Privacy Policy
Last updated: 28 March 2025
1. Controller
EuroComply ("we", "us", "our") is the controller of your personal data within the meaning of Article 4(7) of Regulation (EU) 2016/679 (General Data Protection Regulation, "GDPR").
Contact: privacy@eurocomply.app
2. What data we collect and why
We process personal data only to the extent necessary to provide and improve our services. The specific categories, purposes, and legal bases are as follows:
| Data | Purpose | Legal basis (GDPR) |
|---|---|---|
| Email address, name | Account creation, authentication, transactional communications | Art. 6(1)(b) — performance of contract |
| Company name, size, country | Onboarding personalisation, compliance recommendations | Art. 6(1)(b) — performance of contract |
| AI system descriptions, classifications | AI Act risk classification, obligation tracking, document generation | Art. 6(1)(b) — performance of contract |
| Tech stack audit data | Sovereignty scoring, EU alternative recommendations | Art. 6(1)(b) — performance of contract |
| Chat messages | Compliance question answering, context continuity | Art. 6(1)(b) — performance of contract |
| Payment identifiers (Paddle customer ID) | Subscription management, billing | Art. 6(1)(b) — performance of contract |
| Newsletter email address | Regulatory intelligence newsletter delivery | Art. 6(1)(a) — consent |
| Usage analytics (anonymised) | Service improvement, performance monitoring | Art. 6(1)(f) — legitimate interest |
We do not process special categories of personal data (Article 9 GDPR). We do not engage in automated decision-making or profiling that produces legal effects concerning you (Article 22 GDPR). AI-generated compliance outputs are advisory and always subject to human review.
3. Sub-processors and data location
All personal data is processed within the European Union or the United Kingdom (which holds an adequacy decision under Article 45 GDPR). We do not transfer personal data to third countries without adequate safeguards.
| Sub-processor | Purpose | HQ | Data location |
|---|---|---|---|
| Supabase Inc. | Database, authentication | USA | Frankfurt, Germany (AWS eu-central-1) |
| Mistral AI | AI model inference (compliance analysis, chat) | France | Paris, France |
| Vercel Inc. | Application hosting, CDN | USA | EU region (Frankfurt) |
| Paddle.com Market Ltd | Payment processing, invoicing, VAT | United Kingdom | United Kingdom (adequacy decision) |
Regarding Supabase and Vercel: both are US-incorporated companies. All EuroComply user data in Supabase is processed and stored exclusively in the Frankfurt (eu-central-1) region. Vercel serves the application from EU edge nodes. We have entered into Data Processing Agreements (DPAs) with both providers that include Standard Contractual Clauses (SCCs) as supplementary safeguards pursuant to Article 46(2)(c) GDPR, in line with the requirements set out in Schrems II (C-311/18). We continuously monitor the legal landscape regarding EU-US data transfers and will migrate to fully EU-incorporated providers should the risk profile change materially.
4. AI processing transparency
EuroComply uses artificial intelligence to provide compliance analysis, risk classification, and regulatory guidance. Specifically:
- AI risk classifications are generated by a combination of rule-based decision trees and large language models (Mistral AI, hosted in Paris).
- Chat responses use retrieval-augmented generation (RAG) against the full text of EU regulations stored in our EU-hosted database.
- All AI-generated outputs are clearly labelled and include the disclaimer: "For informational purposes only. Consult qualified legal counsel."
- All AI processing uses Mistral AI API (Paris, France). No data is sent to US-based AI providers.
- Important: EuroComply currently uses Mistral AI's Experiment plan. Under this plan, API requests (including prompts and responses) may be used by Mistral AI to improve their models. This means that the text of your compliance questions, AI system descriptions, and classification answers may be processed by Mistral AI for model training purposes. We do not send personally identifiable information (names, emails) in prompts — only the regulatory content of your queries. If this is a concern for your organisation, please contact us to discuss enterprise options with data processing agreements that exclude training use.
5. Data retention
| Data | Retention period |
|---|---|
| Account data | Duration of the account + 30 days after deletion request |
| AI system data, classifications, documents | Duration of the account |
| Chat messages | 12 months, then automatically deleted |
| Payment records | 7 years (tax and accounting obligations under applicable law) |
| Newsletter subscription | Until unsubscribe |
| Analytics (anonymised) | 24 months |
Upon account deletion, we erase all personal data within 30 days except where retention is required by law (e.g. tax records). Backups containing personal data are purged within 90 days.
6. Your rights
Under the GDPR, you have the following rights with respect to your personal data:
- Access (Article 15) — obtain confirmation of whether we process your data and request a copy.
- Rectification (Article 16) — correct inaccurate or incomplete data.
- Erasure (Article 17) — request deletion of your data ("right to be forgotten"). Available in your dashboard under Settings → Data.
- Restriction (Article 18) — request that we limit processing in certain circumstances.
- Data portability (Article 20) — receive your data in a structured, commonly used, machine-readable format (JSON). Available in your dashboard under Settings → Data.
- Objection (Article 21) — object to processing based on legitimate interest.
- Withdraw consent (Article 7(3)) — where processing is based on consent (e.g. newsletter), you may withdraw at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, contact us at privacy@eurocomply.app. We will respond within 30 days as required by Article 12(3) GDPR. You also have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement.
7. Cookies and tracking
EuroComply uses only strictly necessary cookies for authentication session management. These cookies are exempt from consent requirements under Article 5(3) of the ePrivacy Directive (2002/58/EC) as they are essential for the service you have requested.
We do not use advertising cookies, tracking pixels, or fingerprinting. Our analytics solution (Plausible Analytics) is cookie-free, does not collect personal data, and is hosted in the EU.
8. Security
We implement appropriate technical and organisational measures pursuant to Article 32 GDPR, including: encryption in transit (TLS 1.3), encryption at rest (AES-256 for database storage), access controls and principle of least privilege, regular security reviews, and incident response procedures. In the event of a personal data breach, we will notify the competent supervisory authority within 72 hours as required by Article 33 GDPR and affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms (Article 34 GDPR).
9. Children
EuroComply is a business-to-business service not directed at individuals under 16 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child without parental consent, we will delete it promptly.
10. Changes to this policy
We may update this privacy policy from time to time. Material changes will be communicated via email to registered users at least 14 days before taking effect. The "last updated" date at the top of this page reflects the most recent revision. Continued use of the service after the effective date constitutes acceptance of the revised policy.
This privacy policy is governed by the laws of the European Union. For questions or concerns, contact privacy@eurocomply.app.