PRIVACY POLICY

Effective Date: 05 February 2026

This Privacy Policy explains how UAB Such Much AI, company code 306405204, registered address Bukčių g. 6-38, Vilnius, LT-04127 Vilniaus m. sav., Lithuania, VAT number LT100017966319 (“Such Much AI”, “we”, “us”) processes personal data when you interact with our websites and Services marketed under RFPX and/or Such Much AI.

We process personal data in accordance with the GDPR (Regulation (EU) 2016/679), applicable Lithuanian data protection law, and EU/Lithuanian rules on cookies and similar technologies (ePrivacy rules).

No AI training by default. We do not use Customer Data, Outputs, or personal data to train AI models unless a Customer explicitly opts in in writing.

1) Scope
This Policy applies to personal data processed in connection with:
our websites (including rfpx.com, suchmuchai.com, suchmuch.ai),
our web SaaS platform (AI-enabled document generation, dashboards, and organization-level administration),
sales, onboarding, consulting, training, and support communications, and
our social media pages where we act as page administrator.
This Policy does not replace:
our Terms of Service, or
our Data Processing Agreement / Data Processing Terms (DPA), which apply when we process personal data on behalf of business/government Customers.

2) Controller vs Processor (important)
Depending on the context, we act as either Controller or Processor:
A. Controller (our purposes)
We are the Controller for personal data relating to website operation, opt-in marketing, account administration, billing, CRM, support communications, and security of our systems.
B. Processor (Customer Data)
When a business/government Customer uploads documents or other content that includes personal data (“Customer Data”), we generally process that data on the Customer’s instructions as a Processor under GDPR Article 28. In that case:
the Customer is the Controller,
processing is governed by the DPA (available upon request), and
data subject requests should generally be addressed to the Customer first (e.g., your employer/agency). We assist the Customer as required by law and the DPA.

3) Personal data we process
Depending on how you use the Services, we may process:
Account and organization data: name, work email, organization name, role/permissions, organization admin actions (e.g., inviting users, role changes).
Authentication and access data: login events, IP address, device/browser information, session identifiers.
Communications: messages and files you send us (support tickets, emails, onboarding/training communications).
Billing and transactional data: billing contact details, invoice details, VAT ID, payment status; card payment details are processed by our payment provider (e.g., Stripe) and we typically receive limited payment metadata.
CRM data (Attio): business contact details, communication history, and relationship notes for sales/account management.
Usage, diagnostics, and security logs: feature usage, performance metrics, error logs, and security/audit logs. Some logs may include snippets of prompts/inputs strictly for debugging, security, and abuse prevention.
Customer Data (Processor context): documents, prompts/inputs, and Outputs, to the extent a Customer uploads or creates them.
Special categories / criminal offence data: Customers must not submit special category data (GDPR Art. 9) or criminal offence data (Art. 10) unless we explicitly agree in writing and implement appropriate safeguards.

4) Purposes, legal bases, and retention (Controller processing)
We process personal data as Controller for the following purposes:
4.1 Provide and operate the Services (accounts, organization admin, authentication, support)
Legal basis: performance of a contract (GDPR Art. 6(1)(b)) and legitimate interests in operating the Services (Art. 6(1)(f)).
Retention: for the lifetime of the account and generally up to 12 months after termination/inactivity (unless required longer for disputes, security, or legal obligations).
4.2 Billing, subscriptions, accounting, and tax compliance (including invoices/bank transfers)
Legal basis: contract (Art. 6(1)(b)) and legal obligation (Art. 6(1)(c)).
Retention: accounting/tax records up to 10 years (or longer if required by applicable law).
4.3 CRM and sales account management (Attio)
Legal basis: legitimate interests (Art. 6(1)(f)) in managing business relationships and responding to inquiries; contract steps where applicable (Art. 6(1)(b)).
Retention: for the duration of the business relationship and up to 24 months after last meaningful contact, unless legal claims require longer retention.
4.4 Security, abuse prevention, and incident response (including audit/security logs)
Legal basis: legitimate interests (GDPR Art. 6(1)(f)) in securing our Services, preventing abuse, and investigating incidents; and legal obligations where applicable (Art. 6(1)(c)).
Retention: security/audit/activity logs are retained for up to 180 days, and longer only where needed for investigation, fraud prevention, or legal hold.
4.5 Service communications (transactional emails, important notices)
Legal basis: contract (Art. 6(1)(b)) and legitimate interests (Art. 6(1)(f)).
Retention: as needed to deliver and evidence communications.
4.6 Marketing communications (opt-in only)
Legal basis: consent (Art. 6(1)(a)).
Retention: until you withdraw consent/unsubscribe; we keep minimal suppression records to respect your preferences.

