GDPR & Cookie Policy
Last updated: January 9, 2025
All data stored in Frankfurt, Germany within the EU.
Full compliance with EU data protection regulations.
Manage your cookie preferences at any time.
Access, export, or delete your data on request.
Part 1: Cookie Policy
What Are Cookies?
Cookies are small text files stored on your device when you visit a website. They help the website remember your preferences, keep you logged in, and understand how you use the site.
Types of Cookies We Use
Essential Cookies (Required)
These cookies are necessary for the website to function and cannot be disabled. They include:
| Cookie Name | Purpose | Duration |
|---|---|---|
| sb-*-auth-token | Authentication session | 7 days |
| comply-cookie-consent | Cookie preference | 1 year |
| theme | Theme preference | 1 year |
| region | Region/language preference | 1 year |
Analytics Cookies (Optional)
These cookies help us understand how visitors interact with our website. They collect anonymous information about page visits and user behavior.
| Cookie Name | Purpose | Duration |
|---|---|---|
| _ga | Google Analytics ID | 2 years |
| _gid | Google Analytics session | 24 hours |
| ph_* | PostHog analytics | 1 year |
Marketing Cookies (Optional)
These cookies are used to deliver relevant advertisements and track the effectiveness of marketing campaigns.
| Cookie Name | Purpose | Duration |
|---|---|---|
| _gcl_* | Google Ads conversion | 90 days |
| li_sugr | LinkedIn tracking | 90 days |
Managing Your Cookie Preferences
You can manage your cookie preferences at any time by:
- Clicking the cookie settings link in the footer
- Adjusting your browser settings to block or delete cookies
- Using browser extensions that manage cookies
Note: Blocking essential cookies may prevent the website from functioning properly.
Part 2: GDPR Compliance
Data Controller
ArvexLab acts as a data controller for your account information and as a data processor for compliance data you upload to the platform.
- Controller: ArvexLab GmbH, Frankfurt, Germany
- DPO Contact: dpo@arvexlab.com
Your GDPR Rights
Under the GDPR, you have the following rights:
Right of Access (Art. 15)
Request a copy of all personal data we hold about you.
Right to Rectification (Art. 16)
Request correction of inaccurate or incomplete personal data.
Right to Erasure (Art. 17)
Request deletion of your personal data ("right to be forgotten").
Right to Restriction (Art. 18)
Request that we limit the processing of your personal data.
Right to Data Portability (Art. 20)
Receive your data in a structured, machine-readable format.
Right to Object (Art. 21)
Object to processing based on legitimate interests or for marketing.
How to Exercise Your Rights
To exercise any of these rights:
- Email us at privacy@arvexlab.com
- Include your full name and the email associated with your account
- Specify which right(s) you wish to exercise
- We will respond within 30 days
Data Processing Agreements
For enterprise customers, we provide Data Processing Agreements (DPAs) that detail:
- The scope and purpose of data processing
- Security measures implemented
- Sub-processor information
- Data breach notification procedures
- Audit rights
Contact legal@arvexlab.com to request a DPA.
International Data Transfers
Your data is stored and processed exclusively within the European Union. Our infrastructure is hosted in Frankfurt, Germany. We do not transfer personal data outside the EEA unless:
- The destination country has an adequacy decision from the European Commission
- Standard Contractual Clauses (SCCs) are in place
- You have explicitly consented to the transfer
Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority within 72 hours
- Notify affected individuals without undue delay
- Document the breach and our response measures
Sub-Processors
We use the following sub-processors:
| Provider | Purpose | Location |
|---|---|---|
| Supabase (AWS) | Database & Authentication | EU (Frankfurt) |
| Vercel | Application Hosting | EU (Frankfurt) |
| Google LLC (Gemini) | AI Evidence Mapping & Policy Assessment | EU Data Processing |
| Anthropic PBC (Claude) | AI Document Parsing & Contract Analysis | US (with SCCs) |
| Resend | Transactional Email | US (EU-US DPF) |
We will notify data controllers at least 14 days before engaging a new sub-processor or changing an existing one. If you object to a new or replacement sub-processor, you may notify us at privacy@arvexlab.com within 14 days of our notification. If we are unable to reasonably address your objection, you may terminate the affected services by providing 30 days' written notice. We will provide reasonable assistance with data export during the transition period at no additional cost.
Supervisory Authority
You have the right to lodge a complaint with a supervisory authority. Our lead supervisory authority is:
Der Hessische Beauftragte für Datenschutz und Informationsfreiheit
Postfach 3163
65021 Wiesbaden, Germany
datenschutz.hessen.de
Contact Us
For any questions about cookies or GDPR compliance:
- Privacy Inquiries: privacy@arvexlab.com
- Data Protection Officer: dpo@arvexlab.com
- General Legal: legal@arvexlab.com