1. Introduction
This Privacy Statement explains how Infercom SCS ("Infercom," "we," "us," or "our"), a company incorporated as a Société en Commandite Simple (SCS) under the laws of the Grand Duchy of Luxembourg, collects, uses, and protects your personal data.
This Privacy Statement applies to all websites, platforms, and services operated by or on behalf of Infercom, including but not limited to:
- infercom.ai — our corporate website
- cloud.infercom.ai — our cloud platform portal
- api.infercom.ai — our AI inference API
- docs.infercom.ai — our documentation
- support.infercom.ai — our support portal
- status.infercom.ai — our service status page
(collectively, the "Services").
This Privacy Statement also covers any additional websites, subdomains, or services that Infercom may introduce in the future, provided they link to or reference this Privacy Statement.
We are committed to protecting your privacy and processing your personal data in accordance with the EU General Data Protection Regulation (GDPR), the Luxembourg Law of 1 August 2018 implementing the GDPR (loi du 1er août 2018 portant organisation de la Commission nationale pour la protection des données et du régime général sur la protection des données), and other applicable data protection legislation.
2. Data Controller
The data controller for your personal data is:
Infercom SCS
29 Boulevard Grande-Duchesse Charlotte
1331 Luxembourg
Grand Duchy of Luxembourg
Business Registration No: B298727
VAT No: LU36889579
Email: info@infercom.ai
3. Data Protection Officer
We have appointed an external Data Protection Officer (DPO) through DEUDAT, a specialized data protection consultancy.
You can contact our DPO for any questions regarding this Privacy Statement or our data protection practices:
DEUDAT GmbH
Email: dpo@infercom.ai
Under GDPR Article 38, our DPO acts independently and reports directly to the highest management level. You have the right to contact the DPO directly and confidentially on any data protection matter.
4. What Personal Data We Collect
We collect different categories of personal data depending on how you interact with our Services.
4.1 Data You Provide to Us
When you register for an account, contact us, or use our Services, you may provide:
- Identification Data: First name, last name
- Contact Data: Email address, phone number, postal address
- Account Data: Username, password, authentication credentials
- Payment Data: Payment method details, billing address (processed securely by our payment processor Stripe; we do not store full payment card details)
- Corporate Data: Company name, job title, position
- Communication Data: Content of messages you send to us via email, contact forms, or support tickets
4.2 Data We Collect Automatically
When you use our Services, we automatically collect:
- Technical Data: IP address, browser type and version, operating system, device type, time zone setting, language preferences
- Usage Data: Pages visited, features used, time spent on our platform, click patterns, referral source
- API Usage Data: API request metadata including timestamps, model identifiers, token counts, response times, error codes, and API key identifiers. This data is used for billing, operational monitoring, and service quality purposes.
4.3 Inference Data (Prompts and Outputs)
Infercom does not store, log, or retain the content of your prompts or model outputs. Inference data (the queries you submit to our AI models and the responses generated) is processed transiently — it is passed to the inference engine, a response is generated, and the content is discarded. We do not use inference data for model training, fine-tuning, or service improvement.
This applies to both EU-Hosted Models and models accessed through the Global Model Catalog.
API request metadata (as described in Section 4.2) is logged separately and does not include the content of prompts or outputs.
4.4 Data We Receive from Third Parties
We may receive personal data from:
- Authentication Provider: Auth0 (part of Okta) provides authentication data when you log in (email, login timestamps, IP address)
- Business Partners: Contact information shared by our business partners in connection with referrals or joint activities
- Publicly Available Sources: Professional information from publicly available sources such as LinkedIn, for business development purposes
5. How and Why We Use Your Data
We process your personal data only when we have a lawful basis to do so under GDPR Article 6.
| Purpose | Data Categories | Legal Basis |
|---|---|---|
| Account registration and management | Identification, Contact, Account | Performance of contract (Art. 6(1)(b)) |
| Providing AI inference services | Account, API Usage, Technical | Performance of contract (Art. 6(1)(b)) |
| Billing and payment processing | Identification, Contact, Payment, API Usage | Performance of contract (Art. 6(1)(b)) |
| Customer support | Identification, Contact, Communication, Technical | Performance of contract (Art. 6(1)(b)) |
| Platform security and abuse prevention | Technical, API Usage | Legitimate interest (Art. 6(1)(f)) |
| Service monitoring and improvement | Technical, Usage, API Usage (metadata only) | Legitimate interest (Art. 6(1)(f)) |
| Website analytics | Technical, Usage | Consent (Art. 6(1)(a)) |
| Marketing communications | Identification, Contact | Consent (Art. 6(1)(a)) |
| Legal compliance | As required | Legal obligation (Art. 6(1)(c)) |
Where we rely on legitimate interest, we have conducted a balancing test to ensure our interests do not override your fundamental rights and freedoms. You may request details of these assessments by contacting our DPO.
5.1 Obligation to Provide Data
Where the provision of personal data is necessary to enter into or perform a contract with us (e.g., account registration, payment processing), you are required to provide the relevant data. If you do not provide this data, we will not be able to create your account or provide our Services to you.
Where processing is based on consent (e.g., marketing communications, analytics cookies), the provision of data is voluntary. You may decline or withdraw consent without any impact on your use of our core Services.
6. Data Retention
We retain personal data only for as long as necessary for the purposes described in this Privacy Statement, or as required by law.
| Data Category | Retention Period | Reason |
|---|---|---|
| Inference data (prompts/outputs) | Not retained — processed transiently | No purpose beyond real-time processing |
| API request metadata | 90 days | Operational monitoring, billing, debugging |
| Authentication logs | 12 months | Security, fraud detection |
| Account data | Duration of account + 30 days | Contract performance, orderly closure |
| Payment and billing records | 10 years after transaction | Luxembourg tax and commercial law |
| Support ticket data | 3 years after resolution | Service quality, dispute resolution |
| Website analytics data | 26 months | Analytics purposes |
| Marketing consent records | Duration of consent + 3 years | Demonstrating valid consent |
After the applicable retention period, personal data is securely deleted or anonymized.
7. Data Sharing and Sub-Processors
We share your personal data only where necessary to provide our Services, and only with the following categories of recipients:
7.1 Sub-Processors
We use the following sub-processors to deliver our Services:
| Sub-Processor | Purpose | Location |
|---|---|---|
| SambaNova Systems, Inc. | Platform operation, AI inference processing, usage metering | US; EU infra at Equinix Munich 4 |
| Auth0 (Okta, Inc.) | Authentication and identity management | EU (AWS Frankfurt) |
| Stripe Payments Europe, Ltd. | Payment processing | Ireland (EU) |
| Metronome, Inc. | Usage tracking and billing metering | US |
| TECLIB SAS (GLPI Network Cloud) | Support ticket management | France (EU) |
Note on the SambaManaged platform: The cloud portal (cloud.infercom.ai) and API (api.infercom.ai) are operated by SambaNova as an integrated managed service ("SambaManaged"). Infercom maintains contractual control as data controller, and all EU-hosted inference processing takes place on Infercom-owned hardware at Equinix Munich 4, Germany.
We maintain a current list of sub-processors and will notify registered customers of any changes, providing an opportunity to object in accordance with our Data Processing Agreement.
7.2 Other Recipients
- Professional advisors: Lawyers, auditors, and consultants, bound by professional confidentiality obligations
- Regulatory and law enforcement authorities: Where required by applicable law, court order, or binding regulatory request. We will notify you of such requests to the extent legally permitted.
We do not sell your personal data to third parties. We do not share personal data for advertising purposes.
8. International Data Transfers
Infercom's primary AI inference infrastructure is located at Equinix Munich 4, Germany, within the European Economic Area (EEA). For EU-Hosted Models, your inference data does not leave the EEA.
However, some of our sub-processors are based outside the EEA (see Section 7.1). Where personal data is transferred outside the EEA, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs): We use SCCs approved by the European Commission (Decision 2021/914) as the primary transfer mechanism for personal data transferred to US-based sub-processors.
- EU-US Data Privacy Framework (DPF): Where our US-based sub-processors are certified under the DPF, this serves as an additional basis for transfer.
- Supplementary measures: We implement technical and organizational measures to supplement the safeguards provided by SCCs, including encryption, access controls, and contractual restrictions on data disclosure.
8.1 Global Model Catalog
When you use models from Infercom's Global Model Catalog that are not hosted on EU infrastructure, your API requests (including prompt content) are routed to SambaNova's global infrastructure outside the EEA, primarily in the United States.
- EU-Hosted Models are clearly identified in the API (via the /v1/models endpoint) and in the cloud platform interface.
- You can restrict your usage to EU-Hosted Models only by selecting models tagged as "EU" in the platform.
- Appropriate transfer mechanisms (SCCs) are in place for data processed through the Global Model Catalog.
For further details on international transfer safeguards, including Transfer Impact Assessments, contact our DPO.
