Privacy policy
Last updated: 12 May 2026
This page explains what personal data Artifakt processes, on whose behalf, where it goes, and how to exercise your rights under the EU General Data Protection Regulation (GDPR).
It is written to be readable. If anything is unclear, write to privacy@artifakt.cc and we will explain it.
1 · Who we are
Artifakt is operated by ARTIFAKT, with registered office in the European Union. Contact for privacy matters: privacy@artifakt.cc.
For most of our processing, we act as a data processor on behalf of a customer who is the controller — that customer is a medical-device manufacturer using our service to draft their EU MDR technical documentation. Where we act as controller (account sign-up, billing, support correspondence) that is called out below.
2 · What we process
The personal data we touch falls into three buckets:
- Account data — email address, hashed password, display name, role. Used to authenticate you and route audit-log entries to your account.
- Customer-controlled regulatory content — Instructions-for-Use (IFU) documents you upload, manufacturer and device-profile information you enter, draft text you generate, gap resolutions you write, attachment files you associate with gaps. Some of this content may contain personal data (signatory names, person of responsibility under MDR Article 15, manufacturer addresses, single-registration-number holders).
- Operational telemetry — timestamps, IP addresses recorded in rate-limit windows, AI-call inputs and outputs captured in the trace log, retention housekeeping records. Used to operate the service and provide an audit trail you can show to a Notified Body.
We do not use cookies for analytics, fingerprinting, or advertising. We have no third-party trackers. The only cookie set is a server-side session cookie required for you to stay logged in (see the cookies policy).
3 · Why we process it (lawful basis)
Every category of processing relies on Article 6(1)(b) GDPR — performance of a contract: you (or your employer) signed up to use Artifakt for MDR drafting and the processing is what we need to do to deliver that service.
We do not rely on consent for the core functionality (your account activity), and we do not perform profiling, automated decision-making with legal effect, or any direct marketing.
4 · Where your data is processed
Every part of the pipeline that touches your regulatory content runs in the European Union:
- LLM inference (drafting, extraction, harmonisation) — Amazon Bedrock, AWS Europe (Frankfurt) region (eu-central-1), using Anthropic Claude Sonnet 4.6 and Haiku 4.5 via an EU-only cross-region inference profile. Data does not leave EU AWS regions for inference.
- Vector search (corpus retrieval) — TopK, hosted on AWS Europe (Frankfurt).
- OCR (PDF → text) — Mistral AI, France.
- Translation — DeepL SE, Germany.
- Application database + attachment files — hosted in the European Union on the operator’s infrastructure (Hetzner Cloud, Falkenstein, Germany during the pilot).
One data flow leaves the EU: PubMed literature search via NCBI (United States). When you search for clinical literature, only your typed search keywords are sent to NCBI — no IFU content, no device profile, no customer-identifying data. NCBI returns abstracts that are in the public domain. We rely on Article 49(1)(b) GDPR (transfer necessary for the performance of a contract concluded in your interest) for this transfer.
5 · Subprocessors
We rely on the following subprocessors:
| Subprocessor | Country | Purpose |
|---|---|---|
| Amazon Web Services EMEA SARL | Luxembourg (EU) | Bedrock LLM inference (Claude Sonnet / Haiku) and S3 storage for encrypted database backups, eu-central-1. |
| Mistral AI SAS | France | PDF → text extraction (OCR). |
| DeepL SE | Germany | Machine translation (e.g. EN → CS). |
| TopK | EU (AWS Frankfurt) | Vector search over the regulatory corpus. |
| Hetzner Online GmbH | Germany | Application hosting (VPS). |
| Resend, Inc. | EU sending (Dublin, eu-west-1) | Transactional email (password resets). Sending domain is configured to use Resend’s Ireland region (eu-west-1, Dublin) — the only EU region Resend currently offers. Only the recipient email address and the reset link are transmitted. |
| NCBI / NIH (PubMed) | USA | Public literature search; receives keywords only, no customer data. |
When we add or change a subprocessor we will update this list and notify customers in advance, in line with the data-processing agreement.
6 · How long we keep data
Retention defaults are configurable per customer in the data-processing agreement. The default values applied to our pilot deployment are:
- Draft documents and attachments: 540 days (~18 months — designed to cover the typical MDR audit window).
- Trace events (AI call inputs / outputs): 180 days.
- Translation cache: 90 days.
- Idempotency keys: 7 days.
- Password-reset tokens: single-use, expire 60 minutes after issue.
- Session cookies: 14 days, sliding (a new login extends the window).
Encrypted Postgres backups are retained for 30 days in AWS S3 (EU region) and then permanently deleted.
7 · Your rights (GDPR Articles 15–22)
You have the right to:
- Access your personal data — sign in and use Settings → Export my data. This returns a ZIP archive containing every row we hold for your account, including attachments and trace events. (GDPR Article 15 / 20.)
- Rectify inaccurate data — edit it in the app or write to privacy@artifakt.cc.
- Erase your account — sign in and use Settings → Delete my account. The deletion cascades through every table and removes attachment files from disk. Encrypted backups continue to hold a copy until their normal 30-day rotation expires, after which it is irretrievable. (GDPR Article 17.)
- Restrict or object to processing — write to privacy@artifakt.cc. Where we act as processor, your request is forwarded to your controller (your employer).
- Lodge a complaint with a supervisory authority — in Poland, the Prezes Urzędu Ochrony Danych Osobowych (UODO); in your member state, your national data-protection authority.
8 · How we secure your data
Current security controls:
- HTTPS / TLS 1.3 on every public endpoint, with HSTS enforced.
- Passwords stored as PBKDF2-SHA256 hashes (600k iterations, per-user salt).
- Session cookies marked HttpOnly + Secure + SameSite=Lax; not accessible to JavaScript.
- Application secrets isolated to the server’s environment; backups encrypted at rest in S3 (AES-256).
- Rate-limiting on authentication endpoints to mitigate credential-stuffing.
- Application-level row-level isolation: every database query is scoped to the authenticated user.
- Audit log of AI-call inputs and outputs, retained per the retention policy above, so you can reconstruct exactly what the assistant produced.
We do not yet hold a SOC 2 or ISO 27001 certification — the pilot is the first revenue stage of the product, and those reviews follow once the customer base supports them. The current security posture is documented in full at docs/pilot/pilot-readiness.md in our source repository and we share it on request.
9 · About the AI system
Artifakt uses large language models (currently Anthropic Claude Sonnet 4.6 and Haiku 4.5 via Amazon Bedrock in Frankfurt) to generate drafts of EU MDR technical-documentation sections.
The assistant is a drafting aid. Every section it produces is marked “AI DRAFT — verify before submission”. You — the manufacturer — remain the legally responsible party for any submission to a Notified Body. The assistant cannot, and is not designed to, replace human regulatory review.
Under our agreement with AWS, your inputs and outputs are not used to train Anthropic or any other foundation model. They are processed transiently for the inference call and not retained by the model provider.
10 · Changes to this policy
We will update this page whenever processing changes materially — a new subprocessor, a new data category, a change to retention, or a change to lawful basis. Material changes are also communicated to customers via email at least 30 days in advance.
11 · Contact
For any question about how we handle your data, write to privacy@artifakt.cc. We commit to a substantive reply within 30 days, per GDPR Article 12.