CapMonster Cloud LLC Privacy Policy
1. Introduction
This Privacy Policy governs the processing of personal data in accordance with the laws of the European Union, the United States, and other applicable jurisdictions, including the GDPR, CCPA, CPRA, and the EU AI Act. The document sets out the rules for collecting, storing, using, protecting, and disclosing your information when interacting with CapMonster Cloud LLC websites (“Websites”), products, services, and applications (“Services”), as well as when participating in events or contacting the company.
2. Data Controller and Contact Information
Company: CapMonster Cloud LLC
EU Representative: CapMonster EU Representative
3. Notification upon Collection of Information (CCPA)
3.1 Categories of Collected Personal Data
| Category | Examples | Retention Period |
|---|---|---|
| Identifiers | Name, email, IP address, cookie ID, etc. | Until account deletion + 3 years |
| Commercial Information | Transaction history, payments, subscriptions | 5 years |
| Internet Activity | Pages, actions, search queries | Up to 24 months |
| Geolocation | City, country | Up to 24 months |
| Device Information | Browser, OS, device type, language | Up to 24 months |
| Communication Information | Correspondence, requests, complaints | Until dispute resolution + 3 years |
| Professional Information | Position, company | Until account deletion + 1 year |
3.2 Purposes of Personal Data Processing
- Provision of the Service
- Customer support
- Analytics and improvement
- Marketing (with consent)
- Security and compliance
- Legal obligations
4. Legal Grounds for Personal Data Processing (GDPR, Article 6)
| Purpose of Processing | Example Data | Legal Basis | Applicable Rule |
|---|---|---|---|
| Provision and Performance of the Service | Email, licence ID, IP address | Contract (Art. 6(1)(b)) | Contract performance |
| Payments and Taxes | Payment data, invoices | Legal obligations (Art. 6(1)(c)) | Tax law |
| Marketing | Email, cookie ID | Consent (Art. 6(1)(a)) | Explicit consent |
| Analytics | IP, cookies, logs | Legitimate interest (Art. 6(1)(f)) | Service improvement |
| Security | Access logs, IP | Legitimate interest (Art. 6(1)(f)) | Protection of rights |
| Legal compliance | All data | Legal obligations (Art. 6(1)(c)) | Authorities’ requests |
Balance of interests assessment: Only the minimum necessary and anonymised data are used; users may opt out of analytics.
5. Protection and Storage of Personal Data
5.1 Technical and Organisational Measures
- Data encryption (TLS/SSL)
- Two-factor authentication, RBAC
- Logging, auditing, backup
- Physical security of servers
- Staff training on data protection
5.2 Access Restriction
Only authorised employees and contractors have access to data to the extent necessary, and all sign confidentiality agreements.
5.3 Data Storage Location
Data is stored in the EEA and the USA in accordance with GDPR and CCPA requirements.
5.4 Security Limitations
The company cannot guarantee absolute data security. Users must protect their account and report suspicious activity.
6. Personal Data Retention Periods
| Data Type | Retention Period | Legal Basis |
|---|---|---|
| User account | Until account deletion + 3 years | GDPR Art. 17(3)(e) |
| Financial data | 5 years | Tax law |
| Access logs | 90 days | Legitimate interest |
| Cookies | Up to 24 months | User consent |
| Customer support | Until dispute resolution + 3 years | Legal obligations |
| Marketing consents | As long as consent is valid | GDPR Art. 7 |
6.1 Data Deletion Procedure
- Profile deletion — within 30 days
- Financial data — 5 years
- Complete data deletion — after retention period or by law
7. Transfer of Personal Data
7.1 Internal Transfer
Transfers between divisions, affiliated and subsidiary companies are carried out in accordance with the policy.
7.2 Transfer to Third Parties
- Service providers: hosting, payments, analytics, support, marketing — operate under DPA.
- Business transfer: in case of merger, sale of assets, bankruptcy.
- Legal compliance: upon authorities’ request, to protect rights.
- Law enforcement: disclosure only with legal basis and user notification (unless prohibited by law).
7.3 No Sale of Data
The company does not sell personal data to third parties for compensation. Data sharing for analytics is possible if permitted by law — users may opt out in their profile settings.
7.4 International Data Transfers
Transfers to the EEA, USA, and other countries are made under SCCs, with additional safeguards and legal assessment. Users may object to transfers to certain countries.
8. Data Subject Rights
8.1 Rights under the GDPR
- Right of access
- Right to rectification
- Right to erasure (“right to be forgotten”)
- Right to restrict processing
- Right to data portability
- Right to object
- Rights regarding automated decisions
- Right to withdraw consent
- Right to lodge a complaint with a supervisory authority
8.2 Rights under CCPA/CPRA (California)
- Right to know
- Right to obtain a copy
- Right to deletion
- Right to opt out of sale
- Right to non-discrimination
- Right to correction
- Right to restrict use
8.3 Exercising Rights
Rights may be exercised via online form, email, or post. Responses are provided within the statutory period (GDPR — 30 days, CCPA — 45 days), with identity verification and free access (restrictions apply for unfounded/repetitive requests).
8.4 Data Retention for Legal Purposes
Aggregated and anonymised data may be retained to fulfil legal obligations.
9. Managing Your Privacy
9.1 Opting Out of Information Disclosure
Required data is mandatory for registration and service provision. Without it, the service is unavailable.
