Privacy Policy
This Privacy Policy explains how ActLinter Ltd (“Company,” “we,” “us,” or “our”) collects, processes, and protects personal data in connection with your use of the ActLinter platform (“Service”). We are committed to full compliance with Regulation (EU) 2016/679 (the General Data Protection Regulation, “GDPR”) and the Irish Data Protection Acts 1988–2018.
Zero-Retention Architecture
Documents you upload (PDFs, technical specifications, or any other compliance documentation) are processed entirely in volatile memory for the duration of a single analysis session. Upon session completion:
- Your documents are never written to persistent storage, databases, or file systems.
- No copies are retained on ActLinter servers, backup systems, or cold storage.
- Your document content is strictly NOT used to train, fine-tune, or improve any AI model, including Anthropic’s Claude or any other third-party model.
- Anthropic’s API is invoked under a data-processing agreement that prohibits training on customer inputs by default.
1. Data Controller
The data controller responsible for personal data processed through the Service is:
Where we act as a processor on behalf of an enterprise customer who has uploaded their own users’ data, that enterprise customer is the data controller and we act strictly as a data processor under a Data Processing Agreement (“DPA”) available on request.
2. Personal Data We Collect
Account Data
When you register, we collect your name, business email address, company name, and payment information (processed by Stripe — see Section 5). We retain this data for the lifetime of your account and for seven (7) years thereafter to comply with Irish financial record-keeping obligations.
Usage Data
We automatically collect technical data including IP addresses, browser type, pages visited, audit request timestamps, and aggregate feature usage. This data is pseudonymised and used solely for service improvement and security monitoring. Retention period: 12 months rolling.
Document Content (Zero-Retention — see above)
PDF files and technical documentation submitted for compliance analysis are processed in volatile memory only. They are not stored, indexed, or associated with your account in persistent form after the analysis session ends. We do not retain, log, or archive document content.
Compliance Report Data
Structured report outputs (compliance scores, risk classifications, article-by-article analyses) are stored against your account so that you can access your audit history. These reports do not contain your raw document content. Retention period: for the duration of your account plus 2 years, or until deletion is requested.
3. Legal Bases for Processing
We rely on the following GDPR legal bases:
- Contract performance (Art. 6(1)(b)): Processing account and billing data to deliver the Service you have subscribed to.
- Legitimate interests (Art. 6(1)(f)): Processing usage data to maintain security, prevent fraud, and improve service reliability.
- Legal obligation (Art. 6(1)(c)): Retaining financial transaction records to comply with tax and accounting law.
- Consent (Art. 6(1)(a)): For optional marketing communications, which you may withdraw at any time.
4. How We Use Your Data
- To authenticate your account and manage subscriptions.
- To process compliance analysis requests and deliver structured reports.
- To send transactional communications (receipts, audit completions, service notices).
- To detect and prevent fraud, abuse, and security incidents.
- To comply with legal obligations and respond to lawful requests from public authorities.
We will never sell your personal data to third parties, nor use it for behavioural advertising.
5. Third-Party Processors
We engage the following sub-processors under binding Data Processing Agreements. Each is selected for its GDPR compliance posture and, where applicable, Standard Contractual Clauses (“SCCs”) for international transfers.
Stripe, Inc.
- Location: United States (SCCs in place)
- Purpose: Payment processing
- Data processed: Card-holder name, billing address, payment card tokens. ActLinter never stores raw card numbers.
Anthropic, PBC
- Location: United States (SCCs in place)
- Purpose: AI inference (Claude API)
- Data processed: Document content passed as prompt context during analysis sessions only. Anthropic processes this data solely to return inference results and is contractually prohibited from using it for model training under the API Terms of Service.
Vercel, Inc.
- Location: United States / EU edge nodes (SCCs in place)
- Purpose: Frontend hosting and edge delivery
- Data processed: IP addresses, request logs (pseudonymised, 30-day retention).
6. International Data Transfers
Where personal data is transferred outside the European Economic Area (“EEA”) to processors located in the United States, we rely on the European Commission Standard Contractual Clauses (Module 2: Controller to Processor) as the transfer mechanism under GDPR Art. 46(2)(c). Copies of applicable SCCs are available on request at privacy@actlinter.com.
7. Your Rights Under GDPR
As a data subject, you have the following rights, exercisable free of charge within 30 days of a verified request submitted to privacy@actlinter.com:
- Right of Access (Art. 15): Obtain a copy of the personal data we hold about you and information about how it is processed.
- Right to Rectification (Art. 16): Request correction of inaccurate or incomplete personal data.
- Right to Erasure (Art. 17): Request deletion of your personal data where no overriding legal basis exists for continued processing.
- Right to Restriction (Art. 18): Request that we limit processing of your data in certain circumstances (e.g., while accuracy is disputed).
- Right to Data Portability (Art. 20): Receive your personal data in a structured, machine-readable format (JSON/CSV) and transmit it to another controller.
- Right to Object (Art. 21): Object to processing based on legitimate interests, including profiling.
- Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
You also have the right to lodge a complaint with the Irish Data Protection Commission (DPC) at dataprotection.ie or the supervisory authority in your EU Member State of habitual residence.
8. Data Security
We implement technical and organisational measures appropriate to the risks presented by our processing activities, including:
- TLS 1.3 encryption in transit for all data flows between client, server, and sub-processors.
- AES-256 encryption at rest for all persistent account and report data.
- Role-based access controls and principle of least-privilege for internal systems.
- Regular automated vulnerability scanning and annual third-party penetration testing.
- In-memory-only processing of uploaded documents with no disk write path.
In the event of a personal data breach likely to result in high risk to individuals, we will notify the Irish DPC within 72 hours and affected data subjects without undue delay, as required by GDPR Art. 33–34.
9. Cookies
We use strictly necessary cookies for session management and authentication. We do not use tracking cookies, third-party advertising cookies, or persistent analytics cookies without your prior consent. You may manage cookie preferences via your browser settings.
10. Children’s Privacy
The Service is intended for business use by adults aged 18 and over. We do not knowingly collect personal data from individuals under 18. If you believe a minor has submitted data to us, please contact us immediately and we will delete it promptly.
11. Changes to This Policy
We will update this Privacy Policy when our processing practices change. Material changes will be communicated by email and/or in-app notification at least 14 days before they take effect. The “Last Updated” date at the top of this page will always reflect the current version.
12. Contact & Data Protection Enquiries
For privacy-related questions, data subject rights requests, or DPA inquiries, please contact our data protection team at privacy@actlinter.com. We aim to respond to all requests within 5 business days.
ActLinter Ltd — Registered in Ireland — EU AI Act Compliance Platform — © 2026