Privacy Policy

How SetAIComply collects, uses, and protects your personal data under GDPR.

Last updated: March 2026

1. Introduction

This privacy policy describes how SetAIComply SAS (hereinafter "SetAIComply", "we", "our"), a simplified joint-stock company registered in France, collects, uses, stores, and protects the personal data of its users (hereinafter "you", "the User") in connection with the use of the SetAIComply SaaS platform dedicated to compliance with the European Regulation on Artificial Intelligence (Regulation (EU) 2024/1689, hereinafter "AI Act").

This policy is established in accordance with the General Data Protection Regulation (EU) 2016/679 (hereinafter "GDPR") and Law No. 78-17 of 6 January 1978 on Information Technology, Data Files and Civil Liberties, as amended.

2. Data Controller

The data controller for personal data is:

3. Data Collected and Processing Purposes

3.1 Identification and Account Data

When creating your account and using the platform, we collect the following data:

  • Last name and first name
  • Professional email address
  • Company name and sector of activity of your organisation
  • Role within the organisation
  • Password (stored in hashed form)

Purpose: creation and management of your user account, authentication, service-related communications.

Legal basis: performance of the contract (Article 6.1.b of the GDPR).

3.2 Billing Data

For the processing of your payments, we collect:

  • Billing address
  • Intra-community VAT number (where applicable)
  • Invoice and payment history

Credit card data is collected and processed exclusively by our payment provider Stripe, Inc. and is never stored on our servers.

Purpose: billing, subscription management, compliance with accounting and tax obligations.

Legal basis: performance of the contract (Article 6.1.b of the GDPR) and legal obligation (Article 6.1.c of the GDPR).

3.3 Platform Usage Data

We collect data relating to your use of the platform:

  • Descriptions and parameters of AI systems you register on the platform
  • Risk classification results and compliance assessments
  • Generated documents (Annex IV technical documentation)
  • Action history and audit log
  • Comments and annotations

Purpose: provision of the AI Act compliance service, documentation generation, compliance monitoring.

Legal basis: performance of the contract (Article 6.1.b of the GDPR).

3.4 Technical and Connection Data

We automatically collect certain technical data:

  • IP address
  • Browser type and version
  • Operating system
  • Pages visited and navigation path
  • Date and time of connection
  • Session identifiers

Purpose: platform security, service improvement, technical diagnostics, compliance with legal obligations for connection data retention.

Legal basis: legitimate interest (Article 6.1.f of the GDPR) and legal obligation (Article 6.1.c of the GDPR).

3.5 Cookies

Our platform uses cookies strictly necessary for the operation of the service (authentication, session preferences). We do not use advertising cookies or third-party trackers for profiling purposes. For audience analysis cookies, your consent is obtained beforehand in accordance with Article 82 of the French Data Protection Act.

4. Use of Artificial Intelligence

Our platform uses artificial intelligence services provided by Anthropic, PBC (Claude API) for automated generation of technical documentation and assistance with AI system classification.

In this context, certain descriptive data of your AI systems (functional descriptions, use cases, technical parameters) may be transmitted to the Anthropic Claude API for request processing. This data is used exclusively to generate responses to your requests and is not used by Anthropic to train its models, in accordance with our data processing agreement with this sub-processor.

No personal data directly identifying natural persons is transmitted to the Anthropic Claude API in the normal course of platform use.

5. Data Recipients

Your personal data is accessible exclusively to:

  • Authorised SetAIComply personnel, strictly to the extent necessary for the performance of their duties
  • Our sub-processors, under the conditions described in Section 6
  • Where applicable, competent authorities in response to a legal obligation or court order

We never sell, rent, or share your personal data with third parties for commercial or advertising purposes.

6. Sub-processors and Data Transfers

We use the following sub-processors for the operation of the platform:

Sub-processor   | Purpose                                               | Data Location              | Guarantees
Scaleway SAS    | Infrastructure and database hosting                   | France (Paris, DC3/DC5)    | French sovereign cloud, ISO 27001 certified, HDS
Stripe, Inc.    | Payment processing                                    | European Union             | PCI DSS Level 1 certified, GDPR-compliant DPA
Anthropic, PBC  | AI-powered documentation generation (Claude API)      | United States              | GDPR-compliant DPA, European Commission standard contractual clauses (SCCs)

The transfer of data to the United States (Anthropic) is governed by the standard contractual clauses adopted by the European Commission (Implementing Decision 2021/914), supplemented by appropriate additional measures. Only descriptive data of AI systems is subject to this transfer; no directly identifying data is transferred.

7. Data Security

We implement appropriate technical and organisational measures to ensure the security of your data, including:

  • Encryption of data in transit (TLS 1.3) and at rest (AES-256)
  • Hosting on French sovereign infrastructure (Scaleway)
  • Secure authentication with password hashing (bcrypt)
  • Role-based access control (RBAC)
  • Access and action logging
  • Regular encrypted backups
  • Regular security testing and audits
  • Security incident management policy

8. Data Retention Periods

Your data is retained for the following periods:

  • Account data: for the duration of your subscription, then 3 years after account closure for litigation management purposes
  • Billing data: 10 years in accordance with accounting and tax obligations (Article L.123-22 of the French Commercial Code)
  • Usage data (AI systems, documents): for the duration of your subscription, then deleted within 90 days following account closure, unless a contrary legal obligation applies
  • Technical data and logs: 12 months in accordance with applicable legislation (Decree No. 2011-219 of 25 February 2011)
  • Cookies: 13 months maximum in accordance with CNIL recommendations

Upon expiry of these periods, your data is permanently deleted or irreversibly anonymised.

9. Your Rights

In accordance with the GDPR and the French Data Protection Act, you have the following rights over your personal data:

  • Right of access (Article 15 GDPR): obtain confirmation that data concerning you is being processed and obtain a copy
  • Right to rectification (Article 16 GDPR): request the correction of inaccurate data or the completion of incomplete data
  • Right to erasure (Article 17 GDPR): request the deletion of your data in the cases provided for by regulation
  • Right to restriction of processing (Article 18 GDPR): request the suspension of the processing of your data in certain cases
  • Right to data portability (Article 20 GDPR): receive your data in a structured, commonly used and machine-readable format
  • Right to object (Article 21 GDPR): object to the processing of your data based on legitimate interest
  • Right to define post-mortem directives: in accordance with Article 85 of the French Data Protection Act, define directives regarding the fate of your data after your death

To exercise your rights, you can contact us:

  • By email: [email protected]
  • By post: SetAIComply SAS - Data Protection Officer - Paris, France

We undertake to respond to your request within one month of receipt. This period may be extended by two months in the case of complex or numerous requests, in which case you will be informed.

You also have the right to lodge a complaint with the Commission Nationale de l'Informatique et des Libertés (CNIL):

CNIL - 3 Place de Fontenoy - TSA 80715 - 75334 PARIS CEDEX 07

Website: www.cnil.fr

10. Changes to the Privacy Policy

We reserve the right to modify this privacy policy at any time. In the event of a substantial modification, you will be informed by email or by a notification on the platform at least 30 days before the modifications take effect. Continued use of the platform after the modifications take effect constitutes acceptance of the modified policy.

11. Contact

For any questions regarding this privacy policy or the processing of your personal data, you can contact our Data Protection Officer at: [email protected].