Privacy Policy

Effective: April 20, 2026

1. Introduction

This privacy policy explains how Parallax Technologies GmbH ("we", "us", "our"), operating the platform witness-compliance.eu ("Witness", "the Service"), collects, uses, and protects your personal data. We are committed to protecting your privacy in accordance with the General Data Protection Regulation (GDPR) and applicable Austrian data protection law.

2. Data Controller

The data controller responsible for processing your personal data is:

Parallax Technologies GmbH

E-Mail: [email protected]

Favoritenstraße 92/131, 1100 Wien, Österreich. Registered with the commercial register of the Handelsgericht Wien under FN 678180 z. VAT ID (UID): ATU83326713.

3. Data We Collect

We collect and process the following categories of personal data:

Account Data

Email address and name, collected during registration for authentication via magic link.

Organization Data

Company name, country, industry, and organization size, provided by you to establish your compliance context.

Compliance Documentation

Form field data you enter when using our compliance tools (classifier, technical documentation, risk management, FRIA, etc.). This is the core service of Witness and constitutes your compliance work product.

Uploaded Documents

If you upload documents for AI-assisted analysis, the extracted text is sent to our AI provider (Anthropic) for processing within the scope of the compliance workflow you have requested. Uploaded document files are processed in memory only and are not stored as files on our servers. After the workflow completes, only the extracted field values and the associated guidance metadata you have accepted into your compliance artifact are persisted; the original file content is discarded. You remain in control: you decide which uploaded field values to accept into your artifact and can remove them at any time.

Chat Conversations

Messages you send through the expert chat feature are stored in our database and sent to our AI provider to generate responses.

Payment Information

Payment processing is handled entirely by Paddle. We only store your Paddle customer ID and access tier. We do not have access to your credit card details or bank information.

Analytics Data

We collect aggregate page-level analytics via Umami Cloud. Umami is configured without cookies and is used to understand broad product usage, not to build advertising profiles.

Technical Data

Authentication session tokens, locale preferences, anti-abuse verification data, request identifiers, and security logs needed to operate and protect the service.

4. Legal Basis for Processing

We process your data on the following legal bases under GDPR Article 6:

Contract Performance (Art. 6(1)(b))

Processing of account data, organization data, compliance documentation, uploaded document text submitted for AI-assisted analysis, and chat conversations is necessary for the performance of our contract with you — providing the Witness compliance platform and the features you request.

Legitimate Interest (Art. 6(1)(f))

Cookieless page-level analytics, security logging, abuse prevention, and service diagnostics are processed based on our legitimate interests in understanding how the platform is used, improving reliability, and protecting the service.

Consent (Art. 6(1)(a))

Where we ask for consent, such as for optional communications or optional non-essential features, you may withdraw that consent at any time. Document uploads are user-requested service inputs and are processed under the contract basis described above.

5. Third-Party Processors

We use the following third-party service providers to operate Witness:

  • Anthropic (USA) AI-powered document analysis and chat responses. Receives: extracted document text from uploads and chat messages.
  • OpenAI (USA) Embedding generation for semantic search over public EU AI Act regulatory text. No user data is sent to OpenAI — only publicly available EU regulation text.
  • Resend (USA) Email delivery for magic link authentication and team invitations. Receives: email addresses only.
  • Sentry (EU/USA) Application error monitoring and incident diagnostics. Receives: technical error metadata, request identifiers, and stack traces when failures occur.
  • Cloudflare (Global) DNS, proxying, bot protection, and Turnstile verification. Receives: IP addresses, browser metadata, and anti-abuse telemetry needed to protect the service.
  • Paddle (UK/EU) Payment processing and merchant of record. Receives: standard payment data as entered by you during checkout. Paddle acts as merchant of record for payment, tax, and invoice processing. We do not store card details.
  • Railway (EU West) Database and application hosting in the EU for persistent application data.
  • Umami (cloud.umami.is) Aggregate, cookieless website analytics via Umami Cloud.

6. International Data Transfers

Some of our processors are based in or may process data from outside the European Union (including Anthropic, OpenAI, Resend, Sentry, Cloudflare, and Paddle). Data transfers are conducted on the basis of an adequacy decision, the EU-US Data Privacy Framework, and/or Standard Contractual Clauses (SCCs) in accordance with GDPR Chapter V where required. Our database hosting (Railway) is located in the EU West region, so stored application data is hosted in the EU at rest.

7. Data Retention

We retain your data for the following periods:

  • Account data: Retained while your account is active. Deletion is available by contacting [email protected].
  • Compliance data: Retained while your account is active. Deletion is available by contacting [email protected], subject to legal retention obligations.
  • Chat messages: Retained while your account is active. Deletion is available by contacting [email protected], subject to legal retention obligations.
  • Uploaded documents: Not retained. Processed in memory and discarded immediately after analysis.
  • Analytics: retained only as aggregate, page-level metrics without advertising identifiers.
  • Payment records: Retained as required by Austrian tax law (Bundesabgabenordnung, § 132) for a period of 7 years.

8. Your Rights Under GDPR

You have the following rights regarding your personal data:

  • Right of access (Art. 15) — You can request a copy of all personal data we hold about you.
  • Right to rectification (Art. 16) — You can request correction of inaccurate data.
  • Right to erasure (Art. 17) — You can request deletion of your data, subject to legal retention obligations.
  • Right to restrict processing (Art. 18) — You can request that we limit how we use your data.
  • Right to data portability (Art. 20) — You can request your data in a structured, machine-readable format.
  • Right to object (Art. 21) — You can object to processing based on legitimate interest.
  • Right to withdraw consent (Art. 7(3)) — Where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, please contact us at [email protected]. We will respond within 30 days.

8a. Data Accuracy and Regulatory Consequences

Parallax Technologies GmbH processes personal data only as necessary to provide the Service. We are not responsible for the accuracy or completeness of personal data that you or your authorised users enter, upload, or include in compliance artifacts. To the extent permitted by applicable law, we are not liable for regulatory fines, audit findings, notified-body decisions, or other regulatory consequences arising from inaccurate, incomplete, or outdated data that you have provided. This section does not limit liability that cannot be limited under mandatory data-protection law (including Article 82 GDPR).

9. Supervisory Authority

You have the right to lodge a complaint with the competent data protection supervisory authority:

Österreichische Datenschutzbehörde

Barichgasse 40-42, 1030 Wien, Austria

[email protected]

https://www.dsb.gv.at

10. Cookies

Witness uses essential cookies and local browser storage needed for authentication, language selection, anti-abuse verification, and saving in-progress form state:

  • Session and security cookies: Store your authentication state, selected locale, and completed Turnstile verification. Authentication cookies are httpOnly, secure in production, and sameSite=lax.

We do not use advertising cookies. Umami analytics is configured without cookies; Cloudflare Turnstile may process technical browser signals for abuse prevention.

11. Children

Witness is a business-to-business compliance platform and is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.

12. Changes to This Policy

We may update this privacy policy from time to time to reflect changes in our practices or applicable law. Material changes will be communicated via email or through an in-app notice. Continued use of the Service after changes become effective constitutes acceptance of the updated policy.

Back to home