Privacy Policy

4 More Labs Limited is the data controller responsible for your personal data. We are registered with the Information Commissioner's Office (ICO) under registration number ZC105791. If you have any questions about how we handle your data, please contact us at privacy@ellon.ai.

We collect the following categories of information:

• Account Information: Name, email address, and authentication details
• Usage Data: Translation history, page counts, and feature usage
• Payment Information: Processed securely through Stripe; we do not store card details
• Document Content: Temporarily processed for translation

• To provide and improve translation services
• To process payments and manage subscriptions
• To send service notifications and updates
• To monitor and prevent abuse
• To comply with legal obligations

Documents are processed in real-time for translation. Temporary caching may occur during processing. We do not permanently store the content of your documents after translation is complete. Translation metadata (filename, languages, page count) is retained for your history.

• Anthropic (Claude): AI translation engine - SOC 2 Type II certified, ISO 27001, ISO 42001, Zero Data Retention enabled
• Google Cloud (Gemini): AI translation engine - ISO 27701 certified, GDPR-compliant DPA with EU data processing
• Stripe: Payment processing
• Google OAuth: Authentication - we receive your name, email address, and profile picture to create or link your account
• LinkedIn (OpenID Connect): Authentication - we receive your name, email address, and profile picture via LinkedIn's Sign In with LinkedIn. LinkedIn is operated by LinkedIn Corporation (a Microsoft subsidiary). Data processing is governed by LinkedIn's DPA with SCCs.
• Microsoft (Entra ID / OAuth 2.0): Authentication - we receive your name and email address via Microsoft's identity platform. Data processing is governed by Microsoft's Data Protection Addendum (DPA) with EU SCCs and UK IDTA.

We protect your data using industry-standard measures including HTTPS/TLS encryption, JWT-based authentication tokens, and regular security audits. Access to user data is restricted to authorized personnel only.

Our AI providers hold independently audited certifications including SOC 2 Type II, ISO 27001, ISO 42001, and ISO 27701. Annual penetration testing reports are available upon request.

Under UK GDPR, you have the following rights regarding your personal data:

• Access your personal data and receive a copy of the information we hold about you
• Correct inaccurate or incomplete personal information
• Request deletion of your account and all associated personal data (right to erasure)
• Export your data in a structured, commonly used, machine-readable format (data portability)
• Opt out of non-essential communications
• Request restriction of processing in certain circumstances, such as where you contest the accuracy of the data
• Object to processing based on legitimate interests - we will cease processing unless we demonstrate compelling legitimate grounds
• Lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk, by post at Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, or by telephone on 0303 123 1113

To exercise any of these rights, contact us at contact@ellon.ai. We will respond within one calendar month. We do not charge a fee for handling rights requests unless they are manifestly unfounded or excessive.

When you upload a document, it is transmitted over encrypted HTTPS to our servers hosted on Azure (EU region). Our backend extracts the document text, splits it into translation segments, and sends each segment to the selected AI provider (Anthropic Claude or Google Gemini) via their API. The AI provider returns the translated text, which our backend reassembles into the final document. Your document content passes through our servers during processing.

We apply the following retention policies to your data:

• Standard Mode: Your 10 most recent completed translations are kept available for download. Older translations are automatically purged (files deleted, metadata soft-deleted).
• Zero Data Retention Mode: When enabled, your document is deleted from our servers immediately upon download. If not downloaded within 24 hours, it is automatically purged by our scheduled cleanup. No document content is retained.
• Account Data: Account information (name, email, preferences) is retained for the lifetime of your account. Upon account deletion, all personal data is permanently removed within 30 days.
• Translation Metadata: Filenames, language pairs, page counts, and timestamps are retained for billing and history purposes even after document content is deleted.
• Free Trial Abuse Prevention: When you delete your account, a salted cryptographic hash of your normalized email address (and, where available, your original signup IP) is retained in a separate blocklist for 12 months. We do not keep your raw email or IP, only a one-way hash, which is used solely to prevent the same identity from claiming a second free trial. Entries are automatically deleted after 12 months.

We use a limited number of cookies and similar technologies:

• Essential Cookies: Authentication tokens (JWT) stored in localStorage, language preference, and theme preference. These are strictly necessary for the service to function.
• Analytics: We may use privacy-focused analytics to understand how the service is used. No personal data is shared with analytics providers. Details will be updated when analytics tools are configured.
• Cookie Consent: Cookie consent is managed via Cookiebot. You can manage your cookie preferences at any time through the cookie consent banner or by clicking the cookie icon in the bottom corner of any page.
• Third-Party Cookies: Stripe may set cookies when processing payments. Google, LinkedIn, and Microsoft OAuth may set cookies during authentication. These are governed by the respective providers' privacy policies.

