Data Protection

Privacy Policy

How Arcus collects, uses, and protects your personal information. Compliant with GDPR, Australian Privacy Act, and CCPA/CPRA.

Last updated: March 10, 2026

1. Introduction and Data Controller

Arcus Technologies Pty Ltd (ABN pending), operating as Arcus ("we," "our," or "us"), is the data controller responsible for your personal information. We are committed to protecting your privacy in accordance with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), the EU General Data Protection Regulation (GDPR), and the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI governance platform, website, and related services (collectively, the "Service"). Our principal place of business is in Melbourne, Victoria, Australia. By accessing or using the Service, you acknowledge that you have read and understand this Privacy Policy.

2. Information We Collect

We collect the following categories of personal information:

Information You Provide Directly

  • Account Information: Name, email address (corporate email required), job title, and organizational affiliation.
  • Organization Data: Company name, country of operation, industry sector, and employee count for compliance assessment purposes.
  • AI System Data: Descriptions, purposes, data types, decision categories, and deployment contexts of the AI systems you register for risk classification.
  • Risk Assessment Responses: Information you provide through the free AI risk screener and penalty calculator tools.
  • Communications: Information you provide when you contact us for support or feedback.

Information Collected Automatically

  • Usage Data: Pages visited, features used, time spent on the platform, and interaction patterns.
  • Device Information: Browser type, operating system, device identifiers, and IP address.
  • Cookies and Similar Technologies: As detailed in Section 6.
  • Log Data: Server logs including access times, pages viewed, and referring URLs.

3. Lawful Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data on the following legal grounds:

  • Contract Performance (Article 6(1)(b)): Processing necessary to provide the Service you have subscribed to, including AI risk classification, compliance assessment, and document generation.
  • Legitimate Interests (Article 6(1)(f)): Processing for platform security, fraud prevention, service improvement, and aggregate analytics. We have assessed that these interests do not override your fundamental rights.
  • Legal Obligation (Article 6(1)(c)): Processing required to comply with applicable laws, regulations, or legal processes.
  • Consent (Article 6(1)(a)): Where required, such as for marketing communications or optional analytics cookies. You may withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

4. How We Use Your Information

We use the information we collect strictly for the following purposes:

  • To provide, maintain, and improve the Service, including AI risk classification, compliance documentation, and governance analytics.
  • To process and complete AI system risk assessments, generating classification results, applicable regulation references, and compliance recommendations.
  • To create and manage your account, authenticate your identity, and provide customer support.
  • To send service-related notifications, classification alerts, regulation change notifications, and compliance updates.
  • To analyze usage patterns in aggregate to improve user experience, platform performance, and classification confidence.
  • To comply with legal obligations, including EU AI Act and Australian Privacy Act requirements.
  • To detect, prevent, and address technical issues, security vulnerabilities, and fraudulent activity.
  • To generate anonymized, aggregate industry benchmarks (no individual company data is identifiable).

We do NOT use your data to train AI models. Your AI system descriptions and organizational data are processed solely via API calls to generate classifications and are not retained by our AI sub-processor (Anthropic) for training purposes.

5. Data Sharing and Sub-Processors

We do not sell your personal information. We will never sell your personal information. We may share your information in the following limited circumstances:

Service Sub-Processors

  • Supabase Inc. (United States): Cloud database hosting, authentication, and file storage. SOC 2 Type II certified.
  • Anthropic PBC (United States): AI language model processing via Claude API. Data is processed via API and is NOT used for model training per Anthropic's data processing terms.
  • Resend Inc. (United States): Transactional email delivery for notifications and alerts.
  • Stripe Inc. (United States): Payment processing for subscriptions. We do not store your credit card details.

Other Sharing

  • Within Your Organization: Team members within your organization can access shared AI system data, classification results, and compliance documents based on their assigned roles.
  • Government Regulatory Portal: ONLY if you explicitly opt in through the Data Sharing Portal. Sharing is granular (you choose which data types), revocable, and fully audited with an immutable access log.
  • Legal Requirements: We may disclose your information when required by law, regulation, legal process, or governmental request.
  • Business Transfers: In connection with a merger, acquisition, or sale of assets, your information may be transferred. We will notify you before your personal information becomes subject to a different privacy policy.

6. Cookies and Tracking Technologies

We use cookies and similar tracking technologies:

  • Essential Cookies: Required for authentication, session management, and security. These cannot be disabled as they are necessary for the Service to function.
  • Preference Cookies: Store your settings such as theme preference (light/dark mode) and language selection. These can be managed in your account settings.
  • Analytics Cookies: Help us understand how the Service is used and identify areas for improvement. These are only set with your consent. You can opt out of analytics tracking at any time via your account settings or browser settings.

We do NOT use advertising cookies or tracking pixels. You can manage cookie preferences through your browser settings. Disabling essential cookies may affect the functionality of the Service. For EU users, non-essential cookies are only set after you provide explicit consent.

7. Data Retention and Security

Data Retention Periods

  • Active account data is retained for the duration of your subscription.
  • Upon account deletion, personal data is permanently deleted within 30 days.
  • Anonymized usage analytics may be retained indefinitely for service improvement.
  • Audit logs required for regulatory compliance are retained for 7 years.
  • Risk screener/penalty calculator lead data is retained for 12 months, then deleted.
  • Backup data is purged within 90 days of primary deletion.

Data Security Measures

  • All data is encrypted in transit using TLS 1.3 and at rest using AES-256 encryption.
  • Access to personal data is restricted to authorized personnel on a need-to-know basis.
  • Row Level Security (RLS) policies ensure complete data isolation between organizations at the database level — no organization can access another's data.
  • Regular security assessments and vulnerability scanning are conducted.
  • AI system data submitted for classification is processed securely via API and is not stored by our AI provider.
  • All API endpoints are protected by rate limiting and authentication.

While we implement industry-leading security measures, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security but will notify affected users within 72 hours of discovering a data breach, as required by GDPR and the Notifiable Data Breaches scheme under Australian law.

8. International Data Transfers

Your data may be transferred to and processed in countries outside your country of residence, including the United States (where our primary sub-processors Supabase, Anthropic, and Stripe operate). For transfers from the EEA and UK, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission to ensure adequate data protection. For Australian users, these cross-border disclosures are made in compliance with APP 8 of the Australian Privacy Principles. We ensure that all receiving parties are contractually bound to provide protections equivalent to those in the originating jurisdiction. We evaluate the data protection laws of recipient countries and supplement contractual safeguards with technical measures (encryption, pseudonymization) where necessary.

9. Your Rights — GDPR and Australian Privacy Act

Depending on your jurisdiction, you have the following rights regarding your personal information:

Under GDPR (EEA/UK Residents)

  • Right of Access (Art. 15): Request a copy of the personal data we hold about you.
  • Right to Rectification (Art. 16): Request correction of inaccurate or incomplete personal data.
  • Right to Erasure (Art. 17): Request deletion of your personal data, subject to legal retention requirements.
  • Right to Data Portability (Art. 20): Request your data in a structured, commonly used, machine-readable format.
  • Right to Restrict Processing (Art. 18): Request limitation of processing of your personal data.
  • Right to Object (Art. 21): Object to processing based on legitimate interests.
  • Right Related to Automated Decision-Making (Art. 22): Our AI classifications are designed as decision-support tools, not fully automated decisions with legal effects. You always have the right to request human review of any AI-generated classification or assessment.
  • Right to Lodge a Complaint: You may lodge a complaint with your local Data Protection Authority.

Under Australian Privacy Act

  • Right of Access (APP 12): You may request access to the personal information we hold about you.
  • Right of Correction (APP 13): You may request correction of personal information that is inaccurate, out-of-date, incomplete, irrelevant, or misleading.
  • Right to Complain: You may lodge a complaint about our handling of your personal information with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

Timeline: We will respond to all rights requests within 30 days as required by applicable law. Contact: [email protected].

10. Your Rights — CCPA/CPRA (California Residents)

If you are a California resident, you have additional rights under the CCPA/CPRA:

  • Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share your information.
  • Right to Delete: You may request deletion of your personal information, subject to certain exceptions.
  • Right to Opt-Out of Sale: We do not sell personal information. We have not sold personal information in the preceding 12 months.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.
  • Right to Correct: You may request correction of inaccurate personal information.
  • Right to Limit Use of Sensitive Personal Information: You may direct us to limit the use of sensitive personal information to that which is necessary to perform the Service.

We do not use or disclose sensitive personal information for purposes other than providing the Service. To exercise your California privacy rights, contact us at [email protected]. You may designate an authorized agent to submit requests on your behalf with proper written authorization.

11. Changes and Contact Information

We may update this Privacy Policy from time to time to reflect changes in our practices or for legal, operational, or regulatory reasons. We will notify registered users of material changes at least 14 days before they take effect via email. Changes will be posted on this page with an updated revision date.

For questions, concerns, or to exercise your privacy rights, please contact:

Data Protection Inquiries: [email protected]

Legal Inquiries: [email protected]

Postal Address: Arcus Technologies Pty Ltd, Melbourne, Victoria, Australia

For GDPR inquiries, you may also contact our Data Protection representative at [email protected].
