Privacy Notice

How IPZilla collects, processes, stores and shares the personal data and inventive content you submit. Drafted to GDPR Articles 5, 6, 9, 13, 15-22, 28, 33 and the e-Privacy Directive.

Last updated: 2026-05-04 · Version 2.1

1. Data controller and contact

IPZilla is operated by ICRAFT, a French société par actions simplifiée (SAS), registered with the Paris Trade and Companies Registry (RCS Paris) under number 992 314 237, with its registered office at 58 rue de Monceau, 75008 Paris, France.

Privacy contact: every privacy request goes through the contact form at ipzilla.app/contact with subject "Privacy · data deletion". Replies within five business days; substantive responses within thirty days.

DPO: a Data Protection Officer is not formally appointed at the current scale. The privacy contact above is the single accountable owner for all privacy requests. A DPO will be designated and disclosed here once the platform crosses the GDPR Article 37 thresholds (large-scale systematic monitoring or large-scale processing of special-category data).

2. Data sovereignty — what we commit to, upfront

Before the full privacy detail below, we want to be unambiguous on the points that matter most to patent filers:

  • Your inventive content stays yours. IPZilla assigns all AI-generated output IP rights back to you and makes no inventorship claim on any content the platform produces.
  • We do not sell, share, or license your data to third parties for their AI training or any commercial purpose whatsoever.
  • Our AI infrastructure (Vertex AI Gemini 2.5) operates under Google Cloud terms that explicitly prohibit Google from using your prompts or completions to train their foundation models. This is confirmed in writing in the Google Cloud Customer Agreement and Data Processing Addendum.
  • By default, we retain pseudonymised transcripts — identified only by a one-way SHA-256 hash of your account UID plus a private salt, never by your email, name, or IP address — for platform improvement. You can opt out at any time via the contact form. Per-session Ephemeral Mode provides zero-persistence chat with no training-corpus capture.
  • Production infrastructure runs on us-central1 (Iowa, USA). Transfers from the EEA/UK are governed by EU Standard Contractual Clauses and the EU-US Data Privacy Framework. EU-region hosting is available for Enterprise customers.

3. What we collect

We collect three categories of data:

  • Account identity: email and display name from your Firebase Auth provider (Google OAuth or email/password). Photo URL only when you authenticate via Google.
  • Inventive content: invention disclosures you submit (chat transcripts, uploaded PDFs, image and audio attachments), the structured InventionDisclosure that emerges, the rule-engine evaluations of that disclosure, and the patent-research jobs you run (briefs, drug names, technical descriptions).
  • Operational telemetry: timestamps, IP-address-derived approximate region (logged for ≤30 days at the platform level by Google Cloud Run), Gemini token-count and cost rows in our internal billing ledger (no payload content), error and request IDs.

4. Special-category data (Article 9)

Pharma and biotech disclosures may incidentally reference data classified as special-category under GDPR Article 9: clinical-trial results, individual patient measurements, genetic sequences linked to identifiable individuals, racial-or-ethnic-origin descriptors in cohort breakdowns.

We ask you NOT to submit identifiable patient data, identified clinical-trial subjects, or any other Article 9 special-category data through the platform. Disclosures should describe research outcomes in aggregated, anonymised, or hypothetical terms.

If special-category data is nonetheless submitted, we process it under Article 9(2)(g) (substantial public interest in the patent-system functioning) supported by appropriate safeguards (encryption at rest, access controls, retention limits). On request we will purge any identified special-category content from your session within seven days.

6. AI training and the labeled-corpus pipeline

IPZilla maintains an internal labeled training corpus that links inventor disclosures (the input) to claim wordings, rule-engine outcomes, and — when available later in prosecution — grant or rejection outcomes. This corpus is critical to platform improvement and is what differentiates IPZilla from generic patent search tools.

Records in the training corpus are pseudonymised: a one-way SHA-256 hash of your account UID plus a private salt is the only identifier retained. We do NOT retain your email address, name, IP address, or organization in the training corpus. We DO retain the verbatim chat transcripts, the structured InventionDisclosure, and the rule-engine evaluations.

We do NOT sell your training data. We do NOT share it with third parties for their training. We use it solely to improve IPZilla's models, prompts, and rule engine.

You may opt your account out of training-corpus capture at any time via the contact form (subject: Privacy · data deletion, message: 'opt out training corpus'). On request we will delete every training-corpus record linked to your contributor hash within 30 days.

