← Cedulor

Privacy Policy

Last updated: 9 July 2026

1. Who we are

Cedulor is a service operated by Firat Ilim, an entrepreneur individuel (micro-entreprise) trading as Llull Lab / Studio Llull.

When you use Cedulor to prepare a grant proposal, you (or your institution) remain the controller of the proposal content, and Cedulor acts as your data processor for that content. A Data Processing Agreement (DPA) governs this relationship and is available on request (see Section 9).

2. What data we process

CategoryExamplesRole
Account dataName, email address, institution, invite codeController
Proposal contentProject descriptions, budgets, consortium details, CVs, personnel information you enterProcessor (you are the controller)
Payment dataBilling details, transaction records (processed by our payment provider; we do not store full card numbers)Controller (jointly with the payment provider, which acts as an independent controller for fraud prevention and legal compliance)
Usage dataLog records, feature usage, session metadataController

3. Why we process it and on what legal basis

We do not sell your data. We do not use your proposal content to train AI models (see Section 6).

4. Where your data is stored and processed

Your account data is stored on EU-based infrastructure, and the AI processing that generates your document runs within the EU. Your proposal content is processed within the EU and is not retained after your document is produced. We do not transfer your proposal content outside the EU. Two of our providers are incorporated outside the EU: our transactional email provider (which receives your email address and message text) and our managed database provider (which stores your account data within the EU). Both relationships are covered by Standard Contractual Clauses (SCCs) under GDPR Art. 46; your proposal content is not involved in either. See Section 5.

5. Sub-processors

We use a small set of sub-processors to deliver the service. In this notice we describe them by category; the current named list is provided in our Data Processing Agreement and on request at contact@llulllab.com.

CategoryPurposeLocationTransfer safeguard
Cloud hosting providerApplication services and encrypted backupsEU (Germany)N/A (EU)
Managed database providerStorage of account and session dataEU (Netherlands)Data in EU; SCCs (2021/914) for the non-EU provider entity
AI processing (hosted model inference)Draft generation and review of proposal textEUN/A (EU); not retained, not used for training, not shared with the model provider
Retrieval serviceLocating relevant passages in public EU programme documentsEUN/A (EU); not used for training
Email delivery providerTransactional email (email address and message text)USASCCs (2021/914)

The payment provider is not a sub-processor: it acts as an independent controller for payment processing, fraud prevention, and legal compliance, under its own privacy terms.

6. AI processing

Proposal text you enter is processed solely to generate your document, using AI model inference that runs on EU-based infrastructure. Your input is not used to train any model and is not shared with the model provider. Any automated abuse detection by the AI provider is performed without human review, and any retention associated with it stays within the EU. Cedulor does not keep a durable copy of your proposal content: it is processed to produce your document and is not retained on our servers afterward. Your content and the resulting document are yours.

7. How long we keep it

8. Your rights (GDPR)

You have the right to access, rectification, erasure, restriction, data portability, and objection, and to withdraw consent where processing is based on consent. To exercise any right, email contact@llulllab.com. We respond within one month. You may also lodge a complaint with the French supervisory authority (CNIL, cnil.fr).

9. Data Processing Agreement

Institutional customers who need a signed DPA (GDPR Art. 28) can request one at contact@llulllab.com. It includes the named sub-processor list, security measures, breach-notification terms (72 hours), audit rights, and end-of-contract data deletion or return.

10. Security

Data is encrypted in transit (TLS 1.3). Account and billing data are held in a managed EU database that encrypts data at rest, and our backups are encrypted (AES-256). Proposal content is not retained after processing (see Section 6). Access is authenticated and role-restricted.

11. Changes

We will post material changes to this page and update the date above.