Privacy Policy
As of March 2026 · In accordance with EU GDPR (Regulation 2016/679)
- Controller
- General Data Processing
- Legal Bases
- Hosting (IONOS)
- Backend Infrastructure (Supabase)
- Payment Processing (Stripe)
- AIGOY AI Governance Platform
- Local Data Storage
- Cookies & Technical Storage
- Email Communication
- Data Sharing with Third Parties
- Data Transfer to Third Countries
- Storage Duration
- Your Rights (GDPR)
- Right to Lodge a Complaint
- AI-Powered Risk Assessment
- Changes
1. Controller
Thomas Brandt
Sole proprietor operating under the brands AX1S and AIGOY
AX1S c/o Clevver · Winterhuder Weg 29, 7th Floor · 22085 Hamburg, Germany
Email: · Website: aigoy.io
2. General Data Processing
We process personal data only to the extent necessary for providing a functional AI Governance Platform as well as our content and services.
3. Legal Bases
- Art. 6 para. 1 lit. a GDPR – Consent of the data subject
- Art. 6 para. 1 lit. b GDPR – Performance of a contract or pre-contractual measures
- Art. 6 para. 1 lit. c GDPR – Compliance with legal obligations (EU AI Act, NIS2, DORA)
- Art. 6 para. 1 lit. f GDPR – Legitimate interests (IT security, fraud prevention)
4. Hosting (IONOS)
This website is hosted by IONOS SE, Elgendorfer Str. 57, 56410 Montabaur, Germany. When visiting, the web server automatically captures IP address, timestamp, requested files, and referrer URL. This data is deleted after no more than 7 days.
Data Processing Agreement: Contract concluded with IONOS per Art. 28 GDPR.
5. Backend Infrastructure (Supabase)
For authentication, data storage, and server-side logic, we use Supabase Inc. Our project is hosted in AWS eu-central-1 (Frankfurt) – all data remains in the EU.
5.1 Data Processed
- Authentication: Email, encrypted password (bcrypt), login timestamp
- Profile data: Name, email, department, tenant assignment
- AI system entries: System ID, name, vendor, risk assessment
- Tenant data (B2B): Company name, license key, subscription status
5.2 AI-Powered Processing (Edge Functions)
For risk assessment, we use Supabase Edge Functions that call Anthropic Claude. No personal data is transmitted – only system name and use case. Anthropic contractually does not train its models on the transmitted data (no-training commitment); a data processing agreement (DPA) pursuant to Art. 28 GDPR is in place.
5.3 Security Measures
Encryption (TLS 1.2+ / AES-256), row-level security, regular EU backups, hosting with a SOC 2 Type II certified provider (Supabase).
6. Payment Processing (Stripe)
Paid licenses are processed via Stripe Payments Europe, Ltd. (Dublin, Ireland). Payment data is processed exclusively by Stripe and never stored on our servers.
Stripe Privacy Notice: stripe.com/en/privacy
7. AIGOY AI Governance Platform
7.1 Registration
Email address, name, and password (encrypted) are processed for use.
7.2 AI System Inventory and Risk Assessment
We store master data, risk assessments, and AI suggestions for your AI systems. This processing is required for documentation per EU AI Act, NIS2, and DORA.
7.3 Competency Certificates
Upon training completion, internal competency certificates are issued. These are not state-recognized certificates.
8. Local Data Storage
The application uses your browser's localStorage for language selection, AI system entries (cache), and session data. This data does not leave your computer.
9. Cookies & Technical Storage
10. Email Communication
Email inquiries are stored for processing. System notifications are sent via Supabase Auth.
11. Data Sharing with Third Parties
Current data processors: IONOS SE (DE, hosting), Supabase Inc. (EU Frankfurt, backend), Stripe Payments Europe (IE, payment), Anthropic PBC (USA, AI service, Claude model – transmitted data not used for training, DPA pursuant to Art. 28 GDPR).
12. Data Transfer to Third Countries
All personal data is processed within the EU/EEA: IONOS (DE), Supabase (Frankfurt), Stripe (Dublin). For any access from third countries, Standard Contractual Clauses apply.
AI service (Anthropic): For AI-assisted analyses and the Compliance CoWorker “Felix” we use the Claude model from Anthropic PBC (San Francisco, USA). Anthropic contractually does not train its models on the data transmitted via the API (no-training commitment). For the transfer to the USA, Standard Contractual Clauses (SCCs) pursuant to Art. 46 (2) (c) GDPR and the EU-U.S. Data Privacy Framework apply; a data processing agreement (DPA) pursuant to Art. 28 GDPR is in place. EU inference (e.g. via AWS Bedrock in Frankfurt) and customer-side model/key choice (BYOK) are in preparation.
13. Storage Duration
- Server log files: max. 7 days
- Account data: until account deletion + retention periods
- Invoice data: 10 years (§147 German Tax Code)
- AI register entries: min. 5 years (EU AI Act documentation obligation)
14. Your Rights (GDPR)
Access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), data portability (Art. 20), objection (Art. 21), withdrawal of consent.
Contact: · Processing deadline: max. 1 month.
15. Right to Lodge a Complaint
Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI)
Ludwig-Erhard-Str. 22, 7th Floor · 20459 Hamburg
Phone: +49 40 42854-4040 · [email protected]
datenschutz-hamburg.de
16. AI-Powered Risk Assessment
The AIGOY Platform offers an AI-powered risk assessment as a guidance tool. It does not replace legal review. AIGOY assumes no liability for decisions based on AI-powered risk assessment.
17. Changes
We reserve the right to update this Privacy Policy. Material changes will be announced.