Privacy Policy
Last Updated: February 24, 2026
Effective Date: Immediate
1. Introduction & Scope
This Privacy Policy explains how Tacitus Systems (“we,” “us,” or “our”) collects, uses, and protects personal data when you interact with our website (tacitussystems.com), submit contact forms, or create an account.
Scope limitation: This policy covers data collected through our website and direct business interactions. It does not govern the processing of Customer Data, Customer Content, or Vector Embeddings within the Cloud Bridge or Cortex infrastructure. The handling of such data is governed by the Data Processing Addendum and the Security Addendum.
For definitions of capitalized terms, refer to the Master Service Agreement, Section 2.
Data Controller
Tacitus Systems
Ul. Krótka 7
97-200 Tomaszów Mazowiecki
Poland
Email: contact@tacitussystems.com
2. Legal Basis for Processing
Under the General Data Protection Regulation (GDPR/RODO), we process personal data only when we have a valid legal basis. The following table maps each processing activity to its legal basis:
| Processing Activity | Data Processed | Legal Basis | GDPR Article |
|---|---|---|---|
| Website analytics | Page views, referrer, country (no personal data) | Legitimate interest (website improvement) | Art. 6(1)(f) |
| Contact and briefing request forms | Name, email, company, role, message content | Legitimate interest (responding to business inquiries) | Art. 6(1)(f) |
| Account creation (Cloud Bridge) | Username, email, billing details | Contract performance | Art. 6(1)(b) |
| Billing and invoicing | Company name, billing address, payment records | Legal obligation (Polish tax law) | Art. 6(1)(c) |
| Instance Telemetry (Cloud Bridge) | CPU/GPU utilization, uptime metrics, RAID health | Contract performance (service delivery and monitoring) | Art. 6(1)(b) |
3. Data We Collect
3.A Website Visitors
When you browse tacitussystems.com, we collect minimal metadata to ensure site reliability and analyze traffic trends.
- Analytics. We use Simple Analytics, an EU-hosted, privacy-first analytics service. Simple Analytics does not use cookies, does not collect personal data, and does not track individual visitors. All analytics data is aggregated and anonymous. No consent is required for Simple Analytics under GDPR or the ePrivacy Directive, as it does not access or store information on your device.
- Contact Forms. When you request a briefing or contact sales, we process the data you provide (Name, Email, Company, Role, Message) using Web3Forms as our form processing provider.
3.B Account Holders (Cloud Bridge)
If you subscribe to our Cloud Bridge service, we collect:
- Account Information. Username, email address, and billing details necessary for service provisioning and invoicing.
- Instance Telemetry. Non-personally-identifiable operational metrics (CPU/GPU utilization, uptime status, RAID health) used to maintain service reliability. Telemetry contains no Customer Data or Customer Content.
3.C Cortex Users (Hardware)
Once you operate a physical Cortex appliance, our data collection drops to near-zero:
- Supply Drop Manifests (State File). To provide software updates, you may manually upload a State File to our portal. This file contains hardware identifiers, software version numbers, and optionally operational telemetry (CPU/GPU utilization, RAID status, uptime metrics). It contains no Customer Data, Customer Content, or personally identifiable information.
- Flight Recorder Data. If you request support and voluntarily provide a diagnostic bundle, Tacitus Systems will receive a Flight Recorder bundle — an automatically PII-redacted, GPG-encrypted diagnostic log generated by the appliance. Before export, the system scrubs personally identifiable information using automated pattern-matching rules. The encrypted bundle can only be decrypted by Tacitus Systems support personnel. Providing a Flight Recorder bundle is entirely voluntary and only occurs when you initiate a support request and choose to submit the bundle.
4. Cookies
4.1 Cookie Categories
| Category | Purpose | Consent Required |
|---|---|---|
| Strictly Necessary | Essential site functionality (session management, CSRF protection) | No |
4.2 No Analytics Cookies
Tacitus Systems uses Simple Analytics, which operates without cookies and without collecting personal data. As a result, no cookie consent banner is required for analytics purposes.
4.3 Minimal Cookie Footprint
The website uses only strictly necessary cookies required for core functionality. No third-party tracking cookies are set.
5. Third-Party Processors
We work with a limited number of service providers who act as data processors under Article 28 GDPR. We maintain Data Processing Agreements with each processor.
| Processor | Purpose | Data Processed | Location | DPA in Place |
|---|---|---|---|---|
| Scaleway | Cloud infrastructure (Cloud Bridge hosting) | Encrypted volumes, VM hosting | EU (France/Poland) | Yes |
| Web3Forms | Contact form processing | Name, email, company, role, message | EU/Global | Yes |
| Simple Analytics | Website analytics | Aggregated page views, referrer, country (no personal data) | EU (Netherlands) | Yes |
Cortex exemption: In Cortex Mode, all document processing occurs on the Customer’s air-gapped hardware. No third-party processors are involved in Customer Data operations.