Per session, you may also enable Ephemeral Mode at the start of a chat — when on, no Firestore persistence happens at all and no training-corpus record is generated.

A Data Protection Impact Assessment (DPIA) for the labeled-corpus pipeline has been documented internally and will be made available to Enterprise customers under NDA on request. The DPIA confirms (a) pseudonymisation effectiveness, (b) opt-out mechanism, (c) retention and access controls, (d) sub-processor exposure, and (e) residual risk classification (low).

7. Automated decisions and meaningful human review (Article 22)

IPZilla uses AI to produce outputs you act on: claim wordings, FTO verdicts, rule-engine evaluations, prior-art relevance scores, doctrine-critic recommendations.

These outputs are NOT solely automated decisions in the GDPR Article 22 sense. Every output IS designed to be reviewed and either accepted, revised or rejected by you (and, in patent matters, by your patent counsel). The platform requires explicit human acceptance at the disclosure step before any drafted output is treated as final, and the user interface surfaces per-field confidence scores so you can target your review at the lowest-confidence values.

You retain the right at any time to: (i) request a human review of any AI output before relying on it; (ii) contest the AI's output and request that the platform regenerate it with different parameters; (iii) bypass the AI entirely and use the escape-hatch text-paste flow.

Where Article 22 nonetheless applies (because an output indirectly produces legal effects), we rely on Article 22(2)(a): the processing is necessary for the performance of the contract you entered into.

8. Profiling and inference

IPZilla performs limited profiling: on submission of a disclosure, the platform infers (a) the technical field from the disclosure text (e.g. pharma, biotech, electronics), (b) the closest prior-art set, and (c) confidence scores per extracted disclosure field.

These inferences serve the contract (Article 6(1)(b)) and are explained on the user interface so you can correct them. They do not produce legal effects, do not feed advertising or third-party profiling, and are not shared outside IPZilla.

We do NOT perform demographic profiling, ad-targeting profiling, behavioural profiling for commercial inference, or any cross-customer inference. The labeled training corpus is built from individual contributor records, not from cross-customer behavioural patterns.

9. Sub-processors

We rely on the following sub-processors. All are bound by data-processing agreements with appropriate confidentiality and security commitments. Cross-border transfers from the EEA / UK are governed by Standard Contractual Clauses where applicable.

  • Google Cloud (Firestore, Cloud Run, Cloud Storage, BigQuery, Vertex AI Gemini, Cloud Logging) — primary infrastructure. Region: us-central1. EU customers may request EU-region hosting on Enterprise plans.
  • Vertex AI Gemini 2.5 (Pro and Flash) — invocations are made under the Google Cloud customer contract; Google has confirmed that Vertex AI prompts and completions are NOT used to train Google's foundation models.
  • Firebase Authentication (Google) — identity provider for sign-in.
  • Stripe — payment processing for the Founder, Scale and Enterprise plans (only when you subscribe).
  • Resend (or equivalent transactional-email provider) — outbound emails (welcome, draft acceptance, billing receipts, contact-form acknowledgements).

10. Sub-processor changes and your right to object

We will give Enterprise customers, and users on request, at least 30 days' written notice (by email to the address of record) before adding or replacing a sub-processor that processes substantive content (i.e. inventive content rather than transactional metadata).

If you have a reasonable, good-faith objection (typically: substantive concern about the new sub-processor's security posture, jurisdiction, or onward-transfer practices), you may object in writing within the notice period. We will work with you for up to 60 days to find a resolution; failing that, you may terminate the affected service component without penalty.

Replacements of incumbent sub-processors with materially similar successors (same jurisdiction, same security posture, same data categories) may be effected without 30-day notice but with prompt written disclosure.

11. International data transfers

Production infrastructure is currently located in the us-central1 region (Council Bluffs, Iowa, USA). Data transfer from the EEA / UK to the United States relies on the EU-US Data Privacy Framework (where the sub-processor is certified) or on Standard Contractual Clauses approved by the European Commission.

Enterprise customers may contract for EU-region-only hosting and EU-residency Vertex AI invocations as part of their Enterprise data-processing agreement.

