Last updated: February 2026
The data controller for the processing of personal data described in this Privacy Policy is:
We collect and process the following categories of personal data:
| Category | Data Collected |
|---|---|
| Account data | Name, email address, password hash |
| Organization data | Company name, industry, company size, country |
| AI system data | System names, descriptions, purposes, risk classifications |
| Employee data | Names, email addresses, departments, training progress |
| Usage data | Feature usage, page views, session data |
| Payment data | Processed by Stripe. We do not store credit card numbers or full payment details on our servers. |
We process personal data for the following purposes:
We process your personal data on the following legal bases under the General Data Protection Regulation:
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law:
| Data Category | Retention Period |
|---|---|
| Account data | Retained while your account is active, plus 30 days after account deletion |
| Organization and compliance data | Retained while your subscription is active, plus 90 days after cancellation |
| Analytics data | 26 months |
| Payment records | 7 years (as required by Norwegian accounting law / Bokføringsloven) |
We share personal data with the following third-party processors, each of which is bound by a data processing agreement:
| Processor | Purpose | Location | Safeguards |
|---|---|---|---|
| Supabase | Database hosting | EU (Frankfurt) | EU data residency |
| Stripe | Payment processing | US / EU | SCCs |
| Anthropic | AI generation (Claude API) | US | SCCs + DPA |
| OpenAI | Text embeddings | US | SCCs + DPA |
| Resend | Transactional email | US | SCCs |
| Vercel | Application hosting | US / EU | SCCs |
| PostHog | Product analytics | EU | EU data residency |
Some of our third-party processors are located outside the European Economic Area (EEA). When personal data is transferred to countries that have not received an adequacy decision from the European Commission, we ensure appropriate safeguards are in place:
Under the GDPR, you have the following rights regarding your personal data:
To exercise any of these rights, please contact us at support@aktai.eu. We will respond to your request within 30 days.
We use cookies and similar technologies on our platform:
You can manage your cookie preferences at any time through the cookie settings on our platform.
AktAI is not intended for use by children under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16, we will take steps to delete that data as promptly as possible. If you believe that a child under 16 has provided us with personal data, please contact us at support@aktai.eu.
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable laws. For material changes, we will provide at least 30 days' advance notice by email to the address associated with your account.
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data.
If you have any questions about this Privacy Policy or wish to exercise your data subject rights, please contact us at:
If you are unsatisfied with our response, you have the right to lodge a complaint with the Norwegian Data Protection Authority: