Legal
Everything that governs your use of Einy. We’ve put it all in one place to make it easier to find what you need. Questions? Email legal@einy.app.
Last updated: May 2026
Privacy Policy
1. Who we are
Einy is operated by Dalbin LLC, a limited liability company organized under the laws of the State of Delaware, with its principal place of business at:
Dalbin LLC
PO Box 3219
Santa Barbara, CA 93130, USA
EIN 35-2840275
(“Einy”, “we”, “us”, “our”)
For any privacy-related question, contact us at privacy@einy.app.
We are the data controller (under GDPR) and business (under CCPA/CPRA) for the personal data we process through einy.app and related services (the “Service”).
EU/EEA users — note on representation: Einy is a small, recently launched service. We are in the process of appointing a representative in the European Union pursuant to Article 27 of the GDPR. Until that appointment is completed, EEA users may contact us directly at privacy@einy.app for any data protection matter, and we will respond within the deadlines set by the GDPR.
2. Scope
This Policy explains how we collect, use, share, and protect personal data when you visit einy.app, create an account, use Einy Studio, generate or post-process creative content, or order physical products through our integrated print partners.
It applies to users worldwide, with specific sections addressing rights of users in the European Economic Area (EEA), United Kingdom, and California.
3. What data we collect
Account data: name, email address, password (hashed), language, country, billing details.
Content data: images, prompts, design briefs, project files, brand assets, and other content you upload or generate using the Service (“User Content”).
Usage data: pages visited, features used, generation history, session duration, device and browser information, IP address, approximate location derived from IP.
Payment data: processed directly by our payment provider (Stripe). We do not store full card numbers on our servers.
Order data: when you place a print order, we collect shipping address and order details, which are transmitted to our print fulfillment partner (Gelato).
Communications: support tickets, emails, and any feedback you send us.
4. Why we process your data and on what legal basis (EEA/UK users)
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Providing the Service (account, generation, downloads) | Contract — Art. 6(1)(b) |
| Processing payments and orders | Contract — Art. 6(1)(b) |
| Security, fraud prevention, abuse detection | Legitimate interest — Art. 6(1)(f) |
| Service analytics and product improvement | Legitimate interest — Art. 6(1)(f) |
| Marketing emails (existing customers) | Legitimate interest — Art. 6(1)(f), with opt-out |
| Marketing emails (prospects) | Consent — Art. 6(1)(a) |
| Legal and tax obligations | Legal obligation — Art. 6(1)(c) |
You can object to processing based on legitimate interest at any time (see Section 10).
5. AI processing — important transparency
Einy uses artificial intelligence to generate and post-process visual content. You should know:
- Your prompts and uploaded content are sent to third-party AI model providers (listed in Section 7) to produce the requested output. They process this data on our behalf as service providers under contract.
- We do NOT use your User Content to train our AI models or any third-party foundation model. Where we use external providers, we select offerings whose terms exclude training on customer inputs.
- AI output is probabilistic. Generated content may contain errors, artifacts, or unexpected elements. You are responsible for reviewing output before commercial or public use.
- No automated decision-making with legal effect: Einy’s AI features are creative tools. We do not use AI to make decisions that produce legal effects concerning you or that significantly affect you within the meaning of GDPR Art. 22.
- Logging: We retain prompts and outputs for a limited period to enable your access to your generation history, debug issues, and prevent misuse (see Section 9).
6. Cookies and similar technologies
We use cookies and similar technologies to operate the Service and understand how it is used.
Strictly necessary cookies — used for authentication, session management, security, and load balancing. These cookies are essential for the Service to function and do not require your consent.
Analytics cookies — Google Analytics 4 — we use Google Analytics, a service provided by Google LLC, to understand how visitors use einy.app and improve the Service. Google Analytics is configured with the following privacy safeguards:
- IP addresses are anonymized before storage;
- Data sharing with Google for advertising or other Google products is disabled;
- Data retention is set to 14 months, after which user-level data is automatically deleted;
- We do not use Google Signals or cross-device tracking.
