Privacy Policy

Data Controller: Vigil AI
Address: Riva Paradiso 24 A, 6900 Paradiso
Switzerland
Email: vigilaiact@gmail.com

If you have questions about how we process your data, contact us at vigilaiact@gmail.com.

We collect the following categories of personal data:

Data you provide directly:

• Email address (when subscribing to deadline reminders or joining the waitlist)
• Company name, industry, and size (for compliance scanning)
• Descriptions of AI systems you enter into the scanner

Payment data (Assessment report purchases):

• Payments are processed by Paddle.com (our Merchant of Record). We do not directly collect, store, or have access to your full credit card number or payment credentials.
• Paddle shares with us: your name, email address, billing country, transaction amount, and order reference number — for the purpose of fulfilling your purchase and providing customer support.
• For Paddle's data handling practices, see Paddle's Privacy Policy.

Data collected automatically:

• IP address (anonymized after 30 days)
• Browser type and version
• Pages visited and time spent
• Referring website
• Device type and screen resolution

Data we do NOT collect:

• Your AI system descriptions are transmitted to our server and forwarded to Anthropic's API for classification. We do not persist scan results — they are returned to your browser and discarded.
• We do not directly collect or store credit card numbers, bank account details, or other payment credentials. All payment processing is handled by Paddle.

We use your data for the following purposes:

• To provide the Service: Processing your AI system information to generate compliance classifications and reports.
• To deliver reports: Generating and enabling download of your PDF compliance report.
• To process payments: Facilitating your Assessment report purchase through Paddle, including order fulfilment and providing purchase receipts.
• To communicate with you: Sending compliance-relevant updates if you opt in via the waitlist or email subscription (you can unsubscribe at any time).
• To improve the Service: Analyzing anonymized, aggregated usage patterns to improve our scanning accuracy and user experience.
• To ensure security: Detecting and preventing abuse of the Service.

Under the GDPR, we process your data on the following legal bases:

• Consent (Art. 6(1)(a)): For marketing communications and non-essential cookies.
• Contractual necessity (Art. 6(1)(b)): For providing the compliance scanning service you request.
• Legitimate interest (Art. 6(1)(f)): For service improvement and security, where our interest does not override your rights.

We do not sell your personal data. We share data only with:

• AI processing providers: Your AI system descriptions are sent to Anthropic's Claude API for classification. This data is processed per Anthropic's data processing terms and is not used to train models. See Anthropic's Privacy Policy.
• Payment processor: Paddle.com Market Limited processes payments as our Merchant of Record. When you purchase the Assessment report, Paddle receives your payment details, name, email, and billing address to process the transaction and handle tax compliance. Paddle is based in the United Kingdom with EU operations and processes personal data in compliance with GDPR. See Paddle's Privacy Policy.
• Hosting and infrastructure providers: Located in the EU/EEA, bound by data processing agreements.
• Legal requirements: If required by law, regulation, or valid legal process.

Scan data: Not stored. Processed entirely in your browser session. Note: if you purchase an Assessment report, your email address is stored in our payment verification system to enable report access.

Payment records: Transaction records (order reference, email, amount, date) are retained for 7 years to comply with EU tax and accounting obligations. Full payment credentials are held only by Paddle per their retention policies.

Contact information: Retained for as long as you remain on our mailing list. Deleted within 30 days of unsubscription.

Anonymized analytics: Retained for up to 26 months.

Server logs: IP addresses anonymized after 30 days. Logs deleted after 90 days.

Under the GDPR, you have the right to:

• Access your personal data (Art. 15)
• Rectify inaccurate data (Art. 16)
• Erase your data ("right to be forgotten") (Art. 17)
• Restrict processing (Art. 18)
• Data portability (Art. 20)
• Object to processing (Art. 21)
• Withdraw consent at any time (Art. 7(3))

To exercise any of these rights, email us at vigilaiact@gmail.com. We will respond within 30 days.

You also have the right to lodge a complaint with your national data protection supervisory authority.

We use cookies to operate and improve the Service. For full details, see our Cookie Policy.

Essential cookies are required for the Service to function. Analytics and marketing cookies are only set with your consent.

Your data may be processed outside the EU/EEA by the following US-based providers:

• Anthropic (AI classification): Governed by Standard Contractual Clauses (SCCs) approved by the European Commission.
• Paddle (payment processing): Based in the UK with EU operations, GDPR-compliant as Merchant of Record.

All other data processing occurs within the EU/EEA.

We implement appropriate technical and organisational measures to protect your personal data, including encryption in transit (TLS), access controls, and regular security reviews.

We are committed to maintaining appropriate security standards.

We may update this Privacy Policy from time to time. We will notify you of material changes by updating the "Last updated" date at the top of this page. For significant changes affecting your rights, we will provide prominent notice on the Service.

For any questions about this Privacy Policy or your personal data:

Email: vigilaiact@gmail.com
Subject line: "Privacy Inquiry"