Prefixbox AI Services — Privacy Policy

Customer Content (processor): Inputs (prompts, files, context) and Outputs (model replies).

Conversation/runtime metadata (processor): request IDs, timestamps, model identifier/version, token counts, latency, error codes; not model weights.

Integration data (processor): identifiers and content retrieved from systems you connect (e.g., CRM/helpdesk) per your configuration.

Admin/account data for the Services (controller): admin user name, role, work email, authentication identifiers, billing/admin records necessary to operate the Services.

Sensitive Personal Information: the Services are not intended to process special-category data (e.g., health, biometrics, political opinions) or full payment card data. Do not submit such data unless a written addendum expressly permits it and appropriate safeguards are in place.

As processor (on Customer’s instructions): deliver AI chat/agent functionality; maintain and secure the Services (logging, rate limiting, abuse detection, debugging); optional improvement only if Customer opt-in is enabled (see §5).

As controller (limited to service administration): provide/administer Customer accounts and billing (contract), security and fraud/abuse prevention (legitimate interests/legal obligations).

Training use (default OFF): We do not use Customer Content to train or improve foundation models/LLMs used for other customers by default. With Customer’s explicit opt-in (via the Admin Console or a signed addendum), we may use de-identified samples to improve features; opt-in can be withdrawn at any time (no retroactive effect). Opt-in does not permit contribution to third-party foundation models unless expressly agreed in writing.

End-user transparency & safeguards: Customers must inform end users when they are interacting with AI, clearly label AI-generated content, and avoid representing it as human-authored. Customers must flow down acceptable-use restrictions and implement reasonable technical and organisational measures (e.g., input warnings/filters, gating, rate limits, moderation) to prevent prohibited submissions, including Sensitive Personal Information, unless expressly permitted by addendum.

Children: The Services are not intended for children.

Sub-processors that help us provide the Services (hosting, security, logging/telemetry, email, AI processing). We require data-processing terms, security, and transfer safeguards. A live list is available upon request.

Professional advisers (legal, accounting) under confidentiality.

Authorities where required by law or to protect rights, safety, or systems.

We do not sell personal data.

Personal data may be processed in jurisdictions where we or our sub-processors operate, including the UK and other countries outside the EEA. If transferred to such countries, appropriate safeguards are applied — including the European Commission’s Standard Contractual Clauses — to protect your rights and provide effective remedies.

We implement appropriate technical and organisational measures, including encryption in transit/at rest, access controls, environment segregation, centralised logging/monitoring, vulnerability management, and incident response.

Our Admin Console and the embedded AI widget use cookies and local storage to operate and improve the Service. Data storage mechanisms: cookies and localStorage. Purposes: core functionality (authentication/session, consent storage, security/bot mitigation), analytics/usage statistics, and—if enabled—referrals/affiliates. Tools: Prefixbox may rely on the AI Provider and its vendors, including Cloudflare (tag management/monitoring/security), Google Analytics and PostHog (analytics), and Rewardful (referrals, if enabled). For the up-to-date list of exact cookie/localStorage names, modules, purposes, and expiries, see: https://docs.molin.ai/legal/cookie-list

For data we process as processor, please contact your service provider (the Customer). We support the Customer's handling of access/erasure/portability and other requests.

For admin/account data we process as controller for the Services, contact us at support@prefixbox.com. You may have rights to access, rectify, erase, restrict, object, port, and withdraw consent where applicable.

You also have the right to lodge a complaint with your supervisory authority. In Hungary: Nemzeti Adatvédelmi és Információszabadság Hatóság (NAIH), H-1055 Budapest, Falk Miksa utca 9-11; naih.hu.

Processing of personal data on behalf of Customer is further governed by the Contract. In case of conflict, the Contract controls for processing of personal data.

We may update this Policy from time to time. For material changes that affect you materially, we will provide advance notice (e.g., 30 days) via the Admin Console or email, unless immediate changes are required for legal or security reasons. Continued use after the effective date indicates acceptance of the updated Policy.

Questions or requests about this Policy: support@prefixbox.com | Prefixbox Zrt., 1132 Budapest, Visegrádi utca 31., Hungary.

