E2ELegal
Privacy Policy
Last updated: April 2, 2026
This Privacy Policy describes how Kaizen Yutani Ltd. ("E2EPilot," "we," "us," or "our") collects, uses, and protects your personal information when you use our AI-powered end-to-end test automation platform, including our website, CLI tools, MCP servers, and related services (collectively, the "Service").
E2EPilot is operated by Kaizen Yutani Ltd., a company registered in Bulgaria, European Union, with its registered address at 3 Stratsin Street, Sofia 1407, Bulgaria. As a data controller established in the EU, we process your data in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable Bulgarian data protection legislation.
1. Information We Collect
1.1 Account Information
When you create an account, we collect your email address for authentication and communication purposes. We do not collect names, phone numbers, physical addresses, or other personal identifiers unless you voluntarily provide them.
1.2 Authentication Data
We use Amazon Web Services (AWS) Cognito for user authentication. When you log in, authentication occurs entirely in your browser via OAuth 2.0. You may sign in using your email and password or through a third-party identity provider (Google). Authentication tokens are managed locally in your browser by the AWS Amplify library. Passwords are never stored in plaintext.
1.3 Payment Information
If you subscribe to a paid plan, payment processing is handled by Stripe, Inc. Your payment card details are transmitted directly to Stripe and are never stored on or processed by our servers. We receive only a limited set of billing information from Stripe (such as subscription status and transaction identifiers) to manage your account.
1.4 Usage Data
We do not use third-party analytics or tracking services. Standard server infrastructure (AWS) may automatically process limited technical data as part of normal operations, including:
- IP address (processed at infrastructure level for security and request routing)
- Server-side error logs (for diagnosing and resolving technical issues)
1.5 AI Interaction Data
When you use our AI-powered features (test generation, code suggestions, error analysis), your prompts and the context you provide are transmitted to AI model providers for processing. We do not persistently store your prompts, code, or AI-generated outputs on our servers. Data is processed transiently to deliver the Service and is not retained after the response is returned.
2. How We Use Your Information
We process your personal data for the following purposes and on the following legal bases:
| Purpose | Legal Basis (GDPR Article 6) |
|---|---|
| Providing and maintaining the Service (account management, authentication, billing) | Performance of a contract — Art. 6(1)(b) |
| Processing AI requests and delivering generated test code | Performance of a contract — Art. 6(1)(b) |
| Communicating with you about your account and service updates | Performance of a contract — Art. 6(1)(b) |
| Ensuring security, preventing fraud and abuse | Legitimate interest — Art. 6(1)(f) |
| Improving the Service through aggregated analytics | Legitimate interest — Art. 6(1)(f) |
| Complying with legal and regulatory obligations (tax, accounting) | Legal obligation — Art. 6(1)(c) |
| Sending marketing communications (only with your prior consent) | Consent — Art. 6(1)(a) |
We do not use your personal data, prompts, code, or AI-generated outputs to train, fine-tune, or improve any artificial intelligence or machine learning models.
3. AI-Powered Features and Third-Party AI Providers
3.1 How AI Processing Works
E2EPilot uses artificial intelligence models to generate test automation code, analyze errors, and provide code suggestions. When you use these features, your prompts and relevant context are sent to third-party AI model providers for processing.
3.2 Third-Party AI Model Providers
We use Amazon Web Services (AWS) to access AI foundation models. Under AWS's terms:
- Your data is not used to train or improve AI models. AWS Bedrock explicitly guarantees that inputs and outputs are not used to train the base foundation models or any third-party models.
- Your data is not shared with model providers. Third-party model providers do not receive or retain your data.
- Processing is transient. Prompts and responses are not stored by the Bedrock service beyond the API request lifecycle, unless you explicitly enable logging in your own AWS account.