9.2 Opting Out of Marketing
- User account — change settings
- Link in email — unsubscribe
- Support — email with opt-out request
9.3 System Messages
System and service notifications cannot be disabled.
10. Cookies and Tracking Technologies
10.1 Types of Cookies
- Necessary — always enabled
- Functional — requires consent
- Analytics — requires consent (EU) or opt-out (California)
- Marketing — requires consent
10.2 Managing Cookies
- Consent banner — on the website upon first visit
- Browser settings
- “Do not sell my data” button (California)
10.3 Other Tracking Technologies
| Technology | Purpose | Management |
|---|---|---|
| Web Beacons | Page views, emails | As with cookies |
| Tags | Conversions, events | In privacy settings |
| Scripts | Behavioural data | As with cookies |
| Local Storage | Preferences | In browser |
11. Web Analytics
11.1 Google Analytics
Used to analyse traffic, with IP anonymisation and opt-out option.
11.2 Other Analytics Services
Mixpanel, Segment — managed via cookie consent.
12. Consent and Consent Management
12.1 When Consent Is Required
- Marketing communications
- Analytics and marketing cookies
- Special processing (profiling, automation)
12.2 How Consent Is Given
- Upon registration (explicitly)
- Banner upon first website visit
- In user account
12.3 Withdrawal of Consent
Consent withdrawal is effective from the moment the request is received and does not affect processing already carried out.
13. Linked Websites
13.1 Policy Scope Limitation
This policy does not apply to third-party websites linked from our site. You are advised to review their policies before providing data.
14. Automated Decisions and Profiling
The company does not use fully automated decision-making with legal consequences. Automated processes may be used for security, billing, quality rating, and fraud prevention, without affecting user rights. Users may request an explanation or appeal a decision.
15. Protection of Children’s Data
The service is not intended for persons under 18 years of age. The company does not collect such data, and registration and targeted marketing for children are excluded. If a child’s data is mistakenly obtained, it will be deleted and the parent/guardian notified.
16. Use of Artificial Intelligence
16.1 AI Systems
- Qwen3-VL (Alibaba Cloud) — image recognition and analysis, trained on open datasets, user data not used for training
- Mistral-7B-Instruct-v0.2 (Mistral AI) — text processing and generation, trained on open text datasets, user data not used for training
16.2 Classification under the EU AI Act
The AI systems used are considered limited-risk systems, not applied to high-risk tasks or decisions with legal consequences.
16.3 Transparency Requirements
- Users are informed about AI use
- Purposes, limitations, risks, and the possibility of explanation and appeal of AI decisions are stated
16.4 Risk Management
- Regular risk assessment and monitoring
- Staff training
- Documentation of usage and outcomes
- Bias testing
16.5 Training Data Information
The company does not use user data to train AI.
16.6 Training and Skills Development
The company conducts regular staff training on the following topics:
- AI risks and issues (bias, fairness, transparency)
- Ethical issues in AI and machine learning
- Legal and regulatory requirements (GDPR, EU AI Act, CCPA)
- Best practices in responsible AI development
- Documentation and reporting for AI systems
16.7 Model Training Data
Important clarification: CapMonster Cloud does not use user personal data for AI model training.
Model training:
- Qwen3-VL and Mistral-7B-Instruct-v0.2 are trained by their developers (Alibaba, Mistral AI)
- Training data collected by developers from open sources
- CapMonster Cloud user data not used in training
Model usage:
- CapMonster Cloud uses pre-trained models “as is”
- Models are not retrained on user data (without explicit consent)
Fine-tuning (if applicable):
- If in the future we conduct fine-tuning on user data, this will:
  - Be explicitly stated in an updated Policy
  - Require separate user consent
  - Be applied only with consent
16.8 Training Data Information (publication from August 2025)
In accordance with the EU AI Act, from August 2025 we publish the following information:
For Qwen3-VL:
- Description of the training dataset
- Dataset size (number of examples)
- Types of images in the dataset
- Data cleaning and filtering methods
- Bias testing
- Link to technical documentation
For Mistral-7B-Instruct-v0.2:
- Description of text datasets
- Dataset size
- Languages included in training
- Text processing methods
- Bias testing results
- Link to technical documentation
17. Licence Compliance
17.1 Apache 2.0
AI models are distributed under the Apache 2.0 licence, retaining notices of licence, authorship, and change documentation. Users are entitled to use the service commercially and request licence information.
18. Data Security and Breach Notification
In the event of a data breach, the company notifies supervisory authorities within 72 hours, and affected individuals without delay. A register of all incidents is maintained.
19. Policy Changes
For significant changes, notice is given 30 days before they take effect, published on the website and sent by email. Minor changes may be made without notice. Continued use of the service after publication of updates constitutes acceptance of the policy.
20. Contacts
A response is provided within 7 business days. If further information is required, the timeframe may be extended.
For other US states — the Attorney General of the relevant state.
21. Applicable Law and Jurisdiction
The policy is governed by the laws of the State of New York, as well as applicable EU, California, and other jurisdiction laws. All disputes are resolved first through negotiation. If negotiations are unsuccessful, disputes are resolved in the courts of the user’s country (EEA) or the State of New York (USA). The stricter law always takes precedence.
22. Final Provisions
The policy takes effect from 01 August 2025. Users are responsible for familiarising themselves with the current version. The document is deemed accepted upon first use of the service after publication or update.
© CapMonster Cloud LLC — 2025. All rights reserved.