For convenience, we provide a template end-user privacy notice for the AI Assistant in Annex B. The template is provided “as is” and does not constitute legal advice. Customer must adapt it to reflect its actual processing, notices, and local law (including cookie/consent practices) and remains responsible for compliance and accuracy. Use of the template creates no privity or obligations between Prefixbox (or the AI Provider) and People.

Molin AI Ltd. (Underlying AI Provider) — AI model inference and related services; processing locations may include the UK and other regions used by Molin/its model vendors; transfers safeguarded per §7.

The current list of sub-processors used to provide the Services is available at Subprocessors - Molin AI and may be updated from time to time:

Disclaimer (Template). This annex is a sample end-user privacy notice provided “as is.”It must be adapted by [Customer Name] to reflect actual practices and local law. [Customer Name] is responsible for compliance.

The current list of sub-processors used to provide the Services is available at Subprocessors - Molin AI and may be updated from time to time:

Who we are.

This AI assistant (the “Assistant”) is operated by [Customer Name] on [Customer Site/App]. When you use the Assistant, [Customer Name] is the controller of your personal data. Prefixbox Zrt. provides the Assistant as a service and acts as ourprocessor. An underlying AI provider engaged by Prefixbox acts as a sub-processor to generate answers.

What we collect through the Assistant.

• Chat content you submit (prompts, messages, attachments) and the Assistant's replies.
• Technical dataabout the session (timestamps, request IDs, model identifier, basic device/usage events).
• Contact details (e.g., email/phone) only if you choose to provide them for a specific request (e.g., a callback or follow-up).
• Please do not share Sensitive Personal Information (e.g., full payment card numbers; government IDs; health, biometric or other special-category data). The Assistant is not designed to receive such data.

Why we process your data.

• To provide the Assistant's answers and features you request.
• To keep the service secure, prevent abuse, and diagnose issues.
• If you ask us to follow up (e.g., by email/phone), to respond to your request.We do not use your chat content to train foundation AI models for other customers by default. Any model-improvement use would happen only if [Customer Name] opts in and would rely on de-identified samples.

Legal bases.

We process data to perform the service you request (contract/legitimate interests), to maintain security (legitimate interests/legal obligations), and, where required, with your consent (e.g., for optional analytics cookies).

Who might see your data.

• Our service providers: Prefixbox (processor) and its AI provider (sub-processor), hosting/security and support vendors—each under contract and confidentiality.
• Authorities or parties where required by law or to protect rights and safety.We do not sell your personal data.

International transfers.

Data may be processed in countries outside your own. Where required, we use appropriate safeguards to protect your rights.

Retention. How long we keep your data

• Chat transcripts and activity metadata: kept in our live systems for up to 24 months to operate and troubleshoot the Assistant.
• Internal security logs: kept for 30 days.
• Email/support records about your Assistant interactions: kept for 24 months.
• Archives: read-only archives of Customer Data and support records may be retained for 10 years or more to meet legal, compliance, security, and disaster-recovery needs. Archives are timestamped, versioned, non-modifiable, stored in read-only, access-controlled environments, and restored only via approved workflows.
• Backup security: backups are encrypted in transit (TLS 1.2+) and at rest (AES-256), stored in isolated locations with RBAC and audit logging, and protected by redundant snapshots and deletion safeguards; access is limited andreviewed regularly.

We may retain data longer where required by law or to establish, exercise, or defend legal claims.

Your choices & rights.

• You can choose not to share personal data in the chat. If we really need contact details for your request, we'll ask via a short notice and a secure form.
• Depending on your location, you may have rights to access, correct, delete, restrict, object, and port your data, and to withdraw consent where applicable.
• To exercise rights about Assistant data, contact [privacy/contact email]. If your request concerns data we process via Prefixbox as our processor, we will coordinate with them to respond.

Cookies and similar technologies.

The Assistant and Admin tools may use cookies/local storage for core functionality and (if enabled) analytics. For the current list of items used by the Assistant stack, see [Customer Cookie Policy link] (and, where relevant to the Assistant components, the AI provider's cookie list https://docs.molin.ai/legal/cookie-list).

Children.

The Assistant is not intended for children. If you believe a child has provided personal data, contact us to request deletion.

Questions or requests: [Customer Name], [postal address], [privacy/contact email].