Privacy Policy
Effective Date: March 30, 2026
1. Overview
ConformAI ("Company," "we," "us," or "our") operates the conformfit.com website and related services. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data in accordance with the General Data Protection Regulation (GDPR) and other applicable EU data protection laws.
ConformAI is committed to protecting your privacy and ensuring transparency about how we handle your information. This policy applies to all users and customers of our EU AI Act compliance platform.
2. Data Collection
2.1 Information You Provide Directly
- Account Information: When you create an account, we collect your name, email address, company name, industry, country, and company size.
- Billing Information: Payment details are collected through Paddle (our payment processor) and are never stored directly on our servers.
- Profile Data: Optional information such as job title, preferences, and communication settings.
- Communications: When you contact support, we collect the content of your messages and any attachments.
2.2 Information Collected Automatically
- Usage Analytics: Via Plausible Analytics, we track page views, feature usage, and interaction patterns (no personal identification).
- Technical Data: Browser type, IP address, device information, and operating system.
- Cookies: We use functional and analytical cookies (see Cookie Policy section below).
2.3 Platform Data
- AI system descriptions and metadata you upload
- Compliance documentation and artifacts
- Team member invitations and roles
- Audit log records of platform activity
3. Data Usage & Processing
3.1 Purposes of Processing
We process your personal data for the following purposes:
- Providing and maintaining the ConformAI service
- Processing subscriptions and billing (via Paddle)
- Sending service notifications and compliance updates
- Improving the platform based on usage analytics
- Responding to customer support requests
- Complying with legal obligations
- Detecting and preventing fraud or security issues
- Sending regulatory alerts and obligation reminders
3.2 Legal Basis for Processing
We process your data under the following legal bases (GDPR Article 6):
- Contractual necessity: Processing required to provide the service you've requested
- Legitimate interests: Improving service quality, fraud prevention, security
- Legal compliance: Meeting regulatory and statutory requirements
- Consent: For marketing communications and optional analytics features
4. Data Storage & Security
4.1 Where We Store Your Data
ConformAI uses Supabase as our primary data infrastructure. Supabase provides PostgreSQL databases hosted on secure, ISO 27001-certified infrastructure within the European Union. Your data is encrypted both in transit (TLS 1.3) and at rest (AES-256).
- Primary Storage: EU-based Supabase infrastructure (Frankfurt region preferred)
- Backup Storage: Geographically redundant encrypted backups within the EU
- Payment Data: Handled exclusively by Paddle (PCI-DSS compliant)
- Analytics: Plausible Analytics (GDPR-compliant, privacy-first)
4.2 Data Security Measures
- End-to-end encryption for all API communications
- Role-based access control (RBAC) for team members
- Regular security audits and penetration testing
- Two-factor authentication (2FA) available for all accounts
- Automatic session timeout and activity logging
- Compliance with GDPR, ISO 27001, and SOC 2 Type II standards
4.3 Data Retention
We retain your personal data for as long as your account is active. After account deletion, we retain non-identifiable audit logs for 90 days for security purposes, then permanently delete all personal data within 30 days.
5. Global Compliance: GDPR, PDPL & Data Protection
5.0 Saudi Personal Data Protection Law (PDPL) Compliance
ConformAI complies with the Saudi Personal Data Protection Law (PDPL) for all users subject to Saudi law. If you are a Saudi resident or organization, you have the following rights under PDPL:
- Right to Access: You may request a copy of your personal data we hold
- Right to Correction: You may request correction of inaccurate data
- Right to Deletion: You may request deletion of your data (subject to legal retention requirements)
- Right to Data Portability: You may request your data in portable, machine-readable format
- Right to Restrict Processing: You may request limitation of how we process your data
- Consent Withdrawal: You may withdraw consent for non-essential processing
Cross-Border Data Transfers Disclosure (PDPL Article 29): ConformAI's core infrastructure (Supabase) is EU-based. However, some processing occurs outside Saudi Arabia:
- Email delivery via Resend (US-based, justified by contractual necessity)
- Plausible Analytics (EU-based, anonymized)
All transfers are justified under PDPL Article 29 and your consent is required. You may request data not be transferred outside the KSA by contacting [email protected].
Arabic Language Version Available: An Arabic translation of this Privacy Policy and of all compliance documents is available upon request.
