Last updated · 2026-07-06
This Privacy Policy is maintained by Gerbee Systems and describes how personal and corporate data is collected, processed and protected when an organisation accesses the Gerbee platform. It is intended to satisfy the disclosure expectations of GDPR, comparable local data-protection regimes, and the confidentiality expectations of enterprise procurement teams.
1. Controller & Processor Roles. The Customer is the data controller for any personal data contained in uploaded documents. Gerbee Systems acts as data processor for such data and as controller for account, billing and operational telemetry strictly necessary to deliver the Service.
2. Categories of Data Collected. (a) Account data — email, full name, organisation name, role and timezone. (b) Content — documents you submit (contracts, invoices, acts, tax filings) and any structured fields extracted from them. (c) Operational telemetry — request timestamps, IP, browser fingerprint hash, error traces, audit trail. (d) Support data — tickets and correspondence with support@gerbee.com.
3. Lawful Bases. Processing is grounded in (i) performance of the contract you entered into via the Public Offer, (ii) the operator's legitimate interest in securing and improving the Service, (iii) compliance with mandatory legal obligations, and (iv) explicit consent provided during sign-up for the categories that require it.
4. Advanced Data Isolation Protocols. Processed text from uploaded PDF, DOCX and image documents is held only in isolated, ephemeral memory states bound to the active analysis transaction. Such text is strictly never cached, persisted to long-term storage outside the Customer's tenant, mirrored to analytics warehouses, or leaked across tenants. Inter-tenant access is precluded at the database layer through row-level security policies and at the network layer through tenant-scoped credentials.
5. AI & LLM Processing — Zero Retention. Where large-language-model components are invoked, the operator selects providers that enforce a contractual zero-retention posture: requests are processed in-memory, no Customer Content is logged for human review, and no Content is used to train any base or downstream model. Gerbee Systems does not operate its own training pipeline on Customer Content under any circumstance.
6. Encryption Standards. All data is encrypted in transit (TLS 1.3 with modern cipher suites) and at rest (AES-256 with key management performed by the underlying cloud KMS). Database backups inherit the same encryption posture. Field-level encryption is applied to selected sensitive fields.
7. Access Control. Access to production data is restricted to a least-privilege set of operations personnel, gated by hardware-key MFA, time-bound just-in-time elevation, and full audit logging. No vendor, contractor or partner is granted standing access to Customer Content.
8. Sub-processors. Gerbee Systems uses a curated set of sub-processors strictly necessary to deliver the Service (cloud hosting, transactional email, LLM inference). Each sub-processor is bound by written confidentiality and data-processing terms aligned with this policy. The current list is available on written request.
9. International Transfers. Where data must cross a border, the operator applies appropriate contractual safeguards (e.g. Standard Contractual Clauses) and, where required by local law, performs a transfer impact assessment.
10. Retention & Deletion. Active Content is retained for the lifetime of the account. Upon written deletion request or account termination, all Content is removed from production systems within thirty (30) days and from encrypted backups within ninety (90) days, subject only to retention strictly required by law.
11. Data Subject Rights. Individuals whose personal data is processed may request access, rectification, erasure, restriction, portability and objection by writing to support@gerbee.com. Requests are acknowledged within five (5) business days and fulfilled within one (1) calendar month.
12. Incident Response. In the event of a confirmed personal-data breach affecting the Customer, the operator shall notify the Customer without undue delay and in any event within seventy-two (72) hours, providing the nature of the incident, the categories of data affected, the likely consequences and the mitigation measures taken or proposed.
13. No Sale of Data. Gerbee Systems does not sell, rent or trade personal or corporate data. Data is never shared for behavioural advertising or external profiling.
14. Customer Warranties. The Customer warrants that all submitted Content has been lawfully obtained, that necessary notices and consents have been issued where required, and that the Content does not contain categories of data prohibited from cloud processing under applicable law.
15. Mutual Non-Disclosure. A mutual NDA may be downloaded from the platform homepage and counter-signed before any production Content is uploaded. Such NDA shall coexist with this policy and the Public Offer as a single integrated agreement.
16. Changes. Material changes to this policy will be announced in-app at least fourteen (14) days before they take effect, with the prior version archived on request.