Privacy Policy

Last Updated: December 2024

RiskAI Technologies GmbH ("RiskAI," "we," "our," or "us") is committed to protecting your privacy and complying with applicable data protection laws, including the General Data Protection Regulation (GDPR). This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use our AI governance and compliance automation platform.

1. Data Controller

RiskAI Technologies GmbH
Dorothee-Sölle-Platz 2
50672 Köln, Germany
Email: privacy@riskai.tech

2. Personal Data We Collect

We collect the following categories of personal data in the RiskAI platform:

2.1 Account Information

• Name, email address, and job title
• Department, Company name and industry
• Account credentials and preferences

2.2 Usage Data

• Platform usage logs and analytics
• Feature interactions and performance metrics
• Error logs and system diagnostics

2.3 Technical Data

• IP addresses and device information
• Browser type and version
• Cookies and similar tracking technologies

3. Purpose and Legal Basis for Processing

We process your personal data for the following purposes under the legal bases specified:

3.1 Service Delivery (Art. 6(1)(b) GDPR)

• Providing and maintaining our AI Safety & Governance platform
• Processing transactions and managing accounts
• Using the RiskAI platform to manage AI risks and compliance
• Delivering customer support and technical assistance

3.2 Legitimate Interests (Art. 6(1)(f) GDPR)

• Improving our services and user experience
• Security monitoring and fraud prevention
• Business analytics and research

3.3 Legal Obligations (Art. 6(1)(c) GDPR)

• Compliance with applicable laws and regulations
• Responding to legal requests and court orders
• Maintaining audit trails for regulatory purposes

3.4 Consent (Art. 6(1)(a) GDPR)

• Marketing communications
• Non-essential cookies and tracking
• Optional surveys and feedback collection

4. Data Sharing and Transfers

We may share your personal data with:

4.1 Service Providers

• Cloud hosting providers (AWS, Azure)
• Analytics and monitoring services
• Customer support and communication tools

4.2 Legal Requirements

• Government authorities when required by law
• Regulatory bodies for compliance purposes
• Legal advisors in connection with disputes

4.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your personal data may be transferred as part of the business transaction.

5. International Data Transfers

Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA). We ensure appropriate safeguards are in place through:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Adequacy decisions for certain countries
• Additional security measures and contractual protections

6. Data Security

We implement comprehensive security measures to protect your personal data:

• Encryption of data in transit and at rest
• Access controls and authentication mechanisms
• Regular security assessments and penetration testing
• Employee training on data protection
• Incident response procedures

7. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes outlined in this policy:

• Account data: Duration of account plus 7 years for legal compliance
• Usage logs: 2 years for analytics and security
• Marketing data: Until consent withdrawal or 3 years
• Legal/regulatory data: As required by applicable laws

8. Your Data Subject Rights

Under the GDPR, you have the following rights regarding your personal data:

8.1 Right of Access (Art. 15 GDPR)

You can request a copy of your personal data and information about how we process it.

8.2 Right to Rectification (Art. 16 GDPR)

You can request correction of inaccurate or incomplete personal data.

8.3 Right to Erasure (Art. 17 GDPR)

You can request deletion of your personal data in certain circumstances.

8.4 Right to Restriction (Art. 18 GDPR)

You can request limitation of processing in specific situations.

8.5 Right to Data Portability (Art. 20 GDPR)

You can request a copy of your data in a structured, machine-readable format.

8.6 Right to Object (Art. 21 GDPR)

You can object to processing based on legitimate interests or for direct marketing.

8.7 Right to Withdraw Consent

Where processing is based on consent, you can withdraw consent at any time.

9. Contact Information

10. Complaints

If you believe we have not addressed your privacy concerns adequately, you have the right to lodge a complaint with your local data protection authority.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by:

• Posting the updated policy on our website
• Sending email notifications to registered users
• Displaying prominent notices on our platform