EuroComply

Privacy Policy

Last updated: 30 March 2026

EuroComply is an automated AI assessment tool operated by Code Tide Unipessoal LDA. It does not provide legal advice. All compliance outputs are AI-generated without human legal review and must not be relied upon as legal opinions. See our Terms of Service for the full disclaimer and limitation of liability.

1. Data Controller

EuroComply is operated by Code Tide Unipessoal LDA, a company incorporated under Portuguese law and registered with the Conservatória do Registo Comercial (registration details available in our Imprint). Code Tide Unipessoal LDA is the data controller within the meaning of Article 4(7) GDPR.

Data protection contact: [email protected]

2. What data we collect and why

We process personal data only to the extent necessary. The categories, purposes, and legal bases are:

| Data | Purpose | Legal basis (GDPR) |
|---|---|---|
| Email, name | Account creation, authentication, transactional emails | Art. 6(1)(b) — contract |
| Company name, sector, size, country | Onboarding personalisation, compliance recommendations | Art. 6(1)(b) — contract |
| AI system descriptions, classifications | AI Act risk classification, obligation tracking, document drafts | Art. 6(1)(b) — contract |
| Tech stack audit data | Sovereignty scoring, EU alternative recommendations | Art. 6(1)(b) — contract |
| Chat messages | Compliance Q&A, context continuity | Art. 6(1)(b) — contract |
| Paddle customer ID, transaction IDs | Subscription management; tax/accounting records | Art. 6(1)(b) — contract; Art. 6(1)(c) — legal obligation |
| Newsletter email | Regulatory intelligence newsletter | Art. 6(1)(a) — consent (freely given, withdrawable at any time) |
| Anonymised usage statistics | Service improvement, performance monitoring | Art. 6(1)(f) — legitimate interest (documented balancing test) |

We do not process special categories of data (Art. 9 GDPR). We do not engage in automated decision-making that produces legal or similarly significant effects (Art. 22 GDPR). All AI outputs are advisory and subject to human review.

3. Sub-processors and data transfers

We seek to keep all personal data within the EEA or in countries with an EU adequacy decision. Where sub-processors are incorporated in third countries, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission under Art. 46(2)(c) GDPR, supplemented by transfer impact assessments in accordance with the requirements of C-311/18 (Schrems II).

| Sub-processor | Purpose | Incorporated | Data location |
|---|---|---|---|
| Supabase Inc. | Database, authentication | USA — SCCs in place | Frankfurt, DE (AWS eu-central-1) |
| Mistral AI SAS | AI inference (analysis, chat) | France — within EEA | Paris, France |
| Vercel Inc. | Application hosting, CDN | USA — SCCs in place | EU edge region (Frankfurt) |
| Paddle.com Market Ltd | Payment processing, invoicing, VAT | UK — adequacy decision | United Kingdom |

Data Processing Agreements incorporating the current EU SCCs are in place with Supabase and Vercel. The UK adequacy decision is monitored; if revoked, we will implement alternative safeguards before any further transfers. We will notify users of material changes to sub-processors. A current sub-processor list is available on request at [email protected].

4. AI processing — important disclosure (Mistral AI)

All AI inference runs through Mistral AI SAS (Paris, France). No data is sent to US-based AI providers. Specific points:

  • Risk classifications use rule-based decision trees combined with Mistral large language models.
  • Chat uses retrieval-augmented generation (RAG) against EU regulation text stored in our EU-hosted database.
  • All AI outputs carry the disclaimer: "For informational purposes only. Consult qualified legal counsel."

Mistral AI — current plan and model training

We currently use Mistral AI's Experiment (API) plan. Under this plan, API requests — including prompts and responses — may be used by Mistral AI to improve their models. The content of your compliance queries, AI system descriptions, and classification inputs may be included in model training data.

What is not sent in prompts: We do not include your name, email address, or other direct identifiers in prompts. However, business-context content (descriptions of AI systems you operate, ROPA entries, regulatory questions) may be included.

If this is a concern: Contact [email protected] to discuss enterprise options that include a Mistral DPA with training exclusion. We are actively evaluating upgrading to such a plan and will update this section when the change is made.

