Privacy Policy
Last updated: February 12, 2026
At AIComply, we are committed to protecting your privacy and ensuring the security of your personal data. This Privacy Policy explains how we collect, use, share, and protect information in connection with our EU AI Act compliance platform. We are fully committed to compliance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.
1. Data Controller
AIComply is the data controller responsible for your personal data processed through our Services. For the purposes of the GDPR and applicable data protection legislation:
AIComply by Relay Labs Ltd.
Data Protection Officer: info@ai-comply.app
Address: Dublin, Ireland
EU Representative: info@ai-comply.app
2. Personal Data We Collect
We collect and process the following categories of personal data:
2.1 Account Information
- Name (first name, last name)
- Email address
- Password (stored in encrypted form)
- Organization name and role
- Job title
2.2 Billing and Payment Information
- Billing name and address
- Payment card details (processed securely through Stripe)
- Transaction history
- VAT identification numbers (where applicable)
2.3 AI System and Compliance Data
- AI system descriptions and classifications
- Risk assessment responses and results
- Compliance documentation (FRIA, DPIA, technical documentation)
- Task assignments and completion status
- Audit logs and activity records
2.4 Technical and Usage Data
- IP address
- Browser type and version
- Device information
- Operating system
- Access timestamps and session duration
- Pages visited and features used
3. How We Collect Personal Data
3.1 Directly From You
When you create an account, subscribe to our Services, fill out forms, submit AI system information, communicate with our support team, or otherwise interact with our platform.
3.2 Automatically
Through cookies, log files, and similar technologies when you access and use our Services. This includes technical data about your device, browsing actions, and usage patterns.
3.3 From Third Parties
We may receive information from payment processors (Stripe), authentication providers, and analytics services.
4. Purposes and Legal Bases for Processing
We process your personal data for the following purposes, based on the corresponding legal bases under GDPR:
| Purpose | Legal Basis |
|---|---|
| Providing and maintaining our Services | Contract performance (Art. 6(1)(b)) |
| Processing payments and billing | Contract performance (Art. 6(1)(b)) |
| User support and communication | Contract performance / Legitimate interests |
| AI-assisted risk classification | Contract performance (Art. 6(1)(b)) |
| Service improvement and analytics | Legitimate interests (Art. 6(1)(f)) |
| Security and fraud prevention | Legitimate interests (Art. 6(1)(f)) |
| Marketing communications | Consent (Art. 6(1)(a)) |
| Legal compliance and regulatory reporting | Legal obligation (Art. 6(1)(c)) |
6. International Data Transfers
When we transfer data outside the EEA, we ensure appropriate safeguards are in place, including:
- Transfers to countries with an EU adequacy decision
- Standard Contractual Clauses (SCCs) approved by the European Commission
- EU-U.S. Data Privacy Framework for transfers to certified US organizations
7. Data Security
We implement appropriate technical and organizational measures to protect your personal data:
- Encryption: Data encrypted in transit (TLS 1.3) and at rest (AES-256)
- Access controls: Role-based access controls and multi-factor authentication
- Infrastructure security: Secure cloud hosting with regular security audits
- Password protection: Passwords hashed using bcrypt
- Monitoring: Continuous security monitoring and intrusion detection
8. Data Retention
We retain your personal data only for as long as necessary:
- Account data: Retained for the duration of your account plus 30 days after deletion
- AI system and compliance data: Retained for the duration of your account
- Billing and payment data: Retained for 7 years for tax compliance
- Technical logs: Retained for up to 12 months
- Communication records: Retained for up to 3 years after resolution
9. Your Rights
Under the GDPR and applicable data protection laws, you have the following rights:
- Right of Access: Request a copy of the personal data we hold about you
- Right to Rectification: Request correction of inaccurate or incomplete data
- Right to Erasure: Request deletion of your personal data in certain circumstances
- Right to Restriction: Request that we restrict processing of your data
- Right to Data Portability: Receive your data in a machine-readable format
- Right to Object: Object to processing for direct marketing purposes
- Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent
- Right to Lodge a Complaint: Lodge a complaint with a supervisory authority
To exercise any of these rights, please contact our Data Protection Officer at info@ai-comply.app.
11. AI and Automated Processing
AIComply uses AI for risk classification suggestions and compliance document drafts. AI-generated outputs are always presented as suggestions for your review. Your data is not used to train our AI models. AI processing is performed on a per-request basis.
11.1 EU AI Act Specific Provisions
In accordance with the EU AI Act (Regulation (EU) 2024/1689), we provide the following transparency information about our AI-assisted features:
- Risk Classification Engine: Uses pattern matching and decision-tree logic to suggest risk tier classification based on your responses
- Document Generation: Leverages large language models to draft compliance documentation based on templates and your inputs
- No Automated Decision-Making: All AI outputs require human review and approval before use
- Transparency: All AI-generated content is clearly labelled as such within the platform
11.2 Data Quality (Article 10 Alignment)
We implement data quality measures consistent with Article 10 of the EU AI Act:
- Your AI system data is used solely for providing compliance analysis and documentation services
- We do not aggregate your data with other customers' data for AI training purposes
- Data is processed only within the scope necessary for the requested compliance outputs
- You maintain full control over your data and can request deletion at any time
11.3 Human Oversight (Article 14 Alignment)
Consistent with Article 14 requirements, our platform is designed to support human oversight of AI outputs. All risk classifications, compliance recommendations, and generated documents are presented as suggestions requiring your explicit review and approval before finalization.
12. Children's Privacy
Our Services are not directed at individuals under the age of 18. We do not knowingly collect personal data from children.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or through a prominent notice on our platform at least 30 days before the changes take effect.
14. Contact Information
If you have any questions about this Privacy Policy:
AIComply - Data Protection
Data Protection Officer: info@ai-comply.app
Address: Dublin, Ireland
Supervisory Authority: Data Protection Commission (Ireland) - www.dataprotection.ie