Privacy Policy

Last updated: February 23, 2026

ArvexLab ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform.

1. Information We Collect

1.1 Personal Information

We collect personal information that you voluntarily provide to us when you:

  • Register for an account
  • Complete your organization profile
  • Contact us for support

This information may include:

  • Name and job title
  • Email address
  • Phone number
  • Organization name and details
  • Legal Entity Identifier (LEI)

1.2 Compliance Data

When you use our platform, you may upload or input compliance-related data including:

  • Vendor information and assessments
  • SOC 2, ISO 27001, and other audit reports
  • Contract documents
  • ICT incident reports
  • Register of Information data

1.3 Automatically Collected Information

We automatically collect certain information when you visit our platform:

  • IP address and location data
  • Browser type and version
  • Device information
  • Pages visited and time spent
  • Referral source

2. How We Use Your Information

We use the information we collect to:

  • Provide and maintain our platform
  • Process and complete your compliance workflows
  • Generate Register of Information reports
  • Send administrative information and updates
  • Respond to inquiries and provide support
  • Improve our platform and develop new features
  • Detect and prevent fraud or security incidents
  • Comply with legal obligations

3. Legal Basis for Processing (GDPR)

Under the General Data Protection Regulation (GDPR), we process your data based on:

  • Contract Performance: Processing necessary to provide our services
  • Legitimate Interests: Improving our platform and ensuring security
  • Legal Obligation: Compliance with applicable laws and regulations
  • Consent: Where you have given explicit consent (e.g., marketing)

4. Data Sharing and Disclosure

We may share your information with:

  • Service Providers: Third parties who perform services on our behalf (hosting, analytics, support)
  • Legal Requirements: When required by law or to protect our rights
  • Business Transfers: In connection with a merger, acquisition, or sale

We never sell your personal data to third parties.

5. Sub-Processors

We use the following third-party sub-processors to deliver our services:

  • Supabase (EU Frankfurt): Database hosting, authentication, and storage
  • Vercel: Application hosting and edge delivery
  • Resend: Transactional email delivery

5.1 AI Document Processing

We use two AI providers to analyse compliance documents uploaded to the platform:

  • Google LLC (Gemini 2.5 Flash): Used for NIS2 evidence-to-control mapping and policy document assessment. Document text (truncated to 100,000 characters) is sent to Google's Gemini API for analysis. Processing is governed by Google's Cloud Data Processing Addendum (EU data processing). Google does not use customer data for model training or improvement.
  • Anthropic PBC (Claude Haiku 4.5 / Claude Sonnet 4): Used for SOC 2 report parsing (via Modal.com), contract clause analysis, and board report narrative generation. Document content is sent to Anthropic's API for analysis. Processing is governed by Anthropic's Commercial Terms of Service and Data Processing Addendum. Data transfers to the US are protected by Standard Contractual Clauses (SCCs). Anthropic does not train models on customer data submitted through the API.

Both providers process document content only for the purposes described above. We do not share personal data (names, emails, contact details) with AI providers — only document content and metadata necessary for analysis.

All sub-processors are bound by data processing agreements and maintain appropriate security measures.

6. Data Storage and Security

Your data is stored in secure data centers located in the European Union (Frankfurt, Germany). We implement industry-standard security measures including:

  • Encryption at rest and in transit (TLS 1.3)
  • Regular security audits and penetration testing
  • Access controls and authentication
  • Continuous monitoring and logging

7. Data Retention

We retain your personal data for as long as your account is active or as needed to provide services. Compliance data is retained according to regulatory requirements (typically 5-7 years for financial records). You may request deletion of your data at any time, subject to legal retention requirements.

8. Your Rights Under GDPR

As an EU data subject, you have the right to:

  • Access: Request a copy of your personal data
  • Rectification: Correct inaccurate or incomplete data
  • Erasure: Request deletion of your data ("right to be forgotten")
  • Restriction: Limit processing of your data
  • Portability: Receive your data in a machine-readable format
  • Objection: Object to processing based on legitimate interests
  • Withdraw Consent: Withdraw consent at any time

To exercise these rights, contact us at privacy@arvexlab.com.

9. International Data Transfers

Your data is processed within the European Economic Area (EEA). If we transfer data outside the EEA, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission.

10. Cookies

We use cookies and similar technologies to enhance your experience. For detailed information, please see our Cookie Policy.

11. Children's Privacy

Our platform is not intended for individuals under 18 years of age. We do not knowingly collect personal data from children.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last updated" date.

13. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us:

14. Supervisory Authority

You have the right to lodge a complaint with a supervisory authority if you believe your data protection rights have been violated. Our lead supervisory authority is:

Der Hessische Beauftragte für Datenschutz und Informationsfreiheit (HBDI)
Gustav-Stresemann-Ring 1, 65189 Wiesbaden, Germany
Website: datenschutz.hessen.de