5. Data retention

| Data category | Retention period |
|---|---|
| Account data (name, email) | Duration of account + 30 days after deletion |
| AI system data, classifications, documents | Duration of account |
| Chat messages | 12 months, then automatically deleted |
| Billing transaction records | 10 years from transaction date (Portuguese commercial accounting law: Código Comercial Art. 44, CIVA Art. 78) |
| Newsletter subscription | Until withdrawal of consent |
| Anonymised analytics | 24 months |

On account deletion, personal data is erased within 30 days except where retention is required by law. Database backups containing personal data are purged within 90 days.

6. Your rights

Under the GDPR you have the right to:

  • Access (Art. 15) — obtain confirmation of processing and a copy of your data.
  • Rectification (Art. 16) — correct inaccurate data.
  • Erasure (Art. 17) — request deletion. Available in Settings → Data.
  • Restriction (Art. 18) — limit processing in certain circumstances.
  • Data portability (Art. 20) — receive your data in a machine-readable format (JSON). Available in Settings → Data.
  • Objection (Art. 21) — object to processing based on legitimate interest (including analytics). We will cease unless we demonstrate compelling legitimate grounds.
  • Withdraw consent (Art. 7(3)) — for consent-based processing (newsletter) only, withdrawable at any time, without affecting prior lawful processing.

Submit requests to [email protected]. We respond within 30 days (Art. 12(3) GDPR), extendable by two months for complex cases with notice. Under Art. 77 GDPR you have the right to lodge a complaint with a supervisory authority, in particular in the EU member state of your habitual residence, place of work, or place of the alleged infringement — regardless of which EU country you are in. The lead supervisory authority for Code Tide Unipessoal LDA is the Portuguese CNPD (Comissão Nacional de Proteção de Dados, www.cnpd.pt). A list of all EU national data protection authorities is available at edpb.europa.eu.

7. Cookies and tracking

We use only strictly necessary session cookies for authentication (Supabase Auth). These are technically essential and exempt from consent requirements under Art. 5(3) ePrivacy Directive (2002/58/EC).

For analytics we use Plausible Analytics: cookie-free, no personal data collected, no fingerprinting, EU-hosted, and compliant with GDPR without consent banners. Plausible processes anonymised aggregate metrics only. IP addresses are not stored. This processing is based on legitimate interest (Art. 6(1)(f)); you may object by contacting us.

8. Security

We implement technical and organisational measures under Art. 32 GDPR including: TLS 1.3 in transit, AES-256 at rest, least-privilege access controls, regular security reviews, and documented incident response procedures. In the event of a personal data breach we will notify the CNPD within 72 hours (Art. 33 GDPR) and affected data subjects without undue delay where the breach is likely to result in high risk to their rights and freedoms (Art. 34 GDPR).

9. Data Processing Agreement (DPA)

EuroComply is a B2B service. Where you submit personal data of your employees, customers, or other individuals (e.g. in ROPA entries, DPIA records, incident logs), you are the data controller and Code Tide Unipessoal LDA is the data processor. In that capacity, we process such data only on your documented instructions, in accordance with Art. 28 GDPR.

A DPA incorporating the standard EU SCCs (controller-to-processor) is available on request at [email protected] at no cost for all paid-tier customers.

10. Minimum age

The Service is B2B only and not directed at individuals under 18. We do not knowingly collect data from minors. If we discover we have done so, we will delete it immediately.

11. Changes to this policy

For changes affecting processing based on contract performance (Art. 6(1)(b)): we will notify registered users by email at least 14 days before the change takes effect. Continued use after the effective date constitutes acknowledgement of the updated policy.

For changes affecting processing based on consent (Art. 6(1)(a)): we will seek fresh, affirmative consent before applying the new terms to consent-based processing. Continued use alone is not valid consent under GDPR.

Prior versions are available on request. The "last updated" date at the top of this page reflects the most recent revision.

This policy is governed by the GDPR and Portuguese data protection law. Questions: [email protected]. EuroComply is operated by Code Tide Unipessoal LDA.