Privacy Policy

As of March 2026 · In accordance with EU GDPR (Regulation 2016/679)

🏢 1. Controller

📋 2. General Data Processing

We process personal data only to the extent necessary for providing a functional AI Governance Platform as well as our content and services.

⚖ 3. Legal Bases

• Art. 6 para. 1 lit. a GDPR – Consent of the data subject
• Art. 6 para. 1 lit. b GDPR – Performance of a contract or pre-contractual measures
• Art. 6 para. 1 lit. c GDPR – Compliance with legal obligations (EU AI Act, NIS2, DORA)
• Art. 6 para. 1 lit. f GDPR – Legitimate interests (IT security, fraud prevention)

🌐 4. Hosting (IONOS)

This website is hosted by IONOS SE, Elgendorfer Str. 57, 56410 Montabaur, Germany. When visiting, the web server automatically captures IP address, timestamp, requested files, and referrer URL. This data is deleted after no more than 7 days.

Data Processing Agreement: Contract concluded with IONOS per Art. 28 GDPR.

🗄 5. Backend Infrastructure (Supabase)

For authentication, data storage, and server-side logic, we use Supabase Inc. Our project is hosted in AWS eu-central-1 (Frankfurt) — all data remains in the EU.

5.1 Data Processed

• Authentication: Email, encrypted password (bcrypt), login timestamp
• Profile data: Name, email, department, tenant assignment
• AI system entries: System ID, name, vendor, risk assessment
• Tenant data (B2B): Company name, license key, subscription status

5.2 AI-Powered Processing (Edge Functions)

For risk assessment, we use Supabase Edge Functions that call Anthropic Claude. No personal data is transmitted — only system name and use case.

5.3 Security Measures

Encryption (TLS 1.2+ / AES-256), row-level security, regular EU backups, SOC 2 Type II certified.

💳 6. Payment Processing (Stripe)

Paid licenses are processed via Stripe Payments Europe, Ltd. (Dublin, Ireland). Payment data is processed exclusively by Stripe and never stored on our servers.

Stripe Privacy Notice: stripe.com/en/privacy

📊 7. AIGOY AI Governance Platform

7.1 Registration

Email address, name, and password (encrypted) are processed for use.

7.2 AI System Inventory and Risk Assessment

We store master data, risk assessments, and AI suggestions for your AI systems. This processing is required for documentation per EU AI Act, NIS2, and DORA.

7.3 Competency Certificates

Upon training completion, internal competency certificates are issued. These are not state-recognized certificates.

💾 8. Local Data Storage

The application uses your browser's localStorage for language selection, AI system entries (cache), and session data. This data does not leave your computer.

🍪 9. Cookies & Technical Storage

✉ 10. Email Communication

Email inquiries are stored for processing. System notifications are sent via Supabase Auth.

🔄 11. Data Sharing with Third Parties

Current data processors: IONOS SE (DE, hosting), Supabase Inc. (EU Frankfurt, backend), Stripe Payments Europe (IE, payment), Anthropic PBC (USA, AI service — no personal data).

🌍 12. Data Transfer to Third Countries

All personal data is processed within the EU/EEA: IONOS (DE), Supabase (Frankfurt), Stripe (Dublin). For any access from third countries, Standard Contractual Clauses apply.

⏱ 13. Storage Duration

• Server log files: max. 7 days
• Account data: until account deletion + retention periods
• Invoice data: 10 years (§147 German Tax Code)
• AI register entries: min. 5 years (EU AI Act documentation obligation)

🛡 14. Your Rights (GDPR)

Access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), data portability (Art. 20), objection (Art. 21), withdrawal of consent.

Contact: info@aigoy.de · Processing deadline: max. 1 month.

📮 15. Right to Lodge a Complaint

🤖 16. AI-Powered Risk Assessment

The AIGOY Platform offers an AI-powered risk assessment as a guidance tool. It does not replace legal review. AIGOY assumes no liability for decisions based on AI-powered risk assessment.

📝 17. Changes

We reserve the right to update this Privacy Policy. Material changes will be announced.