Privacy Policy
Last Updated: February 16, 2026
1. Data Controller
The data controller responsible for the processing of your personal data is:
- EUAIActReady, operated by Bohdan Trachevskyi
- Email: [email protected]
- Website: https://euaiactready.tech
2. Information We Collect
We collect the following categories of personal data when you use our service:
- Account information: email address, name, and optionally company name — collected during registration
- Assessment data: your answers to EU AI Act compliance questions, AI system descriptions, and risk classifications
- Technical data: IP address, browser type, device information, and page URLs — collected automatically via server logs
- CAPTCHA data: Cloudflare Turnstile collects interaction data (mouse movements, keystroke timing) to distinguish humans from bots. No personal identification occurs.
3. Legal Bases for Processing
We process your personal data on the following legal bases under Article 6(1) GDPR:
- Contract performance (Art. 6(1)(b)): Processing necessary to provide our compliance assessment service, manage your account, and deliver assessment results
- Legitimate interest (Art. 6(1)(f)): Processing for service improvement, security monitoring, and fraud prevention
- Consent (Art. 6(1)(a)): Optional analytics cookies are only activated with your explicit consent via our cookie banner
- Legal obligation (Art. 6(1)(c)): Processing required to comply with tax, accounting, or other legal requirements
4. How We Use Your Information
We use collected information for the following purposes:
- Providing and operating our EU AI Act compliance assessment platform
- Processing your AI system risk assessments and generating compliance reports
- Managing your account, subscription, and payment processing
- Communicating important service updates, security notices, and compliance deadline reminders
- Improving service quality and user experience (only with analytics consent)
5. Data Storage and Security
Your data is stored securely in the European Union (Ireland) using Supabase, a PostgreSQL-based backend service. We implement the following security measures:
- TLS 1.3 encryption for all data in transit
- AES-256 encryption for data at rest
- Row Level Security (RLS) ensuring users can only access their own data
- Secure authentication via Supabase Auth with email verification
- Regular security audits and automated vulnerability scanning
- Service-role-only protection for sensitive fields (risk levels, subscription data)
6. Third-Party Service Providers
We use the following third-party services to operate our platform. Each provider processes data as described below:
Supabase (Database & Authentication)
Stores your account data and assessment results. Data is hosted in the EU (Ireland). Supabase acts as a data processor under our DPA.
Netlify (Hosting & CDN)
Hosts our web application and serves static content via a global CDN. Netlify may process IP addresses in server logs. Netlify, Inc. is based in the US and operates under Standard Contractual Clauses (SCCs) for EU data transfers.
Cloudflare Turnstile (CAPTCHA)
Protects our login and registration forms from automated abuse. Turnstile collects interaction telemetry (not personal data) and does not use cookies. Cloudflare, Inc. is certified under the EU-US Data Privacy Framework.
Stripe (Payment Processing)
Processes subscription payments when you upgrade to a paid plan. Stripe collects payment card details, billing address, and transaction data directly — we do not store your card information. Stripe, Inc. is certified under the EU-US Data Privacy Framework.
7. Cookies and Similar Technologies
We use a minimal number of cookies:
- Essential cookies: Authentication session tokens (Supabase auth) and cookie consent preferences. These are strictly necessary and do not require consent.
- Analytics cookies: Google Analytics and Plausible are supported and will only be loaded after your explicit consent via our cookie banner.
Cloudflare Turnstile does not set cookies. You can manage cookie preferences at any time through the cookie settings in the footer of our website.
8. Data Retention
We retain your data for the following periods:
- Account data: Retained for the duration of your account. Deleted within 30 days of account deletion request.
- Assessment data: Retained for the duration of your account. You may delete individual assessments at any time.
- Server logs (IP addresses, access logs): Automatically deleted after 30 days.
- Payment records: Retained for 7 years as required by tax and accounting regulations.
- Cookie consent records: Retained for 12 months, then consent is re-requested.
9. Your Rights Under GDPR
Under the General Data Protection Regulation (GDPR), you have the following rights:
- Right of access (Art. 15): Request a copy of your personal data
- Right to rectification (Art. 16): Correct inaccurate or incomplete data
- Right to erasure (Art. 17): Request deletion of your data ("right to be forgotten")
- Right to restriction (Art. 18): Request restriction of processing in certain circumstances
- Right to data portability (Art. 20): Receive your data in a structured, machine-readable format (JSON)
- Right to object (Art. 21): Object to processing based on legitimate interest
- Right to withdraw consent: Withdraw your consent for analytics cookies at any time via the cookie settings
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days as required by GDPR.
10. International Data Transfers
Your assessment data is stored exclusively in the EU (Ireland). However, some of our service providers (Netlify, Stripe, Cloudflare) are US-based companies. For these transfers, we rely on:
- EU-US Data Privacy Framework (where applicable)
- Standard Contractual Clauses (SCCs) as adopted by the European Commission
We do not transfer your data to countries outside the EU/EEA without appropriate safeguards in place.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email to registered users and through a notice on our website. The "Last Updated" date at the top of this page indicates when the policy was last revised.
Automated Decision-Making and Profiling
Our platform uses a rule-based classification engine to assess AI systems against EU AI Act risk categories. This classification is deterministic (not based on machine learning) and produces informational results only. The output does not constitute a legal determination and has no binding effect. You have the right to request human review of any classification result by contacting us at [email protected].
Children's Data
Our Service is intended for business professionals and is not directed at persons under 16 years of age. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, please contact us at [email protected] and we will take steps to delete such information.
12. Contact and Complaints
For privacy-related inquiries or to exercise your GDPR rights, please contact us:
Email: [email protected]
If you believe that our processing of your personal data violates the GDPR, you have the right to lodge a complaint with a supervisory authority. You may contact the supervisory authority in the EU Member State of your habitual residence, place of work, or the place of the alleged infringement.