# Privacy Policy for euaicompliance.net
Last updated: 2025-02-21
## Who We Are
euaicompliance.net ("we," "us," "our") provides synthetic QA datasets and compliance evidence for enterprise LLM teams. We are EU-based and operate globally, supporting buyers that must meet the EU AI Act, NIST AI RMF, CPRA/CCPA, California SB 942, and other in-force U.S. privacy or civil-rights requirements.
## Personal Data We Collect
- Website and analytics data: IP address, device/browser information, pages viewed, referral source, approximate location, and cookie identifiers.
- Business contact information: name, work email, phone, company, role, billing details, and communications you send to us (support, sales, or product feedback).
- Account administration records: license history, security controls requested, and opt-in preferences.
We do **not** ingest patient records or other sensitive personal data into our services; all QA packs and evidence runs are synthetic by design.
## How We Use Personal Data
We process limited business contact and usage data to:
- Provide and improve our products, support, and website.
- Provision licenses, deliver datasets, operate billing, and enforce agreements.
- Send product updates or marketing (opt-out available in each email).
- Maintain security, investigate misuse, comply with legal obligations, and resolve disputes.
Legal bases (where GDPR applies) include performance of a contract, legitimate interest (service operation and security), consent (for marketing where required), and compliance with legal obligations.
## Synthetic Data & PII Avoidance
Our synthetic generation pipeline is engineered to avoid personal data ingestion. Evidence Packs contain synthetic-only attestations, PII scan outputs, and SB 942 labeling guidance so downstream teams can disclose AI-generated content transparently.
## Automated Decision Transparency
We do not use personal data to make solely automated decisions that produce legal or similarly significant effects. When we provide assurance tooling or QA automation that informs your decisions, we include fairness metrics, bias notes, and human-in-the-loop recommendations to support obligations under CPRA/CCPA and applicable U.S. consumer-protection and civil-rights laws.
## Sharing and Transfers
We share personal data with subprocessors (hosting, analytics, email, billing) under data processing agreements and confidentiality obligations. When transferring personal data outside the EU/EEA, we rely on Standard Contractual Clauses (SCCs) and implement supplementary safeguards when required.
## No Sale or Sharing of Personal Data
We do not sell or share personal information as defined by the CPRA/CCPA. Personal data is used only to operate and improve our services or as otherwise disclosed in this Policy.
## Your Rights
Where provided by law (including GDPR and CPRA/CCPA), you may request:
- Access to, correction of, or deletion of your personal data.
- Restriction of or objection to certain processing.
- A copy of your data in a portable format.
- Opt-out of marketing or opt-out of "sharing" as defined by the CPRA/CCPA (we do not perform such sharing, but honor the request route).
Submit requests by emailing [email protected]. We verify identity before acting and respond within applicable timelines. EU residents may contact their local supervisory authority; California residents can also submit authorized-agent requests consistent with CPRA regulations.
## Data Retention & Security
Business contact and account data are retained for the duration of the relationship plus up to 24 months after inactivity, unless a longer period is required by law (e.g., tax and accounting rules). We apply technical and organizational measures, including encryption in transit and at rest, role-based access controls, audit logging, and vulnerability management. Additional security details are available on our Trust & Security page (euaicompliance.net/trust-security).
## Cookies and Preferences
We use essential cookies for authentication and service delivery, plus limited analytics cookies to understand product usage. You can manage cookies through browser settings or opt-out mechanisms presented in our banner (where required). Blocking certain cookies may impact features.
## Links to More Information
For technical controls, provenance disclosures, and SB 942 labeling practices, please refer to our Trust & Security page (euaicompliance.net/trust-security).
## Changes to This Policy
We may update this Policy to reflect service, legal, or operational changes. We will post updates here and change the "Last updated" date. Material changes will be communicated through product notices or email when feasible.
## Contact
Privacy inquiries or rights requests: [email protected]
Postal/contact details are available upon request. We respond within statutory timelines and aim for two business days for enterprise due diligence questions.
## Governing Law
This Policy is governed by EU law and the laws of Belgium, without prejudice to mandatory protections in your jurisdiction.