Privacy Policy

Legal Entity and Product Brand

Attevera is the product and brand name for the EU AI Act readiness service provided by Rootlab LLC. In this Privacy Policy, “we,” “us,” and “our” mean Rootlab LLC unless the context refers to the Attevera platform or product experience.

At a glance

• We do not sell your personal data.
• Attevera does not run AI or large-language-model systems over your workspace content, and we do not use your data to train any AI model.
• Core workspace data is stored on EU infrastructure (Supabase, Frankfurt) with Row Level Security enforcing organisation-level boundaries.
• You can export all your organisation's data at any time from Settings → Data & privacy.

1. Data We Collect

When you use Attevera, we collect the following categories of data:

• Account information: email address, name, and organisation name provided during registration
• AI system records: information you enter about AI systems your organisation operates, including names, descriptions, risk classifications, and deployment contexts
• Controls and assignments: control records, ownership assignments, and completion status you create in the platform
• Evidence files and metadata: uploaded files, file names, sizes, upload dates, descriptions, and linkages for evidence you attach to controls or systems
• Audit logs: records of actions taken within your workspace, including who made changes and when
• Usage data: page visits, feature interactions, and error events collected to improve the platform
• Billing data: subscription plan, billing status, Stripe customer identifiers, and payment events. We do not store full payment card numbers.
• Support data: subject, message, attached screenshots, and page context you submit through the in-app support flow or by emailing us.
• Developer credentials: API key metadata (label, scopes, creation time, last-used time) for keys you create under your workspace. We never store the plaintext API key after it is generated; only a salted hash is kept for authentication.

2. How We Use Your Data

We use the data we collect to:

• Provide, operate, and maintain the Attevera platform
• Authenticate users and enforce organisation-level access boundaries
• Generate audit logs and readiness reports for your workspace
• Diagnose errors and improve platform reliability and performance
• Communicate service updates, billing information, and material changes to these policies

Our role under GDPR depends on the processing activity. The table below summarises each major activity, our role, and the legal basis we rely on:

• Customer workspace content (AI system records, controls, evidence, literacy records, documents, audit trail, monitoring reviews, serious-incident records) — your organisation is the controller; Rootlab LLC is the processor under our DPA. Legal basis: your performance of contract with the data subjects in question, as determined by your organisation.
• Account authentication and session management— Rootlab LLC is the controller. Legal basis: Art. 6(1)(b) performance of contract with you.
• Billing and subscriptions — Rootlab LLC is the controller. Legal basis: Art. 6(1)(b) performance of contract plus Art. 6(1)(c) compliance with tax and accounting obligations.
• Security monitoring and abuse prevention — Rootlab LLC is the controller. Legal basis: Art. 6(1)(f) legitimate interests in operating and securing the service.
• Error diagnostics — Rootlab LLC is the controller. Legal basis: Art. 6(1)(f) legitimate interests. Sampled session replay is disabled; only sessions that experience an error are recorded, with input masking applied.
• Support ticket handling — Rootlab LLC is the controller for the ticket lifecycle. If you include personal data about your end users in the ticket body, your organisation remains controller for that content.
• Anti-abuse / trial eligibility — Rootlab LLC is the controller. Legal basis: Art. 6(1)(f) legitimate interests in preventing abuse of the free trial.
• Service-update and billing communications— Rootlab LLC is the controller. Legal basis: Art. 6(1)(b) performance of contract.

Your data is never sold to third parties. We do not use your AI system records or workspace content for advertising or behavioural profiling. We do not make automated decisions producing legal or similarly significant effects about you.Atteveradoes not run AI or large-language-model systems over your workspace content, and we do not use your data to train any AI model, whether our own or a third-party's.

3. Data Storage & Security

Your workspace data is stored in Supabase-managed infrastructure. Data is protected in transit using TLS and protected at rest using provider-managed encryption controls. We use Supabase Row Level Security (RLS) policies to enforce organisation-level data boundaries so one organisation cannot access another organisation's workspace data through the application.

