Privacy Policy & GDPR
AceEngine — LudoProgramming SRL
Last updated: 07 March 2026
1. Who we are
LudoProgramming SRL operates the AceEngine platform. In relation to Clients (B2B), we act as Data Controller. In relation to End Users of the widget, we act as Data Processor on behalf of the Client.
2. Data we collect
2.1. Client (account) data
- Email address (via Microsoft Entra ID / CIAM);
- Azure Object Identifier (EntraObjectId) — a pseudonym, no direct personal data;
- Authorised web domain in the licence;
- Subscription plan and payment history;
- Aggregated usage data: request count, tokens consumed, cache hit rate.
2.2. Technical data processed via the widget
- Text of End User questions — processed in real time to generate responses, NOT stored;
- Client website page content — indexed as vector embeddings, no plain-text storage;
- Timestamp and technical metadata for rate limiting (maximum 1 hour).
2.3. Analytics data
- Anonymised visit data (Google Analytics GA4) on ludoprogramming.com — partial IP truncation;
- Technical error logs for debugging — no personal content.
3. Legal basis for processing (GDPR Art. 6)
- Performance of a contract (Art. 6.1.b) — to provide the AceEngine service;
- Legal obligation (Art. 6.1.c) — to retain accounting records;
- Legitimate interest (Art. 6.1.f) — for security and fraud prevention;
- Consent (Art. 6.1.a) — for optional marketing communications.
4. Your GDPR rights
- Right of access: Obtain a copy of the data processed about you.
- Right to rectification: Correct inaccurate or incomplete data.
- Right to erasure: "Right to be forgotten" — request deletion of your data.
- Data portability: Receive your data in a structured, machine-readable format.
- Right to object: Object to processing based on legitimate interest.
- Right to complain: Lodge a complaint with your national supervisory authority.
To exercise your rights: privacy@ludoprogramming.com. We respond within 30 days.
5. International data transfers
- Microsoft Azure (EU/EEA) — cloud infrastructure, Cosmos DB storage;
- OpenAI (USA) — language model processing. Covered by Standard Contractual Clauses (SCCs) under GDPR Art. 46.
6. Retention periods
- Account data: contract duration + 5 years (legal obligations);
- Aggregated usage data: 24 months;
- Indexed content (embeddings): until revocation, max 30 days after termination;
- Technical logs: 30 days;
- Billing data: 10 years (Romanian Tax Code).
7. Client responsibilities (DPA Art. 28)
The Client, as Data Controller for End Users, is responsible for:
- Informing End Users about the AI widget on their website;
- Obtaining necessary consent where applicable;
- Notifying AceEngine immediately of any security incident.
A Data Processing Agreement (DPA) compliant with GDPR Art. 28 is available upon request.
8. Security
- Microsoft Entra ID authentication with MFA support;
- All communications over HTTPS/TLS 1.2+;
- Data stored in Azure Cosmos DB with at-rest encryption;
- M2M JWT authorisation for internal communication;
- Per-licence rate limiting and anti-abuse protection.
9. Cookies
ludoprogramming.com uses essential cookies (authentication session) and analytics cookies (Google Analytics GA4, with IP anonymisation). The AceEngine widget embedded on the Client's website does not set its own cookies.
10. Policy changes
Significant changes are notified by email at least 14 days in advance.
11. Contact
LudoProgramming SRL
Privacy: privacy@ludoprogramming.com
Supervisory authority: ANSPDCP (Romania)