For users in the EEA, UK, and Switzerland, Google Analytics is only loaded after you give consent through our cookie banner. No analytics cookies are set, and no data is sent to Google, before you click “Accept” on analytics. You can decline analytics entirely without losing access to any feature of the Service.
Data collected by Google Analytics is transferred to the United States. Google LLC is certified under the EU–US Data Privacy Framework, which provides an adequate level of protection for these transfers.
Marketing cookies — we do not currently use marketing or advertising cookies. If we introduce them in the future, we will update this Policy and request your consent before activation.
Managing your choices — you can change your cookie preferences at any time by clicking the “Cookie preferences” link in the footer of einy.app. You can also block or delete cookies through your browser settings, though this may affect how some parts of the Service work.
7. Who we share data with
We share data only with vetted service providers bound by data processing agreements:
| Provider | Purpose | Location |
|---|---|---|
| Google Cloud Platform | Application hosting | EU / US |
| Supabase | Database, authentication, storage | US |
| Stripe | Payment processing | US |
| Gelato | Print-on-demand fulfillment | EU / global |
| Google (Gemini / Vertex AI) | AI generation | EU / US |
| Google Workspace (Gmail) | Transactional email | US |
| Google Analytics | Product analytics | US |
We do not sell your personal data, and we do not “share” it for cross-context behavioral advertising as those terms are defined under the CCPA/CPRA.
We may disclose data when legally required (subpoena, court order, valid legal request) or to protect our rights, users, or third parties.
The current and complete list of sub-processors is published at Sub-processors.
8. International transfers
Einy is operated from the United States. If you are located in the EEA, UK, or Switzerland, your personal data is transferred to and processed in the United States and other countries that may not provide the same level of data protection as your home jurisdiction.
For these transfers, we rely on:
- the EU–US Data Privacy Framework and the UK Extension where the recipient is certified;
- Standard Contractual Clauses (SCCs) approved by the European Commission and the UK ICO, supplemented by technical measures (encryption in transit and at rest);
- Where applicable, your explicit consent under GDPR Art. 49.
You can request a copy of the safeguards in place by writing to privacy@einy.app.
9. How long we keep data
| Data category | Retention |
|---|---|
| Account data | Duration of account + 3 years after deletion |
| User Content (projects, generations) | Until you delete them, or 12 months after account closure |
| Order and invoicing data | 7 years (US tax/commercial retention) |
| Server and security logs | 12 months |
| Cookies | See cookie banner, max 13 months |
| Marketing data | Until you unsubscribe + 3 years |
After these periods, data is deleted or anonymized.
10. Your rights — EEA, UK and Switzerland
Under the GDPR / UK GDPR, you can:
- Access the personal data we hold about you (Art. 15);
- Rectify inaccurate data (Art. 16);
- Erase your data (“right to be forgotten”) (Art. 17);
- Restrict processing (Art. 18);
- Receive your data in a portable format (Art. 20);
- Object to processing based on legitimate interest, including direct marketing (Art. 21);
- Withdraw consent at any time, without affecting prior lawful processing;
- Define directives regarding the fate of your data after death (where applicable under your national law).
To exercise these rights, write to privacy@einy.app. We will respond within one month.
If you believe we have not handled your data properly, you can lodge a complaint with the data protection authority of your country of residence.
11. Your rights — California residents (CCPA/CPRA)
If you are a California resident, you have the right to:
- Know what personal information we collect, use, disclose, and the categories of sources and recipients;
- Access a copy of your personal information;
- Delete your personal information, subject to legal exceptions;
- Correct inaccurate personal information;
- Opt out of the sale or sharing of personal information — note: we do not sell or share personal information as defined by the CCPA;
- Limit the use of sensitive personal information — we do not use sensitive personal information for purposes requiring this right;
- Non-discrimination for exercising any of these rights.
To exercise these rights, write to privacy@einy.app. We will verify your identity using information already associated with your account before responding.
