RiskLoop

Privacy Policy

Last updated: March 15, 2026

1. Data Controller

RiskLoop is operated by Zapheron, a company registered in Norway.

For questions about this policy or your data, contact us at privacy@riskloop.eu.

2. Data We Collect

  • Account data: Name, email address, and password hash when you create an account.
  • Organization data: Risk registers, compliance assessments, contracts, vendor records, processing activities, mitigations, and other data you enter into the platform.
  • Usage data: Pages visited, features used, timestamps, and browser/device information for service improvement and security monitoring.
  • Payment data: Processed by Stripe. We do not store credit card numbers or bank details. We receive only transaction confirmations and subscription status from Stripe.

3. Purposes of Processing

  • Service delivery: Operating the platform, processing your data, and providing AI-powered analysis.
  • AI-powered analysis: Analyzing risks, scanning contracts, assessing GDPR compliance, and generating reports using AI models.
  • Billing: Managing subscriptions and processing payments via Stripe.
  • Platform improvement: Understanding usage patterns to improve features and performance.
  • Security monitoring: Detecting and preventing unauthorized access, fraud, and abuse.

4. Legal Bases (GDPR Art. 6)

  • Contract performance (Art. 6(1)(b)): Processing necessary to deliver the service you have subscribed to.
  • Legitimate interest (Art. 6(1)(f)): Platform improvement, security monitoring, and error tracking. We balance our interests against your rights and freedoms.
  • Consent (Art. 6(1)(a)): Marketing communications, if any. You can withdraw consent at any time.

5. AI Processing

RiskLoop uses Anthropic's Claude AI to analyze risks, scan contracts, assess GDPR compliance, and generate reports. When you use AI-powered features:

  • Relevant data from your organization is sent to the Anthropic API for processing.
  • Data is processed under Anthropic's data processing terms and is not used to train AI models.
  • AI outputs are suggestions only and require human review and approval before being applied to your records.
  • AI agent run logs (inputs and outputs) are retained for 12 months for auditability.

AI-generated content does not constitute professional legal, financial, compliance, or risk management advice.

6. Data Recipients & Processors

We share data with the following processors to operate the service:

Processor    Purpose                              Location
Supabase     Database hosting & authentication    EU (Ireland)
Vercel       Application hosting                  Global (Edge)
Stripe       Payment processing                   US/EU
Anthropic    AI processing (Claude API)           US
Sentry       Error monitoring                     US/EU

7. International Transfers

Primary data storage is in the EU (Ireland) via Supabase. Some processors operate outside the EU:

  • Anthropic: AI API requests may be processed in the US under Standard Contractual Clauses (SCCs).
  • Stripe: Payment processing under their Data Processing Agreement and SCCs.
  • Sentry: Error logs under their DPA and SCCs.

8. Data Retention

  • Account data: Retained while your account is active, plus 90 days after deletion to allow recovery.
  • Organization data: Retained while your subscription is active. Deleted within 30 days of subscription termination.
  • AI agent run logs: Retained for 12 months for auditability, then deleted.
  • Error logs: Retained for 90 days.

9. Your Rights

Under the GDPR, you have the right to:

  • Access your personal data
  • Rectify inaccurate data
  • Erase your data ("right to be forgotten")
  • Port your data to another service
  • Restrict processing in certain circumstances
  • Object to processing based on legitimate interest

To exercise any of these rights, email privacy@riskloop.eu. We will respond within 30 days. You also have the right to lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet).

10. Cookies

RiskLoop uses essential cookies only by default:

  • Authentication cookies: Required to keep you signed in securely.
  • Cookie consent: Stores your cookie preference.

We do not use tracking, advertising, or third-party analytics cookies. If this changes in the future, we will update this policy and the cookie consent banner.

11. Children

RiskLoop is not intended for use by children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at privacy@riskloop.eu.

12. Changes to This Policy

We may update this privacy policy from time to time. Material changes will be communicated via email to account holders. The "Last updated" date at the top of this page indicates when this policy was last revised.