Privacy & GDPR

Who we are

CELLLS is an AI-powered research tool that lets you build tables that fill themselves. We're incorporated in the Netherlands and operate entirely on European infrastructure. Our aim is to keep every part of this service — hosting, AI, payments, error tracking — within European hands.

For the purposes of GDPR, CELLLS acts as the data controller for account and usage data. The research data you put into your grids belongs to you — we process it only to operate the service.

What data we collect

We collect only what we need to run the service:

• — Account data — your name and email address, used to create and manage your account.
• — Billing data — your subscription status. We never see or store your payment card details — these go directly to Paddle.
• — Grid data — the rows, columns, and cell values you create. This is your data and we process it solely to deliver the AI research functionality you asked for.
• — Usage data — basic logs (IP address, browser type, pages visited) used for security monitoring and improving the service.
• — Session cookies — used to keep you logged in. We don't use advertising cookies or third-party tracking pixels.

Legal basis for processing

We process your data under these lawful grounds:

• — Contract — to provide the service you signed up for: running AI research jobs, storing your grids, sending you account emails.
• — Legitimate interests — to monitor for errors and abuse, improve reliability, and keep the service secure.
• — Legal obligation — to retain billing records as required by Dutch and EU tax law.

Your GDPR rights

Under GDPR you have the following rights — all exercisable by emailing us.

Sub-processors — all European

We deliberately choose European suppliers wherever possible. Every infrastructure and AI provider we use is headquartered in the EU or EEA. The one exception is Paddle (UK), which operates under UK GDPR — an equivalent framework — and contractual safeguards are in place.

Provider	Country	Purpose	Data involved
UpCloud (via Ploi)	Finland	App hosting, database, queue workers	All account and grid data
BunnyCDN	Slovenia	CDN, DDoS protection, DNS	Static assets, IP addresses
Orq.ai	Netherlands	AI agent orchestration	Grid row context sent per job
Mistral AI	France	AI language models (via Orq.ai)	Grid row context sent per job
Bugsink	Netherlands	Error tracking (self-hosted)	Error stack traces, no personal data
Paddle	United Kingdom	Payment processing	Name, email, billing address

Where your data lives

Your data is stored on UpCloud servers within the European Economic Area. It does not leave the EEA, with the sole exception of payment processing by Paddle (UK), which is governed by UK GDPR and Standard Contractual Clauses. We have no plans to use US-based infrastructure.

International data transfers

Where data does cross EEA borders (currently only Paddle for billing), we rely on one or more of the following safeguards:

• — An adequacy decision by the European Commission (UK GDPR is currently considered adequate)
• — Standard Contractual Clauses (SCCs) approved by the European Commission

Security

We apply both technical and organisational measures to protect your data:

No method of transmission is 100% secure, but we take reasonable and commercially standard measures to protect your data.

How long we keep your data

• — Active account data — kept for as long as your account is active.
• — After account deletion — personal data is deleted within 30 days. Anonymised usage statistics may be retained.
• — Billing records — retained for 7 years as required by Dutch tax law.
• — Server logs — retained for 30 days for security purposes, then deleted.

Data Processing Agreement

If you use CELLLS as part of a business and need a Data Processing Agreement (DPA) for your own GDPR compliance, we're happy to provide one. A DPA formalises the controller–processor relationship and documents the technical and organisational measures we apply.

To request a DPA, email privacy@cellls.com with the subject "DPA request".