Access to production data is restricted to authorisedRootlab LLC personnel on a need-to-know basis. We conduct regular security reviews and monitor for anomalous access patterns.

Breach notification. If we become aware of a personal data breach, our response depends on who is the controller for the affected data:

• Where Rootlab LLC is the controller (for example, account authentication, billing, and security monitoring), we will notify affected data subjects without undue delay and notify the competent supervisory authority within 72 hours of becoming aware of the breach, where notification is required by GDPR Articles 33 and 34.
• Where your organisation is the controller and Rootlab LLCis the processor (workspace content, AI system records, controls, evidence, monitoring reviews, serious-incident records), we will notify your organisation's admin contacts without undue delay and in any event within 48 hours of becoming aware, with sufficient detail for your organisation to meet its own 72-hour obligation under Article 33 where applicable. This commitment is also captured in our Data Processing Agreement §7.

4. Sub-processors

We engage the following third-party sub-processors to deliver the service. The authoritative list — including pending entries and our change-notification policy — is maintained at attevera.com/sub-processors.

• Supabase — database, authentication, and evidence-file storage. Production data is hosted in the EU (Frankfurt) as configured for the Attevera project.
• Stripe — payment processing, subscription billing, and invoicing. Rootlab LLC does not store full payment card details.
• Sentry — error monitoring. When a session experiences an error, Sentry may receive a short diagnostic replay with input fields and text content masked before transmission. No sampled or non-error session recording is sent.
• Resend (Plus Five Five, Inc.) — delivers transactional email: password reset, email confirmation, workspace invitations, and result emails sent when a person using the public classifier or assessment asks us to email their result. Primary processing is in the United States; Resend is EU–US DPF-certified and data flows are covered by 2021 SCCs Module 2.
• Vercel (Vercel Inc.) — hosts the Attevera application tier, delivers the public marketing site via CDN, and provides cookieless Vercel Web Analytics and anonymous Vercel Speed Insights (Core Web Vitals) on public pages. Primary edge and origin regions are in the EU; analytics and Speed Insights samples aggregate in the United States. Vercel is EU–US DPF-certified and transfers are covered by 2021 SCCs Module 2. Analytics events are retained for 30 days.

We will provide at least 30 days' notice before engaging a new sub-processor that will process personal data, as described in our Data Processing Agreement.

Some sub-processors, or support operations carried out byRootlab LLCpersonnel based in the United States, may involve transfers of personal data outside the EU/EEA. For those transfers, we rely primarily on the European Commission's 2021 Standard Contractual Clauses (Module 2 or Module 3 as applicable), supplemented by the EU–US Data Privacy Framework where a sub-processor is certified under it, and by applicable adequacy decisions.

5. Data Retention & Deletion

Your data is retained for the duration of your active subscription and as needed to provide the service. Specific retention windows apply to different categories of data:

• Workspace content (AI system records, controls, evidence, documents, monitoring reviews, serious-incident records): retained while your subscription is active and as governed by the DPA after termination.
• High-risk AI system records: Article 18(1) of the EU AI Act requires a provider to keep the record of a high-risk AI system for at least ten years after placing it on the market or putting it into service. When you remove a high-risk or unacceptable-risk AI system from Attevera, the record is archived rather than hard-deleted and retained for ten years to support this obligation.
• Audit log entries: retained for the life of the organisation and for a reasonable period after termination for security, dispute-handling, and recordkeeping purposes.
• Billing records and invoices: retained for the period required by tax and accounting law (typically seven years).
• Backup snapshots: retained on a 30-day rolling window by our infrastructure provider.
• Sentry error diagnostics: retained on a 90-day rolling window.
• Support tickets: retained for two years after resolution.

Account deletion removes your user account from the organisations you belong to; organisation workspaces and the records listed above continue to apply to remaining members of the organisation. To delete an entire organisation workspace, contact support@attevera.com — we will complete supervised deletion within 30 days, subject to overriding retention obligations above.

You may request deletion of your personal data at any time in accordance with your rights under GDPR Article 17 (Right to Erasure). To make a deletion request, contact support@attevera.com. We will respond within 30 days.

6. Your Rights

Under the General Data Protection Regulation (GDPR), you have the following rights with respect to your personal data:

• Article 15 — Right of access: request a copy of the personal data we hold about you
• Article 16 — Right to rectification: request correction of inaccurate personal data
• Article 17 — Right to erasure: request deletion of your personal data
• Article 18 — Right to restriction: request that we limit how we process your data in certain circumstances
• Article 20 — Right to portability: receive your data in a structured, machine-readable format
• Article 21 — Right to object: object to processing based on legitimate interests
• Article 22 — Automated decisions: request safeguards where a decision based solely on automated processing would produce legal or similarly significant effects
• Article 7(3) — Withdraw consent: where our processing of your personal data is based on your consent, you may withdraw that consent at any time. Withdrawal is as easy as the original opt-in and does not affect the lawfulness of processing carried out before the withdrawal.

Many of these rights can be exercised directly in the product. Signed-in users can export their organisation's data at any time from Settings → Data & privacy → “Export all data” (this also covers the Article 20 right to portability), edit profile fields from Settings → Profile, and delete their own account from Settings → Data & privacy → Delete account. For any request that cannot be completed self-service, contact support@attevera.com.

We aim to acknowledge requests within five business days and to provide a substantive response within 30 days. Where a request is particularly complex or we receive a high volume of requests, we may extend the response period by up to 60 additional days under GDPR Article 12(3), and will let you know if we do so.

You also have the right to lodge a complaint with your national data protection authority.

7. Cookies and Browser Storage

Attevera uses the minimum browser cookies and local storage needed to operate the service. Each item below is strictly necessary to provide the functionality you have asked for.

Cookies:

• Supabase authentication cookies — keep you signed in (HttpOnly, Secure, SameSite).
• active_org_id — remembers which organisation workspace you have active.
• attevera_signup_intent — carries your chosen plan across the signup and checkout flow. Short-lived.

Local browser storage:

• Onboarding progress — remembers which product-tour steps you have completed.
• Classification form drafts — preserves your in-progress entries so you can close and reopen the tab without losing work.

Error diagnostics:

We use Sentry for error monitoring. When your session encounters an error, Sentry may record a short diagnostic replay of the page state at the time of the error. Input fields and displayed text are masked before the replay is sent, and media is blocked. We do not record sessions that do not error.

Analytics and performance:

We use Vercel Web Analytics to measure aggregate usage of our public pages (page views, referrer, browser and OS family, country-level geolocation). Vercel Web Analytics is cookieless, does not track you across sites, and derives visitor counts from a daily-rotating salted hash of your IP address and user agent that does not persist beyond 24 hours.

We also use Vercel Speed Insights to collect anonymous Core Web Vitals samples (LCP, CLS, INP, FCP, TTFB) so we can keep pages fast. Speed Insights does not set cookies, does not identify you, and records only the metric value alongside the URL path and coarse device family.

Lawful basis for both: legitimate interest under GDPR Article 6(1)(f) in understanding and improving product usage. Vercel Inc. is our sub-processor for hosting, analytics, and Speed Insights; see the entry under §4 above.

We do not use advertising cookies and we do not use third-party analytics that identify you across sites. You may clear cookies and local storage via your browser settings. Clearing session cookies will sign you out of Attevera, and clearing local storage may remove saved form drafts.

8. Contact & EU Representative

For privacy-related questions, data subject requests, or concerns about how we handle your data, contact us at:

Rootlab LLC
Email: support@attevera.com
Postal address: will be published here before the Service is made generally available.

EU representative under GDPR Article 27: Rootlab LLCis established outside the European Union and has appointed an EU representative to act as a point of contact for data subjects and supervisory authorities. The representative's identity and contact details will be published in this section before the Service is made generally available to EU customers. Until that appointment is published, please contact us at support@attevera.com.

We aim to acknowledge privacy enquiries within five business days and to fulfil data-subject requests within 30 days (extendable by up to 60 days for complex requests, with notice).