12. Your rights — other US states
If you reside in a US state with a comprehensive privacy law (including Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Montana, Delaware, and others), you may have rights similar to those described above. Contact privacy@einy.app to exercise them.
13. Security
We implement technical and organizational measures appropriate to the risk:
- TLS 1.2+ for data in transit;
- Encryption at rest for databases and storage;
- Role-based access controls and audit logs;
- Regular backups and incident response procedures;
- Vendor security assessments before onboarding service providers.
In the event of a personal data breach, we will notify affected users and competent authorities as required by applicable law.
14. Children
The Service is not directed to children under 16 (under 13 for US users). We do not knowingly collect data from children. If you believe a child has provided us with personal data, contact privacy@einy.app and we will delete it.
15. Intellectual property and your User Content
Your User Content remains yours. You grant Einy a limited, non-exclusive, worldwide license to host, process, and transmit it solely to operate the Service. This license ends when you delete the content or your account, except for backup copies retained for the periods set out in Section 9.
Generated outputs: subject to our Terms of Service, you own the rights you can lawfully claim in the outputs you generate. Be aware that under current law, the copyright status of purely AI-generated content varies by jurisdiction and may be limited.
16. Changes to this Policy
We may update this Policy. Material changes will be communicated by email or through a prominent notice on the Service at least 30 days before they take effect.
17. Contact
Email: privacy@einy.app
Dalbin LLC
PO Box 3219
Santa Barbara, CA 93130, USA
Terms of Service
1. Agreement
These Terms of Service (“Terms”) form a binding agreement between you and Dalbin LLC, a Delaware limited liability company located at PO Box 3219, Santa Barbara, CA 93130, USA (“Einy”, “we”, “us”), governing your access to and use of einy.app, Einy Studio, our APIs, and any related services (together, the “Service”).
By creating an account, accessing, or using the Service, you accept these Terms. If you do not accept them, do not use the Service.
If you use the Service on behalf of a company or organization, you represent that you have authority to bind that entity, and “you” refers to that entity.
2. Eligibility
You must be at least 16 years old (13 in the United States, with a parent’s consent where required) to use the Service. By using the Service, you represent that you meet this requirement and that you are not barred from using the Service under the laws of your jurisdiction or any applicable sanctions regime.
3. Account
You are responsible for maintaining the confidentiality of your login credentials and for all activity that occurs under your account. Notify us immediately at support@einy.app if you suspect unauthorized access.
We may suspend or terminate accounts that violate these Terms, that pose a security or legal risk, or that are inactive for an extended period.
4. The Service
Einy is an AI-powered creative tool that allows you to generate, edit, and post-process visual content, and to order physical products through integrated print partners.
We provide the Service on a subscription, credit, or one-time payment basis as displayed at checkout. Pricing, features, and availability may change; we will give you reasonable notice of material changes affecting paid plans.
We are continuously developing the Service. Features may be added, modified, or removed. Beta features are provided “as is” and may be unstable.
5. Subscriptions, credits, and payment
Billing. Paid plans are billed in advance on a recurring basis (monthly or annually) until you cancel. Credits are non-refundable once issued, except where required by law.
Auto-renewal. Subscriptions renew automatically at the end of each billing period at the then-current price unless you cancel before renewal.
Taxes. Prices are shown excluding VAT, sales tax, and similar taxes, which will be added where applicable.
Failed payments. If a payment fails, we may suspend the Service until payment is received.
Refunds — EU and UK consumers. If you are a consumer in the EEA or UK, you have a 14-day right of withdrawal under EU Directive 2011/83/EU. By starting to generate content or downloading outputs during this period, you expressly request immediate performance and waive the right of withdrawal for the portion of the Service already consumed.
Refunds — other users. All sales are final unless otherwise stated. We may at our discretion offer credits or refunds for service failures.
Print orders. Orders for physical products fulfilled through Gelato or other partners are subject to those partners’ production and shipping terms. Once an order is sent to production, it cannot be cancelled.