Under UK GDPR and the Data Protection Act 2018, we process your personal data on the following lawful bases:

• Contract performance (Article 6(1)(b)): Processing your account information, documents, and translation history is necessary to deliver the Service you have contracted for. We cannot provide translation services without processing your uploaded content.
• Legitimate interests (Article 6(1)(f)): We process usage analytics, abuse prevention data, and security logs based on our legitimate interest in operating a safe, reliable service. We have assessed that these interests do not override your fundamental rights.
• Legal obligation (Article 6(1)(c)): We retain billing records, transaction logs, and VAT-related data as required by UK tax law (HMRC) and financial regulations.
• Consent (Article 6(1)(a)): Where we send non-essential marketing communications or deploy non-essential cookies, we rely on your explicit consent, which you may withdraw at any time.

We do not process special category data (Article 9 UK GDPR) intentionally. If your uploaded documents contain health, biometric, or other sensitive data, you are responsible for ensuring you have the appropriate rights to process and share that content with a cloud translation service.

When you use AI translation, segments of your uploaded documents (which may contain personal data) are transmitted to our AI providers:

• Anthropic (US-based): Transfers are covered by a Data Processing Agreement incorporating the UK International Data Transfer Addendum (IDTA) to the EU Standard Contractual Clauses (SCCs), as approved by the UK ICO. Anthropic operates under Zero Data Retention - no content is stored after the API response.
• Google Cloud (Gemini via Vertex AI): Data is processed in the EU (europe-west1, Belgium). Where any transfer to Google's US infrastructure occurs, it is covered by Google's Cloud Data Processing Addendum incorporating EU SCCs and the UK IDTA addendum.
• Stripe (US-based): Payment processing data (billing address, payment method details) is transferred under Stripe's standard DPA incorporating EU SCCs and the UK IDTA.
• LinkedIn Corporation (US-based): When you sign in with LinkedIn, your name, email address, and profile picture are transferred under LinkedIn's DPA incorporating EU SCCs and the UK IDTA.
• Microsoft Corporation (US-based): When you sign in with Microsoft, your name and email address are transferred under Microsoft's Data Protection Addendum incorporating EU SCCs and the UK IDTA.

You have the right to obtain a copy of the transfer safeguards we rely on by contacting us at contact@ellon.ai.

Ellon AI is not directed at children under the age of 18. We do not knowingly collect, solicit, or process personal data from children. If you are a parent or guardian and believe your child has provided personal data to us, please contact us immediately at contact@ellon.ai. We will take steps to delete such data promptly. This policy applies globally, including compliance with the Children's Online Privacy Protection Act (COPPA) for US-resident minors and the UK ICO's Age Appropriate Design Code.

If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

• Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you, the sources of collection, our business purposes, and the categories of third parties with whom we share it.
• Right to Delete: You may request that we delete personal information we have collected from you, subject to certain exceptions.
• Right to Correct: You may request that we correct inaccurate personal information we maintain about you.
• Right to Opt-Out: We do not sell or share personal information for cross-context behavioural advertising. You may still submit an opt-out request to contact@ellon.ai.
• Non-Discrimination: We will not discriminate against you for exercising these rights.

To exercise your California rights, contact us at contact@ellon.ai. We will respond within 45 days as required by law. You may designate an authorised agent to make requests on your behalf.

In the event of a personal data breach that poses a high risk to your rights and freedoms, we will notify you without undue delay and in any event within 72 hours of becoming aware of the breach, as required by UK GDPR Article 33. Notification will be made by email to your registered address.

Breach notifications will include: the nature of the breach, the categories and approximate number of individuals and records affected, the likely consequences, and the measures we have taken or propose to take to address the breach.

We will also notify the ICO where required. A record of all breaches is maintained in our internal breach register regardless of whether notification to the ICO or individuals is required.

When you exercise your right of withdrawal, we process the following personal data:

• Full name and email address, to identify your contract and process the withdrawal
• IP address, to prevent abuse and for fraud detection
• Withdrawal date and subscription dates, to calculate the proportional refund
• Payment information, processed by Stripe to issue the refund to your original payment method

Withdrawal records are retained for 10 years as required by commercial law (§ 257 HGB). The legal basis for this processing is Article 6(1)(b) GDPR (performance of contract) and Article 6(1)(c) GDPR (legal obligation).