Privacy Policy

Last updated: 22 March 2026

1. Data Controller

AI Comply HQ ("we", "us", "our") is the data controller for personal data processed through the AI Comply HQ platform at aicomplyhq.com.

Contact: privacy@aicomplyhq.com

2. What Personal Data We Collect

2.1 Account Data

When you create an account, we collect:

  • Email address (required for authentication)
  • Full name (if provided)
  • Organization name

2.2 Interview Data

When you use our compliance interview, we collect:

  • Your responses to interview questions (text answers describing your AI system)
  • AI-generated follow-up questions and analysis
  • Specificity scores for your answers
  • Auto-filled form field values extracted by AI from your responses
  • Your edits and approvals of auto-filled fields
  • Interview session metadata (start time, completion time, mode, sections completed)

2.3 Voice Data (Voice Mode Only)

If you use voice mode, we additionally process:

  • Audio recordings of your speech (processed in real-time for transcription)
  • Transcriptions of your spoken responses

Important: Voice audio is processed by Cartesia (our speech processing provider) for transcription and text-to-speech. See Section 5 for details on third-party processing.

2.4 Payment Data

Payment information (credit card numbers, billing address) is collected and processed directly by Stripe, our payment processor. We do not store your payment card details. We receive from Stripe: your subscription status, plan tier, and a Stripe customer identifier.

2.5 Analytics Data (With Your Consent)

If you accept analytics cookies, we collect anonymized usage data via Google Analytics, including: pages visited, features used, session duration, and general geographic region. Analytics data is only collected after you explicitly consent via our cookie banner.

2.6 Automatically Collected Data

  • Authentication session tokens (strictly necessary cookies)
  • Audit logs of significant actions (for security and compliance)

3. How We Use Your Data

Purpose | Data Used | Legal Basis (GDPR Art. 6)
Provide the compliance interview service | Account data, interview responses | Contract (Art. 6(1)(b))
Generate AI-powered compliance assessments | Interview responses sent to AI provider | Contract (Art. 6(1)(b))
Process voice interviews | Voice audio, transcriptions | Consent (Art. 6(1)(a))
Process subscription payments | Email, subscription tier (via Stripe) | Contract (Art. 6(1)(b))
Analytics and service improvement | Anonymized usage data | Consent (Art. 6(1)(a))
Security and fraud prevention | Audit logs, session data | Legitimate interest (Art. 6(1)(f))
Comply with legal obligations | As required by applicable law | Legal obligation (Art. 6(1)(c))

4. AI System Disclosure (EU AI Act Article 50)

AI Comply HQ uses artificial intelligence to process your interview responses and generate compliance assessments. Specifically:

  • Interview responses are processed by Anthropic's Claude AI model to generate follow-up questions, evaluate answer specificity, and extract structured compliance data.
  • Voice audio (voice mode only) is processed by Cartesia's speech AI for transcription (speech-to-text) and spoken responses (text-to-speech).
  • Risk classifications and auto-filled form fields are AI-generated outputs that should be reviewed by a qualified professional before use in any regulatory submission.

All AI-generated outputs are advisory. They do not constitute legal advice and must be reviewed by a human before any compliance submission or regulatory filing.

5. Third-Party Data Processors

We share personal data with the following processors, each under a Data Processing Agreement:

Processor | Purpose | Data Shared | Location
Anthropic (Claude API) | AI interview processing and data extraction | Interview responses, conversation history | United States
Cartesia | Voice processing (STT/TTS) | Voice audio, text for synthesis | United States
Supabase | Database hosting and authentication | All stored data (encrypted at rest) | See Supabase region settings
Stripe | Payment processing | Email, subscription data, payment card data | United States / EU
Netlify | Application hosting | Server logs, request metadata | Variable (CDN)
Google (Analytics) | Website analytics (consent-only) | Anonymized usage data | United States

6. International Data Transfers

Some of our processors are located outside the European Economic Area (EEA). For transfers to the United States and other third countries, we rely on:

  • EU-US Data Privacy Framework adequacy decision (where applicable)
  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Supplementary measures as required by the CJEU Schrems II ruling

7. Data Retention

  • Account data: Retained for the duration of your account. Deleted within 30 days of account deletion request.
  • Interview data: Retained for 12 months after interview completion, or until you request deletion, whichever is earlier.
  • Voice recordings: Processed in real-time for transcription. Audio is not stored by AI Comply HQ after transcription. Retention by Cartesia is governed by their privacy policy.
  • Payment data: Retained by Stripe per their data retention policy. We retain subscription status for the duration of your account.
  • Analytics data: Retained by Google Analytics per their standard retention settings (26 months).
  • Audit logs: Retained for 6 months for security purposes (append-only, cannot be modified).

8. Your Rights Under GDPR

You have the following rights regarding your personal data:

  • Right of access (Art. 15): Request a copy of all personal data we hold about you.
  • Right to rectification (Art. 16): Correct inaccurate personal data.
  • Right to erasure (Art. 17): Request deletion of your personal data ("right to be forgotten").
  • Right to restriction (Art. 18): Request that we limit processing of your data.
  • Right to data portability (Art. 20): Receive your data in a structured, machine-readable format.
  • Right to object (Art. 21): Object to processing based on legitimate interest.
  • Right regarding automated decisions (Art. 22): Our AI-generated risk classifications and form auto-fills are advisory outputs subject to human review, not automated decision-making with legal effects. You may edit or reject any AI output.
  • Right to withdraw consent: Where processing is based on consent (analytics, voice recording), you may withdraw consent at any time.

To exercise any of these rights, contact us at privacy@aicomplyhq.com. We will respond within 30 days.

9. Cookies

  • Strictly necessary cookies: Authentication session tokens managed by Supabase. These cannot be disabled as they are essential for the service to function.
  • Analytics cookies: Google Analytics cookies, loaded only after you explicitly consent via our cookie banner. You can withdraw consent at any time via the Cookie Settings link.

10. Data Security

We implement appropriate technical and organizational measures including:

  • Encryption in transit (TLS/HTTPS on all connections)
  • Encryption at rest (Supabase database encryption)
  • Row-Level Security (RLS) ensuring organization-level data isolation
  • Authentication via Supabase Auth with secure session management
  • Stripe webhook signature verification
  • Append-only audit logging

11. Children

AI Comply HQ is a business-to-business service intended for compliance professionals. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact us immediately.

12. Changes to This Policy

We may update this privacy policy to reflect changes in our data practices or legal requirements. Material changes will be communicated via email or a prominent notice on our platform. We encourage you to review this policy periodically.

13. Complaints

If you are unsatisfied with how we handle your personal data, you have the right to lodge a complaint with your local data protection supervisory authority. A list of EU/EEA supervisory authorities is available at edpb.europa.eu.

14. Contact

For privacy inquiries or data subject requests:
Email: privacy@aicomplyhq.com
General: hello@aicomplyhq.com