Privacy Policy
Effective 26 April 2026 · Last updated 26 April 2026
This privacy policy explains what personal data aicompliancevendors.com (“we”, “us”) collects, why we collect it, how long we keep it, who we share it with, and the rights you have over it. It is written to satisfy the disclosure requirements of the EU General Data Protection Regulation (GDPR) Articles 13 and 14, the UK GDPR, the California Consumer Privacy Act (CCPA) as amended by the CPRA, and Colorado, Virginia, Connecticut, Utah, and other US state privacy laws as they apply.
1. Who is the controller
The data controller for personal data processed through this site is the editorial team that publishes aicompliancevendors.com. Because the team operates anonymously (see the About page), the contact channel for any privacy request is the privacy inbox below; where a rights request requires identity verification, a named team member will respond.
- Privacy contact: privacy@aicompliancevendors.com
- Editorial & corrections: editorial@aicompliancevendors.com
If you are in the EU/EEA or the UK and we are required to designate a representative under Article 27 GDPR, we will publish the representative’s name and contact address here once appointed. While we have no permanent EU establishment, you can lodge a complaint with your local supervisory authority (see Section 11) at any time.
2. What data we collect
We collect personal data in three contexts: when you submit a form, when you visit a page, and when a vendor claims its profile. We do not buy lists, do not enrich submissions with third-party data brokers, and do not collect special-category data (health, religion, biometric, etc.) intentionally.
2.1 Forms you submit
Each form names the fields it collects at the point of submission. The categories below are the superset across all forms; an individual form will only collect the subset shown on that form.
| Form | Fields | Purpose |
|---|---|---|
| Get quotes / Lead | Name, work email, company, role, frameworks, vendor preferences, free-text notes | Forward your enquiry to the vendors you select |
| RFP submission | Same as Lead, plus uploaded RFP document and timeline/budget signals | Forward the RFP to selected vendors |
| Vendor claim | Claimant name, work email at the vendor domain, role, evidence of authority | Verify claimant is authorised to edit a vendor profile |
| List your company | Submitter name, work email, company, role, product details for review | Evaluate the company for editorial inclusion |
| Vendor portal (after claim) | Edits to profile content, attestation evidence URLs, contact preferences | Update the vendor’s profile pending editorial review |
| Newsletter | Email address only | Send the editorial newsletter |
| Featured slot checkout (Stripe) | Billing name, billing email, payment-card details (collected by Stripe — never reach our servers) | Process payment for paid placement |
2.2 Server logs
When you visit any page, our hosting provider (Vercel) logs the request for security and operational reasons: IP address, user-agent string, requested URL, response code, response time, and timestamp. These logs are retained for up to 30 days and are not used to build advertising profiles.
2.3 Analytics
We use Google Analytics 4 (property G-8HQS33F98F), Vercel Analytics, and Vercel Speed Insights to understand which content is useful and to detect performance regressions. These tools record: page paths, referrers, anonymised geographic region (typically country/region, not city-level precision), device type, browser, screen size, and the events listed in Section 4 (form submissions, PDF downloads, outbound clicks). GA4 does not log or store full IP addresses (IP anonymisation is built into GA4 and cannot be switched off); we have additionally disabled ad-personalisation signals, and we do not use Google Signals or Google Ads remarketing. Vercel Analytics is cookieless by design.
2.4 Cookies and similar technologies
We try to keep cookie use minimal. The categories we use are listed below.
| Category | Examples | Purpose | Lifetime |
|---|---|---|---|
| Strictly necessary | Theme preference, vendor-portal session token, CSRF token | Make the site work; remember light/dark choice; authenticate vendor edits | Session to 1 year |
| Analytics (consent-based in EEA/UK) | _ga, _ga_*, Vercel Speed Insights ID | Aggregate page-view and event measurement | Up to 13 months |
| Payment | Stripe.js cookies on checkout pages | Fraud prevention during payment | Set by Stripe; see their notice |
We do not use advertising cookies or third-party social-media trackers. If you visit from the EU/EEA or the UK, we do not place analytics cookies until you grant consent: the consent banner appears on your first visit and your choice is remembered for 12 months. You can withdraw consent at any time using the “Cookie preferences” link in the footer.
3. Why we process your data and the lawful basis
For each processing purpose we identify the GDPR Article 6 lawful basis we rely on. Where we rely on legitimate interests, the interest and the balancing test are summarised below; you can request the full Legitimate Interests Assessment at any time using the contact channel in Section 1.
| Purpose | Lawful basis | Notes |
|---|---|---|
| Forwarding leads/RFPs to vendors you choose | Art 6(1)(b) contract / pre-contract steps at your request | You select the vendors; we route, we do not broker. |
| Verifying vendor profile claims | Art 6(1)(b) contract / pre-contract | Necessary to give claimant edit rights. |
| Editorial directory and articles | Art 6(1)(f) legitimate interests | Public-interest journalism in a regulated market. We name only individuals already identified in primary public sources (SEC filings, regulator publications, vendor websites). |
| Server logs & security | Art 6(1)(f) legitimate interests | Preventing abuse, debugging. |
| Analytics (EEA/UK visitors) | Art 6(1)(a) consent | Banner-based opt-in; withdrawable. |
| Analytics (US visitors) | Legitimate interests with opt-out under state law | CCPA “Do Not Sell or Share” honoured; we do not sell or share for cross-context advertising. |
| Newsletter | Art 6(1)(a) consent | Single opt-in; one-click unsubscribe in every email. |
| Stripe payments | Art 6(1)(b) contract; Art 6(1)(c) tax/AML compliance | Stripe handles payment data under its own privacy notice, acting as our processor for the payment itself and as an independent controller for its own purposes (fraud prevention, regulatory compliance) per its terms. |
4. Events we record
We record the following named events in our analytics tools to measure whether the directory is useful: page_view, lead_submitted, rfp_submitted, vendor_claim_requested, vendor_edits_submitted, file_download, and outbound_click. Event payloads contain the page path and (for outbound clicks) the destination domain — never the contents of forms.
