Privacy Policy — Celatum

                Key principle: Celatum is a desktop application. Documents you process never leave your device. We do not receive, access, or store any document content. The only personal data we hold relates to your license and billing — described in detail below.
            

1. Controller

The data controller for the data processed in connection with the Celatum service is:

Salvioni Digital Solutions SAGL
UID: CHE-290.921.033
Switzerland
Website: salvionisolutions.ch
Contact: info@celatum.ch

2. What Celatum does and what it does not

Celatum detects and anonymizes personally identifiable information (personal identifiers) in documents you provide. All document processing — text extraction, Personal identifier detection via a local AI model, anonymization, and pseudonymization — runs entirely on your device. No document content, extracted text, detected personal identifiers, or anonymized output is transmitted to us or to any third party.

Because we never see your documents, we are not the controller for the personal data they contain. You remain the controller for that data, and you are responsible for your own compliance obligations under FADP, GDPR, or any other law that applies to the documents you process.

3. Data We Process

3.1 Data that never leaves your device

Data	Purpose	Storage
Documents you open	Personal identifier detection and anonymization	In memory only; released after processing or on session wipe
Detected personal identifiers entities	Displayed for review before anonymization	In memory; zeroed via secure wipe on reset, tab switch, file close, or app shutdown
Pseudonymized templates (.piia)	Saved by you for later re-population	On your disk, in the directory you choose
User glossary	Custom translation terms	`~/.celatum/glossary.csv`
Application preferences	Theme, language, settings	Browser localStorage within the app
Audit log	Append-only local activity log for support diagnostics (no personal identifiers content)	`~/.celatum/audit.log`
Error log	Debugging information (no personal identifiers content)	`~/.celatum/errors.log`
Temporary files	Intermediate processing during template operations	OS temp directory; cleaned up immediately and on next app startup

3.2 Data transmitted to our server

Data	Purpose	Legal basis
License key	Activate and validate your license	Performance of contract (GDPR Art. 6(1)(b) / FADP Art. 31(2)(a))
Hashed device identifier	Bind the license to your device (SHA-256 hash of MAC address, hostname, and OS — the raw values are never transmitted)	Performance of contract
Device name	Display in your license management dashboard	Performance of contract
Version check request	Check if a newer version is available (no personal data in the payload)	Legitimate interest (GDPR Art. 6(1)(f) / FADP Art. 31(1))

All network communication uses TLS 1.2 or higher. Connections are restricted to an allow-list of hosts (celatum.ch). No other outbound connections are permitted.

3.3 Data we do NOT collect

Document content, text, or detected personal identifiers — never transmitted
Usage analytics or telemetry — all third-party telemetry (HuggingFace Hub, MLflow, Weights & Biases, Comet) is disabled at startup
Crash reports — not sent automatically; error logs remain on your device
IP addresses — not logged by the license server beyond standard web-server access logs (retained for 30 days for abuse prevention)

4. Machine-Learning Model

The AI detection model runs locally via the ONNX Runtime library. After the initial download, the model operates fully offline. No input data, tokens, or inference results are sent externally. The application disables all upstream telemetry at startup.

5. Memory Security

The application implements defense-in-depth measures to minimize the time personal identifiers resides in memory:

Extracted text and detected entities are zeroed via secure memory wiping whenever the session is reset, a tab is switched, a file is closed, or the app shuts down.
A forced garbage collection cycle runs after each wipe to accelerate memory reclamation.
The most recent detection results are cached only to enable secure wiping; they are overwritten on each new detection.

Known limitation: Go strings are immutable values managed by a garbage collector. While the application zeroes the backing memory of heap-allocated strings, the Go runtime may retain copies during garbage collection compaction cycles. This is a language-level constraint and is documented as such. The measures taken satisfy the “reasonable technical measures” standard under both GDPR Art. 32 and FADP Art. 8.

6. Data Retention

Documents: Never stored by the application. Exist in memory only during active processing.
License data: Stored locally in an AES-256-GCM encrypted envelope bound to your device. Deleted when you remove ~/.celatum/.
Audit and error logs: Stored locally. You may delete them at any time by removing the files in ~/.celatum/.
Server-side license records: Retained for the duration of your license plus 90 days, then deleted.

7. Your Rights

Under the GDPR (EU/EEA residents)

You have the right to access, rectify, erase, restrict, port, and object to the processing of your personal data. You may also withdraw consent at any time and lodge a complaint with your supervisory authority.

Under the FADP (Switzerland)

You have the right to information (Art. 25), rectification (Art. 32(1)), erasure or destruction (Art. 32(2)(c)), and data portability (Art. 28). You may lodge a complaint with the Federal Data Protection and Information Commissioner (FDPIC).

To exercise any of these rights, contact info@celatum.ch. We will respond within 30 days.

For data stored locally on your device, you are in full control: delete ~/.celatum/ to remove all application data, or use the “Reset to defaults” button in Settings to reset the glossary.

8. Sub-processors and data transfers

The license server is hosted in Switzerland on Infomaniak Network SA infrastructure. License activation and validation requests are transmitted exclusively to that Swiss-hosted server.

Payments are processed by Stripe Payments Europe Ltd. (Ireland) on our behalf. When you subscribe, you provide payment details directly to Stripe; we do not store card numbers or other sensitive payment data. Stripe acts as our processor for billing and may transfer billing data to its parent group in the United States under the EU-US Data Privacy Framework and the UK extension. Stripe’s privacy practices are described at stripe.com/privacy.

No other sub-processors are involved. Document content is never transmitted to anyone — including us — so there are no document-data transfers to consider.

9. Security Measures

All network traffic encrypted with TLS 1.2+
Network allow-list restricts outbound connections to the license server only
License data encrypted at rest with AES-256-GCM, key derived from device-specific material
All local files created with restrictive permissions (0600/0700)
Append-only local activity log (support diagnostics, no personal identifiers content)
Secure memory zeroing after each processing session
Stale temporary files purged on every app startup
Third-party telemetry disabled at process level

10. Children

This application is a professional tool not directed at children under 16. We do not knowingly process personal data of children.

11. Changes to This Policy

We may update this policy to reflect changes in the application or applicable law. The “Last updated” date at the top indicates the most recent revision. Material changes will be communicated via the application’s update notification.

12. Contact

Salvioni Digital Solutions SAGL
UID: CHE-290.921.033
Email: info@celatum.ch
Website: salvionisolutions.ch