6. Your content and your rights
You keep your rights. You retain all rights you have in the content you upload to the Service (“Inputs”) and in the content you generate using the Service (“Outputs”). Together, Inputs and Outputs are your “User Content.”
License to us. You grant Einy a limited, worldwide, non-exclusive, royalty-free license to host, store, copy, transmit, display, and process your User Content solely as needed to operate, maintain, and improve the Service for you. This license ends when you delete the content or your account, except for backup copies retained for the periods set out in our Privacy Policy.
No training on your content. We do not use your User Content to train AI models, and we contract with our AI providers on terms that prohibit them from doing so.
Your responsibilities. You represent and warrant that:
- You own or have all necessary rights to your Inputs;
- Your Inputs do not infringe any third party’s intellectual property, privacy, or publicity rights;
- Your Inputs do not contain personal data of others without a lawful basis;
- Your use of Outputs in commerce or publication complies with applicable law.
You are solely responsible for how you use Outputs, including in advertising, on social media, on physical products, or in any commercial context.
7. AI Outputs — important notices
Probabilistic nature. Outputs are generated by machine learning models. They may contain inaccuracies, artifacts, unintended elements, or resemblances to existing works. You are responsible for reviewing every Output before using it.
Similar Outputs to other users. Because of how generative models work, other users may receive Outputs that are similar to yours from similar prompts. We do not guarantee uniqueness.
Copyright status. The legal status of AI-generated content varies by jurisdiction. In the United States, the U.S. Copyright Office currently requires meaningful human authorship for copyright protection, and purely AI-generated content is generally not protectable. In the European Union, the position is unsettled. We make no representation that any Output is or is not protected by copyright. You should not assume Outputs are protectable as your original work without legal advice for your jurisdiction and use case.
Third-party rights. Outputs may incidentally resemble copyrighted works, trademarks, or real persons. You are responsible for clearing any third-party rights before commercial use.
No warranty of non-infringement. We do not warrant that Outputs will be free of third-party rights claims. To the maximum extent permitted by law, we disclaim liability for such claims.
8. Acceptable use
You agree not to use the Service to generate child sexual abuse material, non-consensual intimate imagery, content depicting real persons in a sexual or defamatory manner without consent, content intended to deceive about its AI origin, or content that promotes violence or unlawful discrimination. The full list of prohibited uses is set out in our Acceptable Use Policy.
We may remove content, suspend accounts, and report illegal content to authorities where required by law.
9. Our intellectual property
The Service, including the einy.app platform, our software, models we have trained, brand, logos, and documentation, is owned by Dalbin LLC and protected by intellectual property laws. We grant you a limited, non-transferable, revocable license to use the Service in accordance with these Terms.
10. Third-party services
The Service integrates with third-party providers (listed in our Privacy Policy and at Sub-processors), including Google Cloud Platform, Stripe, and Gelato. Your use of those services is subject to their own terms.
11. Suspension and termination
By you. You can terminate your account at any time from your account settings or by writing to support@einy.app. Termination ends your subscription at the end of the current billing period.
By us. We may suspend or terminate your account immediately if you breach these Terms, if your use poses a legal or security risk, or for non-payment. We may also terminate the Service as a whole with at least 30 days’ notice.
Effect of termination. Upon termination, your right to use the Service ends. Your User Content is handled in accordance with our Privacy Policy. Sections that by their nature should survive termination will survive.
12. Disclaimers
To the maximum extent permitted by law, the Service is provided “as is” and “as available,” without warranty of any kind, whether express, implied, or statutory, including warranties of merchantability, fitness for a particular purpose, non-infringement, accuracy, or uninterrupted operation.
Consumers in the EEA and UK retain their statutory warranty rights, which are not excluded by this section.
13. Limitation of liability
To the maximum extent permitted by law:
- Einy will not be liable for indirect, incidental, special, consequential, or punitive damages, including loss of profits, revenue, data, or goodwill;
- Einy’s total aggregate liability for any claim arising out of or relating to the Service will not exceed the greater of (a) the amount you paid to Einy in the 12 months preceding the event giving rise to the claim, or (b) USD 100.
