUD, billing changes, member promotions)

Billing data

  • Stripe customer identifier, subscription status, plan code, invoice metadata
  • We never store full card numbers or CVC — card data is entered into Stripe's hosted Checkout and stays at Stripe

3. What we store from your documents

Unlike a pure "scanner" product, Knowledge is a retrieval-augmented AI service — it works precisely because we store the text of your documents in a way that can be searched. Here is exactly what that looks like in our database:

What we store from your workspace. The original uploaded file (PDF, DOCX, XLSX, PPTX, CSV, image), the text extracted from it split into chunks with the citation metadata needed to point an answer at a specific page / sheet / row, a numeric vector representation of each chunk used for semantic retrieval, and document-level metadata (title, file type, page count, upload timestamp, uploader, project / tag assignments and per-project access lists).

What we do not store. We do not call Microsoft Graph against your tenant, so we never see mailbox content, calendar entries, Teams messages, or any other Microsoft 365 data outside what you explicitly upload. We do not hold OAuth refresh tokens — sign-in uses short-lived ID tokens. We do not set browser cookies on third-party domains (see the Cookie Policy). We do not store full payment-card numbers — card data is entered into Stripe’s hosted Checkout and stays at Stripe.

Tenant isolation. Every record that touches your content is bound to the tenant that owns it; every query that returns content filters on the session’s tenant identifier, never on a value taken from the request. Cross-tenant access attempts return a not-found response rather than a forbidden response, so the very existence of another customer’s data is not discoverable.

Deletion. Removing a document from your workspace marks its chunks and the associated vectors for deletion; they are hard-deleted within 24 hours. Deleting your tenant removes every record that belongs to it — see §9.

4. AI providers & training

This is the question every security buyer asks first: does our AI vendor use my documents to train their models? For Knowledge, the answer is no, at every layer:

  • We do not train any model. Your documents, queries, and conversations are never aggregated, anonymised, or otherwise used as training data by olyteck.
  • Our LLM sub-processors do not train on API traffic by default. All four providers we route requests to (Mistral, OpenAI, Anthropic, Google Gemini) publish a “no training on API customer data” stance for the endpoints we call. The exact policy wording and a link to each provider’s current statement are listed in Sub-processors §3, which we maintain as the single source of truth so that we update one page when a provider revises its policy.
  • The Word and Excel add-ins inherit the same guarantees. When an add-in sends document context to the agents API, that context flows through the same provider as a browser chat — the same no-training stance applies.

5. How we use your data

  • To authenticate your sessions via Microsoft Entra ID single sign-on.
  • To run retrieval (semantic + full-text) over the documents in your workspace and produce grounded answers via the LLM you selected.
  • To run the Office add-ins (Word document audit, fill-section, summarize, translate; Excel bulk Q&A) against your workspace corpus.
  • To produce per-agent usage statistics for your admins (calls, tokens, latency, errors) and per-tenant plan-quota progress bars.
  • To bill you accurately and issue invoices through Stripe.
  • To send transactional email — sign-in notifications (when applicable), billing receipts, subscription state changes. These are part of the service; you cannot opt out without closing the account.
  • To detect abuse and secure the platform.
  • To comply with our legal and accounting obligations in France and the EU.

What we do not do: we do not sell or share your personal information for cross-context behavioural advertising; we do not use your documents, queries, or conversations to train AI models; we do not share your findings with advertisers; we do not scan or enumerate any Microsoft 365 tenant data outside what you explicitly upload.

7. Sub-processors

We use a short list of vendors to run the Service. Each acts as a data sub-processor under a written processing agreement. The Sub-processors page is the authoritative, version-dated list; the DPA repeats it with full legal references and the 30-day change-notice procedure. The high-level picture:

  • Hosting — application server, MariaDB database, and cron workers run on EU-27 infrastructure in France (Paris, PAR1).
  • Microsoft Ireland Operations Ltd. (Ireland, EU) — Microsoft Entra ID OIDC for single sign-on. Microsoft sees only the sign-in handshake; your documents are never sent to Microsoft.
  • Google Ireland Ltd. (EU) — Gemini embeddings model (gemini-embedding-001) for chunk embeddings on every upload. When a tenant picks a Gemini model for chat, queries also flow to Google.
  • Mistral AI (Paris, France) — chat completions for Mistral Small / Large when a tenant picks them.
  • OpenAI, LLC (US — SCCs + EU-US DPF) — chat completions for GPT-4o mini / GPT-4o / GPT-4 Turbo when a tenant picks them.
  • Anthropic, PBC (US — SCCs + EU-US DPF) — chat completions for Claude Haiku / Sonnet / Opus when a tenant picks them.
  • Stripe Payments Europe, Ltd. (Ireland) — subscription billing and EU VAT collection.
  • Transactional email provider — sends billing receipts and account-state notifications. \'From\' address is no-reply@olyteck.com.

8. Payments

Paid subscriptions are processed by Stripe Payments Europe, Ltd. (Ireland). We receive a transaction reference, amount, currency, subscription state, and the last four digits of the card. Full card data is entered directly into Stripe's hosted Checkout and never touches our servers. Stripe's privacy policy applies to that portion of the flow.

9. Storage & retention

Application data is hosted in France (Paris, PAR1) (EU-27). Default retention windows:

  • Account data — while your tenant is active, plus 30 days after deletion.
  • Documents, chunks, embeddings — while the document is in your workspace; deleted within 24 hours of removal.
  • Conversation history — set per plan: 30 days (Free / Starter), 365 days (Pro), 365 days (Enterprise, custom on request).
  • Agent call audit log — 24 months. Export available to Business / Enterprise plans.
  • Job history (ingestion / re-embedding runs) — 90 days for completed runs; failed runs kept indefinitely so an admin can retry.
  • Application audit log — 24 months.
  • Billing records — 10 years (required by French accounting law).

