This Privacy Policy explains how RisqBase d.o.o. ("RisqBase", "we", "us", or "our") collects, uses, and protects your personal data when you use RALIA, our compliance platform, available at ralia.io ("the Platform").
We are committed to protecting your privacy and being transparent about how we handle your data. This policy is written in plain language so you can easily understand what happens to your information.
1. Who We Are
Data Controller:
RisqBase d.o.o.
Zagreb, Croatia
Contact Us:
Email: privacy@risqbase.com
Website: ralia.io
Data Protection Queries:
For any questions about how we handle your personal data, please contact our Privacy Team at privacy@risqbase.com.
We are an AI-native, privacy-first company. This means we have built privacy protection into every part of our platform from the very beginning, not as an afterthought.
2. What Personal Data We Collect
We only collect the personal data we need to provide you with our services. Here is what we collect:
2.1 Account Information
When you create an account, we collect:
- Your name
- Your email address
- Your password (stored only as a secure one-way hash, never in readable form - we cannot see it)
- Your organisation name
- Your job title or role
Why we collect this: To create and manage your account, and to communicate with you about our services.
2.2 Assessment Data
When you use our compliance assessment tools, we collect:
- Your answers to assessment questions
- Information about your AI systems that you provide
- Documents you upload for analysis
Why we collect this: To generate your compliance reports and provide personalised recommendations.
2.3 Usage Information
When you use our Platform, we automatically collect:
- Pages you visit within the Platform
- Features you use
- Time and date of your visits
- Your device type and browser
Why we collect this: To improve our Platform and fix technical issues.
2.4 Payment Information
When you subscribe to a paid plan, we collect:
- Billing name and address
- Payment card details (processed securely by Stripe - we do not store your full card number)
Why we collect this: To process your payments and manage your subscription.
2.5 Communication Data
When you contact us, we collect:
- Your email address
- The content of your messages
- Any attachments you send
Why we collect this: To respond to your enquiries and provide support.
3. How We Use Your Data
We use your personal data for the following purposes:
| Purpose | Legal Basis (GDPR) | Explanation |
|---|---|---|
| Providing our services | Contract (Art. 6(1)(b)) | We need your data to deliver the compliance assessment services you have requested |
| Managing your account | Contract (Art. 6(1)(b)) | We need your data to create and maintain your account |
| Processing payments | Contract (Art. 6(1)(b)) | We need billing data to process your subscription payments |
| Sending service updates | Contract (Art. 6(1)(b)) | We send emails about your account, assessments, and important Platform changes |
| Improving our Platform | Legitimate Interest (Art. 6(1)(f)) | We analyse usage patterns to make our Platform better for everyone |
| Security and fraud prevention | Legitimate Interest (Art. 6(1)(f)) | We monitor for suspicious activity to protect your account and our Platform |
| Marketing communications | Consent (Art. 6(1)(a)) | We only send marketing emails if you have agreed to receive them |
| Regulatory compliance | Legal Obligation (Art. 6(1)(c)) | We may need to process data to comply with laws |
Our Legitimate Interests
Where we rely on legitimate interests, we have carefully balanced our interests against your rights. Our legitimate interests include:
- Improving and developing our Platform
- Keeping our Platform secure
- Understanding how our customers use our services
- Running our business effectively
We have conducted and documented Legitimate Interest Balancing Tests for all processing activities relying on legitimate interest as a legal basis. You may request further information about these assessments by contacting us.
You have the right to object to processing based on legitimate interests. See Section 7 for how to exercise this right.
4. Who We Share Your Data With
We do not sell your personal data to anyone. Ever.
We share your data only with the following categories of recipients who help us provide our services:
4.1 Service Providers (Processors)
| Provider | Purpose | Location | Safeguards |
|---|---|---|---|
| Supabase | Database hosting and authentication | EU/US | Standard Contractual Clauses |
| Vercel | Platform hosting | EU/US | Standard Contractual Clauses |
| Anthropic | AI analysis (Claude API) | US | Standard Contractual Clauses |
| OpenAI | AI analysis (Backup provider) | US | Standard Contractual Clauses |
| Stripe | Payment processing | EU/US | Standard Contractual Clauses |
| Resend | Email delivery | US | Standard Contractual Clauses |
We have entered into appropriate data processing agreements with all our service providers, ensuring they process your data only on our instructions and maintain appropriate security measures.