3.3 AI Output Disclaimer
AI-generated content is provided "as is" without any warranty of accuracy, completeness, correctness, security, or fitness for a particular purpose. Test code, suggestions, and other outputs produced by the Service are machine-generated and may contain errors, bugs, security vulnerabilities, or inappropriate patterns.
You are solely responsible for reviewing, validating, and testing all AI-generated code before incorporating it into your projects or deploying it in any environment. E2EPilot does not guarantee that AI-generated outputs will function correctly, be free of defects, or meet your specific requirements.
To the fullest extent permitted by applicable law, we disclaim all liability for any damages, losses, or costs arising from the use of or reliance on AI-generated content, including but not limited to: data loss, system failures, security breaches, test failures, or business interruption.
4. Data Sharing and Third-Party Processors
We share your personal data only with the following categories of processors, under appropriate Data Processing Agreements (DPAs) as required by GDPR Article 28:
| Processor | Purpose | Data Shared | Location |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure, authentication (Cognito), AI processing (Bedrock), database (DynamoDB), serverless compute (Lambda) | Email, hashed password, usage data, AI prompts (transient) | EU (primary), with US as fallback under EU-US Data Privacy Framework |
| Stripe, Inc. | Payment processing and subscription management | Email, billing details, payment card data (direct to Stripe) | EU (Stripe Payments Europe, Ltd., Ireland) and US under EU-US Data Privacy Framework |
We do not sell, rent, or trade your personal data to any third party. We do not share your data for cross-contextual behavioral advertising.
5. International Data Transfers
Your personal data is primarily processed within the European Union (AWS EU regions). In cases where data is transferred outside the EEA, we rely on the following safeguards:
- EU-US Data Privacy Framework (DPF): AWS and Stripe are certified under the EU-US Data Privacy Framework, which provides an adequate level of protection as determined by the European Commission.
- Standard Contractual Clauses (SCCs): Where the DPF does not apply, we use EU Commission-approved Standard Contractual Clauses to ensure an adequate level of data protection.
We conduct Transfer Impact Assessments where required to verify that the legal framework in the recipient country provides adequate protection for your data.
6. Data Retention
| Data Category | Retention Period |
|---|---|
| Account information (email) | Duration of your account plus 30 days after deletion request |
| Authentication data | Duration of your account (managed by AWS Cognito) |
| Payment and billing records | As required by applicable tax and accounting laws (up to 10 years under Bulgarian legislation) |
| Usage and analytics data | Up to 12 months, then aggregated or deleted |
| AI interaction data (prompts and outputs) | Not retained — processed transiently and discarded |
| Error logs | Up to 90 days |
When you request account deletion, we will delete or anonymize your personal data within 30 days, except where retention is required by law.
7. Your Rights Under GDPR
As a data subject under GDPR, you have the following rights:
- Right of access (Article 15): Request a copy of the personal data we hold about you.
- Right to rectification (Article 16): Request correction of inaccurate or incomplete data.
- Right to erasure (Article 17): Request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations.
- Right to restriction (Article 18): Request that we restrict processing of your data in certain circumstances.
- Right to data portability (Article 20): Receive your data in a structured, commonly used, machine-readable format (JSON).
- Right to object (Article 21): Object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds.
- Right to withdraw consent (Article 7): Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
- Right regarding automated decision-making (Article 22): You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. E2EPilot does not make automated decisions with such effects.
To exercise any of these rights, contact us at privacy@e2epilot.com. We will respond within 30 days of receiving your request, as required by GDPR.
You also have the right to lodge a complaint with the Commission for Personal Data Protection (CPDP) of Bulgaria:
Commission for Personal Data Protection (CPDP)
2 Prof. Tsvetan Lazarov Blvd., Sofia 1592, Bulgaria
Website: www.cpdp.bg
Email: kzld@cpdp.bg
8. Data Security
We implement appropriate technical and organizational measures to protect your personal data, including:
- Encryption of data in transit (TLS/HTTPS) and at rest
- Secure password hashing (via AWS Cognito SRP protocol)
- AWS infrastructure security (SOC 1/2/3, ISO 27001, ISO 27017, ISO 27018 certified)
- Principle of least privilege for data access
- Regular security assessments
While we strive to protect your data, no method of transmission or storage is completely secure. We cannot guarantee absolute security.