5.1 Data Processing Agreement (DPA)
ConformAI is a data processor for EU customers. We have executed Data Processing Agreements (DPA) compliant with GDPR Article 28. A copy of our DPA is available upon request at [email protected].
5.2 Data Residency
All personal data of EU residents is stored exclusively within the European Union. We do not transfer data outside the EU without appropriate safeguards and your explicit consent.
5.3 Sub-processors
| Service | Purpose | Location | DPA |
|---|---|---|---|
| Supabase | Database & infrastructure | EU (Frankfurt) | Yes |
| Paddle | Payment processing | EU / US | Yes |
| Plausible Analytics | Analytics (anonymized) | EU (Estonia) | Yes |
| Resend | Email delivery | US | Yes |
6. Cookie Policy
6.1 Essential Cookies
These cookies are necessary for the platform to function and cannot be disabled:
- Session cookies: Maintain your login session and security state
- CSRF tokens: Prevent cross-site request forgery attacks
- Preference cookies: Remember your language and theme preferences
6.2 Analytical Cookies
We use Plausible Analytics to understand how users interact with our platform. Plausible is GDPR-compliant and does not use cookies for tracking; instead, it uses server-side analytics. You can opt out of analytics at any time in your Settings.
6.3 Cookie Consent
Essential cookies are automatically enabled. When you first visit, we ask your consent for analytical tracking. You can change your preferences at any time in your account settings or by contacting us.
7. Your Rights Under GDPR
As an EU resident, you have the following rights under GDPR Articles 15-22:
7.1 Right of Access (Article 15)
You have the right to request a copy of all personal data we hold about you. We will provide this in a structured, commonly used, machine-readable format within 30 days.
7.2 Right to Rectification (Article 16)
You may request correction of inaccurate or incomplete personal data. You can update most information directly in your account settings.
7.3 Right to Erasure (Article 17)
You have the right to request deletion of your personal data ("Right to be Forgotten"). We will delete your data within 30 days, except where legal obligations require retention.
7.4 Right to Data Portability (Article 20)
You can request a copy of your data in a portable format. Use the "Export Data" feature in Settings or contact support for assistance.
7.5 Right to Object (Article 21)
You can object to processing of your data for marketing purposes. We will honor objections within 10 business days.
7.6 Right to Restrict Processing (Article 18)
You can request that we limit how we process your data while we verify disputes or process your requests.
7.7 Rights Related to Automated Decision-Making (Article 22)
ConformAI does not make fully automated decisions that produce legal effects on users. All AI risk classifications and recommendations require human review.
8. Data Processing Agreement
For organizations that need formal data processing terms compliant with GDPR Article 28, ConformAI provides a comprehensive Data Processing Agreement. This document outlines:
- Data processor responsibilities and obligations
- Security and confidentiality measures
- Data subject rights and assistance
- Sub-processor information
- Data transfer and deletion procedures
8. Data Protection Officer & Legal Basis
ConformAI has appointed a Data Protection Officer to oversee GDPR compliance and EU AI Act requirements. You can contact our DPO with any data protection or privacy concerns through the official support channel only:
Data Protection Officer Contact
Email: [email protected]
Email Subject: "Data Protection Officer Request" or "Privacy Concern"
Response time: Within 10 business days
Important: Do not contact personal email addresses for privacy matters. Use only the official support channel.
If you are not satisfied with our response, you have the right to lodge a complaint with your national data protection authority.
9. Contact Us & Privacy Inquiries
For privacy-related questions, data subject rights requests, or to exercise any of your GDPR rights:
Contact Information
Email (for all inquiries): [email protected]
Website: conformfit.com
Entity Name: ConformAI
Jurisdiction: European Union
Important: For security and compliance, contact ONLY the official support email. Never share personal data via other channels or with individuals.
Data Subject Rights Requests
When submitting a data rights request, please include:
- Your full name and email address associated with your account
- Description of your request
- Type of right you're exercising (access, deletion, portability, etc.)
- Proof of identity (copy of ID may be required)
We will acknowledge receipt within 24 hours and provide a substantive response within 30 days. Extensions of up to 60 days may apply for complex requests, and we will notify you of any delays.
Last Updated: March 30, 2026
We may update this Privacy Policy periodically. Changes will be posted on this page with an updated "Effective Date." Continued use of ConformAI constitutes acceptance of our updated policies.