Privacy Policy
Last updated: 17 June 2026
1. Data Controller
iCOMPLY is operated by AimRank AI Innovation Labs ("we", "us", "our"). We are the data controller for the personal data processed through the iCOMPLY platform.
Contact: privacy@aimrank.io
Data Protection Officer
Under GDPR Article 37, a DPO is mandatory when the controller's core activities consist of regular and systematic monitoring of data subjects on a large scale, or large-scale processing of special-category data (Article 9). iCOMPLY processes only business-to-business compliance data; the personal data we hold is account-level (names, work emails) plus customer-supplied AI system descriptions. We do not reach the Article 37 mandatory threshold and we have not formally appointed a DPO.
The privacy@aimrank.io mailbox is monitored by the founder (AIGP-certified) and serves as the single point of contact for all data-protection enquiries, subject-rights requests, and breach reports. This position will be re-assessed (and a formal DPO appointed) if (i) we begin large-scale processing of special-category data, (ii) we add features that systematically monitor natural persons at scale, or (iii) our headcount or processing volume crosses a threshold where a part-time external DPO becomes appropriate.
2. What Data We Collect
Account data
When you register, we collect your name, email address, and a password hash (bcrypt, cost 12). We also store your organization name and country.
AI system descriptions
You provide descriptions of your AI systems, including technical details, deployment information, model names, subprocessor lists, and uploaded documentation (model cards, DPIAs, vendor docs). This data is stored in our database and used exclusively to provide the compliance advisory service.
Conversation data
Conversations with our AI classification, mapping, and guidance engine are stored in full (your messages and the AI assistant's responses). These are retained to maintain conversation state, enable document generation from conversation data, and provide audit trail evidence.
Generated documents
Compliance documents generated by the platform (classification reports, Annex IV documentation, risk management plans) are stored as structured JSON and as downloadable DOCX files.
Audit logs
We maintain an immutable audit log of every significant action on the platform: system creation/edits, document generation, review submissions, status changes, logins. This log includes your user ID, IP address, user agent, and a description of the action.
Technical data
We collect standard server-side technical data: IP addresses, HTTP request metadata, and session tokens (via secure, HTTP-only cookies).
Waitlist / access requests
If you request private-beta access via our website, we store the email address you provide (and any optional name, company, or use-case notes) to contact you about access. The lawful basis is your consent (GDPR Article 6(1)(a)), which you give by ticking the consent box on the form.
For abuse prevention we also store a salted, irreversible hash of your IP address (not the raw IP) on the basis of our legitimate interest (Article 6(1)(f)) in protecting the form from automated submissions.
We keep waitlist data until access is granted or you ask us to remove it, and we delete stale or unconverted entries when we close the beta. We do not share waitlist data with third parties or use it for marketing. To withdraw consent or have your details erased, email privacy@aimrank.io.
3. Why We Process Your Data (Legal Basis)
| Purpose | Legal basis (GDPR) |
|---|---|
| Providing the compliance advisory service | Article 6(1)(b) — performance of a contract |
| Sending transactional emails (verification, password reset, review notifications, team invites) | Article 6(1)(b) — necessary for the service |
| Maintaining audit logs | Article 6(1)(f) — legitimate interest (regulatory compliance and security) |
| Improving the platform | Article 6(1)(f) — legitimate interest (service improvement). We do NOT train AI models on your data. |
4. AI Processing Disclosure (EU AI Act Article 50)
iCOMPLY uses artificial intelligence to deliver its core service. Specifically:
- Classification, mapping, and guidance conversations are powered by Anthropic's Claude models (Claude Sonnet and Claude Opus) accessed via AWS Bedrock in the eu-central-1 region.
- Document generation uses the same Claude models to produce structured compliance documentation from conversation data.
- All AI-generated outputs are clearly marked in the platform UI with an "AI" indicator and in generated documents with a disclosure footer.
- Paid-tier outputs are human-reviewed by a compliance specialist before delivery. The expert review status is visible on every document.
We do not use your data to train, fine-tune, or improve any AI model. Conversation data is sent to Anthropic (via AWS Bedrock) for real-time inference only and is subject to Anthropic's privacy policy and AWS's data processing terms. AWS Bedrock does not use customer inputs/outputs for model training.
5. Sub-Processors
| Sub-processor | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | Cloud hosting (compute, self-hosted PostgreSQL, and file storage) — the EU VPS the platform runs on | EU (Germany — Falkenstein / Nuremberg) |
| Amazon Web Services (Bedrock only) | AI inference (Claude models via eu.anthropic.* profiles). Under AWS's model-provider terms, Bedrock does not retain prompts or outputs after the request and Anthropic does not train on them. AWS does not host our database, application, files, or email. | EU (eu-central-1, Frankfurt) |
| Anthropic (via AWS Bedrock) | AI model provider. Your prompts are processed by Claude for real-time inference only. No training on, or retention of, customer data. | US-based company; inference runs in the EU via AWS Bedrock eu-central-1 |
| Brevo (Sendinblue SA) or Mailjet SAS | Transactional email delivery (verification, password reset, review notifications, team invites) | EU (France) |
6. Data Retention
- Account data: retained as long as your account exists. Deleted upon account deletion request.