9. Cookies and Tracking Technologies
Our website (infercom.ai) uses cookies and similar tracking technologies. Cookie consent is managed through a consent banner on our website. We categorize these as follows:
9.1 Strictly Necessary (Essential)
These are required for the operation of our website and do not require your consent.
| Component | Provider | Purpose |
|---|---|---|
| Cloudflare | Cloudflare, Inc. | CDN, DDoS protection, DNS |
| Cookie Consent Banner | Infercom | Cookie consent management (stores your consent preference) |
9.2 Functional
These components provide additional functionality on our website.
| Component | Provider | Purpose |
|---|---|---|
| Pipedrive Web Forms | Pipedrive OÜ | Contact and partner inquiry forms |
| Google Fonts | Google LLC | Web font delivery (Roboto, Roboto Mono) |
9.3 Analytics
We use analytics tools to understand how visitors use our website and to improve our Services. These are only activated with your consent.
| Component | Provider | Purpose |
|---|---|---|
| Google Analytics 4 (via Google Tag Manager) | Google LLC | Website usage statistics, page views, user interactions |
9.4 Marketing and Advertising
We use marketing technologies to measure the effectiveness of our advertising campaigns. These are only activated with your consent.
| Component | Provider | Purpose |
|---|---|---|
| Google Tag Manager | Google LLC | Tag management for marketing and analytics scripts |
| Google Tag Services (Google Ads) | Google LLC | Conversion tracking for Google Ads campaigns |
9.5 Managing Your Preferences
You can manage your cookie preferences at any time through the "Cookie Settings" link in the website footer. You can also adjust your browser settings to block or delete cookies.
Withdrawing consent does not affect the lawfulness of processing based on consent before withdrawal.
10. Your Rights
Under the GDPR, you have the following rights regarding your personal data:
| Right | Description |
|---|---|
| Access (Art. 15) | Request a copy of the personal data we hold about you |
| Rectification (Art. 16) | Request correction of inaccurate or incomplete personal data |
| Erasure (Art. 17) | Request deletion of your personal data ("right to be forgotten") |
| Restriction (Art. 18) | Request restriction of processing of your personal data |
| Data portability (Art. 20) | Receive your personal data in a structured, machine-readable format |
| Objection (Art. 21) | Object to processing based on legitimate interests or direct marketing |
| Withdraw consent (Art. 7(3)) | Withdraw consent at any time where processing is based on consent |
| Automated decision-making (Art. 22) | Not be subject to decisions based solely on automated processing |
How to Exercise Your Rights
To exercise any of these rights, contact us at:
Email: dpo@infercom.ai
Mail: Infercom SCS, 29 Boulevard Grande-Duchesse Charlotte, 1331 Luxembourg
We will respond to your request within one month. This period may be extended by two further months where necessary, taking into account the complexity and number of requests.
If you are not satisfied with our response, you have the right to lodge a complaint with the Commission nationale pour la protection des données (CNPD), which is Infercom's lead supervisory authority:
11. AI-Specific Information
11.1 How We Use AI
Infercom provides AI inference services — we process your API requests using open-source AI models running on our infrastructure. We are an infrastructure provider, not an AI model developer.
11.2 No Model Training
We do not use your data to train, fine-tune, or improve AI models. Your prompts and outputs are processed transiently and are not retained, stored, or fed back into any model training pipeline.
11.3 Automated Decision-Making
Infercom's Services generate computational outputs based on your inputs. We do not make automated decisions about individuals. If you use our Services to make decisions that affect individuals, you are responsible for ensuring compliance with GDPR Article 22 and any applicable requirements under the EU AI Act (Regulation (EU) 2024/1689).
11.4 EU AI Act
Infercom operates as an AI infrastructure provider. Under the EU AI Act, customers using our Services to deploy AI applications are responsible for their own obligations as "deployers." We provide transparency about the models available on our platform through our documentation at docs.infercom.ai.
12. Security
We implement appropriate technical and organizational measures to protect your personal data, including:
- Encryption: TLS 1.2+ for data in transit; AES-256 encryption for data at rest
- Access controls: Role-based access, least privilege principle, multi-factor authentication for administrative access
- Infrastructure security: Physical security at Equinix Munich 4; network segmentation; DDoS protection
- Certification: ISO/IEC 27001:2022 certified Information Security Management System (ISMS)
- Monitoring: Intrusion detection, log monitoring, vulnerability management
- Personnel: Confidentiality obligations for all staff and contractors with access to personal data
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the CNPD within 72 hours and notify you without undue delay where the breach is likely to result in a high risk to your rights and freedoms.
13. Third-Party Links
Our Services may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to read their privacy policies before providing any personal data.
14. Children's Data
Our Services are not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child without appropriate parental consent, we will take steps to delete that data.
15. Changes to This Privacy Statement
We may update this Privacy Statement from time to time. When we make material changes, we will:
- Update the "Last Updated" date at the top of this page
- Notify registered users by email where changes materially affect how we process their personal data
- Post the updated Privacy Statement on our website
We encourage you to review this Privacy Statement periodically. Your continued use of our Services after changes are published constitutes acceptance of the updated Privacy Statement.
16. Contact Us
For any questions about this Privacy Statement or our data protection practices:
General inquiries: info@infercom.ai
Data protection inquiries: dpo@infercom.ai
Postal address:
Infercom SCS
29 Boulevard Grande-Duchesse Charlotte
1331 Luxembourg
Grand Duchy of Luxembourg
This Privacy Statement is governed by the laws of the Grand Duchy of Luxembourg and the GDPR.