Skip to main content

Privacy Policy

[Draft — final version pending legal review]

Last updated: April 2026

1. Data Controller

The data controller is Conflai SLU (CIF [B-XXXXXXXX]), with registered office at [Calle XXXX], Alicante, Spain. For data protection queries, contact our DPO at dpo@conflai.eu.

2. Data We Collect

We collect and process the following categories of personal data:

  • Account data: name, email address, role within the organisation.
  • Platform usage data: AI system metadata, classifications, generated documents, vault access logs.
  • Technical data: IP address (hashed in audit logs), browser user agent (not stored), session identifiers.
  • Billing data: managed by Stripe; we store only the Stripe customer ID and subscription ID.

3. Legal Basis for Processing

  • Contract performance (GDPR Art. 6(1)(b)): processing necessary to provide the Service.
  • Legitimate interest (GDPR Art. 6(1)(f)): security logging, fraud prevention, and product improvement via anonymised analytics.
  • Legal obligation (GDPR Art. 6(1)(c)): tax and accounting requirements.

4. Data Residency

All personal data is stored and processed within the European Union. Our primary database is hosted on Neon (Frankfurt, Germany). Background workers run on Hetzner (Germany). See our Data Processing Agreement for the full list of sub-processors.

5. AI Processing

We use Anthropic Claude AI models to classify AI systems and generate compliance documents. Data sent to the AI model includes AI system metadata (name, description, purpose) but never personal data of end users. Anthropic does not use customer data for model training. Each AI output is stored with prompt version, model version, and input hash for reproducibility.

6. Analytics

We use Plausible Analytics, a privacy-first, cookieless analytics tool. Plausible does not collect personal data, does not use cookies, and does not track users across websites. All analytics data is aggregated and anonymous.

7. Cookies

We use only one strictly necessary session cookie for authentication. See our Cookie Policy for details.

8. Data Retention

  • Account data: retained while your subscription is active, then deleted within 30 days of termination.
  • Audit logs: retained for 3 years for regulatory compliance.
  • Billing records: retained for 5 years as required by Spanish tax law (Ley General Tributaria).

9. Your Rights

Under the GDPR, you have the following rights regarding your personal data:

  • Access (Art. 15): request a copy of your data.
  • Rectification (Art. 16): correct inaccurate data.
  • Erasure (Art. 17): request deletion of your data.
  • Restriction (Art. 18): restrict processing in certain cases.
  • Portability (Art. 20): receive your data in a structured format.
  • Objection (Art. 21): object to processing based on legitimate interest.

To exercise these rights, contact dpo@conflai.eu. You also have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD) at www.aepd.es.

10. Security

We implement appropriate technical and organisational measures to protect your data, including encryption in transit and at rest, multi-tenant isolation, role-based access control, and append-only audit logging.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email. The “Last updated” date at the top indicates the most recent revision.

Contact

For privacy-related questions, contact dpo@conflai.eu.