Privacy Policy
Last updated: 22 March 2026
1. Data Controller
Abstract Colormix Studios, LLC d/b/a AI Comply ("we", "us", "our") is the data controller for personal data processed through the AI Comply HQ platform at aicomplyhq.com.
Contact: privacy@aicomplyhq.com
2. What Personal Data We Collect
2.1 Account Data
When you create an account, we collect:
- Email address (required for authentication)
- Full name (if provided)
- Organization name
2.2 Interview Data
When you use our compliance interview, we collect:
- Your responses to interview questions
- AI-generated follow-up questions and analysis
- Specificity scores for your answers
- Auto-filled form field values extracted by AI from your responses
- Your edits and approvals of auto-filled fields
- Interview session metadata (start time, completion time, mode, sections completed)
2.3 Voice Data (Voice Mode Only)
If you use voice mode, we additionally process:
- Audio recordings of your speech (processed in real time for transcription)
- Transcriptions of your spoken responses
Important: Voice audio is processed by Cartesia (our speech processing provider) for transcription and text-to-speech. See Section 5 for details.
2.4 Payment Data
Payment information (credit card numbers, billing address) is collected and processed directly by Stripe, our payment processor. We do not store your payment card details. We receive from Stripe: your subscription status, plan tier, and a Stripe customer identifier.
2.5 Analytics Data (With Your Consent)
If you accept analytics cookies, we collect anonymized usage data via Google Analytics, including: pages visited, features used, session duration, and general geographic region. Analytics data is only collected after you explicitly consent via our cookie banner.
2.6 Automatically Collected Data
- Authentication session tokens (strictly necessary cookies)
- Audit logs of significant actions (for security and compliance)
3. How We Use Your Data
| Purpose | Data Used | Legal Basis (GDPR Art. 6) |
|---|---|---|
| Provide the compliance interview service | Account data, interview responses | Contract (Art. 6(1)(b)) |
| Generate AI-powered compliance assessments | Interview responses sent to AI provider | Contract (Art. 6(1)(b)) |
| Process voice interviews | Voice audio, transcriptions | Consent (Art. 6(1)(a)) |
| Process subscription payments | Email, subscription tier (via Stripe) | Contract (Art. 6(1)(b)) |
| Analytics and service improvement | Anonymized usage data | Consent (Art. 6(1)(a)) |
| Security and fraud prevention | Audit logs, session data | Legitimate interest (Art. 6(1)(f)) |
4. AI System Disclosure (EU AI Act Article 50)
AI Comply HQ uses artificial intelligence to process your interview responses and generate compliance assessments. Specifically:
- Interview responses are processed by Anthropic's Claude AI model to generate follow-up questions, evaluate answer specificity, and extract structured compliance data.
- Voice audio (voice mode only) is processed by Cartesia's speech AI for transcription (speech-to-text) and spoken responses (text-to-speech).
- Risk classifications and auto-filled form fields are AI-generated outputs that should be reviewed by a qualified professional before use in any regulatory submission.
5. Third-Party Data Processors
We share personal data with the following processors, each under a Data Processing Agreement:
| Processor | Purpose | Location |
|---|---|---|
| Anthropic (Claude API) | AI interview processing | United States |
| Cartesia | Voice processing (STT/TTS) | United States |
| Supabase | Database and authentication | EU Region |
| Stripe | Payment processing | United States / EU |
| Netlify | Application hosting | Variable (CDN) |
| Google (Analytics) | Website analytics (consent-only) | United States |
6. International Data Transfers
Some of our processors are located outside the European Economic Area (EEA). For transfers to the United States and other third countries, we rely on:
- EU-US Data Privacy Framework adequacy decision (where applicable)
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Supplementary measures as required by the CJEU Schrems II ruling
7. Data Retention
- Account data: Retained for the duration of your account. Deleted within 30 days of account deletion request.
- Interview data: Retained for 12 months after interview completion, or until you request deletion.
- Voice recordings: Processed in real time. Audio is not stored after transcription.
- Payment data: Retained by Stripe per their data retention policy.
- Analytics data: Retained by Google Analytics for 26 months.
- Audit logs: Retained for 6 months (append-only).
8. Your Rights Under GDPR
You have the following rights regarding your personal data:
- Right of access (Art. 15): Request a copy of all personal data we hold about you.
- Right to rectification (Art. 16): Correct inaccurate personal data.
- Right to erasure (Art. 17): Request deletion of your personal data.
- Right to restriction (Art. 18): Request that we limit processing of your data.
- Right to data portability (Art. 20): Receive your data in a structured, machine-readable format.
- Right to object (Art. 21): Object to processing based on legitimate interest.
- Right regarding automated decisions (Art. 22): Our AI outputs are advisory and subject to human review, not automated decision-making with legal effects.
- Right to withdraw consent: Where processing is based on consent, you may withdraw at any time.
To exercise any of these rights, contact us at privacy@aicomplyhq.com. We will respond within 30 days.
9. Cookies
- Strictly necessary cookies: Authentication session tokens managed by Supabase. Cannot be disabled.
- Analytics cookies: Google Analytics cookies, loaded only after explicit consent via our cookie banner.
10. Data Security
We implement appropriate technical and organizational measures including:
- Encryption in transit (TLS/HTTPS on all connections)
- Encryption at rest (Supabase database encryption)
- Row-Level Security (RLS) ensuring organization-level data isolation
- Secure authentication via Supabase Auth
- Stripe webhook signature verification
- Append-only audit logging
11. Children
AI Comply HQ is a business-to-business service. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact us immediately.
12. Changes to This Policy
We may update this privacy policy to reflect changes in our data practices or legal requirements. Material changes will be communicated via email or a prominent notice on our platform.
13. Complaints
If you are dissatisfied with how we handle your personal data, you have the right to lodge a complaint with your local data protection supervisory authority. A list of EU/EEA supervisory authorities is available at edpb.europa.eu.
14. Contact
For privacy inquiries or data subject requests:
Email: privacy@aicomplyhq.com
General: hello@aicomplyhq.com