5) AI-specific privacy statements
EEA hosting and infrastructure. Customer Data is hosted by default in the EEA. Models used to generate Outputs run on EEA-based cloud infrastructure.
No third-party foundation model APIs. We do not process Customer Data via third-party foundation model APIs.
No training by default. We do not use Customer Data, Outputs, or personal data to train models unless a Customer explicitly opts in in writing.
Outputs and citations. Outputs may include reference sources/citations generated automatically; citations may be incomplete or incorrect and must be verified independently.

6) Enterprise “process-only / no storage” mode
Some enterprise Customers may enable a “process-only / no storage” mode by written agreement (Order Form/DPA). In that mode, Customer Data is processed transiently and is not stored in the platform except where necessary for immediate processing and minimal operational/security logging.
By default (without such agreement), we store Customer Data and Outputs to provide the Services.

7) Cookies and similar technologies
We use cookies and similar technologies to operate the websites and Services.
7.1 Essential cookies (no consent required)
Used for authentication, security, and core functionality.
7.2 Analytics/performance and monitoring (consent-based where required)
Subject to consent requirements under EU/Lithuanian ePrivacy rules, we use:
Google Analytics (analytics)
Hotjar (UX analytics/session insights)
PostHog (product analytics)
Sentry (error monitoring)
These tools are used under their EU terms and data protection addenda and configured to support EU compliance. You can manage preferences via our cookie banner and/or settings where available.
7.3 No advertising cookies
We do not use advertising cookies/pixels (e.g., Meta Pixel, LinkedIn Insight Tag, Google Ads) unless we clearly inform you and obtain consent where required.

8) Sharing and recipients
We share personal data only as necessary and under appropriate safeguards, including with:
Payment providers (e.g., Stripe) and banking/payment operations for invoices/bank transfers;
CRM (Attio) for sales and account management;
Customer support/communications (Intercom, configured for EU hosting) and email delivery providers;
Analytics/monitoring providers listed in Section 7 (subject to consent where required);
Professional advisors (legal/accounting) under confidentiality;
Authorities where required by law.
Subprocessors list: A current list of subprocessors is available upon request. Where applicable, we provide 30 days’ notice of material subprocessor changes, consistent with our DPA approach.
We do not sell personal data.

9) International transfers
We market the Services only in the EU, and Customer Data is hosted by default in the EEA. However, certain vendors (especially analytics and payment providers) may involve processing or support access outside the EEA depending on configuration.
Where personal data is transferred outside the EEA, we use GDPR Chapter V mechanisms such as an adequacy decision and/or EU Standard Contractual Clauses (SCCs) with supplementary measures where required.

10) Retention and deletion (including backups)
We retain personal data only as long as necessary for the purposes described above, including legal compliance.
Customer Data (Processor context): retention is primarily controlled by the Customer’s instructions and the DPA. As our operational baseline aligned to our Terms of Service:
after termination, we provide a 30-day export window,
we delete Customer Data from active systems within 30 days after the export window ends, and
we delete Customer Data from backups within 90 days thereafter,
unless legal hold or mandatory retention applies.

11) Security and incident handling
We maintain commercially reasonable technical and organizational measures designed to protect personal data (e.g., encryption in transit, access controls, and monitoring).
If a personal data breach occurs, we handle it in accordance with GDPR Articles 33–34, including notifications to the competent supervisory authority and affected individuals where required.

12) Your rights under GDPR
Depending on context and legal basis, you may have rights to: access, rectification, erasure, restriction, portability, object to processing based on legitimate interests, and withdraw consent (for consent-based processing).
If your data is within Customer Data uploaded by a Customer: the Customer is the Controller; please contact the Customer first. We will assist the Customer as required.
To exercise rights relating to our Controller processing, contact info@suchmuchai.com.

13) Complaints
You can contact us with complaints at info@suchmuchai.com.

You also have the right to lodge a complaint with:
Valstybinė duomenų apsaugos inspekcija (VDAI)
L. Sapiegos g. 17, LT-10312 Vilnius, Lithuania

14) Changes to this Policy
We may update this Policy from time to time. For material changes, we will provide notice via email and/or in-Service notice and indicate an effective date (generally at least 30 days in advance unless a shorter period is required for security or legal reasons).

15) Contact
UAB Such Much AI
Bukčių g. 6-38, Vilnius, LT-04127 Vilniaus m. sav., Lithuania
Email: info@suchmuchai.com