9. Cookies and Tracking
The Service does not use cookies. We do not use any advertising, analytics, or tracking cookies.
10. Children's Privacy
The Service is not directed to individuals under the age of 14 (the applicable age of consent for information society services under Bulgarian law, per Article 25b of the Bulgarian Personal Data Protection Act). We do not knowingly collect personal data from children under 14. If we become aware that we have collected data from a child under this age, we will promptly delete it.
11. EU AI Act Transparency Disclosure
In accordance with Article 50 of the EU Artificial Intelligence Act (Regulation 2024/1689), we disclose that:
- The Service uses artificial intelligence systems to generate test automation code and related outputs.
- AI-generated content is produced by foundation models accessed through Amazon Web Services (AWS).
- All outputs from the Service should be treated as machine-generated suggestions, not as verified or validated solutions.
- Users are informed within the Service interface when content is AI-generated.
E2EPilot is classified as a deployer of general-purpose AI models under the EU AI Act. The AI systems used in our Service are not classified as high-risk under Annex III of the Regulation.
12. Limitation of Liability for AI-Generated Content
To the maximum extent permitted by applicable law:
(a) We make no representations or warranties regarding the accuracy, reliability, completeness, or suitability of any AI-generated content, including test code, error analyses, and suggestions.
(b) You assume full responsibility for evaluating and using AI-generated outputs. This includes reviewing code for correctness, security vulnerabilities, compatibility, and compliance with your requirements before any use.
(c) We shall not be liable for any direct, indirect, incidental, consequential, or special damages arising from the use of or reliance on AI-generated content, including but not limited to: defective test code, false test results, security incidents, data loss, or business interruption.
(d) Nothing in this section excludes or limits our liability for death or personal injury caused by our negligence, fraud or fraudulent misrepresentation, or any other liability that cannot be excluded or limited under applicable law.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Update the "Last updated" date at the top of this page
- Notify you via email or through a prominent notice on our website
We encourage you to review this Privacy Policy periodically. Your continued use of the Service after any changes constitutes acceptance of the updated Privacy Policy.
14. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Data Controller:
Kaizen Yutani Ltd.
3 Stratsin Street, Sofia 1407, Bulgaria
Email: privacy@e2epilot.com
Supervisory Authority:
Commission for Personal Data Protection (CPDP)
2 Prof. Tsvetan Lazarov Blvd., Sofia 1592, Bulgaria
www.cpdp.bg
15. Additional Provisions for Non-EU Users
15.1 United States
We do not "sell" or "share" your personal information as defined under the California Consumer Privacy Act (CCPA) or other US state privacy laws. We do not process personal data for targeted or cross-contextual behavioral advertising.
If you are a resident of California, Colorado, Connecticut, Virginia, or other states with applicable privacy legislation, you have the right to:
- Request access to and deletion of your personal data
- Opt out of the sale or sharing of personal data (not applicable — we do not sell or share data)
- Non-discrimination for exercising your rights
15.2 United Kingdom
For users in the United Kingdom, references to GDPR in this Privacy Policy include the UK GDPR (as retained under the Data Protection Act 2018). International data transfers from the UK are conducted under the UK International Data Transfer Agreement or UK Addendum to the EU SCCs.
15.3 Other Jurisdictions
We are committed to complying with applicable data protection laws in the jurisdictions where we operate. If you are located outside the EU, UK, or US, please be aware that your data may be processed in the EU and, where necessary, in the US under the safeguards described in Section 5.
This Privacy Policy is provided in English. In case of any discrepancy between translated versions and the English version, the English version shall prevail.