5. Who we share data with
We share personal data only with the categories of recipient below, and only as needed to operate the service. We do not sell personal data, and we do not share personal data for cross-context behavioural advertising as those terms are defined under California, Colorado, Connecticut, Virginia, Utah, and similar US state laws.
- Vendors you have explicitly selected on a Get Quotes, RFP, or similar form. These vendors become independent controllers of the contact details you have entered. We list each selected vendor on the page before you submit. We do not pre-select vendors on your behalf and do not forward your enquiry to vendors you did not select.
- Hosting and infrastructure (processors): Vercel (US/EU regions) for application hosting and analytics; Neon (US East) for the PostgreSQL database; Resend (US) for transactional email; Cloudflare (global) for DNS and edge caching.
- Payment (processor / independent controller): Stripe processes card data on our checkout pages under its own privacy notice; card numbers never reach our servers.
- Analytics (processors): Google (Google Analytics 4) and Vercel Analytics. GA4 does not store full IP addresses and we have disabled ad-personalisation signals; Vercel Analytics is cookieless by design (see Section 2.3).
- Legal requests: we will disclose data only on receipt of a valid legal process, and where the law permits, we will notify you first.
6. International transfers
Some of the recipients above are based in the United States, which has no general adequacy decision. Where personal data of EU/EEA, UK, or Swiss residents is transferred to those recipients, the transfer relies on the EU–U.S. Data Privacy Framework (and its UK and Swiss extensions) where the recipient is self-certified, or otherwise on the European Commission’s Standard Contractual Clauses (Decision 2021/914) with the UK Addendum where applicable. We do not transfer personal data outside the EU/EEA, the UK, or Switzerland other than to the recipients listed in Section 5.
7. How long we keep data
- Lead and RFP submissions: 24 months from submission, then deleted from active systems.
- Vendor claim verification records: for as long as the vendor profile is claimed, plus 12 months.
- List-your-company submissions that are not accepted: 12 months, then deleted.
- Newsletter subscribers: until you unsubscribe, then we retain only an unsubscribe-flag record.
- Server logs: up to 30 days.
- Analytics data: 14 months in Google Analytics; 90 days in Vercel Analytics raw events.
- Stripe payment records: as required by tax law (typically 7 years for invoices).
8. Your rights
Subject to local law, you have the rights listed below. To exercise any of them, email privacy@aicompliancevendors.com. We will respond within one month (30 days), extendable by up to two further months for complex or numerous requests, in which case we will tell you within the first month; we will not charge a fee unless the request is manifestly unfounded or excessive.
- Access — obtain a copy of the personal data we hold about you.
- Rectification — correct inaccurate or incomplete data.
- Erasure — delete data we hold about you, subject to legal-retention exceptions.
- Restriction — pause processing while a dispute is resolved.
- Portability — receive data you provided in a machine-readable format.
- Objection — object to processing based on legitimate interests; we will stop unless we demonstrate compelling grounds.
- Withdraw consent — for analytics or newsletter, with no effect on processing already carried out.
- Not be subject to solely-automated decision-making — we do not make any solely-automated decisions with legal or similarly significant effect on you.
- US state-law rights — California, Colorado, Connecticut, Virginia, Utah, and other state residents have rights of access, deletion, correction, and to opt out of sale, sharing, or targeted advertising. We do not sell or share personal data for cross-context behavioural advertising, but you may still send us a verifiable request through the privacy contact above.
9. Children
The site is intended for B2B audiences (compliance, legal, risk, and procurement professionals). We do not knowingly collect personal data from anyone under 16. If you believe a child has submitted personal data, contact us and we will delete it.
10. Security
We protect data with TLS in transit, encryption at rest at the database level, scoped access tokens for vendors and admins, and least-privilege deployment credentials. No system is perfectly secure; if we ever experience a breach affecting your data, we will notify the relevant supervisory authority within 72 hours of becoming aware of it where required, and notify you without undue delay where the breach is likely to result in a high risk to your rights.
11. Complaints
You can complain to a supervisory authority at any time. EU/EEA residents may complain in their country of residence (a list is published by the European Data Protection Board). UK residents may complain to the Information Commissioner’s Office. Swiss residents may complain to the Federal Data Protection and Information Commissioner. US state residents may complain to their state attorney general. We’d appreciate the chance to address concerns directly first — please email privacy@aicompliancevendors.com.
12. Common-ownership disclosure
The same editorial team operates a small group of related reference sites (ailawsbystate.com, ailawsuittracker.com, soc2vendors.com). Each site has its own privacy policy and operates an independent database. We do not share or combine personal data between these sites.
13. Changes to this policy
We will update the “Last updated” date at the top of this page when we change anything substantive. For changes that affect the lawful basis or recipients of your data, we will give 30 days’ notice before the change takes effect, where feasible, by email to active newsletter subscribers and via a banner on the site.
See also: Terms of Service · Methodology · About