Back to Sign Up

Privacy Policy

Juice Factory AI Inference Platform

Last updated: January 21, 2026

1. Introduction

Juice Factory AB ("Juice Factory", "we", "us", "our") respects your privacy and is committed to protecting personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard personal data in connection with our AI inference platform ("Service"), including our developer portal and API.

2. Our roles: Controller vs Processor

Depending on the context, Juice Factory may act as:

A) Data Controller (Personuppgiftsansvarig) for:

  • Account administration (email, user profile, organization settings)
  • Billing, payment, and invoicing
  • Security monitoring and fraud prevention for our Service
  • Product analytics for the portal (where applicable)

B) Data Processor (Personuppgiftsbiträde) for:

Customer-provided API Content (prompts, inputs, files, completions, outputs) processed on behalf of our customers, where the customer determines the purposes and means of processing.

Where we act as a processor, our processing is governed by a Data Processing Agreement (DPA) and our customers are responsible for ensuring they have a lawful basis for processing personal data they submit to the Service.

3. Information we collect

We collect the following categories of personal data:

3.1 Account & organization information (Controller)

  • Email address
  • Name (optional)
  • Organization details (e.g., company name, VAT/Org. no., address if provided)
  • Account settings and administrative metadata
  • Support communications (if you contact us)

3.2 Billing & payment information (Controller)

  • Billing contact details
  • Invoices, payment status, transaction IDs

Payment processing is handled by our payment processor (e.g., Stripe). We do not store full payment card details.

3.3 Usage & security data (Controller)

  • API request metadata (e.g., timestamps, token counts, model used, latency, error codes)
  • IP addresses, user agent/device information (as necessary for security and abuse prevention)
  • Portal authentication/session events (login, MFA events if applicable)
  • Audit logs related to API keys and administrative actions

3.4 API Content (Processor, default behavior)

Default: We do not persistently store API request/response content (prompts, files, completions) beyond what is necessary for immediate processing in memory and transient system buffers.

Limited exceptions (only when applicable): We may temporarily process and/or retain limited API Content if:

  • You explicitly enable debugging/logging features that capture content;
  • You submit content to us in a support ticket;
  • It is required to investigate abuse, security incidents, service disruptions, or suspected policy violations; or
  • Transient retries/queueing is needed to deliver the request reliably.

Where such retention occurs, it is limited in scope, access-restricted, and retained only as long as needed for the specific purpose described in Section 7 (Data Retention).

No training: API Content is not used to train or improve foundation models.

3.5 Portal Chat (Controller)

Important: The Portal Chat feature (available in the developer portal) stores conversation history differently from API requests:

  • Chat conversations and messages are stored persistently to enable conversation history and continuity
  • This includes your prompts, AI responses, and any uploaded images
  • Data is stored encrypted at rest and associated with your user account
  • You can delete individual conversations or all your chat history at any time via the portal
  • Archived conversations are automatically deleted after 365 days

Your control: You can export or permanently delete your chat conversations at any time through the portal settings. Deletion is immediate and irreversible.

4. Purposes and legal bases (GDPR)

When Juice Factory acts as controller, we process personal data under the following legal bases:

  • Contract (Art. 6(1)(b)): Provide and maintain the Service, manage accounts, authenticate users, deliver API responses, provide support.
  • Legal obligation (Art. 6(1)(c)): Accounting, tax, compliance with applicable laws.
  • Legitimate interests (Art. 6(1)(f)): Security monitoring, abuse prevention, service reliability, performance analytics, product improvement (based on aggregated/technical data).
  • Consent (Art. 6(1)(a)): Only where required (e.g., optional non-essential cookies or certain marketing communications, if we offer them). You can withdraw consent at any time.

When Juice Factory acts as processor, our legal basis is determined by our customer (controller). We process API Content only under the customer's documented instructions (typically via DPA), except where required by law.

5. Sharing of personal data

We do not sell personal data. We may share personal data with:

  • Payment processors (e.g., Stripe) for billing and payments
  • Infrastructure and hosting providers to operate the Service (compute, storage, networking)
  • Security, monitoring, and logging providers (as necessary to ensure reliability and security)
  • Customer support tooling (if used) to manage support requests
  • Legal authorities where required by law or to protect our rights, users, and the Service

We require appropriate contractual safeguards (e.g., DPAs) with vendors where we are the controller.

6. International data transfers & sub-processors

We primarily aim to process and store controller-data within the EU/EEA where feasible. Some vendors/sub-processors may be located outside the EU/EEA or may involve access from outside the EU/EEA.

Where personal data is transferred internationally, we use appropriate safeguards such as:

  • EU Standard Contractual Clauses (SCCs), and where necessary additional safeguards; and/or
  • Other lawful transfer mechanisms recognized under GDPR.

Sub-processor transparency: We maintain an up-to-date list of sub-processors and their locations/categories, and we notify customers of material changes as required under applicable agreements (e.g., DPA).

7. Data retention

We retain personal data only as long as necessary for the purposes described above:

  • Account data (Controller): Retained while your account is active and as needed to provide the Service.
  • Usage & security logs (Controller): Retained for 90 days, then automatically deleted. Longer retention may apply for security investigations or legal obligations.
  • Portal Chat conversations (Controller): Active conversations retained while your account is active. Archived conversations automatically deleted after 365 days. You may delete conversations manually at any time.
  • Session data: Automatically deleted upon session expiration or logout.
  • Billing and invoices (Controller): Retained for the period required by applicable accounting and tax laws (typically 7 years in Sweden).
  • Support records: Retained as needed to resolve the issue and maintain service history, then deleted or anonymized where feasible.
  • Backups: Data may persist in encrypted backups for a limited period until backups cycle out. Access is restricted and backups are used only for disaster recovery.

When we act as processor for API Content, retention is governed by the DPA and our default "no persistent storage" approach, subject to Section 3.4 exceptions.

8. Security measures

We implement appropriate technical and organizational measures, including:

  • Encryption in transit (TLS) and at rest where applicable
  • Strong access controls (least privilege), logging, and monitoring
  • Secure API key management and secret handling
  • Vulnerability management and regular security testing/audits (as applicable)
  • Tenant isolation controls appropriate for a multi-tenant inference platform

9. Personal data breaches

If we become aware of a personal data breach affecting personal data for which we are controller, we will assess and, where required, notify the relevant supervisory authority and affected individuals.

Where we act as processor, we will notify the customer without undue delay in accordance with the DPA.

10. Your rights (GDPR/EEA)

If you are in the EU/EEA, you have the right to:

  • Access your personal data
  • Rectify inaccurate data
  • Erase data (subject to legal retention obligations)
  • Restrict or object to processing (where applicable)
  • Data portability (where applicable)
  • Withdraw consent (where processing is based on consent)

How to exercise your rights: Contact us at privacy@juicefactory.ai. We may request identity verification to protect your data. We aim to respond within one month, subject to lawful extensions.

Complaints: You have the right to lodge a complaint with your local supervisory authority. In Sweden, this is IMY (Integritetsskyddsmyndigheten).

11. Cookies and similar technologies

We use essential cookies and similar technologies required for authentication, session management, and security. We do not use advertising cookies.

If we use any non-essential analytics cookies in the future, we will provide notice and obtain consent where required.

12. Children

The Service is not intended for use by children. Customers are responsible for ensuring that any personal data they submit to the Service is processed lawfully and appropriately.

13. Changes to this policy

We may update this Privacy Policy periodically. If changes are material, we will notify you via email and/or portal notification.

14. Contact information

Privacy contact: privacy@juicefactory.ai

Juice Factory AB
Stockholm, Sweden

Juice Factory - Portal