Privacy Policy
Last updated: March 2026
1. Data Controller
The data controller for personal data collected through DFA Code Intelligence ("the Service") is:
Rue des déportés 123
7050 Masnuy-Saint-Jean (Jurbise), Belgium
Website: www.it-xpert.be
Data protection contact: support@dfaanalyzer.com
2. Data We Collect
- Account data: Name, email address, phone number (used for SMS verification), company name
- Payment data: Payment card information and billing details, collected and processed by our payment processor Stripe. We do not store your full card number on our servers.
- Usage data: Analysis history, feature usage, session logs
- Source code: DFA files uploaded for analysis (transmitted to AI providers for processing)
- Generated outputs: Documentation files produced by the Service
3. How We Use Your Data
- To provide the analysis Service, including transmitting your source code to AI providers for processing
- To process payments and manage your credit balance
- To communicate about your account, analyses, and service updates
- To verify your identity via SMS during account registration
- To ensure platform security and prevent abuse
4. Legal Basis for Processing (Art. 6 GDPR)
We process your personal data on the following legal bases:
| Data | Legal Basis |
|---|---|
| Account data (name, email, company) | Performance of contract |
| Source code uploaded for analysis | Performance of contract |
| Payment data (via Stripe) | Performance of contract & legal obligation |
| Phone number (SMS verification) | Legitimate interest (account security) |
| Usage data & session logs | Legitimate interest (service improvement & security) |
| Email notifications (service updates) | Legitimate interest (operational communication) |
5. Data Sharing & Sub-Processors
We do not sell, rent, or share your personal data for marketing or advertising purposes. However, to deliver the Service, your data — including source code — is transmitted to the following categories of sub-processors:
AI Processing Providers
Your source code is transmitted to third-party AI providers solely for the purpose of generating documentation. The provider used depends on the model you select. All proprietary providers listed below operate under Zero Data Retention (ZDR) agreements, meaning your code is processed in real time and is not stored or used for model training.
| Provider | Type | Location | Data Retention |
|---|---|---|---|
| OpenAI | Proprietary AI | United States | Zero Data Retention (ZDR) |
| Anthropic | Proprietary AI | United States | Zero Data Retention (ZDR) |
| Google (Gemini) | Proprietary AI | United States | Zero Data Retention (ZDR) |
| Mistral AI | Proprietary AI | European Union (France) | Zero Data Retention (ZDR) |
| Z.AI (GLM models) | Third-party hosted | Variable | Per provider agreement |
| Together AI (Qwen models) | Open-source model hosting | United States | Per provider agreement |
Open-source models (Qwen, GLM) are hosted by independent infrastructure providers. While these models do not inherently retain data, the hosting provider's policies apply. An on-premise deployment option is available where no data leaves your infrastructure.
Infrastructure & Services
| Provider | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Hosting (S3, Lambda), email (SES), notifications (SNS, SQS) | EU (eu-west-1) |
| Stripe | Payment processing | United States (with EU data processing) |
6. Data Storage & Security
All application data is hosted in EU-based data centers (AWS eu-west-1). Source code is encrypted in transit (TLS 1.3) and at rest (AES-256). Each analysis runs in an isolated environment.
7. Data Retention
| Data Type | Retention Period |
|---|---|
| Source code (uploaded files) | Deleted after processing completes, unless retention is explicitly requested |
| Analysis results & generated documentation | 30 days, then automatically deleted |
| Analysis credits | Valid for 12 months from purchase date |
| Account data | Until account deletion is requested |
| Payment records | As required by applicable tax and accounting laws |
8. International Data Transfers
Your application data is stored within the EU (AWS eu-west-1). However, when your source code is processed by AI providers located outside the European Economic Area (EEA), including OpenAI, Anthropic, Google, and Together AI, or when your payment data is processed by Stripe, your data is transferred internationally.
These transfers are protected by:
- Standard Contractual Clauses (SCCs) adopted by the European Commission, incorporated into our agreements with sub-processors
- Zero Data Retention (ZDR) agreements with AI providers, ensuring your code is not stored after processing
- EU-US Data Privacy Framework certification, where applicable
You may choose to use only EU-based providers (Mistral AI) or on-premise deployment to avoid international transfers entirely.
9. Your Rights Under the GDPR
Under the General Data Protection Regulation (GDPR), you have the following rights regarding your personal data:
- Right of access (Art. 15) — Obtain a copy of your personal data
- Right to rectification (Art. 16) — Correct inaccurate personal data
- Right to erasure (Art. 17) — Request deletion of your personal data
- Right to restrict processing (Art. 18) — Limit how we use your data
- Right to data portability (Art. 20) — Receive your data in a structured format
- Right to object (Art. 21) — Object to processing based on legitimate interest
To exercise any of these rights, contact us at support@dfaanalyzer.com. We will respond to your request within one month, as required by the GDPR. If the request is complex, this period may be extended by two additional months, in which case we will inform you.
If you believe your data protection rights have been violated, you have the right to lodge a complaint with your national data protection authority. For Belgium, this is the Autorité de protection des données (APD) — www.autoriteprotectiondonnees.be.
10. Account Deletion
You may request deletion of your account at any time through the application settings or by contacting us at support@dfaanalyzer.com. The deletion process works as follows:
- You submit a deletion request via the application or email
- We verify your identity and process the request
- Your account data, analysis history, and stored files are permanently deleted
- You receive a confirmation email once deletion is complete
Account deletion is processed within 30 days of receiving your verified request. Unused credits are forfeited upon account deletion and are non-refundable. Payment records may be retained as required by applicable tax and accounting laws.
11. Automated Processing & AI
The Service uses artificial intelligence to analyze your source code and generate documentation. This processing is fully automated but does not produce decisions that have legal or similarly significant effects on you (Art. 22 GDPR). The AI output is informational only and should be reviewed by the user before use.
12. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the competent supervisory authority within 72 hours of becoming aware of the breach (Art. 33 GDPR)
- Notify affected users without undue delay if the breach is likely to result in a high risk to their rights and freedoms (Art. 34 GDPR)
- Document the breach, its effects, and the remedial actions taken
13. Cookies
The marketing website (www.dfaanalyzer.com) uses no tracking cookies. The application portal (app.dfaanalyzer.com) uses session cookies strictly necessary for authentication. These cookies expire when your browser session ends or after inactivity.
14. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email to the address associated with your account at least 30 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision.
15. Contact
For privacy-related inquiries, you may reach us at support@dfaanalyzer.com or use the contact form.