Privacy Policy

Last updated: 11 March 2026

1. Data Controller

The data controller for AIPolicyKit is:

NLEJ Development
CVR: 46258304
Copenhagen, Denmark
Email: nlej@cimalys.com

2. What Data We Collect

We collect the following categories of personal data:

  • Account data: Email address, hashed password (for email sign-up), or OAuth profile information (for Google sign-in).
  • Company profile data: Company name, industry, size, AI tools used, use cases, data handling practices, and regulatory concerns — as provided by you through the questionnaire.
  • Generated documents: The policy documents created by the Service based on your inputs.
  • Usage data: Generation logs (timestamps, token counts) for enforcing plan limits.
  • Payment data: If you subscribe to a paid plan, payment is processed by Stripe. We store your Stripe customer ID and subscription ID but do not store credit card numbers or full payment details.

3. How We Use Your Data

We use your data to:

  • Provide and operate the Service, including generating personalised policy documents
  • Manage your account and authenticate your identity
  • Process payments and manage subscriptions
  • Enforce usage limits based on your plan
  • Improve the Service and fix issues
  • Communicate with you about your account or changes to the Service

4. Legal Basis for Processing (GDPR)

We process your personal data on the following legal bases:

  • Contract performance: Processing necessary to provide the Service you signed up for (Art. 6(1)(b) GDPR).
  • Legitimate interest: Service improvement, security, and fraud prevention (Art. 6(1)(f) GDPR).
  • Consent: Where required, such as for optional communications (Art. 6(1)(a) GDPR).

5. Third-Party Processors

We use the following third-party services to operate AIPolicyKit:

  • Supabase (database and authentication) — stores your account data, company profiles, and generated documents. Hosted in the EU.
  • OpenRouter / Anthropic (AI generation) — your company profile data is sent to the AI model to generate policy documents. This data is not retained by the AI provider beyond the API request.
  • Stripe (payment processing) — processes subscription payments. Subject to Stripe's Privacy Policy.
  • Vercel (hosting) — serves the application. Subject to Vercel's Privacy Policy.
  • Google (OAuth authentication) — if you sign in with Google. Subject to Google's Privacy Policy.

6. Data Retention

We retain your data for as long as your account is active. If you delete your account, we will delete your personal data and generated documents within 30 days, except where retention is required by law. Payment records may be retained for tax and accounting purposes as required by Danish law.

7. Your Rights (GDPR)

Under the General Data Protection Regulation, you have the right to:

  • Access — request a copy of the personal data we hold about you
  • Rectification — request correction of inaccurate data
  • Erasure — request deletion of your data ("right to be forgotten")
  • Restriction — request that we limit processing of your data
  • Portability — receive your data in a structured, machine-readable format
  • Objection — object to processing based on legitimate interest
  • Withdraw consent — where processing is based on consent, withdraw it at any time

To exercise any of these rights, contact us at nlej@cimalys.com. We will respond within 30 days.

8. International Transfers

Your data may be processed outside the EU/EEA by our sub-processors (e.g., AI model providers hosted in the US). Where this occurs, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission.

9. Cookies

AIPolicyKit uses essential cookies only, required for authentication and session management. We do not use tracking cookies, analytics cookies, or advertising cookies. No cookie consent banner is required as we only use strictly necessary cookies.

10. Security

We implement appropriate technical and organisational measures to protect your personal data, including encryption in transit (TLS), row-level security in our database, and secure authentication flows. However, no method of transmission or storage is 100% secure, and we cannot guarantee absolute security.

11. Children

The Service is not directed at individuals under 16 years of age. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, contact us and we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by updating the "Last updated" date at the top of this page. Your continued use of the Service after changes constitutes acceptance of the revised policy.

13. Supervisory Authority

If you are unsatisfied with our handling of your personal data, you have the right to lodge a complaint with the Danish Data Protection Agency (Datatilsynet):

Datatilsynet
Carl Jacobsens Vej 35
2500 Valby, Denmark
www.datatilsynet.dk

14. Contact

For any privacy-related questions or requests, contact us at:

NLEJ Development
CVR: 46258304
Copenhagen, Denmark
Email: nlej@cimalys.com