Straitéis AI
Data Processing Terms
Last updated: 8 March 2026
GDPR Compliance Notice: These terms comply with the EU General Data Protection Regulation (GDPR). Your data is processed exclusively in the European Union. You have full rights to access, export, and delete your data at any time.
1. Data Controller
Straitéis AI ("we", "us", "our") is the data controller responsible for your personal data. We are committed to protecting your privacy and ensuring transparency in how we collect, use, and store your information.
Contact: For data protection enquiries, contact us via your account settings or email support.
2. Legal Basis for Processing
We process your personal data on the following legal bases under GDPR:
- Consent (Article 6(1)(a) GDPR): You explicitly consent to the collection and processing of your data when you register for our services.
- Contractual Necessity (Article 6(1)(b) GDPR): Processing is necessary to provide the AI maturity assessment services you requested.
- Legitimate Interests (Article 6(1)(f) GDPR): We may process data for service improvement, security, and fraud prevention, balancing our interests with your rights.
3. Data We Collect
3.1 Account Data
When you create an account, we collect:
- Full name
- Email address
- Password (hashed using industry-standard bcrypt)
- Organisation name, industry, and size (optional)
3.2 Assessment Data
When you complete assessments, we collect:
- Your responses to assessment questions
- AI-generated maturity scores and analysis
- Timestamps of assessment completion
3.3 Technical Data
For security and service delivery, we automatically collect:
- IP address (for fraud prevention)
- Browser type and version
- Access timestamps
No cookies: We use JWT (JSON Web Token) authentication only. No tracking cookies or third-party analytics are used.
4. How We Use Your Data
Your data is used exclusively for the following purposes:
- Service Delivery: To provide AI maturity assessments, generate reports, and manage your account.
- AI Processing: Your assessment responses are processed by Claude AI (Anthropic) to generate maturity scores and recommendations. This processing occurs in the EU only.
- Communication: To send essential service notifications (password resets, assessment completion).
- Security: To protect against unauthorised access and ensure service integrity.
- Improvement: Anonymised, aggregated data may be used to improve our services. Individual responses are never shared.
5. Data Sharing and Third Parties
We do not sell your data. Data is shared only with the following trusted service providers, all of which are GDPR-compliant:
- Anthropic (Claude AI): Processes assessment responses to generate scores and analysis. Data is processed in the EU.
- Database Hosting (Neon): Stores encrypted data in EU data centres (Ireland region).
- Application Hosting (Render): Hosts our application infrastructure in EU regions.
All third-party processors have signed Data Processing Agreements (DPAs) ensuring GDPR compliance.
6. Data Retention
We retain your data as follows:
- Account Data: Retained while your account is active. Deleted within 30 days of account deletion request.
- Assessment Data: Retained while your account is active. Deleted with account deletion.
- Technical Logs: Retained for 90 days for security purposes, then automatically deleted.
- Backups: Encrypted backups are retained for 30 days for disaster recovery, then permanently deleted.
You can request immediate deletion at any time (see Section 7).
7. Your Rights Under GDPR
You have the following rights regarding your personal data:
7.1 Right of Access (Article 15 GDPR)
You can request a copy of all personal data we hold about you. Access your data export tool in account settings.
7.2 Right to Rectification (Article 16 GDPR)
You can update or correct your data at any time through your account settings.
7.3 Right to Erasure / "Right to be Forgotten" (Article 17 GDPR)
You can request complete deletion of your account and all associated data. This includes:
- All account information
- All assessment responses and scores
- All AI-generated reports
Deletion process: Initiated via account settings. Permanent deletion occurs within 30 days. Backups are purged after the 30-day retention period.
7.4 Right to Data Portability (Article 20 GDPR)
You can export your data in machine-readable format (JSON) at any time through account settings.
7.5 Right to Restrict Processing (Article 18 GDPR)
You can request restriction of processing while we verify data accuracy or resolve disputes.
7.6 Right to Object (Article 21 GDPR)
You can object to processing based on legitimate interests. We will cease processing unless we have compelling legitimate grounds.
7.7 Right to Withdraw Consent (Article 7(3) GDPR)
You can withdraw consent at any time. This does not affect the lawfulness of processing before withdrawal. Withdrawing consent may prevent us from providing services.
8. Data Security
We implement robust security measures to protect your data:
- Encryption: All data is encrypted in transit (TLS 1.3) and at rest (AES-256).
- Authentication: Passwords are hashed using bcrypt. JWT tokens expire after 7 days.
- Access Controls: Strict role-based access. Only authorised personnel can access production systems.
- Monitoring: Continuous security monitoring for unauthorised access attempts.
- Incident Response: Data breaches are reported to relevant authorities within 72 hours as required by GDPR Article 33.
9. EU Data Residency
All data is processed and stored exclusively in the European Union. We use the following EU regions:
- Database: Neon PostgreSQL (Ireland region)
- Application: Render (EU region)
- AI Processing: Anthropic Claude (EU-based processing)
No data is transferred outside the EU. No US-based processing occurs.
10. Consent Management
When you register, you provide explicit consent for data processing. You can:
- Review consent: See what you consented to in account settings.
- Withdraw consent: Request account deletion to withdraw all consent.
- Modify consent: Update preferences in account settings.
Consent is recorded with timestamps for audit purposes (consent_given_at, data_processing_agreed_at).
11. AI Processing Transparency (EU AI Act Compliance)
Straitéis AI uses AI-assisted scoring to evaluate your assessment responses. In compliance with the EU AI Act:
- Transparency: All AI-generated content is clearly labelled with an "AI-generated" badge.
- Human Oversight: Assessment scores are generated by AI but can be reviewed by you. You control whether to accept or reject recommendations.
- Explainability: AI-generated scores include reasoning and methodology explanations.
- No Automated Decisions: We do not make automated decisions with legal or significant effects. All assessments are advisory.
12. Children's Data
Our services are not directed at children under 16. We do not knowingly collect data from children. If we discover such data, it will be deleted immediately.
13. Changes to These Terms
We may update these terms to reflect legal or operational changes. Material changes will be communicated via email. Continued use after changes constitutes acceptance.
Version history: Available in account settings.
14. Supervisory Authority
You have the right to lodge a complaint with your local data protection authority if you believe your data rights have been violated. In Ireland (our primary jurisdiction), the supervisory authority is:
Data Protection Commission (DPC)
Website: www.dataprotection.ie
15. Contact Us
For data protection enquiries, requests, or complaints:
- Via settings: Use the data management tools in your account settings.
- Support: Contact via in-app support or email.
We respond to all data subject requests within 30 days as required by GDPR Article 12.
Summary: You own your data. You can access, export, or delete it at any time. We process data securely in the EU only. No cookies, no tracking, no data sales.