Last updated: April 13, 2026
AI Attest collects the following categories of personal data:
Account data: name, email address when you create an account.
Project data: compliance documents you upload, artifacts you create, audit results, and compliance reports generated within the platform.
Usage analytics: we record events such as when you start an audit, complete an audit (including regulation selected, document count, and readiness score), and submit feedback. These events are linked to your user account.
Feedback: when you use the in-app feedback prompt, we store your rating, optional comment, the page it was submitted from, and your user ID.
Technical data: session cookies for authentication. We do not use tracking cookies, advertising cookies, or third-party analytics services.
Your data is used solely to provide and improve the compliance platform service:
Running audits, generating gap reports, building compliance artifacts, and maintaining your project history.
Analytics events are used to understand product usage patterns, identify friction points, and improve the user experience.
We do not sell, share, or use your data for advertising, profiling, or automated decision-making.
Your data is processed by the following third parties:
Neon (PostgreSQL): database hosting for account data, project data, analytics, and feedback. EU infrastructure.
AI model providers (Anthropic, OpenAI, Google): when you run an audit, your uploaded documents are sent to the AI provider you select for classification. You supply your own API key. All providers are contractually bound by their API terms, which prohibit training on API inputs.
IONOS: VPS hosting for the application server. EU infrastructure (Germany).
DigiCert: RFC 3161 trusted timestamping for the cryptographic audit trail.
Project data is stored on European infrastructure. The database is hosted on Neon (PostgreSQL, EU region). API keys are encrypted at rest using AES-256-GCM. All compliance artifacts are protected by SHA-256 hash chains and RFC 3161 trusted timestamps.
Authentication uses secure session cookies. Passwords are hashed with bcrypt. Login attempts are rate-limited.
Compliance data is retained for the duration required by the applicable regulation:
EU AI Act projects: 10 years (per Article 18)
GDPR DPIA projects: duration of processing + 3 years
CRA projects: 10 years (per Article 23)
You may request earlier deletion if no regulatory retention obligation applies. Projects under legal hold cannot be deleted regardless of retention period.
Under GDPR, you have the right to:
Access your personal data and receive a copy
Correct inaccurate personal data
Request deletion (subject to retention obligations)
Port your data to another service
Object to processing of your personal data
To exercise any of these rights, contact privacy@aiattest.io.
For privacy inquiries: privacy@aiattest.io
AI Attest — Privacy Policy — Updated April 13, 2026