PRIVACY
POLICY.

404200.ai is an AI deployment agency registered and based in Cyprus, European Union. We build websites, custom AI systems, AI agents, and digital infrastructure for small and medium-sized businesses and individuals across Cyprus and the EU.

We are the data controller for all personal data collected through this website and through our services.

We collect only what we need to deliver our services and respond to your enquiries.

• Contact information — name, email address, phone number (when provided voluntarily via contact forms, the diagnostic terminal, or direct email)
• Business information — business type, team size, tools in use, and operational details shared during our diagnostic or consulting process
• Diagnostic terminal inputs — messages entered into the AI diagnostic terminal on our website. These are processed in real-time and are not stored by us beyond the session
• Technical data — IP address, browser type, device type, and pages visited (collected via standard server logs for security purposes only)
• Cookie data — a single preference cookie for your display mode setting (dark/light). No tracking cookies are set without your consent

We do not collect payment card data directly. Any payment processing is handled by third-party processors under their own privacy obligations.

• To respond to your enquiries and deliver requested services
• To send your AI diagnostic analysis or project report to the email address you provide
• To communicate project updates, invoices, and service-related information
• To maintain security logs and detect/prevent abuse of our systems
• To improve our services based on anonymised, aggregated usage patterns

The diagnostic terminal and chat assistant on this website are powered by the Anthropic API (Claude). Messages you send to the terminal are transmitted to Anthropic's servers for processing. This transmission is subject to Anthropic's own privacy policy and data handling practices.

We do not store your terminal conversation history beyond the current browser session. We do not log or retain individual message content on our servers.

For AI systems we deploy locally for clients (on-premise or private VPS), your data never leaves your infrastructure. The model is static and does not communicate with external servers during normal operation.

Data we hold about you is stored on EU-based servers only. We apply the following security measures as standard:

• Encrypted data at rest and in transit (TLS 1.3)
• Access-controlled environments — only authorised team members can access client data
• Daily encrypted backups
• Zero-trust access architecture for internal systems
• Security event logging and anomaly detection

In the event of a data breach that affects your rights or freedoms, we will notify you and the relevant supervisory authority within 72 hours of becoming aware, as required under GDPR Article 33.

As a data subject under GDPR, you have the following rights. We will respond to all requests within 30 days.

• Right of access — request a copy of all personal data we hold about you
• Right to rectification — request correction of inaccurate or incomplete data
• Right to erasure — request deletion of your personal data ("right to be forgotten")
• Right to portability — receive your data in a structured, machine-readable format
• Right to object — object to processing based on legitimate interests
• Right to restrict processing — request that we limit how we use your data
• Right to withdraw consent — where processing is based on consent, you may withdraw it at any time

To exercise any right, contact us at [email protected]. You also have the right to lodge a complaint with the Cyprus Commissioner for Personal Data Protection or any EU supervisory authority.

We retain your data only for as long as necessary:

• Active client data — retained for the duration of the engagement plus 12 months, unless you request earlier deletion
• Enquiry data (non-clients) — retained for up to 6 months after last contact
• Security logs — retained for 90 days
• Invoice and financial records — retained for 7 years as required by Cyprus tax law

After the retention period, data is securely deleted or anonymised.

Notice period: Monthly retainer services require 30 days' written notice to cancel. Notice must be sent via email to [email protected]. Cancellations requested mid-billing-cycle are processed at the end of the notice period — not the current billing date.

One-time project engagements do not have a recurring cancellation obligation. However, project scopes agreed in writing are binding. Changes to agreed scope may incur additional charges or revised timelines.

Upon service termination, we will provide you with all deliverables, source code, and credentials that belong to you. We will delete your data from our active systems within 30 days of the end of the retention period, unless legal obligations require otherwise.

This website uses one functional cookie: a display preference cookie (dark/light mode) stored locally in your browser. This cookie contains no personal data and is not used for tracking.

We do not use advertising cookies, third-party tracking pixels, or analytics platforms that profile individual users. We do not use Google Analytics or similar services.

If we add any non-essential cookies in future, we will request your consent in advance and update this policy with 14 days' notice.

The only third party that processes data entered on this website is:

• Anthropic PBC — processes messages submitted to the AI terminal and chat widget. Subject to their Privacy Policy at anthropic.com/privacy. Anthropic is a US-based company; data is transmitted internationally under standard contractual clauses.

For client projects, any third-party services we integrate on your behalf (e.g. payment processors, email platforms) are disclosed in your project agreement and operate under their own privacy policies. We select third parties that meet or exceed GDPR standards wherever possible.

We may update this policy to reflect changes in our services, technology, or legal obligations. If we make material changes, we will notify active clients by email with 14 days' notice before the changes take effect.

The current version of this policy is always available at this URL. The effective date at the top of this page indicates when the current version was last updated.

For any privacy-related request, question, or complaint: