Privacy Policy
Version 1.0 · Last updated: 14 May 2026
This policy describes how EU AI Comply processes personal data of users of the euaicomply.eu platform, in accordance with Regulation (EU) 2016/679 (GDPR) and applicable Romanian legislation.
1. Identity of the data controller
The data controller for personal data collected through the Platform is EU AI Comply, a registered entity in Romania. For any matter relating to the processing of your data, you may contact us at:
- Email: [email protected]
- Website: euaicomply.eu
2. Categories of personal data collected
a) Data you provide directly:
- Identification data: first name, last name, professional email address
- Organisational data: company name, sector, country, VAT number (optional)
- Contact data: phone number (optional), contact person
- Generated content: messages sent through the contact form
- Documents uploaded to the Document Vault (technical manuals, FRIA reports, DPIAs etc.) — these may contain personal data if the user chooses to include them
b) Automatically collected data:
- Technical data: IP address, browser type, operating system, screen resolution
- Navigation data: pages accessed, session duration, actions taken in the Platform
- Functional and session cookies (details in the Cookie Policy)
- Access logs for security and diagnostic purposes
EU AI Comply does not collect or process special categories of personal data within the meaning of Art. 9 GDPR (health data, racial or ethnic origin, political opinions, religious beliefs, biometric data, etc.).
3. Purposes of processing and legal basis
| Purpose | Description | Legal basis |
|---|---|---|
| Service delivery | Account creation and management, authentication, access to Platform features. | Performance of contract (Art. 6(1)(b) GDPR) |
| Billing and subscription management | Transmitting necessary data to payment processor Paddle (Merchant of Record) for subscription activation and renewal. | Performance of contract (Art. 6(1)(b) GDPR) |
| Security and fraud prevention | Detecting unauthorised access, monitoring suspicious activity, protecting Client data. | Legitimate interest of the controller (Art. 6(1)(f) GDPR) |
| Technical support | Responding to support requests, diagnosing technical issues. | Performance of contract / Legitimate interest (Art. 6(1)(b)(f) GDPR) |
| Product communications | Notifications about legislative updates, new features, compliance deadlines. | Legitimate interest (Art. 6(1)(f) GDPR) — with right to object |
| Platform improvement | Anonymised analysis of usage behaviour for developing new features. | Legitimate interest (Art. 6(1)(f) GDPR) |
| Legal compliance | Meeting applicable legal obligations (tax, archiving, responding to authority requests). | Legal obligation (Art. 6(1)(c) GDPR) |
| Marketing (optional) | Sending newsletters or commercial communications, exclusively with your explicit consent. | Consent (Art. 6(1)(a) GDPR) — withdrawable at any time |
4. Recipients and data transfers
EU AI Comply does not sell personal data to third parties. Data may be shared exclusively in the following situations:
| Recipient | Role | Location | Safeguards |
|---|---|---|---|
| Paddle.com Inc. / Paddle Payments Ltd. | Payment processor and Merchant of Record. Receives billing data necessary for subscription activation. Paddle acts as an independent controller for payment data. | USA / EU | Standard Contractual Clauses (SCCs), DPF compliance |
| Cloud infrastructure providers (Hetzner) | EU server hosting — PostgreSQL database, MinIO file storage, Redis. | Germany (EU) | Art. 28 GDPR — data processing agreement |
| Monitoring services (Sentry) | Capturing technical errors for diagnostics. Data is pseudonymised before transmission. | EU | Art. 28 GDPR — data processing agreement |
| Public authorities | Where required by an express legal obligation or court order. | Romania / EU | Art. 6(1)(c) GDPR — legal obligation |
Data transfers outside the European Economic Area (EEA) are carried out exclusively with appropriate safeguards under Chapter V GDPR (Standard Contractual Clauses adopted by the European Commission or the EU-US Data Privacy Framework).
