Privacy Policy
Last updated: May 9, 2026
This Privacy Policy explains how Esan Neural Computing (Eneco) ("Esan", "we", "us", "our") collects, uses, shares and protects personal data when you use the Esan website at esan.ai and the Esan AI agent product (together, the "Service"). It also describes your rights under the EU General Data Protection Regulation ("GDPR") and the Spanish Organic Law 3/2018 on Personal Data Protection and Digital Rights ("LOPDGDD").
By using the Service you confirm that you have read and understood this Policy. If you do not agree, do not use the Service.
1. Who is the controller of your data
The data controller, as defined in Art. 4(7) GDPR, is:
- Legal name: Esan Neural Computing (Eneco)
- Form: Operating as an individual sole proprietor in Spain
- Location: Donostia – San Sebastián, Spain
- Contact (privacy): hey@esan.ai
The tax identification number (NIF) is available on written request to the contact address above for any data subject exercising their rights or any supervisory authority.
We have not appointed a Data Protection Officer because our processing activities do not meet the thresholds of Art. 37 GDPR. You can still raise any privacy concern via the contact email above; we will route it to the person responsible for privacy matters.
2. What data we collect
We process the following categories of personal data:
2.1 Account data
- Email address
- Display name (optional)
- Authentication identifiers (Supabase user id, OAuth provider identifiers if you sign up with Google or GitHub)
- Hashed password (never the plaintext)
2.2 Profile and Memory data
- Self-declared profile fields you set in Settings (nickname, occupation, "about you" notes)
- "Memories" you save explicitly — short rules you want the agent to remember across sessions (e.g. "I prefer Tailwind for CSS")
2.3 Conversation data
- Messages you send to the agent
- Files you upload
- Agent responses, including tool calls, search results, code execution outputs and generated artifacts
- Metadata: timestamps, session ids, model identifier, token counts
2.4 Connector data (third-party services)
When you connect a third-party service (Gmail, Google Drive, Google Calendar, GitHub, Slack, Notion, etc.) we receive and process data from that service as needed to fulfil your instructions:
- OAuth tokens issued by the provider (access token + refresh token), stored encrypted at rest with AES symmetric encryption (pgcrypto on PostgreSQL)
- Scopes you have granted
- Service-specific data retrieved only when an agent action requires it (e.g. an email's content when you ask to summarise it). This data is processed in memory and is NOT persisted on Esan's servers beyond the duration of the request
2.5 Technical data
- IP address, user agent, device type
- Pages viewed, features used, error reports
- Cookies strictly necessary for the Service (session, CSRF). We do not use advertising or cross-site tracking cookies.
2.6 Billing data (when applicable)
If you subscribe to a paid plan, our payments processor (Stripe Payments Europe Ltd) collects your billing email and card details. We never see or store your card number — only the last four digits, brand and an opaque customer id.
3. Why we process your data and on what legal basis
Each processing operation has a specific legal basis under Art. 6(1) GDPR:
| Purpose | Legal basis |
|---|---|
| Operate the Service (sign-up, chat, sessions, files) | Contract performance — Art. 6(1)(b) |
| Connect to third-party apps you authorise (Gmail, Drive...) | Contract performance — Art. 6(1)(b) |
| Send transactional email (password reset, security) | Contract performance — Art. 6(1)(b) |
| Detect and prevent abuse, fraud, security incidents | Legitimate interest — Art. 6(1)(f) |
| Comply with legal obligations (tax, lawful requests) | Legal obligation — Art. 6(1)(c) |
| Send product updates / marketing email | Consent — Art. 6(1)(a) (you can withdraw it at any time) |
| Aggregated and anonymised analytics | Legitimate interest — Art. 6(1)(f) |
4. Google API Services — Limited Use
Esan's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- We only use Google user data to provide and improve the user-facing Esan AI agent features that you have explicitly requested.
- We do not transfer Google user data to third parties for serving advertisements, including retargeting.
- We do not use Google user data for any purpose unrelated to providing or improving user-facing features.
- We do not allow humans to read your Google data unless (a) we have your specific consent, (b) it is necessary for security purposes (such as investigating abuse), (c) it is necessary to comply with applicable law, or (d) the data (including derivatives) is aggregated and used for internal operations in accordance with applicable privacy and other laws.
