EzyPzy is operated by Inflection. BV, registered at Rue Saint-George 68, 1050 Ixelles, with VAT number —. For any privacy questions or to exercise your rights under GDPR, contact us at privacy-ezypzy@inflectionpoint.be.

• Account information you provide: email address, name, and authentication credentials (hashed by Supabase Auth — we never see plaintext passwords).
• Workspace content you create: projects, elements, decisions, tags, dependencies, and any documents you upload.
• Integration data you authorise us to fetch: Notion pages and Google Drive documents, only within the scope you grant at OAuth time.
• Usage data: page views and basic performance metrics collected via Vercel Web Analytics (cookieless — see below).
• Support correspondence: any messages you send us via privacy-ezypzy@inflectionpoint.be.

• To provide the EzyPzy service — storing your workspace, authenticating you, and serving your requests.
• To process documents with AI when you explicitly invoke AI features (Pro tier).
• To send transactional emails (account verification, password resets, notification digests you opted into).
• To improve the product via aggregated, anonymised usage statistics — never selling or sharing personal data with third parties for marketing.
• To comply with legal obligations (tax records, court orders, GDPR compliance itself).

EzyPzy does not set any tracking cookies. We use Vercel Web Analytics which is cookieless. A single session cookie (`sb-access-token`) is set by Supabase Auth once you sign in; it is required for the app to function and expires when you sign out.

• Supabase (Supabase Inc.) — database, authentication, storage. EU data residency — eu-west-1 region.
• Vercel (Vercel Inc.) — hosting and cookieless web analytics.
• Anthropic (Anthropic PBC) — AI document processing. Engaged only when a Pro-tier user actively uses AI features.
• Notion / Google Drive — third-party document sources. Engaged only when the user enables the corresponding integration; data is fetched solely within the scope the user authorises.

We post new subprocessors at least 30 days before they handle user data. Updates appear on this page; the "Effective" date in the header changes accordingly.

All primary application data (your workspace, projects, elements) is stored in Supabase's eu-west-1 region (Ireland). Uploaded documents processed by AI are sent to Anthropic for the duration of the request only — Anthropic does not retain customer inputs for model training under their commercial API terms. Static assets are served from Vercel's global edge network; edge caches do not contain authenticated user content.

• Right of access: request a copy of the personal data we hold about you.
• Right to rectification: ask us to correct inaccurate data.
• Right to erasure: ask us to delete your account and associated data. We provide a self-serve account deletion in app settings; exercising this right via email is also supported.
• Right to restriction of processing: ask us to pause processing while a dispute is resolved.
• Right to data portability: request an export of your workspace in a machine-readable format.
• Right to object: object to processing based on legitimate interests.
• Right to lodge a complaint: you may contact the Belgian Data Protection Authority (Gegevensbeschermingsautoriteit / Autorité de protection des données) at any time.

Email privacy-ezypzy@inflectionpoint.be with the request you want to make. We respond to data subject access requests within 30 days. If we need additional verification (e.g. to confirm you are the account owner), we will contact you via the email address on the account.

• Active account data is retained for the life of your account.
• Deleted workspaces are purged from the active database within 30 days and from backups within 90 days.
• Account-level deletion requests are honoured within 30 days, subject to any overriding legal retention obligation (e.g. tax records on paid invoices).
• Anonymised usage statistics may be retained indefinitely.

EzyPzy is not intended for users under 16. We do not knowingly collect data from minors. If you believe we have inadvertently collected data from a minor, contact privacy-ezypzy@inflectionpoint.be and we will delete it.

If we materially change how we process your data, we will update the "Effective" date at the top of this page and notify active users at least 30 days before the change takes effect. Continued use of EzyPzy after the effective date constitutes acceptance of the updated policy.