Feix Privacy Policy
Draft for founder review. To be published at feix.app/privacy.
Last updated: 2026-07-15. AI processing statements apply to processing from 15 July 2026 onward.
1. Who we are
Feix is a service operated by Firat Ilim, an entrepreneur individuel (micro-entreprise) trading as Llull Lab / Studio Llull.
- Data controller for account, project-record and billing data: Firat Ilim, entrepreneur individuel
- Legal form: Entrepreneur individuel, micro-entreprise regime
- SIREN / SIRET: 988 721 320 / 988 721 320 00014
- APE / NAF code: 7220Z (research and development in the humanities and social sciences)
- VAT: not applicable, franchise en base under Art. 293 B of the French Code général des impôts
- Address: 61 rue de Lyon, 75012 Paris, France
- Contact for privacy matters: contact@llulllab.com
Unless stated otherwise, this policy describes Feix-managed deployments (systems we build and host for you). For self-hosted deliveries, your system runs on your own infrastructure; Section 7 describes what we retain after delivery.
When your Feix-managed system processes personal data of your users (bookings, members, guests, clients), you are the controller of that data and Feix acts as your data processor. A Data Processing Agreement (DPA) governs this relationship and is available on request (see Section 9).
2. What data we process
| Category | Examples | Role |
| Account and access data | Email address, invite code, session records | Controller |
| Project brief and record | The brief you submit, your delivery email, the generated system files kept as your project record | Controller (the content remains yours) |
| Service credentials (BYO package only) | Credentials you provide so your system can run against your own service accounts | Processor (used only to operate your system) |
| Your system's operational data | Personal data your Feix-managed system processes about your own users | Processor (you are the controller) |
| Payment data | Billing details, transaction records (processed by our payment provider; we do not store full card numbers) | Controller (jointly with the payment provider, which acts as an independent controller) |
| Usage data | Log records, request metadata | Controller |
3. Why we process it and on what legal basis
- To build, deliver and host your system (generation, quality control, hosting, maintenance): GDPR Art. 6(1)(b), performance of a contract.
- To improve reliability and security, and to prevent abuse: GDPR Art. 6(1)(f), legitimate interest.
- To send transactional messages (access codes, delivery notices): Art. 6(1)(b).
We do not sell your data. We do not use your brief, your system or its data to train AI models (see Section 6 and the AI Model Use Statement).
4. Where your data is stored and processed
Your brief and the generation process are processed within the EU, and your Feix-managed system runs on EU-based infrastructure. Your project record is stored in the EU. Two of our providers are incorporated outside the EU: our transactional email provider (which receives your email address and a request identifier, not your content) and our managed database provider (which stores data within the EU). Both relationships are covered by Standard Contractual Clauses (SCCs) under GDPR Art. 46. Visits to feix.app itself transit a US-operated content delivery network, as with most websites.
5. Sub-processors
We describe sub-processors by category here; the current named list is provided in our DPA and on request at contact@llulllab.com.
| Category | Purpose | Location | Transfer safeguard |
| Cloud hosting provider | Application services, your Feix-managed system, encrypted backups | EU (Germany) | N/A (EU) |
| Managed database provider | Account, project-record and system data | EU (Netherlands) | Data in EU; SCCs (2021/914) for the non-EU provider entity |
| AI processing (hosted model inference) | Generation and quality review of your system | EU | N/A (EU); not used for training; the underlying model vendor does not receive your content |
| Design-reference retrieval | Locating relevant passages in our own internal design library (contains no customer data) | EU | N/A (EU) |
| Email delivery provider | Transactional email (email address and a request identifier) | USA | SCCs (2021/914) |
The payment provider is not a sub-processor: it acts as an independent controller under its own privacy terms.
6. AI processing
The brief you submit is processed solely to generate your system, using AI model inference that runs on EU-based infrastructure operated by our infrastructure sub-processor; the underlying model vendor does not receive your content, and your content is not used to train any model. Working copies created during generation are not retained: generation runs leave no stored execution content on our servers (this configuration is verified in production). What we keep is your project record (Section 7). Systems built for Feix-managed hosting use EU model processing; integrations with non-EU services are added only on your written instruction and are then listed in your DPA annex.
7. How long we keep it
- Project record (brief, delivery email, generated system files): for the life of the engagement, as the record of what was built for you. It is exportable at any time.
- If the pilot ends without adoption, or on your request: your system and project record are deleted from active systems immediately and expire from our encrypted backups within 2 days. Our managed database provider retains its own encrypted backups for a limited period under its terms.
- Self-hosted deliveries: after delivery we retain your project record (brief and delivered files) unless you ask us to delete it; your running system and its data are on your infrastructure.
- BYO service credentials: kept only while your system runs; deleted with the system.
- Account data: for the life of your account; deleted within 30 days of a closure/erasure request.
- Billing records: retained as required by French accounting/tax law.
8. Your rights (GDPR)
You have the right to access, rectification, erasure, restriction, data portability, and objection. Email contact@llulllab.com; we respond within one month. You may lodge a complaint with the French supervisory authority (CNIL, cnil.fr).
9. Data Processing Agreement
Customers whose Feix-managed system processes personal data of their own users can request a signed DPA (GDPR Art. 28) at contact@llulllab.com. It includes the named sub-processor list, security measures, breach-notification terms (72 hours), audit rights, and end-of-contract deletion/return.
10. Security
Data is encrypted in transit (TLS 1.3). Account, project-record and system data are held in a managed EU database that encrypts data at rest, and our backups are encrypted (AES-256). Access is authenticated and role-restricted. Service credentials you provide are stored in the managed EU database and used only to operate your system. See the Security FAQ for an honest statement of what we do and do not have.
11. Changes
We will post material changes to this page and update the date above.