ActScope

Privacy Policy

Last updated: 27 April 2026

1. Who we are (the controller)

ActScope is operated by [Legal entity name, e.g. ActScope B.V.], a company registered in [country / Chamber of Commerce number], with its registered office at Haringbuisdijk 103, 1086 VA Amsterdam, Netherlands (“ActScope”, “we”, “us”, “our”). We are the controller of personal data processed through actscope.eu and related services (the “Service”) within the meaning of Article 4(7) of Regulation (EU) 2016/679 (the “GDPR”).

For privacy matters, contact us at privacy@actscope.eu.

2. Scope of this policy

This policy applies to personal data we collect when you (a) visit actscope.eu; (b) use our free AI Act risk classifier; (c) sign up for an account or paid subscription; (d) contact us. Where you use ActScope inside an organisation that has its own agreement with us, that organisation may itself be a controller for certain processing — in which case our role is governed by the data processing agreement between us and that organisation.

3. Personal data we collect

A. Data you provide directly

  • Account: full name, work email address, password (hashed), company name, country, industry, company size.
  • Compliance contact (DPO): name and email of the person you nominate as your AI Act compliance contact for use inside generated documents.
  • Classifier inputs: the descriptions, answers, and supporting text you submit to the risk classifier and document generator (which may incidentally include personal data of third parties — see Section 4).
  • Generated content: compliance documents you create, edit, or upload.
  • Support: messages and attachments you send via the contact or support forms.
  • Billing: name, billing address, VAT identification number, and payment details (processed directly by Stripe — see Section 6).

B. Data we collect automatically

  • Authentication and session cookies (strictly necessary).
  • Server logs: IP address, user agent, request path, response status, timestamps. Used for security and abuse-prevention.
  • Product analytics via PostHog (EU region): pseudonymous events about feature usage. We do not use cross-site tracking or advertising cookies.

4. Legal bases for processing

We process personal data only where one of the following applies:

  • Contractual necessity (Art. 6(1)(b) GDPR) — to provide the Service: account creation, authentication, classifier execution, document generation, billing, customer support.
  • Legal obligation (Art. 6(1)(c)) — accounting and tax record-keeping; responding to lawful requests from competent authorities.
  • Legitimate interests (Art. 6(1)(f)) — service security, fraud and abuse prevention, defending legal claims, and informing existing customers about material product changes. We have weighed these interests against your rights and do not consider them to override your privacy.
  • Consent (Art. 6(1)(a)) — receiving the optional drip-email series following a free classification, and any future marketing communications. Consent can be withdrawn at any time without affecting prior processing — see Section 9.

Classifier inputs may incidentally contain personal data of third parties (e.g. employees affected by an AI system you describe). You are responsible for ensuring you have a lawful basis to share that data with us; for the processing we carry out on your behalf, see the Data Processing Agreement referred to in Section 11.

5. AI processing and automated decisions

Inputs you submit to the classifier and document generator are sent to Anthropic, PBC (United States) for processing by the Claude API. Our agreement with Anthropic prohibits the use of customer data for training Anthropic's models. Anthropic processes the data as a sub-processor on our instructions and retains it only for the period required to provide its API service.

Article 22 GDPR (automated individual decisions). The classifier and document generator are decision-support tools, not automated decision-makers. They produce informational outputs — risk tier suggestions, obligation lists, draft documents — that you review and decide whether to act on. They do not by themselves produce legal effects on, or similarly significantly affect, any natural person. You remain the decision-maker for any compliance action taken on the basis of an output.

6. Sub-processors

We use the following sub-processors to operate the Service:

  • Supabase — database, authentication, storage. Hosting region: [your Supabase project region].
  • Vercel Inc. (United States) — web hosting and edge runtime.
  • Anthropic, PBC (United States) — Claude API for classification and document generation.
  • Stripe Payments Europe, Limited (Ireland) and Stripe, Inc. (United States) — subscription billing and payment processing. Stripe is an independent controller for fraud-prevention and regulatory purposes.
  • Resend (United States) — transactional and drip emails.
  • PostHog (EU region) — product analytics.

We will give existing customers prior notice (at least 30 days) of any new or replacement sub-processor that processes personal data, with a reasonable opportunity to object on legitimate grounds.