Nothing in these Terms excludes or limits liability for death or personal injury caused by negligence, fraud, or any liability that cannot be excluded under applicable law.
14. Indemnity
You agree to indemnify and hold harmless Dalbin LLC, its officers, employees, and agents from any claim, damages, liability, and reasonable legal fees arising out of (a) your User Content, (b) your use of the Service in breach of these Terms, or (c) your violation of any law or third-party right.
15. Dispute resolution
Informal resolution first. Before filing any formal claim, you agree to contact us at legal@einy.app and give us 60 days to resolve the dispute informally.
Governing law. These Terms are governed by the laws of the State of Delaware, USA, without regard to conflict-of-laws principles.
Arbitration — users outside the EEA, UK, and Switzerland. Any dispute that is not resolved informally will be settled by binding individual arbitration administered by the American Arbitration Association under its Consumer Arbitration Rules, seated in Wilmington, Delaware. You waive the right to a jury trial and to participate in a class action.
Courts — users in the EEA, UK, and Switzerland. If you are a consumer in the EEA, UK, or Switzerland, mandatory consumer protection law in your country of residence applies, and you may bring proceedings either in the courts of Delaware or in the courts of your country of residence.
16. DMCA and copyright complaints
If you believe content on the Service infringes your copyright, send a notice that meets the requirements of 17 U.S.C. § 512(c) to dmca@einy.app.
17. Changes to the Terms
We may update these Terms. Material changes will be communicated by email or through a prominent notice on the Service at least 30 days before they take effect. Continued use after the effective date constitutes acceptance.
18. Miscellaneous
Entire agreement. These Terms, together with the Privacy Policy and any policies referenced in them, are the entire agreement between you and Einy regarding the Service.
Severability. If any provision is held unenforceable, the remaining provisions remain in effect.
No waiver. Our failure to enforce any right is not a waiver of that right.
Assignment. You may not assign these Terms without our written consent. We may assign these Terms in connection with a merger, acquisition, or sale of assets.
Force majeure. We are not liable for delays or failures caused by events beyond our reasonable control.
19. Contact
General support: support@einy.app
Legal and notices: legal@einy.app
DMCA: dmca@einy.app
Privacy: privacy@einy.app
Dalbin LLC
PO Box 3219
Santa Barbara, CA 93130, USA
Acceptable Use Policy
This Acceptable Use Policy (“AUP”) describes prohibited uses of einy.app and related services (the “Service”) operated by Dalbin LLC (“Einy”). It supplements our Terms of Service. By using the Service, you agree to comply with this AUP.
We may update this AUP at any time to address new abuse patterns or legal requirements. Continued use after changes constitutes acceptance.
1. Zero-tolerance prohibitions
You must not use the Service to generate, upload, store, or distribute:
Child safety violations
- Child sexual abuse material (CSAM), in any form, photorealistic or stylized;
- Content that sexualizes, eroticizes, or endangers minors;
- Content depicting minors in violent, exploitative, or distressing contexts.
We are required by US federal law (18 U.S.C. § 2258A) to report CSAM to the National Center for Missing & Exploited Children (NCMEC), and we will preserve and disclose evidence to law enforcement.
Non-consensual intimate imagery
- Sexualized depictions of real, identifiable persons without their explicit consent;
- “Deepfake” pornography or revenge imagery of any individual;
- Content depicting nudity or sexual acts of any person who has not consented to being depicted.
Targeted harm
- Content created to harass, threaten, or intimidate a specific person;
- Doxing material (publishing private identifying information);
- Content promoting self-harm, suicide, or eating disorders;
- Content that incites violence against any person or group.
Violations of this section will result in immediate account termination, content removal, preservation of evidence, and reporting to authorities where required by law. Refunds will not be issued.
2. Prohibited content
You must not use the Service to generate or distribute:
Illegal content
- Content that violates any applicable law in the United States, the European Union, or your jurisdiction;
- Content that infringes intellectual property rights (copyright, trademark, design rights);
- Content that violates privacy or publicity rights;
- Defamatory content;
- Material subject to sanctions or export controls.