5. Data retention period
- Active account data For the duration of the active subscription + 30 days after termination (export window)
- Account data after termination Irreversibly deleted 30 days from the effective termination date, except data required for legal obligations
- Billing data 10 years from the date of the tax document, under Romanian Accounting Law no. 82/1991
- Security logs Maximum 12 months, after which they are anonymised or deleted
- Contact / support messages 3 years from the last interaction, for contractual relationship records
- Marketing consents For the duration of active consent + 3 years for compliance records
- Anonymised data (product analytics) Indefinite — no longer constitutes personal data
6. Your rights as a data subject
In accordance with the GDPR, you have the following rights in relation to your personal data:
-
Right of access (Art. 15)
You may request a copy of the personal data we hold about you, including information on how we process it. -
Right to rectification (Art. 16)
You may request correction of inaccurate data or completion of incomplete data. -
Right to erasure ("right to be forgotten") (Art. 17)
You may request deletion of your data if there is no longer a legal basis for processing it. This right does not apply to data we are legally required to retain. -
Right to restriction of processing (Art. 18)
You may request temporary suspension of the processing of your data in the situations provided for by the GDPR. -
Right to data portability (Art. 20)
You may receive the data you have provided in a structured, commonly used, machine-readable format (CSV, JSON), for transfer to another controller. -
Right to object (Art. 21)
You may object to processing based on the legitimate interest of the controller, including the use of data for direct marketing. -
Right to withdraw consent (Art. 7(3))
Where processing is based on your consent, you may withdraw it at any time, without affecting the lawfulness of prior processing. -
Right not to be subject to automated decision-making (Art. 22)
We do not use decisions based solely on automated processing with significant legal effects.
To exercise any right, send a written request to [email protected]. We respond within a maximum of 30 calendar days (this period may be extended by 60 days in complex cases, with prior notification to you). Exercise of rights is free of charge, except for manifestly unfounded or excessive requests.
7. Role as data processor for B2B clients
When Clients (legal entities) use the Platform and enter personal data of their own employees, collaborators or persons affected by the AI systems managed therein, EU AI Comply acts as a data processor within the meaning of Art. 28 GDPR, and the Client is the data controller.
In this capacity, EU AI Comply: (a) processes data solely in accordance with the Client's documented instructions; (b) implements appropriate technical and organisational security measures; (c) does not engage sub-processors without the Client's consent; (d) assists the Client in fulfilling obligations towards data subjects; (e) deletes or returns data upon completion of services.
A Data Processing Agreement (DPA) compliant with Art. 28 GDPR is available upon request ([email protected]) or is included in the Enterprise plan. Clients who process personal data through the Platform are required to execute a DPA with EU AI Comply.
8. Data security
EU AI Comply implements appropriate technical and organisational measures to protect personal data against unauthorised access, loss, accidental destruction or disclosure, including:
- Encryption in transit: TLS 1.3 for all connections to the Platform
- Encryption at rest: data stored on Hetzner servers in Germany (ISO 27001)
- Multi-tenant isolation: strict per-company data isolation, enforced at application level — no tenant can access another tenant's data
- Two-factor authentication (TOTP) available and recommended for all users
- Full logging of accesses and actions (immutable audit trail)
- Antivirus scanning for uploaded files (ClamAV)
- EU AI Comply staff privileged access: minimum necessary, on a need-to-know basis
- Periodic security testing and configuration review
In the event of a security incident affecting personal data, EU AI Comply notifies the National Supervisory Authority for Personal Data Processing (ANSPDCP) within 72 hours of becoming aware (Art. 33 GDPR) and informs affected data subjects where there are high risks (Art. 34 GDPR).
9. Cookies and similar technologies
The Platform uses cookies strictly necessary for operation (session, CSRF security, language preferences) and does not use tracking or advertising cookies. Full details are available in the Cookie Policy at euaicomply.eu/cookies.
10. Changes to this policy
EU AI Comply may update this policy to reflect changes in data processing practices, applicable legislation or the Platform. The updated version will be published on this page with the revision date. If the changes are significant, we will notify registered users by email at least 14 days before they take effect. Continued use of the Platform after the effective date constitutes acceptance of the revised policy.
11. Complaints and supervisory authority
If you believe that the processing of your personal data infringes the GDPR, you have the right to lodge a complaint with the competent supervisory authority. In Romania, this is:
National Supervisory Authority for Personal Data Processing (ANSPDCP)
B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, București
You may also contact the supervisory authority of the EU member state where you habitually reside.
We encourage you to contact us directly first at [email protected] — we commit to resolving any issue relating to the processing of your data within 30 days.
Data protection contact:
[email protected]
· We respond within 30 calendar days.