7. International data transfers

Some sub-processors are located outside the European Economic Area, primarily the United States. Where we transfer personal data outside the EEA we rely on the following safeguards (Articles 44–49 GDPR):

  • The European Commission's Standard Contractual Clauses (Decision 2021/914) signed with the relevant sub-processor, supplemented where appropriate by additional technical and organisational measures (encryption in transit and at rest, access controls, logging).
  • Where a recipient is certified under the EU–US Data Privacy Framework, we additionally rely on that certification.

You may obtain a copy of the safeguards in place for a specific transfer by contacting us at privacy@actscope.eu.

8. Retention

  • Account data — while your account is active and for up to 6 years after closure, to meet Dutch tax and accounting record-keeping obligations and to defend potential claims.
  • AI systems, classifications, documents — while your account is active. Deleted on request or 30 days after account closure, whichever is sooner.
  • Anonymous classifier sessions (no email captured) — pseudonymised and retained for up to 90 days for product-quality monitoring.
  • Drip-email leads — retained until you unsubscribe or 24 months after the last email is sent, whichever comes first.
  • Server logs — 30 days.
  • Support correspondence — 24 months.
  • Billing and tax records — 7 years (Dutch fiscal retention requirement).

Where retention exceeds the period required to deliver the Service it is justified by a legal obligation or legitimate interest, as identified in Section 4.

9. Your rights under the GDPR

You have the following rights, subject to the conditions in the GDPR:

  • Access (Art. 15) — confirmation of, and a copy of, your personal data.
  • Rectification (Art. 16) — correction of inaccurate or incomplete data.
  • Erasure (Art. 17) — deletion in defined circumstances (“right to be forgotten”).
  • Restriction (Art. 18) — temporary restriction on processing.
  • Portability (Art. 20) — receive your data in a structured, machine-readable format.
  • Object (Art. 21) — object to processing carried out under legitimate interests, including direct marketing.
  • Withdraw consent (Art. 7(3)) at any time, where processing is based on consent.
  • Not be subject to a solely automated decision with legal effects (Art. 22). See Section 5.

To exercise any of these rights, email privacy@actscope.eu. We will respond within one month and may extend by up to two months for complex requests, with notice. We may need to verify your identity before acting on a request.

If you believe we have not handled your data lawfully, you may lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, autoriteitpersoonsgegevens.nl) or the supervisory authority in your EU member state of residence or workplace.

10. Security

We apply technical and organisational measures appropriate to the risk, including: encryption of data in transit (TLS 1.2+) and at rest, hashed password storage, role-based access controls, strict separation of customer tenants via row-level security in the database, audit logging of administrative actions, dependency vulnerability scanning, and least-privilege access for staff. We test our backups periodically. No system is perfectly secure; in the event of a personal-data breach likely to result in a risk to your rights, we will notify the supervisory authority within 72 hours and, where required, notify affected users without undue delay.

11. Customers acting as controllers (DPA)

Where you use ActScope to process personal data of your own customers, employees, or other data subjects, we act as a processor under Article 28 GDPR and you act as the controller. A Data Processing Agreement (DPA) incorporating the Standard Contractual Clauses where applicable is available on request from privacy@actscope.eu and is automatically incorporated into your subscription terms.

12. Cookies and similar technologies

We use only strictly necessary cookies (authentication, session, CSRF) and a preference cookie that stores your selected colour theme. We do not use third-party advertising cookies, cross-site tracking, or fingerprinting. Our product analytics (PostHog, EU region) operate on pseudonymous events and respect Do-Not-Track signals.

13. Children

ActScope is a B2B service not directed at children. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, contact privacy@actscope.eu and we will delete it promptly.

14. Changes to this policy

We may update this policy to reflect changes in the Service, in our sub-processors, or in applicable law. We will post the updated version with a new “Last updated” date and, for material changes affecting registered users, give reasonable advance notice (typically by email and a banner inside the dashboard). Your continued use after the effective date constitutes acceptance.

15. Contact

ActScope — Data Protection Contact
privacy@actscope.eu
Haringbuisdijk 103, 1086 VA Amsterdam, Netherlands