Privacy Policy
How ShieldBase collects, processes, and protects your personal data — in full compliance with the GDPR.
Last updated: February 2026
1. Introduction
ShieldBase ("we", "us", "our") is committed to protecting your personal data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable national data-protection laws. This Privacy Policy explains what data we collect, why we collect it, and how we process it when you use our AI-powered regulatory compliance platform ("Service").
2. Data Controller
The data controller for the processing activities described in this policy is:
3. Data We Collect
We collect and process the following categories of personal data:
| Category | Examples | Legal Basis |
|---|---|---|
| Identity data | Name, email, job title | Contract performance (Art. 6(1)(b)) |
| Organisation data | Company name, sector, member-state, VAT number | Contract performance |
| Compliance content | Policies, risk assessments, audit evidence | Contract performance |
| Usage & analytics | Pages visited, feature usage, timestamps | Legitimate interest (Art. 6(1)(f)) |
| Payment data | Billing address, last-4 card digits (via Stripe) | Contract performance |
| Technical data | IP address, browser, device type, cookies | Legitimate interest |
4. How We Use Your Data
We use your personal data to:
- Provide and operate the ShieldBase compliance platform
- Generate AI-powered compliance recommendations and gap analyses
- Process payments and manage subscriptions via Stripe
- Send transactional emails (verification, password resets, invitations)
- Monitor platform security and prevent abuse
- Improve the Service based on aggregated usage analytics
- Comply with legal obligations (e.g. tax records, audit requirements)
5. AI Processing
ShieldBase uses large language models (LLMs) provided by third-party AI providers to generate compliance content on your behalf. When you use AI features:
- Your prompts and relevant compliance context are sent to the AI provider for processing
- AI providers process data under our Data Processing Agreements and do not use your data for model training
- AI-generated outputs are stored within your organisation's workspace and treated as compliance content
- All AI-generated content is clearly marked and requires human review before adoption
6. Data Sharing & Sub-processors
We share personal data only with trusted sub-processors who are contractually bound by GDPR-compliant Data Processing Agreements. We do not sell personal data to third parties.
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | PostgreSQL database hosting | EU (Frankfurt) |
| Vercel | Frontend hosting & CDN | EU edge nodes |
| Railway | API server hosting | EU (Frankfurt) |
| Anthropic | AI model provider (Claude) | US (EU DPA in place) |
| OpenAI | AI model provider (GPT) | US (EU DPA in place) |
| Stripe | Payment processing | EU (Dublin) |
| Resend | Transactional email delivery | US (EU DPA in place) |
7. International Data Transfers
Where data is transferred outside the European Economic Area (EEA), we rely on EU-approved transfer mechanisms including:
- EU–US Data Privacy Framework (where certified)
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Binding Corporate Rules where applicable
8. Your Rights
Under the GDPR, you have the following rights regarding your personal data:
- Right of access — obtain confirmation and a copy of your personal data
- Right to rectification — correct inaccurate or incomplete data
- Right to erasure — request deletion of your data ("right to be forgotten")
- Right to restriction — restrict processing in certain circumstances
- Right to data portability — receive your data in a structured, machine-readable format
- Right to object — object to processing based on legitimate interest
- Right to withdraw consent — where processing is based on consent
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days as required by the GDPR.
9. Data Retention
We retain personal data according to the following schedule:
- Active accounts: Data is retained for the duration of your subscription
- After account deletion: Personal data is erased within 30 days; anonymised analytics may be retained
- Billing records: Retained for 7 years as required by EU tax regulations
- Audit logs: Retained for 2 years for security and compliance purposes
- Backups: Fully purged within 90 days of deletion request
10. Data Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- AES-256 encryption at rest for all stored data
- TLS 1.3 encryption in transit for all communications
- Role-based access control (RBAC) with principle of least privilege
- Multi-factor authentication (MFA) support
- Regular security audits and penetration testing
- SOC 2-compliant infrastructure providers
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or an in-app notification at least 30 days before they take effect. The "Last updated" date at the top of this page reflects when the policy was last revised.
13. Contact & Complaints
If you have questions about this Privacy Policy or wish to exercise your data protection rights, please contact:
Data Protection Enquiries
Email: [email protected]
You also have the right to lodge a complaint with your national Data Protection Authority (DPA). A list of EU DPAs is available on the European Data Protection Board website.