Privacy Policy
Last updated: July 3, 2026
1. Data controller
Growthlab Ventures ApS, Copenhagen, Denmark, operating the EAU (EU AI Watch) service. Contact: info@bragiandco.com.
2. What data we collect
- Account data — your email address, provided when you create an account with email and password or sign in with Google. Used for authentication, account access, and transactional communications.
- Organisation data — the organisation you belong to, your role in it, and members you invite. Used to provide team features.
- Stack selections — which vendors and findings you track, deployment context you record, and remediation notes you enter. Stored in your organisation’s account to provide your exposure view.
- Correction submissions — name, email, role, and the content of corrections you submit via the public corrections form. Used to review and act on the correction.
- Payment data — when paid subscriptions launch, payments will be processed by Paddle as Merchant of Record. We will not store payment card details or billing addresses.
3. Legal basis for processing (GDPR Art. 6)
- Contract performance (Art. 6(1)(b)) — processing account, organisation, and stack data to provide the service.
- Legitimate interest (Art. 6(1)(f)) — processing correction submissions to maintain data accuracy. You can object at any time.
4. How we use your data
We use your data to authenticate you, provide the service, store your organisation’s stack and deployment context, and send transactional emails (team invitations, account notices). We do not send marketing emails unless you explicitly opt in. We do not sell, share, or trade personal data with third parties for their marketing purposes. The service currently runs no third-party analytics or advertising trackers.
5. Data processors
- Supabase — database and authentication hosting. Stores account, organisation, and stack data.
- Vercel — website hosting. Processes requests to serve the service.
- Resend — email delivery for transactional emails.
- Google — if you choose Google sign-in, authentication is processed by Google under their privacy policy.
- Paddle — payment processing as Merchant of Record, once paid subscriptions launch.
6. Data retention
- Account and organisation data — retained while your account is active; deleted within 30 days of a deletion request.
- Correction submissions — retained as part of the research audit trail; submitter contact details can be removed on request.
7. Your rights (GDPR)
You have the right to access, rectify, erase, restrict, and port your personal data, and to object to processing based on legitimate interest. To exercise any right, email info@bragiandco.com. We respond within 30 days.
8. Cookies
We use functional authentication cookies only (Supabase session cookies, prefixed sb-). They identify your signed-in session and are required for the service to function. No tracking, analytics, or advertising cookies are set.
9. International transfers
Primary data storage is in EU-region infrastructure. Vercel, Resend, and Google may process data in the United States under Standard Contractual Clauses.
10. Supervisory authority
You have the right to lodge a complaint with the Danish Data Protection Agency (Datatilsynet) at datatilsynet.dk.
11. Changes
We may update this policy. Material changes will be communicated by email to account holders. The date at the top reflects the most recent version.