Deception and fraud
- Content designed to impersonate another person or entity;
- Phishing pages, fake login screens, or material designed to defraud;
- Counterfeit documents, IDs, currency, signatures, or official seals;
- Fake reviews, testimonials, or endorsements.
Election and civic integrity
- Synthetic media of political candidates or officials in deceptive contexts;
- Content designed to suppress voting or mislead about electoral processes;
- Disinformation about public health emergencies, where it could cause physical harm.
Hate and extremism
- Content promoting violence or hatred against people based on race, ethnicity, religion, gender, sexual orientation, disability, or other protected characteristics;
- Content glorifying terrorism, mass violence, or extremist organizations;
- Nazi imagery, terrorist propaganda, or recruitment material.
Dangerous content
- Instructions for creating weapons (firearms, explosives, biological, chemical, or nuclear weapons);
- Content facilitating attacks on critical infrastructure;
- Content designed to evade law enforcement.
3. Misuse of the Service
You must not:
- Reverse-engineer, decompile, or attempt to extract our models, prompts, system architecture, or proprietary technology;
- Scrape, crawl, or harvest data from the Service except as permitted by our public APIs;
- Use the Service to train, fine-tune, or build a competing AI model;
- Bypass or attempt to bypass content filters, rate limits, watermarks, or other technical controls;
- Use multiple accounts to evade restrictions or quotas;
- Resell, sublicense, or redistribute access to the Service without a written agreement with us;
- Use automated tools (bots, scripts) in ways that degrade Service performance for other users;
- Probe, scan, or test the security of the Service without our prior written permission;
- Misrepresent your identity, affiliation, or the source of content.
4. Use of real persons and brands
When generating content that depicts or references real persons:
- Public figures may be depicted in clearly satirical, journalistic, or factual contexts consistent with applicable law. You must not generate content that falsely portrays them as endorsing products, making statements, or engaging in conduct they have not engaged in.
- Private individuals must not be depicted without their consent, except in genuinely transformative or factual contexts permitted by law.
- Trademarks and brand assets may not be used in ways that confuse consumers, suggest false endorsement, or infringe trademark rights.
5. Disclosure of AI-generated content
In several jurisdictions, including under the EU AI Act (Article 50), users have legal obligations to disclose when content is AI-generated. You are responsible for complying with these obligations when you publish, distribute, or commercially use Outputs, including:
- Disclosing AI generation when required by law;
- Preserving any visible or invisible watermarks we apply to Outputs;
- Not removing metadata indicating AI origin without legal basis.
6. Reporting violations
If you encounter content or behavior on the Service that violates this AUP:
- General abuse: report@einy.app
- Copyright infringement: dmca@einy.app
- Privacy violations: privacy@einy.app
We investigate all reports. Reports made in good faith are confidential.
7. Enforcement
Violations of this AUP may result in:
- Removal or restriction of content;
- Warning;
- Suspension of features, credits, or your account;
- Termination of your account without refund;
- Reporting to law enforcement or other authorities;
- Civil action to recover damages and costs.
We exercise enforcement discretion. We may take action proportional to the violation, but we are not required to issue warnings before suspending or terminating accounts for serious violations.
8. Contact
Questions about this Policy: legal@einy.app
Data Processing Agreement
Between Dalbin LLC (“Processor”) and the Customer (“Controller”)
This Data Processing Agreement (“DPA”) forms part of the Terms of Service or other agreement (the “Principal Agreement”) between Dalbin LLC, a Delaware limited liability company (“Einy”, “Processor”), and the customer identified in the Principal Agreement (“Customer”, “Controller”), governing the Processor’s processing of personal data on behalf of the Controller.
This DPA reflects the parties’ agreement on the processing of personal data in compliance with the EU General Data Protection Regulation 2016/679 (“GDPR”), the UK GDPR, the Swiss Federal Act on Data Protection (“FADP”), and the California Consumer Privacy Act / California Privacy Rights Act (“CCPA/CPRA”), as applicable.