5. Who we share data with
We share personal data only with the following recipients, each of whom acts as a processor on our behalf under a Data Processing Agreement compliant with Art. 28 GDPR:
| Recipient | Purpose | Location |
|---|---|---|
| Anthropic, PBC | LLM inference for the agent's reasoning | USA (SCCs) |
| OpenAI, LLC | Embeddings, auxiliary LLM calls | USA (SCCs) |
| Google LLC | Workspace APIs when you connect Gmail/Drive/Calendar | USA / EU regional (SCCs) |
| Supabase Inc. | Database, authentication, file storage | EU (eu-west-1) by default |
| Vercel Inc. | Frontend hosting and edge functions | Global edge, SCCs |
| E2B Inc. | Sandbox virtual machines for code execution | USA (SCCs) |
| Stripe Payments Europe Ltd | Billing (only if you subscribe) | Ireland (EU) |
| Sentry / observability provider | Error tracking, never includes message content | EU region |
An up-to-date list of sub-processors is maintained at /legal/subprocessors. We notify you of material changes at least 14 days in advance so you can object before they take effect.
We do not sell personal data, and we do not share it with third parties for advertising purposes.
6. International transfers
Some recipients are located outside the European Economic Area. Where this is the case we rely on appropriate safeguards under Art. 46 GDPR, in particular the European Commission's Standard Contractual Clauses (Decision 2021/914). You can request a copy of the safeguards in place by writing to hey@esan.ai.
7. How long we keep your data
- Account and Profile data: while your account exists, plus 30 days after deletion to allow account recovery, plus the period required by tax and accounting law (typically 6 years in Spain).
- Conversation data: until you delete it from the chat history or delete your account. Backups containing it are retained for up to 30 days.
- OAuth tokens: until you disconnect the connector or delete your account; deleted immediately on disconnect from our primary database, with backup purge within 30 days.
- Logs (technical / security): 90 days, then aggregated or deleted.
- Billing records: 6 years (Spanish tax retention).
8. Your rights
Under GDPR you have the following rights:
- Access (Art. 15) — request a copy of the personal data we hold about you.
- Rectification (Art. 16) — correct inaccurate or incomplete data.
- Erasure (Art. 17) — request deletion of your data ("right to be forgotten").
- Restriction of processing (Art. 18).
- Data portability (Art. 20) — receive your data in a machine-readable format.
- Object (Art. 21) — object to processing based on legitimate interest.
- Withdraw consent (Art. 7(3)) at any time for processing based on consent.
- Not be subject to a decision based solely on automated processing (Art. 22), including profiling, which produces legal effects concerning you. Esan does not take such decisions.
To exercise any of these rights, write to hey@esan.ai. We will respond within one month (extendable by two further months for complex requests, Art. 12(3) GDPR).
You also have the right to lodge a complaint with the Spanish supervisory authority (Agencia Española de Protección de Datos, C/ Jorge Juan, 6, 28001 Madrid) or your local supervisory authority within the EU.
9. Security
We apply technical and organisational measures appropriate to the risk (Art. 32 GDPR), including:
- Encryption in transit (TLS 1.2+) for all communications
- Encryption at rest for OAuth tokens and credentials (AES-256 via pgcrypto)
- Row-level security on the database, isolating each user's data
- Audit logging of access to personal data
- Least-privilege access controls; access to production systems limited to named individuals on a need-to-know basis
- Regular security reviews and dependency updates
- Sub-processors are required to maintain SOC 2 Type II, ISO 27001, or equivalent certifications
No system is impenetrable. If we become aware of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the supervisory authority within 72 hours and, where the risk is high, notify you without undue delay (Arts. 33–34 GDPR).
10. Cookies
We use only strictly necessary cookies: session token, CSRF token and theme preference. These are exempt from consent under Art. 22 of the Spanish LSSI-CE because they are technically required for the Service to function. We do not use analytics cookies, advertising cookies or any third-party tracking.
11. Children
The Service is not directed to children under 14 (the digital consent age in Spain under LOPDGDD Art. 7). We do not knowingly collect personal data from children under 14. If you believe a child has provided us data, contact us and we will delete it.
12. AI-generated content and accuracy
Esan uses large language models that generate outputs probabilistically. Outputs may be inaccurate, incomplete or out of date. You should not rely on Esan outputs for medical, legal, financial or other professional decisions without independent verification. We provide a transparency notice consistent with Art. 50 of the EU AI Act: when you interact with Esan you are interacting with an AI system.
13. Changes to this Policy
We may update this Policy from time to time. Material changes will be communicated via email and a banner on the Service at least 14 days before they take effect. The "Last updated" date at the top reflects the most recent version. Past versions are archived and available on request.
14. Contact
Questions, requests or complaints about this Policy:
Email: hey@esan.ai
Postal: Esan Neural Computing (Eneco), Donostia – San Sebastián, Spain