Privacy Policy

Last updated: February 20, 2026

Temujin Labs ("we", "us") operates Rosetta (rosetta.temujinlabs.com). This Privacy Policy explains how we collect, use, store, and protect your personal data in compliance with the EU General Data Protection Regulation (GDPR) and Spanish data protection law (LOPDGDD).

1. Data Controller

The data controller for your personal data is:

Temujin Labs
Barcelona, Spain
Email: hello@temujinlabs.com

2. Data We Collect

Data Purpose Legal Basis
Email address Account creation, login, communication Contract performance
Password (hashed) Authentication Contract performance
Domain name Core service functionality (tracking citations) Contract performance
Search queries Monitoring AI citations for your domain Contract performance
IP address Rate limiting, security Legitimate interest
Payment info Subscription billing (processed by Stripe) Contract performance

3. How We Use Your Data

We use your data exclusively to:

  • Provide the Rosetta service (tracking AI citations for your domain)
  • Authenticate your account and maintain security
  • Process payments (via Stripe)
  • Send essential service notifications (account changes, billing)
  • Protect against abuse (rate limiting, fraud prevention)

We do not sell your data. We do not use your data for advertising. We do not profile you for marketing purposes.

4. Third-Party Processors

We share data with the following processors, all of which are GDPR-compliant:

Processor Purpose Data Shared
Google (Gemini API) AI citation tracking Search queries only (no personal data)
Stripe Payment processing Email, payment details
Hetzner Server hosting (EU) All service data (stored in EU)

5. Data Storage and Security

Your data is stored on servers located in the European Union (Hetzner, Germany). We implement the following security measures:

  • Passwords are hashed using bcrypt (never stored in plain text)
  • All connections are encrypted via TLS/HTTPS
  • API authentication uses JWT tokens with expiration
  • Rate limiting protects against brute force attacks
  • Security headers (HSTS, X-Content-Type-Options, X-Frame-Options) are enforced

6. Data Retention

  • Account data: retained while your account is active, deleted within 30 days of account deletion
  • Citation history: retained according to your plan tier (7 days to unlimited), deleted upon account deletion
  • Server logs: retained for 30 days for security and debugging purposes
  • Waitlist emails: retained until launch, then deleted or migrated to accounts

7. Your Rights (GDPR)

Under the GDPR, you have the following rights:

  • Access: Request a copy of all personal data we hold about you
  • Rectification: Request correction of inaccurate data
  • Erasure: Request deletion of your data ("right to be forgotten")
  • Portability: Request your data in a machine-readable format
  • Restriction: Request that we limit processing of your data
  • Objection: Object to processing based on legitimate interest
  • Withdraw consent: Where processing is based on consent, withdraw it at any time

To exercise any of these rights, email hello@temujinlabs.com. We will respond within 30 days.

8. Cookies

Rosetta uses only essential cookies and local storage for authentication (JWT token storage). We do not use tracking cookies, analytics cookies, or third-party advertising cookies. No cookie consent banner is required because we only use strictly necessary cookies.

9. AI Visibility Grader (Public Tool)

The free AI Visibility Grader does not require an account. For this tool, we process:

  • The domain you submit (not linked to any account)
  • Your IP address (for rate limiting only, not stored permanently)

No personal data is retained from grader usage beyond the session.

10. Children

The Service is not directed at children under 16. We do not knowingly collect data from children. If you believe a child has provided us with personal data, contact us for immediate deletion.

11. International Transfers

Your data is stored within the EU. When we use Google's Gemini API (US-based), only search queries are transmitted (no personal data). Google's API is used under their standard data processing terms with appropriate safeguards.

12. Supervisory Authority

You have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD) at www.aepd.es, or with your local EU data protection authority.

13. Changes

We may update this Privacy Policy. Material changes will be communicated via email or in-app notification. The "last updated" date at the top reflects the most recent revision.

14. Contact

For any privacy-related questions or data requests:

Temujin Labs
Barcelona, Spain
Email: hello@temujinlabs.com