1. Definitions
Terms not defined here have the meaning given in the GDPR. “Personal Data”, “Processing”, “Controller”, “Processor”, “Sub-processor”, and “Data Subject” have the meanings set out in GDPR Art. 4.
“Customer Personal Data” means personal data the Controller submits to or generates through the Service.
2. Scope and roles
For the purposes of this DPA, the Customer is the Controller and Einy is the Processor of Customer Personal Data.
For the purposes of the CCPA, the Customer is a Business and Einy is a Service Provider. Einy will not sell or share Customer Personal Data, will not retain or use Customer Personal Data outside the direct business relationship with the Customer, and will not combine Customer Personal Data with personal data from other sources, except as expressly permitted by the CCPA.
3. Subject matter and details of processing
| Item | Detail |
|---|---|
| Subject matter | Provision of AI-powered creative generation, post-processing, and print fulfillment services |
| Duration | The term of the Principal Agreement, plus any retention period set out in this DPA |
| Nature and purpose | Hosting, transmitting, and processing Customer Personal Data to provide the Service |
| Categories of data | Account data, content data (Inputs and Outputs), usage data, communications |
| Categories of data subjects | Customer’s authorized users; individuals depicted in or referenced by Customer’s User Content |
| Special categories | None expected; Customer must not submit special category data without notifying Einy |
4. Processor obligations
Einy will:
4.1 Process Customer Personal Data only on documented instructions from the Controller.
4.2 Notify the Controller without undue delay if, in its opinion, an instruction infringes the GDPR or other applicable data protection law.
4.3 Ensure that personnel authorized to process Customer Personal Data are bound by confidentiality obligations.
4.4 Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as set out in Annex II (Security Measures).
4.5 Not use Customer Personal Data to train AI models, except where the Customer has expressly opted in through a separate written agreement.
4.6 Provide assistance to the Controller in fulfilling obligations regarding data subject requests (GDPR Art. 12–22), security of processing (Art. 32), breach notifications (Art. 33–34), and data protection impact assessments (Art. 35–36).
4.7 At the Controller’s choice, delete or return all Customer Personal Data after the end of the provision of services. Default: deletion within 30 days of termination unless the Controller requests export beforehand.
4.8 Make available to the Controller all information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits.
5. Sub-processors
5.1 The Controller authorizes Einy to engage the sub-processors listed in Annex III.
5.2 Einy will impose on each sub-processor written data protection obligations no less protective than those set out in this DPA.
5.3 Einy will inform the Controller of any intended addition or replacement of sub-processors at least 30 days in advance. The Controller may object on reasonable data protection grounds within 15 days of notification.
5.4 Einy remains fully liable to the Controller for the performance of each sub-processor’s obligations.
6. International transfers
Where Customer Personal Data is transferred from the EEA, UK, or Switzerland to a country not benefiting from an adequacy decision, the parties agree to be bound by the EU SCCs (Module 2, Controller-to-Processor), the UK Addendum, and the Swiss adapted SCCs as applicable.
7. Data subject requests
If Einy receives a request from a data subject relating to Customer Personal Data, Einy will promptly forward the request to the Controller and not respond directly, unless legally required to do so.
8. Personal data breach
Einy will notify the Controller without undue delay, and in any event within 72 hours, of becoming aware of a personal data breach affecting Customer Personal Data.
9. Audits
Einy will make available to the Controller, on reasonable request, summaries of independent third-party audit reports. Where the Controller demonstrates these are insufficient, the Controller may conduct an audit subject to 30 days’ written notice, no more than once per 12-month period, during business hours, and at the Controller’s expense.
10. Liability
The liability of each party under this DPA is subject to the limitations and exclusions of liability set out in the Principal Agreement, except where such limitation is prohibited by applicable data protection law.
11. Term and termination
This DPA takes effect on the effective date of the Principal Agreement and continues until termination plus any period necessary for data deletion or return.
