Cedulor is a service operated by Firat Ilim, an entrepreneur individuel (micro-entreprise) trading as Llull Lab / Studio Llull.
When you use Cedulor to prepare a grant proposal, you (or your institution) remain the controller of the proposal content, and Cedulor acts as your data processor for that content. A Data Processing Agreement (DPA) governs this relationship and is available on request (see Section 9).
| Category | Examples | Role |
|---|---|---|
| Account data | Name, email address, institution, invite code | Controller |
| Proposal content | Project descriptions, budgets, consortium details, CVs, personnel information you enter | Processor (you are the controller) |
| Payment data | Billing details, transaction records (processed by our payment provider; we do not store full card numbers) | Controller (jointly with the payment provider, which acts as an independent controller for fraud prevention and legal compliance) |
| Usage data | Log records, feature usage, session metadata | Controller |
We do not sell your data. We do not use your proposal content to train AI models (see Section 6).
Your account data is stored on EU-based infrastructure, and the AI processing that generates your document runs within the EU. Your proposal content is processed within the EU and is not retained after your document is produced. We do not transfer your proposal content outside the EU. Two of our providers are incorporated outside the EU: our transactional email provider (which receives your email address and message text) and our managed database provider (which stores your account data within the EU). Both relationships are covered by Standard Contractual Clauses (SCCs) under GDPR Art. 46; your proposal content is not involved in either. See Section 5.
We use a small set of sub-processors to deliver the service. In this notice we describe them by category; the current named list is provided in our Data Processing Agreement and on request at contact@llulllab.com.
| Category | Purpose | Location | Transfer safeguard |
|---|---|---|---|
| Cloud hosting provider | Application services and encrypted backups | EU (Germany) | N/A (EU) |
| Managed database provider | Storage of account and session data | EU (Netherlands) | Data in EU; SCCs (2021/914) for the non-EU provider entity |
| AI processing (hosted model inference) | Draft generation and review of proposal text | EU | N/A (EU); not retained, not used for training, not shared with the model provider |
| Retrieval service | Locating relevant passages in public EU programme documents | EU | N/A (EU); not used for training |
| Email delivery provider | Transactional email (email address and message text) | USA | SCCs (2021/914) |
The payment provider is not a sub-processor: it acts as an independent controller for payment processing, fraud prevention, and legal compliance, under its own privacy terms.
Proposal text you enter is processed solely to generate your document, using AI model inference that runs on EU-based infrastructure. Your input is not used to train any model and is not shared with the model provider. Any automated abuse detection by the AI provider is performed without human review, and any retention associated with it stays within the EU. Cedulor does not keep a durable copy of your proposal content: it is processed to produce your document and is not retained on our servers afterward. Your content and the resulting document are yours.
You have the right to access, rectification, erasure, restriction, data portability, and objection, and to withdraw consent where processing is based on consent. To exercise any right, email contact@llulllab.com. We respond within one month. You may also lodge a complaint with the French supervisory authority (CNIL, cnil.fr).
Institutional customers who need a signed DPA (GDPR Art. 28) can request one at contact@llulllab.com. It includes the named sub-processor list, security measures, breach-notification terms (72 hours), audit rights, and end-of-contract data deletion or return.
Data is encrypted in transit (TLS 1.3). Account and billing data are held in a managed EU database that encrypts data at rest, and our backups are encrypted (AES-256). Proposal content is not retained after processing (see Section 6). Access is authenticated and role-restricted.
We will post material changes to this page and update the date above.