Last updated: March 1, 2026
Our Commitment
Stratoscan AI is fully committed to GDPR compliance for all personal data we process in connection with our AI-powered business audit services. We process data lawfully, fairly, and in a transparent manner; we collect only what we need; and we keep it only as long as necessary to deliver your audit and meet legal obligations.
This statement summarizes how we align with the Regulation. It does not replace our Privacy Policy or any Data Processing Agreement (DPA) you may have with us; where those documents differ from this statement in detail, they prevail.
Lawful Basis for Processing
Depending on the activity, we rely on one or more of the following lawful bases under Article 6 GDPR:
- Consent — Where we ask for clear, affirmative permission (for example, certain marketing communications or optional analytics), you may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
- Contractual necessity — Processing required to perform our contract with you: delivering audits, operating your account, billing, and support.
- Legitimate interests — Where we have a legitimate interest that is not overridden by your rights, such as securing our services, preventing fraud, improving product reliability, or limited internal analytics—balanced with appropriate safeguards.
- Legal obligation — Where we must process data to comply with applicable law, including tax, accounting, or regulatory requirements.
Data We Process
We process categories of data proportionate to running audits and our business. These include:
- Personal identification data — Name, work email, job title, company affiliation, and contact details you provide when signing up or communicating with us.
- Business operational data — Information you or your integrations supply for the audit (for example, financial metrics, operational KPIs, or documents you choose to share), which may include personal data about individuals in your organization where relevant.
- Usage analytics — Technical and usage information about how you interact with our platform (e.g., feature usage, device/browser type, approximate location derived from IP where needed for security), subject to our privacy settings and consent where required.
- Communication data — Content of emails, in-app messages, and support tickets to resolve issues and improve service.
Your Rights Under GDPR
If we process your personal data and the GDPR applies, you have the following rights, subject to conditions and exceptions in the Regulation:
- Right to Access (Art. 15) — Request confirmation of whether we process your data and obtain a copy of it, together with certain information about the processing.
- Right to Rectification (Art. 16) — Request correction of inaccurate personal data or completion of incomplete data.
- Right to Erasure (Art. 17) — Request deletion where applicable—for example, where data is no longer necessary, consent is withdrawn, or you object and there are no overriding grounds.
- Right to Restrict Processing (Art. 18) — Request restriction in defined circumstances, such as while we verify accuracy or the lawfulness of processing.
- Right to Data Portability (Art. 20) — Where processing is based on consent or contract and carried out by automated means, receive your data in a structured, commonly used, machine-readable format and transmit it to another controller where technically feasible.
- Right to Object (Art. 21) — Object to processing based on legitimate interests or for direct marketing; we will stop unless we demonstrate compelling legitimate grounds.
- Rights related to automated decision-making (Art. 22) — Where applicable, you have safeguards regarding decisions based solely on automated processing that produce legal or similarly significant effects; our human-in-the-loop audit workflows are designed so meaningful review is available where such processing occurs.
Data Protection Officer
We have appointed a Data Protection Officer (DPO) to oversee GDPR compliance, advise on data protection impact assessments, and serve as a point of contact for supervisory authorities and data subjects on privacy matters.
Contact: dpo@stratoscan.ai
International Data Transfers
Where personal data is transferred outside the European Economic Area (EEA), we implement appropriate safeguards required by GDPR, including:
- Standard Contractual Clauses (SCCs) — EU Commission-approved clauses with recipients where needed.
- Adequacy decisions — Transfers to countries benefitting from an EU adequacy decision, where applicable.
- Successor frameworks — We monitor developments such as the EU-U.S. Data Privacy Framework and equivalent arrangements and update our transfer mechanisms to remain compliant.
Data Processing Agreements
Enterprise customers may execute a Data Processing Agreement (DPA) with Stratoscan AI that reflects Article 28 GDPR requirements, including our obligations as processor (or sub-processor, as agreed), confidentiality, subprocessors, security measures, assistance with data subject requests, deletion or return of data at end of service, and audit cooperation.
DPAs describe permitted processing, subprocessors, and data handling procedures so your legal and security teams can assess risk consistently with your own records of processing.
Data Breach Notification
We maintain incident response procedures to detect, contain, and assess personal data breaches. Where a breach is likely to result in a risk to individuals’ rights and freedoms, we will notify the competent supervisory authority without undue delay and, where required by GDPR, within 72 hours of becoming aware of it.
When the breach is likely to result in a high risk to affected individuals, we will also communicate to those individuals without undue delay unless a narrow exception applies. We will document breaches as required by Article 33(5).
Sub-Processors
We engage carefully vetted sub-processors to host and operate our service. Examples include:
- AWS — Cloud infrastructure and storage.
- Stripe — Payment processing.
- Google Analytics — Anonymized or aggregated website analytics, configured to reduce personal data where possible.
- SendGrid — Transactional and operational email delivery.
Our DPA and sub-processor list (where provided) describe locations and purposes; we notify customers of material changes in line with our agreements.
Exercising Your Rights
To exercise any GDPR right, email gdpr@stratoscan.ai with your request and enough information for us to verify your identity. We will respond within one month, extendable by up to two further months where complex, and we will explain any extension as required by law.
There is no fee for reasonable requests; we may charge a reasonable fee or refuse manifestly unfounded or excessive requests.
Supervisory Authority
You have the right to lodge a complaint with a data protection supervisory authority in the EU member state of your habitual residence, place of work, or place of the alleged infringement. We encourage you to contact us first so we can try to resolve your concern.
Contact
Stratoscan AI Inc.
Data Protection Officer
2400 Market Street, Suite 300
San Francisco, CA 94114
dpo@stratoscan.ai