Privacy Policy
Last updated: 15 May 2026
1. Data Controller
The data controller responsible for your personal data is:
EU ACT Guard
Operated by Dhanmeet Singh Nijhawan
Stuttgart, Baden-Württemberg, Germany
Email: privacy@euactguard.com
Website: https://euactguard.com
For all data protection enquiries, contact us at: privacy@euactguard.com
2. Overview
EU ACT Guard ("we", "our", "us") operates euactguard.com, an EU AI Act compliance scanning platform. This privacy policy explains what personal data we collect, why we collect it, how we use it, and your rights under the General Data Protection Regulation (GDPR) — Regulation (EU) 2016/679.
We are committed to processing your personal data lawfully, fairly, and transparently. We collect only what we need and retain it only as long as necessary.
3. Data We Collect and Why
3.1 Account data
When you create an account, we collect:
- Email address — to identify your account, send you scan results, and communicate access approvals
- Name (optional) — if you provide it during signup
- Authentication provider data — if you sign in with Google, we receive your email and display name from Google OAuth
Legal basis: Article 6(1)(b) GDPR — performance of a contract (providing you the service you signed up for).
3.2 GitHub repository data
When you connect a GitHub repository for scanning, we use GitHub OAuth to request read-only access. We access your repository files temporarily to analyze them for EU AI Act compliance patterns.
What we store: We store the scan findings (file paths, line numbers, violation descriptions) and the repository URL. We do not store the source code itself.
Legal basis: Article 6(1)(b) GDPR — performance of a contract.
3.3 Website and policy scan data
When you provide a website URL or privacy policy text for scanning, we crawl the provided URL and analyze the content. We store the scan results (findings, scores, recommendations) but not the full crawled HTML.
Legal basis: Article 6(1)(b) GDPR — performance of a contract.
3.4 Questionnaire responses
When you complete our AI governance questionnaire, we store your answers to generate your compliance report. These answers describe your AI governance practices, not your end users.
Legal basis: Article 6(1)(b) GDPR — performance of a contract.
3.5 Waitlist data
If you join our waitlist, we store your email address and the date you joined. We use this to notify you when your access is approved.
Legal basis: Article 6(1)(a) GDPR — your consent (given when you click "Join waitlist").
3.6 Usage data and logs
We collect basic technical logs including:
- IP address (anonymized after 30 days)
- Browser type and version
- Pages visited and timestamps
- Scan start and completion events
Legal basis: Article 6(1)(f) GDPR — legitimate interest in operating and improving our service.
3.7 Cookies
We use cookies as described in Section 8 of this policy. Analytics cookies are used only with your consent.
4. AI Processing and Automated Analysis
Our platform uses artificial intelligence to analyze your repository, website, and privacy policy. This processing is automated and produces compliance scores and recommendations.
AI providers we use:
- Anthropic, Inc. — Claude API — used for executive summary generation and policy analysis. Data Processing Agreement: signed. Data location: United States (with Standard Contractual Clauses).
- OpenAI Ireland Ltd — GPT API — used for remediation plan generation. Data Processing Agreement: signed. Data location: EU/United States (with SCC).
We send only the minimum necessary data to these providers — typically anonymized code snippets or policy text excerpts. We do not send your personal data to AI providers.
Automated decision-making: Our compliance scores and risk classifications are generated automatically. These are informational outputs to assist your compliance work — they do not constitute legal advice and do not produce legal effects. You have the right to request human review of any automated finding by contacting us at privacy@euactguard.com.
5. Data Sharing and Processors
We share your data only with processors necessary to operate our service. All processors are bound by Data Processing Agreements.
| Processor | Purpose | Location |
|---|---|---|
| Supabase Inc. | Database and authentication | EU (Ireland) |
| Vercel Inc. | Hosting and CDN | EU / USA (SCC) |
| Anthropic, Inc. | AI analysis (anonymized excerpts only) | USA (SCC) |
| OpenAI Ireland Ltd | AI analysis (anonymized excerpts only) | EU / USA (SCC) |
| GitHub, Inc. | Repository access (OAuth, read-only) | USA (SCC) |
| Google LLC | OAuth sign-in (if used) | USA (SCC) |
We do not sell your data. We do not share your data with third parties for marketing purposes.
6. International Data Transfers
Some of our processors are based outside the European Economic Area. Where data is transferred to the United States, we ensure appropriate safeguards are in place through Standard Contractual Clauses (SCCs) approved by the European Commission under Article 46(2)(c) GDPR.
7. Data Retention
| Data type | Retention period |
|---|---|
| Account data | Until account deletion, then 30 days |
| Scan results and reports | 24 months from scan date, or until account deletion |
| Waitlist data | Until waitlist withdrawn or 24 months |
| Server logs | 90 days |
| IP addresses | Anonymized after 30 days |
| Cookie consent records | 12 months |
8. Cookies
We use the following categories of cookies:
Essential cookies
Required for the platform to function. Cannot be disabled.
- supabase-auth-token — keeps you logged in. Session duration.
- euactguard_cookie_consent — stores your cookie preference. 12 months.
Analytics cookies (consent required)
Used to understand how visitors use our platform so we can improve it. Only set if you accept analytics cookies.
Marketing cookies (consent required)
Used to understand which channels bring users to our platform. Only set if you accept marketing cookies.
You can change your cookie preferences at any time by clicking "Cookie Settings" in the footer.
9. Your Rights Under GDPR
Under GDPR, you have the following rights:
- Right of access (Art. 15) — request a copy of all personal data we hold about you
- Right to rectification (Art. 16) — correct inaccurate personal data
- Right to erasure (Art. 17) — request deletion of your personal data ("right to be forgotten")
- Right to restriction (Art. 18) — request that we limit processing of your data
- Right to data portability (Art. 20) — receive your data in a structured, machine-readable format
- Right to object (Art. 21) — object to processing based on legitimate interest
- Right to withdraw consent (Art. 7) — withdraw consent at any time where processing is based on consent
- Right not to be subject to automated decisions (Art. 22) — request human review of automated compliance findings
To exercise any of these rights, contact us at: privacy@euactguard.com
We will respond within 30 days. We do not charge for exercising your rights.
You also have the right to lodge a complaint with your national supervisory authority. In Germany, this is the Landesbeauftragte für den Datenschutz Baden-Württemberg (LfDI BW): www.baden-wuerttemberg.datenschutz.de
10. Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption in transit (TLS 1.3)
- Encryption at rest (AES-256)
- Row-level security on all database tables
- Access controls — staff access limited to what is necessary
- Regular security review of our codebase
If you discover a security vulnerability, please report it to: security@euactguard.com
11. Children
Our service is not directed at children under 16. We do not knowingly collect personal data from children. If you believe we have collected data from a child, contact us immediately at privacy@euactguard.com.
12. Changes to This Policy
We may update this policy as our service evolves or as legal requirements change. We will notify you of material changes by email and by updating the "Last updated" date at the top of this page.
Continued use of the service after changes are posted constitutes acceptance of the updated policy.
13. Contact
For all privacy-related questions, requests, or complaints:
Email: privacy@euactguard.com
Response time: Within 30 days
Postal: EU ACT Guard, Stuttgart, Baden-Württemberg, Germany