Privacy-first appeal infrastructure, operated from Romania.
This policy explains how Enstellis SRL handles personal data for AppealLayer under the GDPR and related EU privacy rules.
Last updated: April 20, 2026
Who we are
AppealLayer is an Enstellis SRL product. Enstellis SRL is established in Romania, European Union. For privacy questions, contact privacy@appeallayer.com.
Controller and processor roles
For tenant/company account administration, website visits, pilots, security operations, and direct communications with Enstellis SRL, Enstellis SRL normally acts as controller.
For appeal case data processed on behalf of a customer, the customer is normally the controller and Enstellis SRL acts as processor. The customer remains responsible for the original automated decision, the appeal policy, the review outcome, and its own legal basis for processing the case.
Data we process
- tenant account data, such as business contact details, admin/reviewer emails, roles, settings, and authentication metadata
- decision data provided by a customer, such as decision type, reason code, title, description, deadline, external user reference, and customer metadata
- appeal data submitted by an appellant, such as statement, status, timestamps, optional evidence metadata, public response, and appeal receipts
- World ID verification data needed for the appeal flow, such as action, signal hash, verification status, and HMAC-derived nullifier digest
- operational and security data, such as audit logs, API key prefixes, webhook delivery logs, IP/user-agent hashes where configured, rate-limit signals, and error diagnostics
- contact and pilot data submitted through forms or email, such as name, email, company, role, and message content
What we do not collect by default
- passport, national ID, selfie, phone number, or legal name in the default appeal flow
- biometric data from World ID
- raw World ID nullifier values in normal application tables
- private appeal statements, evidence files, reviewer notes, or external user IDs on-chain
- raw API keys after they are shown once to a tenant administrator
Why we process data
- to create and manage tenant accounts, decision types, API keys, webhooks, and reviewer access
- to create appealable decisions and public appeal pages
- to verify proof of human, bind it to a specific decision, and prevent duplicate verified-human appeals
- to receive appellant statements and optional evidence for human review by the customer
- to send status updates, webhook events, audit logs, and receipt hashes
- to secure the service, prevent abuse, debug errors, enforce rate limits, and investigate incidents
- to answer contact, pilot, legal, privacy, and security requests
Legal bases
- contract or steps before contract for customer accounts, pilots, API access, and service delivery
- legitimate interests for security, fraud prevention, abuse prevention, product reliability, auditability, and B2B communications
- legal obligation where Enstellis SRL must keep records, respond to lawful requests, or comply with tax/accounting/security duties
- consent where required, including non-essential cookies, marketing emails, or optional analytics in the EU
- customer instructions where AppealLayer processes appeal case data as a processor for a tenant/customer controller
World ID and proof of human
AppealLayer uses World ID so an appellant can prove unique humanness without sharing personal identity documents with AppealLayer. AppealLayer receives verification results needed for the appeal workflow, not biometric data.
AppealLayer stores an HMAC-derived digest of the World ID nullifier for duplicate prevention. The raw nullifier should not be logged or stored in normal application tables.
Retention
Retention will be configurable for production customers. Until a customer contract says otherwise, the intended baseline is to keep appeal case data for the contract term, then delete or return it within a defined offboarding period unless legal, security, billing, or dispute-preservation reasons require longer retention.
Suggested production defaults are: security logs up to 12 months, audit logs up to 24 months, contact/pilot records up to 24 months after last meaningful interaction, and backups on a rolling deletion schedule. These defaults must be finalized before production launch.
Subprocessors and transfers
AppealLayer should prefer EU/EEA hosting and vendors where practical. If personal data is transferred outside the EEA, Enstellis SRL will use an adequacy decision, Standard Contractual Clauses, or another lawful transfer mechanism where required by GDPR Chapter V.
The public subprocessor list is available at /subprocessors.
Your rights
- access your personal data
- rectify inaccurate or incomplete data
- erase data where the GDPR gives you that right
- restrict processing
- object to processing based on legitimate interests
- receive portable data where the right applies
- withdraw consent where processing is based on consent
- not be subject to solely automated decisions in the circumstances covered by GDPR Article 22
- lodge a complaint with ANSPDCP or another competent EU supervisory authority
You can contact us at privacy@appeallayer.com. We may need information to verify and route your request, especially if your request relates to a customer-controlled appeal case.
Romanian supervisory authority
You may lodge a complaint with ANSPDCP, the Romanian National Supervisory Authority for Personal Data Processing, or another competent EU supervisory authority.