schema theory

privacy

privacy policy

last updated 6 june 2026

This notice explains what personal data Schema Theory processes, why, on what legal basis, who we share it with, how long we keep it, and your rights. It is consistent with our terms of service and, for business customers, our data processing addendum.

controller

The data controller is Mikhail Galustov, entrepreneur individuel trading as Schema Theory, 173 rue de Courcelles, 75017 Paris, France — SIREN 994620201. Contact: [email protected]. A statutory DPO is not mandatory; this address is the single contact point for privacy requests.

For personal data we process on behalf of a business customer — data inside the properties and accounts they connect — that customer is the controller and we act as processor under the data processing addendum.

who we collect from

data we collect

why we use it

provide the service, audits, briefs, fixes, support
contract; pre-contract steps for prospects.
run and secure the site
legitimate interests: availability, security, fraud prevention, debugging.
reply to requests; B2B outreach after a free audit
pre-contract steps; legitimate interests (relevant professional offer, with opt-out).
improve, benchmark and train our rubrics, the Corpus, and AI models
legitimate interests; once data is irreversibly anonymised, outside the GDPR.
send requested updates / marketing to individuals
consent, with unsubscribe at any time.
billing, accounting, legal records
legal obligation; legitimate interests.

Where we rely on legitimate interests we have carried out a balancing test, available on request. You may object at any time.

model development and the corpus

We use data processed through the service to improve and train our rubrics, scoring engines, embeddings, the Corpus, and AI models. By default we anonymise or aggregate before this use. We do not train models on identifiable personal data inside a customer's connected properties except on that customer's instruction or after anonymisation, and we carry out a data protection impact assessment where required. Models and aggregated or anonymised data derived from this work are our property and may be retained and used indefinitely, including after an account closes, because they no longer identify anyone.

processors and recipients

We do not sell personal data. We share it only where needed with vetted providers acting on our instructions — hosting and security (Cloudflare), email (Resend, Google Workspace), scheduling (Cal.com), CRM (Attio), AI and embedding providers, performance and search data sources, and payments (Stripe). A current list is on our sub-processors page. We may also disclose data to advisers, to authorities where legally required, and to an acquirer in a corporate transaction.

international transfers

We host and process personal data in the EU/EEA where feasible. Where a transfer outside the EEA occurs, we rely on an adequacy decision or on the European Commission's Standard Contractual Clauses with supplementary measures. Details are on the sub-processors page.

retention

site and security logs
normally up to 90 days, longer only for an active investigation.
signup emails
until unsubscribe, deletion, or list retirement.
inquiries and prospects
up to 24 months after the last meaningful contact.
client and billing records
contract term plus legal retention (generally 10 years for accounting).
service data, derived, aggregated and anonymised data, models
retained on the basis set out in the terms and DPA; anonymised and aggregated data indefinitely.

your rights

Under the GDPR you may request access, rectification, erasure, restriction, portability, objection to legitimate-interest processing and direct marketing, and withdrawal of consent. Email [email protected]; we respond within one month and may verify your identity. You may complain to the French supervisory authority, the CNIL (cnil.fr). Irreversibly anonymised and aggregated data is no longer personal data and is outside the scope of these rights.

cookies

We use strictly necessary storage and, only with your consent, optional analytics, media, or marketing storage. Manage your choice any time on the cookie page. We do not use advertising or remarketing cookies, session replay, or fingerprinting on the public site.

business customers

If we process personal data on your behalf, our data processing addendum applies, including sub-processor terms, security measures, breach notification, and Standard Contractual Clauses for transfers.

security

We use HTTPS, access controls, least-privilege credentials for connected accounts, provider-side controls, EU residency where feasible, and logging appropriate to the risk. No service is perfectly secure; if you think something is wrong, contact us quickly.

changes

We may update this notice and will post the new date here, giving notice of material changes where appropriate.