← moltarch.com

Privacy Policy

Effective: April 8, 2026 · Last updated: April 8, 2026

This Privacy Policy explains how Choy Innovation Oy ("MoltArch," "we," "us"), a company incorporated in Finland, collects, uses, and protects information when you use the MoltArch API and related services ("Service").

1. Data Controller

Choy Innovation Oy is the data controller for account and usage data. For any personal data contained in your API queries (Input Data), you are the data controller and MoltArch acts as a data processor on your behalf.

Contact: support@moltarch.com

2. What We Collect

2.1 Account Data

When you register for an API key, we collect:

• Organization name
• Contact email address
• API key identifier (we store a hash of the key, not the key itself)

2.2 Usage Data

When you use the Service, we automatically collect:

• Query metadata: session ID, timestamp, data confidence score, billing status
• API key usage: request counts, last used timestamp
• Technical data: IP address (for rate limiting only, not stored long-term)

2.3 Query Data (Input and Output)

Your query inputs and generated outputs are processed in real-time and stored temporarily in an encrypted session (Redis) with a maximum lifetime of 2 hours. After the session expires, Input Data and Output content are automatically deleted.

We do not store your queries or outputs beyond the session duration.

2.4 Website Data

On moltarch.com we use analytics tools to collect anonymized website usage statistics.

3. How We Use Your Data

Data Type	Purpose	Legal Basis (GDPR)
Account data	Service delivery, authentication	Contract performance (Art. 6(1)(b))
Usage metadata	Billing, analytics, service improvement	Contract performance, legitimate interest (Art. 6(1)(b), 6(1)(f))
Query data	Generating your requested output	Contract performance (Art. 6(1)(b))
Website analytics	Understanding website usage	Legitimate interest (Art. 6(1)(f))

4. What We Do NOT Do

• We do not use your Input Data or Outputs to train, fine-tune, or improve AI models
• We do not sell your data to third parties
• We do not store your queries or outputs beyond the 2-hour session window
• We do not share your Input Data with other customers
• We do not use personal data for advertising or profiling

5. Data Processing and Transfers

The Service processes data using third-party providers. Data is processed as follows:

• AI processing: Your query context is sent to AI model providers for processing. Providers with EU data residency are used where available.
• Embedding generation: Only anonymized text (company names and identifiers stripped) is sent to embedding providers for semantic search.
• Web enrichment: Generic search queries may be sent to search providers for market context. No personal or customer data is included.
• Infrastructure: Application servers and databases are hosted in the EU region.

Where data is processed outside the EU/EEA, appropriate safeguards are in place (Standard Contractual Clauses, EU-US Data Privacy Framework, or equivalent). A current list of sub-processors is available upon request.

6. Anonymization of Campaign Data

The Service's marketing intelligence vault contains data contributed by marketing agency partners. This data undergoes a triple anonymization process:

1. On upload: Company names, brand names, URLs, email addresses, phone numbers, and other identifiers are stripped from all data before it enters the vault
2. On retrieval: Retrieved data is anonymized again before being included in AI synthesis prompts
3. On output: Final outputs are scanned to catch any identifiers that may have been generated by the AI model

Agents and end users never see raw records or identifiable company information. They receive synthesized patterns and benchmarks only.

7. Data Retention

Data Type	Retention Period
Query content (inputs/outputs)	2 hours (session TTL), then auto-deleted
Query metadata (billing, scores)	Duration of account + 12 months after termination
Account data	Duration of account + 30 days after deletion request
API key hashes	Duration of account, deleted on account closure
Website analytics	Per analytics provider retention settings

8. Your Rights

Under GDPR, you have the right to access, correct, delete, restrict, or port your personal data, and to object to processing. Contact support@moltarch.com to exercise any of these rights. You may also lodge a complaint with the Finnish Data Protection Ombudsman (tietosuoja.fi).

9. Security

We implement appropriate technical and organizational measures to protect your data, including:

• API key authentication with SHA-256 hashing (raw keys are never stored)
• TLS encryption for all data in transit
• Database hosted in EU region with access controls
• Session data encrypted and automatically expired
• Multi-layer anonymization for campaign vault data

10. Changes to This Policy

We may update this Privacy Policy at any time. The current version is always available at moltarch.com/privacy. The "Last updated" date at the top reflects the current version. Continued use of the Service constitutes acceptance of the updated policy.

Contact

Choy Innovation Oy
Helsinki, Finland
support@moltarch.com

Finnish Data Protection Ombudsman: tietosuoja.fi