10. Sharing with third parties

We only share data with:

  • The sub-processors listed in §7, strictly to run the Service.
  • Tax authorities, lawyers, auditors, or courts when legally required.
  • A successor entity in case of merger or acquisition, under the same privacy commitments — we'd notify tenant admins by email at least 30 days before the transition takes effect.

All of the above are bound by written agreements with appropriate confidentiality and security obligations.

11. International transfers

The application server, database, and cron workers all run in France (Paris, PAR1) (EU-27). Where a sub-processor processes data outside the European Economic Area — notably OpenAI and Anthropic in the United States — transfers rely on the EU Standard Contractual Clauses (Commission Decision (EU) 2021/914) and, where available, certification under the EU-US Data Privacy Framework. Stripe and Microsoft data flows stay in Ireland (EU).

12. Your rights

If you are in the EU, the UK, or otherwise subject to GDPR, you have the right to:

  • Access the personal data we hold about you
  • Correct data that is inaccurate or incomplete
  • Delete your account and, on request from a tenant administrator, your tenant's documents and conversations
  • Export your data in a portable format (per-agent call history is exportable in CSV; document re-download is available from the workspace UI)
  • Restrict or object to specific processing activities
  • Withdraw consent at any time (where processing is based on consent)
  • Lodge a complaint with the French data-protection authority (CNIL) at cnil.fr

To exercise any of these rights, email privacy@olyteck.com from the address associated with your account. We respond within 30 days.

13. Automated processing

The Service routes your questions to a Large Language Model and returns the model's response, grounded in chunks retrieved from your workspace. These are decision-support outputs, not automated decisions producing legal effects on individual data subjects within the meaning of GDPR Art. 22. We do not profile individuals, score employees, or use the Service's output to feed any external automated decision system.

Quality varies by model and by prompt. The Terms of Service set out our position on hallucinations and the customer's responsibility to review outputs before they're used for material decisions.

14. Security

The full technical and organisational measures are described in the Security overview and the DPA §5. Key points:

  • Encrypted transport (TLS 1.2 or higher) for all traffic.
  • Strict per-tenant isolation; cross-tenant access attempts return a not-found response so the existence of other tenants is not disclosed.
  • Microsoft Entra ID single sign-on with PKCE — no application-managed passwords.
  • API keys are stored as cryptographic hashes; per-key rate limit, monthly token budget, IP allowlist, and origin lock are enforced on every call.
  • State-changing requests are CSRF-protected and audit-logged.
  • Daily off-site database backup, 30-day rolling window, encrypted at rest.

No online service can promise absolute security. If you suspect a breach affecting your data, email security@olyteck.com immediately. We will acknowledge within 24 hours and, where the breach is confirmed, notify affected tenant admins within 72 hours of awareness as required by GDPR Art. 33.

15. Cookies & analytics

The only cookies Knowledge sets without asking are the strictly necessary ones for login (PHP session, CSRF). Inside the authenticated app we run no third-party analytics. On public marketing pages we may, in the future, add a privacy-preserving server-side counter (no cookies) or a consent-gated GA4 tag — until then, the marketing pages are analytics-free. The full breakdown is in the Cookie Policy.

16. Marketing email

The only emails we send today are transactional: account confirmation, billing receipts, plan-state changes, security notifications. These are sent on the basis of contract performance (Art. 6(1)(b) GDPR) and you cannot opt out without closing the account.

If we ever introduce an optional product-tips newsletter, enrolment will be by an unticked-by-default checkbox at signup, with a one-click unsubscribe link and an List-Unsubscribe header per RFC 8058. We will record consent on your user row (timestamp + source) and remove you from the list immediately on withdrawal.

17. California residents (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act, gives you specific rights. This section is your "notice at collection".

  • Categories of personal information we collect. Identifiers (work email, Entra OID/TID), professional information (your role in the workspace), internet/network activity (IP for abuse detection, sign-in timestamps), commercial information (subscription plan), and user content (the documents and queries you submit).
  • Sources. Directly from you when you sign in, upload, or query; from Microsoft Entra when you authenticate.
  • Business purposes. Operating, securing and improving the Service; billing; transactional email; legal compliance.
  • Sale or sharing. We do not "sell" personal information and do not "share" it for cross-context behavioural advertising as those terms are defined under the CPRA. We have therefore not enabled a "Do Not Sell or Share My Personal Information" link.
  • Sensitive personal information. The Service is a B2B tool. We do not intentionally collect or use sensitive personal information and we do not use it to infer characteristics about you.
  • Retention. See §9.
  • Your rights. Right to know, delete, correct, limit use of sensitive personal information (not relevant — see above), and the right not to be discriminated against for exercising these rights. Email privacy@olyteck.com from your account address; we respond within 45 days (extendable once by 45 days, with notice, as permitted by the CPRA).
  • Authorised agent. You may appoint an agent to act on your behalf. We will require proof of the agent's authority and may require you to verify your identity directly with us.

18. Minors

Knowledge is a B2B tool intended for use by authorised members of an organisation. It is not directed at children under 16. If you believe a minor has signed up, email us and we will close the account and delete the data.

19. Changes to this policy

When we make a material change we update the "Last updated" date at the top and, where the change affects your rights, notify tenant admins by email. Continued use after the change means you accept the updated policy.

20. Contact

Questions about privacy? Email privacy@olyteck.com — or the general support address support@olyteck.com. Security incidents: security@olyteck.com.

Operator: olyteck — SIRET 993 174 499 00018.