Privacy Policy
What personal data we process, why we process it, how long we keep it, and which rights you have — aligned with GDPR and operational transparency.
Who we are
Agent Mai (“we”, “us”) provides an EU AI Act compliance software platform (the “Service”). This policy explains how we collect, use, store, and protect personal data when you use our websites, cloud application, APIs, support channels, and related communications — whether you are a trial user, a paying customer, or a visitor browsing our marketing pages.
Controller: Agent Mai
Scope: Website, app, API, support
Primary framework: GDPR
Data we process
At a glance
Data minimization: Only what is needed to run, secure, and bill for the Service.
Purpose limitation: Processing stays within the declared operational and contractual purposes.
Security by design: Encryption, access control, and monitoring are baseline controls.
Accountability: Policies, logs, and ownership support audits and dialogue with supervisory authorities.
Categories
- Account & contact data: name, work email, organization, job role or title, and billing identifiers when you purchase or trial the Service. We use this to provision access, invoice, and communicate about the contract.
- Usage & technical data: IP address, device and browser metadata, timestamps, request routing data, and diagnostic logs strictly necessary to operate, debug, and secure the Service, including detecting abuse and demonstrating availability.
- Content you submit: documents and text you upload for audits (e.g., model cards, technical specifications). We treat this as confidential business information and process it only to provide the Service and as described in your Data Processing Agreement unless otherwise agreed.
- Support communications: messages you send to support or sales inboxes, including attachments you choose to include, so we can resolve incidents and answer pre-sales questions.
Data minimization principle
We do not sell personal data. Fields that are optional stay optional; we avoid collecting sensitive categories unless strictly necessary and lawfully justified for a stated purpose.
Purposes & legal bases (GDPR)
We process personal data to perform our contract with you (Art. 6(1)(b) GDPR), to comply with legal obligations such as invoicing, tax records, and responding to lawful requests (Art. 6(1)(c)), and — where applicable — based on legitimate interests in securing our systems, preventing abuse, and improving reliability (Art. 6(1)(f)), balanced against your rights. Direct marketing, if any, relies on consent or soft opt-in as permitted by law.
Art. 6(1)(b): Contract performance (access, delivery, billing, and support).
Art. 6(1)(c): Legal obligations (tax, accounting, and regulatory cooperation).
Art. 6(1)(f): Legitimate interests (security monitoring, product improvement, fraud prevention).
International transfers
Where personal data is transferred outside the EEA, we implement appropriate safeguards such as the EU Commission Standard Contractual Clauses and supplementary measures (e.g., encryption, access restrictions) where required by risk assessment. Our product roadmap prioritizes EU-first hosting for production tenants; subprocessors and transfer mechanisms are listed in enterprise agreements and DPIA materials.
If you need a transfer impact assessment or a list of current hosting regions before procurement, contact your account team — we provide structured answers for security and legal review cycles.
Retention
Accounts, billing, and audit content
Schedules: We retain account and billing records for the duration of the relationship and, after termination, for as long as commercial and tax law requires. Retention of uploaded audit content is configurable per workspace; defaults follow your order form or administrator console, with export and deletion workflows for offboarding.
Logs and security telemetry
Rolling windows: Security and application logs are retained on a rolling basis proportionate to risk, long enough to investigate incidents and demonstrate controls to auditors, but not indefinitely. Aggregated analytics may be kept in reduced or pseudonymised form beyond the raw log window.
Your rights
Subject to applicable law, you may request access, rectification, erasure, restriction of processing, data portability, and objection to processing based on legitimate interests. You may also lodge a complaint with your supervisory authority. To exercise these rights, contact us at privacy@agentmai.example (placeholder address; replace with the production contact before launch). We may ask proportionate questions to verify your identity and the scope of the request.
Response commitment
Requests are handled through verified support channels, logged for accountability, and answered within statutory timelines. Complex requests involving multiple systems may be completed in phases with interim updates.
Security
We implement administrative, technical, and organizational measures including encryption in transit and at rest where applicable, least-privilege access, vulnerability management, and monitoring. No method of transmission is 100% secure; we work continuously to reduce risk and to document controls for customer assurance processes.
Control families
Identity, encryption, monitoring, logging, change management, and access governance mapped to operational roles.
Operational posture
Continuous hardening, incident playbooks, and periodic review as product features and threat models evolve.
Updates
Policy revisions
Material changes: We may update this policy to reflect new product capabilities, subprocessors, hosting regions, or legal requirements. The date at the top of this page indicates when the text was last substantively reviewed.
How we notify you
Channels: Material updates are communicated through the Service and, where appropriate, by email to administrators or billing contacts. We recommend revisiting this policy after major releases or before renewal discussions so that your records of processing stay accurate.
Structured for legal, security, and operations review. For enterprise assurance requests, contact your account owner.