Privacy Policy
Last updated: 3 May 2025
This Privacy Policy explains how AI-Act Compliance (“Provider,” “we,” “us”) collects, uses, shares, and protects personal data when you visit actready.ai or use any of our compliance services (collectively, the “Service”). We process personal data in accordance with the EU General Data Protection Regulation (“GDPR”) and other applicable laws.
1. Who we are
Provider is the controller for website‑visitor data. When you upload logs or events through our SDK/API, we act as processor on your behalf; those activities are governed by the Data Processing Addendum (“DPA”).
2. Data we collect
2.1 Data you provide
- Account details — name, business email, company, role
- Billing info — VAT ID, billing address, payment tokens (Stripe)
- Support tickets — messages and attachments you send us
- AI system metadata you choose to upload via the Service
2.2 Data we collect automatically
- Log files — IP address, user‑agent, timestamps, pages visited
- Device & usage data — OS, browser, referral URL, clicks
- Cookies & local storage (see § 6) for analytics and session management
3. How we use data
- Operate, secure, and improve the Service
- Authenticate users and process transactions
- Provide customer support and technical notices
- Analyse aggregate usage to develop new features
- Comply with legal obligations and defend legal claims
- Send marketing emails only with your opt‑in consent
Our lawful bases under GDPR are: (i) contract performance, (ii) legitimate interests, (iii) consent (for marketing), and (iv) legal obligation.
4. Cookies
We use first‑party cookies (session, preference, analytics) and do not employ third‑party advertising cookies. You can manage preferences via our cookie banner or browser settings. Blocking cookies may impair core functionality.
5. Data sharing
We share personal data only with:
- Sub‑processors — hosting (Vercel EU), database (Supabase DE), payments (Stripe US ↔ SCCs). Full list: /subprocessors.
- Professional advisers (lawyers, auditors) under confidentiality duties
- Authorities or courts when required by law or to protect legal rights
6. International transfers
Where data is transferred outside the EEA/UK, we rely on adequacy decisions or Standard Contractual Clauses (EU 2021/914). Copies are available on request.
7. Data security
Security measures include TLS 1.3, AES‑256 at rest, least‑privilege access, ISO 27001‑certified data centres, routine penetration tests, and incident‑response procedures.
8. Data retention
- Account data — life of the subscription + 6 years (tax)
- SDK event logs — 18‑month rolling window (unless you configure less)
- Support tickets — 3 years after closure
9. Your rights
You may request access, rectification, erasure, restriction, portability, or object to processing. To exercise rights, email
10. Children
The Service is not directed to children under 16. We do not knowingly process children’s data.
11. Changes
We may update this Policy periodically. Material changes will be announced via email or banner 30 days before taking effect. Continued use constitutes acceptance.