4.2 Within Your Organisation
If you are part of an organisation using RALIA, your organisation's administrators may have access to:
- Your account information
- Assessment data you create
- Activity within the organisation's workspace
4.3 Legal Requirements
We may disclose your data if required by law, court order, or government request, or to protect our rights, property, or safety.
4.4 Business Transfers
If RisqBase is involved in a merger, acquisition, or sale of assets, your data may be transferred. We will notify you before your data becomes subject to a different privacy policy.
5. International Data Transfers
Some of our service providers are based outside the European Economic Area (EEA). When we transfer your data outside the EEA, we ensure it remains protected by using one of these safeguards:
5.1 Adequacy Decisions
Some countries have been recognised by the European Commission as providing adequate data protection. Transfers to these countries do not require additional safeguards.
5.2 Standard Contractual Clauses (SCCs)
For transfers to countries without an adequacy decision, we use Standard Contractual Clauses approved by the European Commission. These are legal agreements that require the recipient to protect your data to EU standards.
5.3 EU-US Data Privacy Framework
Some of our US-based service providers (such as Stripe and Vercel) participate in the EU-US Data Privacy Framework, which has been recognised by the European Commission as providing adequate protection for personal data transferred from the EU to participating US organisations.
Where applicable, we rely on our providers' Data Privacy Framework certification as an additional safeguard for international transfers.
5.4 Your Right to Information
You can request a copy of the safeguards we use for international transfers by contacting us at privacy@risqbase.com.
6. How Long We Keep Your Data
We keep your personal data only for as long as necessary for the purposes described in this policy. Here are our retention periods:
| Data Type | Retention Period | Reason |
|---|---|---|
| Account data | Duration of account + 2 years | To allow account reactivation and handle queries |
| Assessment data | Duration of account + 7 years | Legal and compliance record-keeping |
| Payment records | 7 years from transaction | Tax and accounting obligations |
| Usage logs | 12 months | Security and Platform improvement |
| Marketing preferences | Until you withdraw consent | To respect your communication choices |
| Support communications | 3 years from last contact | To provide consistent support |
Account Deletion
When you delete your account:
- Your personal data is deleted or anonymised within 30 days
- Backup copies are deleted within 90 days
- Some data may be retained longer if required by law
7. Your Rights
Under GDPR, you have the following rights over your personal data:
7.1 Right of Access
You can request a copy of all personal data we hold about you.
7.2 Right to Rectification
You can ask us to correct any inaccurate or incomplete data.
7.3 Right to Erasure ("Right to be Forgotten")
You can ask us to delete your personal data in certain circumstances, such as when it is no longer needed for the purposes it was collected.
7.4 Right to Restriction
You can ask us to limit how we use your data in certain circumstances.
7.5 Right to Data Portability
You can request your data in a structured, commonly used format to transfer to another service.
7.6 Right to Object
You can object to processing based on legitimate interests or for direct marketing purposes.
7.7 Rights Related to Automated Decision-Making
You have the right not to be subject to decisions based solely on automated processing that significantly affect you.
How to Exercise Your Rights
To exercise any of these rights:
- Email us at privacy@risqbase.com
- Log into your account and use the privacy settings
- Use the data export feature in your account settings
We will respond to your request within 30 days. If your request is complex, we may extend this by a further 60 days, but we will let you know.
Right to Complain
If you are unhappy with how we have handled your data, you have the right to lodge a complaint with a supervisory authority.
Your primary supervisory authority is the Croatian Personal Data Protection Agency (AZOP):
Agencija za zaštitu osobnih podataka (AZOP)
Selska cesta 136
10000 Zagreb, Croatia
Website: www.azop.hr
If you are located in another EU member state, you may also lodge a complaint with your local data protection authority.
8. Cookies
RALIA uses cookies that are strictly necessary for the operation of our Platform. We do not use cookies for advertising, tracking, or analytics purposes.
8.1 Essential Cookies
| Cookie | Purpose | Duration |
|---|---|---|
| Authentication cookies | Keep you signed in securely | Session / 1 hour (auto-refreshed) |
These cookies are essential for the Platform to function. Without them, you would not be able to log in or access your account.
8.2 What We Don't Use
We do not use:
- Advertising or marketing cookies
- Third-party tracking cookies
- Social media cookies
- Non-essential analytics cookies
8.3 Analytics
We use Vercel Analytics for basic website performance monitoring. Vercel Analytics is privacy-focused and does not use cookies or collect personal data.