6. International Data Transfers
6.1 Customer Data (Cloud Bridge)
All Cloud Bridge infrastructure is hosted within the European Economic Area (Scaleway, France/Poland). Customer Data does not leave the EEA.
6.2 Website Analytics
Simple Analytics is hosted within the European Union. No analytics data is transferred outside the EEA.
6.3 Contact Form Data
Web3Forms processes contact form submissions. Where processing occurs outside the EEA, transfers are governed by Standard Contractual Clauses.
7. Data Retention
We retain personal data only as long as necessary for the purposes described in this policy.
| Data Category | Retention Period | Basis |
|---|---|---|
| Website analytics | Aggregated and anonymized; no individual-level data retained | No personal data collected |
| Contact form submissions | Indefinitely, unless you request deletion | Legitimate interest (Art. 6(1)(f)); right to erasure available upon request (Art. 17) |
| Account information (Cloud Bridge) | Indefinitely, unless you request deletion | Legitimate interest (Art. 6(1)(f)); right to erasure available upon request (Art. 17) |
| Billing and tax records | 5 years from the end of the fiscal year in which the transaction occurred | Polish tax law obligation (Ordynacja podatkowa) |
| Instance Telemetry | Retained for the duration of the service agreement plus 24 months | Contract performance and legitimate interest |
| Flight Recorder Data | Duration of the related support case plus 90 days | Deleted after case resolution |
8. Data Breach Notification
In the event of a personal data breach:
- Supervisory Authority. We will notify the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych, UODO) within 72 hours of becoming aware of a breach, as required by Article 33 GDPR.
- Affected Data Subjects. Where the breach is likely to result in a high risk to the rights and freedoms of affected individuals, we will notify those individuals without undue delay, as required by Article 34 GDPR.
- Customers (Cloud Bridge/Cortex). We will notify affected Customers within 48 hours of becoming aware of a breach affecting their infrastructure, in accordance with the Security Addendum.
9. Your Rights (RODO/GDPR)
Under the General Data Protection Regulation, you have the following rights:
| Right | Description | GDPR Article |
|---|---|---|
| Access | Request a copy of the personal data we hold about you | Art. 15 |
| Rectification | Request correction of inaccurate personal data | Art. 16 |
| Erasure | Request deletion of your personal data (“right to be forgotten”) | Art. 17 |
| Restriction | Request that we restrict processing of your data | Art. 18 |
| Data Portability | Receive your data in a structured, commonly used, machine-readable format | Art. 20 |
| Objection | Object to processing based on legitimate interest | Art. 21 |
| Withdraw Consent | Withdraw consent for processing based on consent (e.g., analytics cookies) at any time | Art. 7(3) |
Encryption and Data Accessibility. In some cases, particularly for Cortex users, personal data processed by the system may be cryptographically protected using keys held exclusively by the Customer. If encryption keys are lost (e.g., loss of the Master Mnemonic), data may be permanently unrecoverable, even upon a valid erasure or access request. Tacitus Systems bears no responsibility for data that is irretrievable due to encryption key loss. This limitation applies only to Customer Data stored on the Cortex appliance; it does not affect your rights regarding personal data that Tacitus Systems directly holds (such as contact form submissions or account information).
How to Exercise Your Rights
Submit your request by email to contact@tacitussystems.com. We will respond within 30 days of receipt. If we need additional time (up to 60 additional days for complex requests), we will inform you within the initial 30-day period.
Exercising your rights is free of charge. We may charge a reasonable fee for manifestly unfounded or excessive requests, in accordance with Article 12(5) GDPR.
Right to Lodge a Complaint
You have the right to lodge a complaint with the Polish supervisory authority:
Urząd Ochrony Danych Osobowych (UODO)
ul. Stawki 2
00-193 Warszawa, Poland
Website: https://uodo.gov.pl
10. Automated Decision-Making
Tacitus Systems does not use personal data collected through this website for automated decision-making or profiling that produces legal effects or similarly significant effects on individuals.
For information about AI-assisted processing within the Cloud Bridge or Cortex infrastructure, refer to the AI Policy.
11. Changes to This Policy
We will notify you of material changes to this Privacy Policy by: (a) posting the updated policy on our website with a revised “Last Updated” date, and (b) sending notice to the email address associated with your account (if applicable) at least fourteen (14) days before the changes take effect.
12. Contact
For privacy inquiries, data subject requests, or questions about this policy:
Tacitus Systems
Ul. Krótka 7
97-200 Tomaszów Mazowiecki
Poland
Email: contact@tacitussystems.com