12. Governing law
This DPA is governed by the law and jurisdiction of the Principal Agreement, except that the SCCs are governed by the law of Ireland.
Annex II — Security measures
Einy implements the following technical and organizational measures:
- Encryption: TLS 1.2+ for data in transit; AES-256 encryption at rest; encrypted backups with separate key management.
- Access control: Role-based access control with least privilege; multi-factor authentication for administrative access; access logging retained 12 months; quarterly access reviews.
- Infrastructure security: Google Cloud Platform hosting with EU region options; network segmentation and firewalls; intrusion detection; regular vulnerability scans and patching.
- Application security: Secure development lifecycle with code review; dependency vulnerability monitoring; periodic penetration testing.
- Operational security: Incident response procedures; business continuity and disaster recovery; regular backups with point-in-time recovery; personnel confidentiality obligations and security training.
- Vendor management: Due diligence and DPAs with all sub-processors; annual review of sub-processor security.
Annex III — Sub-processors
See the Sub-processors section below for the current list.
Sub-processors
Einy is operated by Dalbin LLC. To provide einy.app and related services (the “Service”), we work with a small number of carefully vetted third-party providers (“sub-processors”) who may process personal data on our behalf.
This page lists every sub-processor we currently use. We update it whenever we add, remove, or replace a provider.
Current sub-processors
| Sub-processor | Purpose | Data processed | Location | Transfer mechanism |
|---|---|---|---|---|
| Google LLC — Google Cloud Platform | Application hosting, virtual machines, object storage | Account data, User Content, usage data, logs | EU (preferred) and US | EU–US Data Privacy Framework, SCCs |
| Supabase Inc. | Database, authentication, file storage | Account data, User Content metadata, authentication tokens | US | Standard Contractual Clauses |
| Stripe, Inc. | Payment processing, subscription management | Name, email, billing address, payment method tokens | US | EU–US Data Privacy Framework, SCCs |
| Gelato AS | Print-on-demand fulfillment, shipping | Name, shipping address, order details, generated artwork files | EU (Norway) and global | Standard Contractual Clauses |
| Google LLC — Vertex AI / Gemini API | AI model inference for content generation | Prompts, uploaded images, generated outputs (not used for model training) | EU and US | EU–US Data Privacy Framework, SCCs |
| Google LLC — Google Workspace (Gmail) | Transactional and support email | Email address, message content | US | EU–US Data Privacy Framework |
| Google LLC — Google Analytics 4 | Product analytics (consent-based, EEA/UK users) | Anonymized IP, page views, session data, device type | US | EU–US Data Privacy Framework |
How we vet sub-processors
Before engaging any sub-processor, we:
- Review their security posture, certifications, and audit reports;
- Sign a written Data Processing Agreement that imposes obligations no less protective than ours;
- Verify their data residency options and transfer safeguards;
- Confirm that they do not use our customers’ data to train AI models;
- Document the assessment and revisit it periodically.
Notification of changes
We notify our paid customers of any new or replacement sub-processor at least 30 days before the change takes effect, by email to the address on file and through this page.
If you have a Data Processing Agreement with us and you object to a new sub-processor on reasonable data protection grounds, you can raise that objection within 15 days, in which case we will work with you to find a resolution or allow you to terminate the affected services without penalty.
To receive advance notifications, subscribe at: subprocessor-updates@einy.app (send a blank email, no body required).
Out of scope
The following are not sub-processors because they do not process personal data on our behalf:
- Your own end users — when you grant access to your account to colleagues or clients, they remain under your control.
- Independent service providers you choose to integrate with — for example, if you connect your own Dropbox or Google Drive to Einy, that integration is governed by your direct relationship with that provider.
- Gelato shipping carriers — Gelato selects and contracts with shipping providers (DHL, FedEx, postal services) directly. They are sub-processors of Gelato, not of Einy.
Questions
For any question about this list or our sub-processor management practices, contact privacy@einy.app.
Dalbin LLC
PO Box 3219
Santa Barbara, CA 93130, USA
