Privacy Policy
Last updated: 24 June 2026 · Version: 1.0
1. Who we are (the controller)
MicrostructureDB (“the Platform”) is operated by:
ePotentia VOF Frans van Dijckstraat 59, 2100 Deurne (Antwerpen), Belgium Company number (KBO/BCE): 0725.714.903 VAT: BE 0725.714.903 Legal entities register: RPR Antwerpen, afdeling Antwerpen Email: support@epotentia.com
ePotentia VOF is the data controller for the personal data described below.
Data protection contact: Rina Jaeken — support@epotentia.com. (We are not legally required to appoint a Data Protection Officer; Rina is your point of contact for any privacy matter.)
2. What data we process and why
| Data category | Examples | Purpose | Legal basis (GDPR Art. 6) |
|---|---|---|---|
| Account data | First name, last name, email, hashed password (via Firebase), phone (optional), country, language, invite code, organization, access level | Create and manage your account; authenticate you | Contract (Art. 6(1)(b)) |
| Content you upload | Microstructure images, EBSD datasets, metadata, analysis results | Provide the Platform’s core functionality | Contract (Art. 6(1)(b)) |
| AI assistant interactions | Messages you send to the in-app assistant (“Hephaestus”) and its responses | Operate the assistant feature | Contract (Art. 6(1)(b)) |
| Usage / technical data | IP address, browser type, pages visited, timestamps, error logs | Security, debugging, service integrity | Legitimate interest (Art. 6(1)(f)) |
| Analytics data | Aggregated usage statistics via Google Analytics | Understand and improve the Platform | Consent (Art. 6(1)(a)) |
| Communications | Support emails, correspondence | Respond to and support you | Legitimate interest (Art. 6(1)(f)) |
We do not knowingly process special-category data (Art. 9). Please do not upload personal data of third parties unless you have a lawful basis to do so.
3. Where your data is processed
Personal data is processed within the European Economic Area, at:
- Google Cloud, region
europe-west4(Netherlands) for the application and Vertex AI service, with the Cloud SQL (PostgreSQL) database hosted in the EU (multi-regioneu); and - ePotentia’s own server located in Deurne, Belgium — for certain processing, model work, and internal tasks.
Both locations are within the EEA. Some sub-processors (see §5) may involve limited transfers outside the EEA, governed as described there.
4. The AI assistant (Hephaestus) and model training
When you use the assistant, your messages and the context you make available to it (e.g. analysis-basket items, viewer state) are sent to our AI sub-processor solely to generate a response. We use Anthropic’s Claude models served through Google Cloud Vertex AI in the EU region. Under Google Cloud’s Vertex AI terms, your inputs and outputs are not used to train the underlying models.
Assistant messages are processed transiently and are not retained on our servers; any chat history you see is stored locally in your own browser.
Model training — important distinction:
- Data in open / public datasets on the Platform may be used by ePotentia to train and improve materials-science models.
- Private and industry data is never used to train models. It is processed only to provide the Platform to you.
- On-premise deployments are available on request — contact support@epotentia.com.
5. Sub-processors
| Sub-processor | Role | Location / safeguard |
|---|---|---|
| Google Cloud (Google Cloud EMEA Ltd / Google Ireland) | Hosting, Cloud SQL database, Vertex AI | EU (europe-west4 + EU multi-region) |
| Google Firebase | Authentication and transactional email | EU / Google adequacy & SCCs |
| Sentry | Error monitoring (configured to minimise/scrub personal data) | US — EU-US Data Privacy Framework |
| Google Analytics | Aggregated usage analytics (only after consent) | US — EU-US Data Privacy Framework |
| ePotentia (own server, Deurne) | Internal processing, model work | Belgium (EEA) |
When we introduce paid subscriptions, we will add our payment processor (e.g. Stripe) and invoicing provider (Exact Online) to this list before they begin processing data. If we change our hosting or database providers, we will update this list accordingly; any new provider that processes personal data will be EEA-based or covered by an appropriate transfer mechanism.
6. International transfers
Core processing is within the EEA. Where a US sub-processor (Sentry, Google Analytics) accesses data, transfers rely on the EU-US Data Privacy Framework and/or Standard Contractual Clauses.
7. How long we keep data
- Account data: until account closure, then deleted or anonymized within 30 days. On closure we will ask how you want any datasets handled (see below).
- Private uploaded content (images/EBSD/metadata): deleted within 30 days of deletion or account closure.
- Open / published datasets: may be retained in anonymized form after account closure, consistent with the open-data license under which they were contributed.
- Database backups (Cloud SQL): automated backups retained 7 days, with point-in-time recovery enabled; stored in the EU.
- Application / security logs: retained for 30 days (Google Cloud Logging default retention).
8. Sharing with research partners
We may collaborate with universities and academic partners as experimental study partners. Where this involves research/materials data, it is shared in anonymized or aggregated form under appropriate agreements. Sharing any personal data with a partner would require a separate lawful basis and, where relevant, your consent; we will not do so otherwise.
9. Your rights
You may: access, rectify, or erase your data; restrict or object to processing; obtain portability; and withdraw consent at any time (where processing relies on consent). Email support@epotentia.com; we respond within one month.
You may lodge a complaint with the Belgian supervisory authority:
Gegevensbeschermingsautoriteit / Autorité de protection des données (GBA/APD) Drukpersstraat 35 / Rue de la Presse 35, 1000 Brussels contact@apd-gba.be · www.gegevensbeschermingsautoriteit.be
10. Security
We apply appropriate technical and organizational measures including encryption in transit, access controls, hashed credentials (Firebase), and least-privilege roles. Error monitoring is configured to scrub personal data. We will notify you and the supervisory authority of qualifying breaches as required by Art. 33–34.
11. Cookies
See our separate Cookie Policy.
12. Changes
We may update this policy. Material changes will be communicated in-app, and the version number above will change.