Privacy Policy

Last updated: May 20, 2026. This policy explains how Mechapiens handles information submitted through website scan and deep scan request flows.

Controller identity

The data controller is VANDOULAS IOANNIS SINGLE MEMBER P.C., trading under the distinctive title MECHAPIENS, registered with the Greek General Commercial Registry (GEMI) under number 193339258000.

Registered seat: Nippos Apokoronou 0, 73007 Vrysses, Chania, Crete, Greece.

Mechapiens provides AI governance and forensic inspection services, including AIGovXRay website scans and deep scan report generation.

Mechapiens has not appointed a Data Protection Officer. Privacy questions and data protection requests can be sent to contact@mechapiens.com.

Data we may process

When you request a website scan, we process the email address and website URL you submit.

When you request a deep scan, we may process your name, email address, company or organization, website URL, optional notes, and the uploaded ZIP evidence pack.

Evidence packs may contain system documentation, configuration excerpts, governance records, logs, screenshots, or other files selected by the submitting user. You should not include unnecessary personal data, secrets, credentials, private keys, regulated data, or material you are not authorized to submit.

Purposes and legal bases

Website scan requests: email address and website URL are processed to respond to your request and provide the requested scan workflow. Legal basis: steps taken at your request before entering into a contract or service relationship, GDPR Article 6(1)(b).

Deep scan requests: name, email address, company or organization, website URL, optional notes, and evidence packs are processed to evaluate the request, generate a report, and communicate with the requester. Legal basis: steps taken at your request before entering into a contract or service relationship, GDPR Article 6(1)(b), and consent where the upload form explicitly asks for it, GDPR Article 6(1)(a).

Service security and abuse prevention: request metadata, logs, and operational records may be processed to secure the service, prevent unauthorized submissions, investigate failures, and protect Mechapiens and its users. Legal basis: our legitimate interest in securing and operating the service, GDPR Article 6(1)(f).

Business communication and record keeping: correspondence and scan request history may be processed to respond to inquiries, maintain service quality, and handle disputes. Legal basis: legitimate interests in customer communication and dispute handling, GDPR Article 6(1)(f), and legal obligations where applicable, GDPR Article 6(1)(c).

Advertising measurement: we may use the Google Ads tag to understand whether advertising campaigns lead to website visits or scan requests. Legal basis: consent where required by applicable law, GDPR Article 6(1)(a), and our legitimate interest in measuring the effectiveness of business advertising where consent is not required, GDPR Article 6(1)(f).

We do not sell submitted evidence packs or use them to train public AI models.

Retention

Website scan request emails are retained for up to 12 months for service quality, follow-up, and dispute handling, unless a longer period is required by law or by a separate written agreement.

Deep scan evidence packs are deleted within 14 days after report delivery. If no report is delivered, evidence packs are deleted within 30 days after submission, unless retention is required for security, dispute handling, legal obligations, or a separate written agreement.

Generated reports and continuity capsules are delivered to the requester. The requester is responsible for storing their own report history. Mechapiens may retain report correspondence for up to 12 months unless otherwise agreed.

Security and operational logs are normally retained for up to 30 days, unless longer retention is necessary to investigate abuse, service failures, or security incidents.

Email systems and hosting providers may retain message metadata or backups for limited operational periods outside the website application.

Processors and infrastructure

We use Vercel to host the website and serverless functions, Papaki / team.blue for domain and email hosting, and Google services where email forwarding, mailbox access, or Google Ads campaign measurement is configured by Mechapiens.

These providers process data only as needed to host the website, route submissions, deliver email, maintain security, and operate their services.

We may update our processor list as the service evolves. Material changes will be reflected in this policy or a dedicated subprocessors page.

International transfers

Some infrastructure, email, security, or support providers may process data outside the European Economic Area.

Where international transfers occur, we rely on appropriate transfer mechanisms such as adequacy decisions, Standard Contractual Clauses, provider data processing terms, or other safeguards recognized under applicable data protection law.

Cookies and analytics

Mechapiens uses the Google Ads tag for advertising campaign diagnostics and conversion measurement. The tag is configured with Google Consent Mode defaults that deny advertising and analytics storage unless a lawful basis or consent mechanism applies.

We do not currently use Google Analytics as a separate analytics product.

Hosting and security providers may process technical request logs that are necessary to deliver and protect the website.

Security

We use reasonable technical and organizational safeguards appropriate for an early-stage scan request workflow, including encrypted transport, restricted mailbox access, and deletion-after-processing practices for deep scan evidence.

No online upload or email transmission can be guaranteed to be risk-free. Do not submit passwords, keys, credentials, or unnecessary personal data.

Automated decision-making

AIGovXRay reports may involve automated or semi-automated technical analysis of submitted materials, but Mechapiens does not use the service to make solely automated decisions with legal or similarly significant effects on individuals.

Children

The service is intended for business and organizational use and is not directed to individuals under 16 years of age.

Your rights

Depending on your jurisdiction, you may have rights to access, correct, delete, restrict, object to, or receive a copy of personal data concerning you.

Where processing is based on consent, you may withdraw consent at any time without affecting processing carried out before withdrawal.

To exercise privacy rights, contact contact@mechapiens.com. We may need to verify your identity and authority before acting on a request.

You also have the right to lodge a complaint with the Hellenic Data Protection Authority at www.dpa.gr.

Changes to this policy

We may update this Privacy Policy as the service evolves. The latest version will be posted on this page with an updated effective date. Material changes may also be communicated through the website or by email where appropriate.