Privacy Policy
Last Updated: April 3, 2026
1. Introduction
ConformAI ("Company," "we," "us," or "our") operates the website conformfit.com and provides EU AI Act compliance automation services. We are committed to protecting your privacy and ensuring transparency about how we collect, use, and process your personal data in compliance with the General Data Protection Regulation (GDPR) and applicable EU data protection laws.
This Privacy Policy explains our data practices and your rights under EU data protection legislation. If you do not agree with our practices, please refrain from using our services.
2. Data Controller
ConformAI is the data controller responsible for your personal data. For inquiries regarding data processing, please contact:
Email: [email protected]
We will respond to your inquiry within 30 days of receipt.
3. Data We Collect
We collect the following categories of personal and sensitive data to provide our compliance automation services:
3.1 Account Information
- Full name and email address
- Company name and organization details
- Job title and professional role
- Phone number (optional)
- Physical company address
3.2 AI Compliance Data (Sensitive)
- AI system inventories and descriptions
- Technical specifications of your AI systems
- Compliance assessment questionnaire responses
- Risk classifications and impact assessments
- Documentation and audit trails
- Sensitive business process information related to AI deployment
3.3 Payment Information
- Billing address and payment method details (processed by Paddle)
- Invoice records and transaction history
3.4 Usage Data
- Log data (IP address, browser type, pages visited)
- Cookies and similar tracking technologies
- Feature usage patterns and analytics (via Plausible)
- Interaction timestamps and session duration
4. Legal Basis for Processing
We process your personal data based on the following legal grounds under GDPR Article 6:
- Contractual Necessity (Article 6(1)(b)): Processing required to provide compliance services under your subscription agreement
- Legal Obligation (Article 6(1)(c)): Compliance with EU AI Act requirements and other regulatory obligations
- Legitimate Interests (Article 6(1)(f)): Improving our services, fraud prevention, and security
- Consent (Article 6(1)(a)): Where you have explicitly consented to specific processing activities (e.g., marketing communications)
For processing of special category data (Articles 9-10 GDPR), we rely on your explicit consent and the necessity to provide our services.
5. How We Use Your Data
We use your personal data for the following purposes:
- Service Delivery: Providing EU AI Act compliance automation, generating compliance reports, and delivering audit trails
- Account Management: User authentication, account administration, and customer support
- Compliance & Legal: Meeting legal and regulatory requirements, handling disputes, and maintaining audit logs
- Analytics & Improvement: Understanding user behavior to improve platform features and user experience
- Communication: Sending service updates, important notices, and (with consent) promotional content
- Security: Detecting and preventing fraud, abuse, and security incidents
- AI Analysis: Processing compliance data through our AI system to generate risk assessments and recommendations
6. Data Recipients and Third Parties
We share your personal data with the following third-party service providers who act as data processors on our behalf:
6.1 Essential Service Providers
- Supabase: Database infrastructure and authentication services. Supabase processes your account data and compliance assessments in PostgreSQL databases. Data residency: EU (Frankfurt region where possible)
- Cloudflare: Content delivery network and security infrastructure. Processes IP addresses and HTTP request metadata for security and performance
- Paddle: Payment processing and billing management. Processes billing address and payment method information for subscription management
- Plausible: Web analytics. Processes aggregated usage data and behavior analytics without cookies or personal identification (privacy-first analytics)
6.2 AI Processing Services
- OpenAI: Processes your AI system descriptions and compliance data to generate recommendations and risk assessments. Data is processed in accordance with OpenAI's privacy terms
6.3 Data Processing Agreements
We maintain Data Processing Agreements (DPAs) with all third-party processors to ensure GDPR compliance. These agreements are available upon request and outline:
- Data processing scope and purpose
- Data protection obligations and safeguards
- Sub-processor authorization and notification
- Data subject rights and assistance
- Deletion and return of data obligations
- Audit and inspection rights
We do not sell, rent, or lease your personal data to third parties for marketing purposes.
7. Data Retention
We retain your personal data based on the following retention schedules:
- Active Account Data: Retained for the duration of your subscription plus 30 days after account closure
- Compliance Records: Retained for 3 years to meet regulatory and audit requirements, then securely deleted
- Payment Records: Retained for 7 years as required by financial and tax regulations
- Backup Data: Retained for up to 90 days for disaster recovery purposes
- Analytics Data: Retained for 12 months of historical analysis
- Support Communications: Retained for 2 years after resolution of support request
After the retention period expires, data is securely deleted or anonymized. You may request earlier deletion subject to legal and contractual obligations.
8. Your Rights Under GDPR
As a data subject in the European Union, you have the following rights:
8.1 Right of Access (Article 15)
You have the right to obtain confirmation of whether your personal data is being processed and to access that data in a structured, commonly-used, and machine-readable format.
8.2 Right to Rectification (Article 16)
You have the right to request correction of inaccurate or incomplete personal data.
8.3 Right to Erasure (Article 17 - "Right to be Forgotten")
You have the right to request deletion of your personal data, except where processing is necessary for legal compliance, contractual performance, or other lawful grounds.
8.4 Right to Restrict Processing (Article 18)
You have the right to restrict our processing of your personal data pending correction, objection, or deletion claims.
8.5 Right to Data Portability (Article 20)
You have the right to receive your personal data in a structured, commonly-used, machine-readable format and to transmit it to another controller without hindrance.
8.6 Right to Object (Article 21)
You have the right to object to processing based on legitimate interests or for direct marketing purposes. We will cease such processing unless we can demonstrate compelling legitimate grounds or legal obligations.
8.7 Right to Withdraw Consent
Where processing is based on your consent, you may withdraw that consent at any time without affecting the lawfulness of processing prior to withdrawal.
8.8 Right to Lodge a Complaint
You have the right to lodge a complaint with your national data protection authority if you believe your rights have been violated.
8.9 Exercising Your Rights
To exercise any of these rights, please contact us at [email protected] with a clear description of your request. We will respond within 30 days (extendable by 60 days for complex requests) and verify your identity before processing.
9. Data Security
We implement comprehensive technical and organizational security measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction:
- Encryption: All data in transit uses TLS 1.2+ encryption; sensitive data at rest is encrypted
- Access Controls: Role-based access control (RBAC) and principle of least privilege
- Cloudflare DDoS Protection: Enterprise-grade security against distributed attacks
- Regular Audits: Third-party security assessments and penetration testing
- Incident Response: Documented procedures for reporting and responding to data breaches within 72 hours
- Employee Training: GDPR and data protection training for all personnel with data access
- Secure Development: Code reviews, dependency scanning, and secure coding practices
While we maintain robust security measures, no system is completely immune to breaches. In the event of a data breach affecting your personal data, we will notify you and relevant authorities as required by GDPR Article 33.
10. Data Processing Agreement
If you are a business controller using our platform to process personal data on behalf of your customers or users, we can provide a Data Processing Agreement (DPA) that outlines our obligations as a data processor under GDPR Article 28.
The DPA is available upon request and covers:
- Processing instructions and limitations
- Data security and confidentiality obligations
- Sub-processor authorization procedures
- Data subject assistance and rights fulfillment
- Deletion and return of data
- Audit and inspection rights
- International data transfers (if applicable)
To request a DPA or discuss data processing arrangements, contact us at [email protected].
11. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Email: [email protected]
Website: conformfit.com
We will acknowledge receipt of your inquiry and respond as promptly as possible, typically within 30 days.
This Privacy Policy may be updated periodically to reflect changes in our data practices or legal requirements. We will notify you of material changes by email or through the platform. Your continued use of our services constitutes acceptance of the updated policy.