12. Retention periods

Each category of data has a defined retention period:

  • Active intake_sessions (in-progress chat drafts): 30 days from creation, then automatic deletion.
  • Image and audio attachments uploaded during a chat: 7 days, enforced by a Cloud Storage lifecycle rule.
  • Accepted invention disclosures and the linked patent-research jobs: kept for the active life of your account, plus 12 months grace after account closure unless you request immediate deletion.
  • Training corpus records: 7 years retention (matching the typical patent prosecution horizon), or until you exercise your right to erasure, whichever comes first.
  • Operational logs (Cloud Run access logs): 30 days, per Google Cloud platform default.
  • Gemini cost-telemetry rows (no payload content): 7 years for billing audit.
  • Stripe billing records (invoices, subscription history): 10 years per French commercial-law requirements where applicable.
  • Contact-form submissions: 18 months, then archived to a cold collection for an additional 12 months, then deleted.

13. Your rights (GDPR Articles 15-20)

You have the right of access, rectification, erasure, restriction, portability and objection. You may exercise any of these rights by sending a request via the contact form (subject: Privacy · data deletion).

  • Access (Art. 15): we will return the full set of records linked to your account within 30 days, in a machine-readable JSON archive.
  • Rectification (Art. 16): you may correct any extracted disclosure field directly in the dashboard, or request manual correction of training-corpus records via the contact form.
  • Erasure / right to be forgotten (Art. 17): we will delete your account, your in-progress drafts, your accepted disclosures, your patent-research jobs, your contact submissions, your Stripe customer record (subject to the legal-retention exception for billing records), and your training-corpus records within 30 days.
  • Restriction (Art. 18) and objection (Art. 21): you may pause processing while a request is being evaluated.
  • Portability (Art. 20): the access archive is provided in JSON and is suitable for transfer to another service.
  • Withdraw consent (Art. 7(3)): where processing relies on consent (voice / image attachments, training-corpus capture), you may withdraw at any time without affecting the lawfulness of processing prior to withdrawal.
  • Right to lodge a complaint with a supervisory authority (Art. 77): in France, the CNIL (cnil.fr).

14. Security

We rely on Google Cloud's infrastructure security (ISO 27001, SOC 2, ISO 27017, ISO 27018) and apply additional controls: per-document Firestore security rules locking each user's data to their own UID, role-based admin access with step-up Google reauthentication every 30 minutes, signed inline-data uploads, encrypted-at-rest Cloud Storage with auto-deletion lifecycle, and per-call Gemini telemetry without payload content.

Despite these controls, no internet-facing service can guarantee absolute security. We recommend you treat extremely sensitive disclosures as you would any other internet-transmitted document: file the formal patent application before discussing the invention publicly.

15. Breach notification (Article 33)

In the event of a personal data breach likely to result in a risk to the rights and freedoms of data subjects, we will notify the competent supervisory authority (in France, the CNIL) without undue delay and, where feasible, within 72 hours of becoming aware of the breach, in accordance with GDPR Article 33.

When the breach is likely to result in a high risk to data subjects, we will also notify affected users directly and in clear language, in accordance with Article 34, with: (a) a description of the nature of the breach, (b) the name and contact of the privacy contact, (c) the likely consequences, and (d) the measures taken or proposed to address the breach.

We maintain an internal incident-response runbook and a breach register required under Article 33(5).

16. Data of minors

IPZilla is a B2B platform sold to professional patent counsel, R&D directors, and corporate IP departments. We do not knowingly process the personal data of users under 16. If we become aware that we have done so we will delete it.

17. Cookies, local storage, and the e-Privacy Directive

Cookies and similar technologies on the IPZilla site are governed not only by GDPR but also by the EU e-Privacy Directive (2002/58/EC, as transposed in France via the loi Informatique et Libertés Article 82 and CNIL guidelines).

We use the minimum technical local-storage required for the service to function: Firebase Auth session token, theme preference (light / dark), language preference (en / fr). These are strictly necessary under e-Privacy and require no consent.

We do NOT use third-party advertising cookies. We do NOT use cross-site tracking. We do NOT use analytics cookies that profile individual users.

A consent banner conforming to CNIL guidelines is scheduled for deployment by 2026-06-30. Until that date, only the strictly-necessary technical local-storage entries listed above are set on visit.

18. Changes to this notice

We may update this notice. Material changes (new sub-processors, expanded data categories, retention changes) will be announced by email to active customers at least 30 days before the change takes effect. The version number and last-updated date at the top of this page reflect the current version.

For questions, access / deletion requests, or to receive the full Enterprise DPA, use the contact form at ipzilla.app/contact.

Suggested subject: Privacy · data deletion