Last updated: February 4, 2026

Privacy Policy

At GuardianAI we take your data privacy very seriously. This policy clearly explains how we collect, use and protect your information when you use our platform.

End-to-end encryption

TLS in transit and AES-256 at rest for all your documents.

Never trained on your data

We never use your documents to train AI models.

Your GDPR rights

Access, rectification, erasure and data portability guaranteed.

Hosted in Europe

Infrastructure in EU data centers with Supabase/Vercel.

1. Who we are

GuardianAI is a RegTech (Regulatory Technology) platform specialized in automating compliance with the EU AI Act, GDPR and ISO 42001 for European companies. We operate online at guardian-ai.online.

The controller of your personal data is GuardianAI. You can contact us at any time at contact@guardian-ai.online.

2. Data we collect

Account data

  • Full name
  • Email address
  • Company name (optional)
  • Hashed password (bcrypt, never stored in plain text)

Documents you upload

  • PDF, DOCX, TXT files uploaded for analysis
  • URLs submitted for scanning
  • Documents retrieved from integrations (Google Drive, Dropbox, OneDrive)

These documents are used exclusively to generate your compliance report. They are not shared with third parties or used to train AI models.

Usage and metrics data

  • Number of scans performed
  • Compliance score and findings generated
  • Dashboard activity history
  • Access logs (timestamps, anonymized IP)

Billing data

  • Subscription and plan history
  • Payment data processed by Stripe (we never store card numbers)
  • Invoices and transaction confirmations

Payment data is securely processed and stored by Stripe Inc., compliant with PCI DSS Level 1.

3. How we use your data

Provide the service

Analyze your documents, generate compliance reports and keep your dashboard updated.

Manage your account

Authentication, quota management, scan history and profile settings.

Billing and payments

Process subscriptions, issue invoices and manage plan changes via Stripe.

Customer support

Answer your queries, resolve incidents and improve service quality.

Security and fraud prevention

Detect anomalous activity, protect platform integrity and meet legal obligations.

Product improvement

Analyze aggregated usage metrics (no personal data) to improve features.

4. Legal basis for processing

Performance of contract (Art. 6.1.b GDPR)

Processing necessary to provide the service you subscribed to.

Legitimate interest (Art. 6.1.f GDPR)

Platform security, fraud prevention and service improvement via aggregated metrics.

Legal obligation (Art. 6.1.c GDPR)

Retention of invoices and accounting records under applicable tax law.

Consent (Art. 6.1.a GDPR)

Marketing communications and newsletters, when you have given explicit consent.

5. Sub-processors and third parties

To provide the service we work with the following trusted providers. All have data processing agreements (DPAs) in place and comply with the GDPR:

Provider             Purpose                                   Location
Supabase             Database, authentication and storage      EU (AWS Frankfurt)
Vercel               Hosting and application deployment        EU / USA (SCCs)
Stripe               Payment processing                        USA (SCCs + PCI DSS)
Google (Gemini API)  AI-powered document analysis              USA (SCCs)
Vercel Analytics     Aggregated usage metrics (no cookies)     USA (SCCs)

SCCs = Standard Contractual Clauses issued by the European Commission for international transfers.

6. Data retention

Data                         Retention period
Active account data          While account is active
Analyzed documents           90 days after scan (automatic deletion)
Reports and findings         Subscription duration + 30-day grace period
Billing records              5 years (tax obligation)
Access logs                  30 days (security)
After account cancellation   Complete deletion within 30 days

7. Your GDPR rights

Access (Art. 15)

Request a copy of all your personal data we process.

Rectification (Art. 16)

Correct inaccurate or incomplete data in your profile.

Erasure (Art. 17)

Request deletion of your data ('right to be forgotten').

Restriction (Art. 18)

Restrict processing of your data in certain circumstances.

Portability (Art. 20)

Receive your data in a structured, machine-readable format.

Objection (Art. 21)

Object to processing based on legitimate interest or for marketing.

To exercise any of these rights, send an email to contact@guardian-ai.online stating the right you wish to exercise and your registered email address. We will respond within 30 days. If you believe processing is not compliant, you may lodge a complaint with your national data protection authority (in Spain: AEPD).

8. Data security

We implement enterprise-grade technical and organizational measures:

  • Encryption in transit (TLS 1.3)
  • Encryption at rest (AES-256)
  • Two-factor authentication available
  • Row Level Security (RLS) in database
  • Session tokens with automatic expiry
  • Periodic security audits
  • Environment separation (prod/staging)
  • Anomalous access monitoring

9. Changes to this policy

We may update this Privacy Policy occasionally. We will notify you by email or via a prominent notice on the platform before changes take effect. The "last updated" date at the top of this document always reflects the current version.

Questions about your privacy?

We are available to answer any questions about the processing of your personal data.