- Conversations and messages: retained as long as the associated AI system exists in your organization. Deleted when the system is deleted (cascade).
- Generated documents: retained as long as the associated AI system exists. Download your DOCX files before deleting a system.
- Audit logs: retained indefinitely for regulatory compliance purposes (the EU AI Act requires demonstrable compliance history).
- Email verification / password reset tokens: expire and become unusable after 24 hours / 1 hour respectively. Expired tokens are not automatically purged but are functionally dead.
7. Your Rights (GDPR Articles 15–22)
You have the right to:
- Access your personal data (Article 15)
- Rectify inaccurate data (Article 16)
- Erase your data ("right to be forgotten", Article 17) — subject to our legitimate interest in retaining audit logs
- Restrict processing (Article 18)
- Data portability (Article 20) — your AI system descriptions and generated documents can be exported as JSON/DOCX
- Object to processing based on legitimate interest (Article 21)
To exercise any of these rights, email privacy@aimrank.io. We will respond within 30 days.
8. International Transfers
Your data is hosted in the EU on a single VPS (Hetzner Online GmbH, Germany) — compute, the self-hosted PostgreSQL database, and file storage all stay in the EU. AI inference via AWS Bedrock runs in the EU region (eu-central-1, Frankfurt) under AWS's contractual data-residency commitments. Anthropic supplies the model weights but, under AWS's model-provider terms, does not train on, retain, or store your prompts or outputs beyond the request.
Residency is not the same as sovereignty. Your data stays in EU AWS regions, but AWS and Anthropic are US-incorporated companies, so access requests under US law remain theoretically possible. To close that gap we plan to migrate to an EU-sovereign cloud; until then we rely on EU-region residency plus the SCC-based safeguards below.
Transfer mechanism. For any incidental transfer of personal data outside the EEA that arises from the relationship with Anthropic (e.g. service telemetry, account administration), the transfer is covered by the European Commission's Standard Contractual Clauses (SCCs) — Module 2 (controller-to-processor), 2021/914 EU SCCs as updated. The SCCs are incorporated by reference into the AWS Customer Agreement's Data Processing Addendum and are available on request from privacy@aimrank.io.
Supplementary measures beyond the SCCs:
- Encryption in transit (TLS 1.3) across all connections. Data at rest is stored on EU-hosted infrastructure; full-disk encryption of the VPS data volume is a documented operational commitment completed before any real customer personal data is processed
- IP-address handling — audit logs retain the originating IP address of each security-relevant action, used solely for security investigation and tamper-evidence, with access restricted to administrators
- No training on customer data — under AWS's Bedrock model-provider terms, Anthropic does not train on, and AWS does not retain, prompts or outputs after the request
- Tamper-evident audit log of every inference call (hash-chained per Article 12) for transparency over any incidental cross-border processing
We do not currently rely on an adequacy decision for these transfers. Should the EU-US Data Privacy Framework status change materially (Schrems III, framework invalidation, etc.), our SCC fallback remains valid and is the operative mechanism today.
9. Cookies
iCOMPLY uses a single session cookie set by NextAuth.js. This cookie is:
- Strictly necessary for authentication
- HTTP-only and Secure-flagged
- Not used for tracking or advertising
We do not use any third-party tracking cookies. If we add analytics in the future, we will update this policy and implement a consent mechanism before setting any non-essential cookies.
10. Children
iCOMPLY is a business-to-business service. We do not knowingly collect data from individuals under 16 years of age.
11. Changes to This Policy
We will update this page when our data practices change. Material changes will be communicated via email to registered users.
12. Personal Data Breach Notification (GDPR Articles 33–34)
If we become aware of a personal data breach affecting your data, our process is:
- Within 72 hours we notify the lead supervisory authority where notification is required under Article 33(1) — unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.
- Without undue delay we notify affected data subjects directly when the breach is likely to result in a high risk to their rights and freedoms (Article 34(1)). Notification will describe the nature of the breach, the likely consequences, the measures we have taken to address it, and the contact point at iCOMPLY for further information.
- Internal record. We maintain an internal log of every personal data breach (Article 33(5)) covering the facts, effects, and remedial action taken — irrespective of whether notification was triggered.
Suspected breach? Report it to security@aimrank.io — this mailbox is monitored alongside the data-protection mailbox above and triggers the same 72-hour clock internally.
13. Records of Processing Activities (GDPR Article 30)
We maintain an internal Record of Processing Activities (RoPA) per Article 30, covering categories of data subjects, categories of personal data, purposes, legal basis, recipients, retention periods, international transfers, and security measures. The summary is publicly available in the repository at docs/RoPA.md; the full record is available to supervisory authorities on request.
14. Supervisory Authority
If you believe we are processing your data unlawfully, you have the right to lodge a complaint with your national data protection authority.
Questions? Contact privacy@aimrank.io.