8.4 Your Choices
Because we only use essential cookies required for the Platform to function, there is no option to disable them while using RALIA. If you prefer not to accept these cookies, you may choose not to use our Platform.
9. AI and Automated Processing
RALIA uses artificial intelligence to help you with compliance assessments. RALIA's AI features are designed exclusively to support organisations in understanding, documenting, and managing compliance obligations under relevant EU regulatory frameworks.
The Platform provides analytical support, structured guidance, and draft documentation. It does not provide legally binding determinations, regulatory approvals, or final compliance decisions.
Here is how it works and what it means for your data:
9.1 How We Use AI
- Compliance Analysis: Our AI analyses your assessment answers to determine your AI Act risk classification and generate recommendations.
- Document Creation: Our AI helps create compliance documents such as Legitimacy Impact Assessments and Data Protection Impact Assessments.
- Conversational Interface: Our AI-powered assistant helps guide you through assessments.
9.2 Human Oversight
Our AI provides guidance and analysis, but:
- Final compliance decisions are always yours
- AI recommendations should be reviewed by qualified personnel
- We recommend seeking professional legal advice for complex situations
AI-generated outputs may be incomplete or inaccurate, and their quality depends on the quality and completeness of the information provided by users.
9.3 Your Data and AI Training
9.4 AI Service Providers
Our AI capabilities are powered by Anthropic's Claude API. When you use AI features:
- Your queries are processed by Anthropic to generate responses
- Anthropic is contractually bound not to use your data for training
- Data is transmitted securely and not stored beyond the session
For our AI features, we have set up the OpenAI Platform as a backup provider to ensure continued availability of our services. If Anthropic's Claude API is unavailable, the OpenAI Platform carries out the same processing that Anthropic's Claude API would otherwise perform.
9.5 Roles Under the EU AI Act
For the purposes of the EU Artificial Intelligence Act, RisqBase acts as the provider of the RALIA AI system. Customers and users act as deployers and remain responsible for determining how AI-generated outputs are used within their organisations.
10. Security
We take the security of your personal data seriously. Here are some of the measures we use to protect your information:
10.1 Technical Measures
- Encryption: Personal data is encrypted in transit (TLS 1.3) and, where appropriate, at rest, using industry-standard security measures
- Access Controls: Strict role-based access to personal data
- Authentication: Secure password hashing and optional two-factor authentication
- Monitoring: Continuous security monitoring and incident detection
10.2 Organisational Measures
- Staff Training: All staff receive data protection training
- Access Limitation: Data access limited to those who need it
- Supplier Management: All suppliers are assessed for security compliance
- Incident Response: Documented procedures for handling data breaches
10.3 Certifications
We are working towards the following certifications:
- ISO 27001 (Information Security Management)
- ISO 42001 (AI Management System)
- SOC 2 Type II
10.4 Reporting Security Issues
If you discover a security vulnerability, please report it to security@risqbase.com. We appreciate responsible disclosure.
10.5 Data Breach Notification
In the unlikely event of a personal data breach that poses a high risk to your rights and freedoms, we will notify you without undue delay, as required by GDPR Article 34. We will inform you of:
- The nature of the breach
- The likely consequences
- The measures we have taken or propose to take
We also maintain incident response procedures and will notify the relevant supervisory authority within 72 hours of becoming aware of a qualifying breach.
11. Children's Privacy
RALIA is a business-to-business service designed for organisations and professionals. Our Platform is not intended for children under 16 years of age.
We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately at privacy@risqbase.com, and we will delete the information.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons.
How We Notify You
- Material Changes: For significant changes that affect your rights, we will notify you by email and display a prominent notice on our Platform.
- Minor Changes: For minor updates (such as corrections or clarifications), we will update the "Last Updated" date at the top of this policy.
Review Date
We review this policy at least annually to ensure it remains accurate and up to date.
Previous Versions
| Version | Effective Date | Summary of Changes |
|---|---|---|
| v1.0 | July 2025 | Initial Privacy Policy published |
| v2.0 | January 2026 | Updated jurisdiction, added Responsible AI references, enhanced AI governance section |
13. Contact Us
If you have any questions about this Privacy Policy or how we handle your personal data, please contact us:
Email: privacy@risqbase.com
Post:
RisqBase d.o.o.
Zagreb, Croatia
Response Time: We aim to respond to all enquiries within 5 business days.
For data protection rights requests, we will respond within 30 days as required by GDPR.
For more information about how we govern AI systems, please see our Responsible AI Use page.