Privacy Policy

Effective: March 29, 2026

1. Introduction

This privacy policy explains how Parallax Technologies GmbH (i.Gr.) ("we", "us", "our"), operating the platform witness-compliance.eu ("Witness", "the Service"), collects, uses, and protects your personal data. We are committed to protecting your privacy in accordance with the General Data Protection Regulation (GDPR) and applicable Austrian data protection law.

2. Data Controller

The data controller responsible for processing your personal data is:

Parallax Technologies GmbH (i.Gr.)

E-Mail: kevin@witness-compliance.eu

Full address and registration details will be published upon GmbH formation.

3. Data We Collect

We collect and process the following categories of personal data:

Account Data

Email address and name, collected during registration for authentication via magic link.

Organization Data

Company name, country, industry, and organization size, provided by you to establish your compliance context.

Compliance Documentation

Form field data you enter when using our compliance tools (classifier, technical documentation, risk management, FRIA, etc.). This is the core service of Witness and constitutes your compliance work product.

Uploaded Documents

If you upload documents for AI-assisted analysis, the extracted text is sent to our AI provider for processing. Documents are processed in memory only and are not stored as files on our servers.

Chat Conversations

Messages you send through the expert chat feature are stored in our database and sent to our AI provider to generate responses.

Payment Information

Payment processing is handled entirely by Stripe. We only store your Stripe customer ID and access tier. We do not have access to your credit card details or bank information.

Analytics Data

We collect anonymous page-level analytics via Umami. This is a privacy-friendly, cookieless analytics tool that does not collect personal data, does not use cookies, and does not track individual users.

Technical Data

Authentication session tokens stored in an httpOnly cookie for maintaining your logged-in session.

4. Legal Basis for Processing

We process your data on the following legal bases under GDPR Article 6:

Contract Performance (Art. 6(1)(b))

Processing of account data, organization data, compliance documentation, and chat conversations is necessary for the performance of our contract with you — providing the Witness compliance platform.

Legitimate Interest (Art. 6(1)(f))

Anonymous analytics data is processed based on our legitimate interest in understanding how the platform is used and improving our service. Security logging is based on our legitimate interest in protecting the service.

Consent (Art. 6(1)(a))

Document uploads for AI-assisted analysis are processed based on your explicit consent. You actively choose to upload each document. You can withdraw consent at any time by simply not uploading further documents.

5. Third-Party Processors

We use the following third-party service providers to operate Witness:

  • Anthropic (USA): AI-powered document analysis and chat responses. Receives: extracted document text from uploads and chat messages.
  • OpenAI (USA): Embedding generation for semantic search over public EU AI Act regulatory text. No user data is sent to OpenAI — only publicly available EU regulation text.
  • Resend (USA): Email delivery for magic link authentication and team invitations. Receives: email addresses only.
  • Sentry (EU/USA): Application error monitoring and incident diagnostics. Receives: technical error metadata, request identifiers, and stack traces when failures occur.
  • Cloudflare (Global): DNS, proxying, bot protection, and Turnstile verification. Receives: IP addresses, browser metadata, and anti-abuse telemetry needed to protect the service.
  • Stripe (USA): Payment processing. Receives: standard payment data as entered by you during checkout. We do not store payment details.
  • Railway (EU West): Database and application hosting in the EU. All persistent user data is stored here.
  • Umami (cloud.umami.is): Anonymous, cookieless website analytics. No personal data is collected or transmitted.

6. International Data Transfers

Some of our processors are based in or may process data from outside the European Union (Anthropic, OpenAI, Resend, Sentry, Stripe, Cloudflare). Data transfers are conducted on the basis of the EU-US Data Privacy Framework and/or Standard Contractual Clauses (SCCs) in accordance with GDPR Article 46 where required. Our database hosting (Railway) is located in the EU West region — no international transfer applies to your stored data at rest.

7. Data Retention

We retain your data for the following periods:

  • Account data: Retained while your account is active. Deleted upon account deletion.
  • Compliance data: Retained while your account is active. Deleted upon account deletion.
  • Chat messages: Retained while your account is active. Deleted upon account deletion.
  • Uploaded documents: Not retained. Processed in memory and discarded immediately after analysis.
  • Analytics: Anonymized at collection. No personal data is retained.
  • Payment records: Retained as required by Austrian tax law (Bundesabgabenordnung, § 132) for a period of 7 years.

8. Your Rights Under GDPR

You have the following rights regarding your personal data:

  • Right of access (Art. 15) — You can request a copy of all personal data we hold about you.
  • Right to rectification (Art. 16) — You can request correction of inaccurate data.
  • Right to erasure (Art. 17) — You can request deletion of your data, subject to legal retention obligations.
  • Right to restrict processing (Art. 18) — You can request that we limit how we use your data.
  • Right to data portability (Art. 20) — You can request your data in a structured, machine-readable format.
  • Right to object (Art. 21) — You can object to processing based on legitimate interest.
  • Right to withdraw consent (Art. 7(3)) — Where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, please contact us at kevin@witness-compliance.eu. We will respond within 30 days.

9. Supervisory Authority

You have the right to lodge a complaint with the competent data protection supervisory authority:

Österreichische Datenschutzbehörde

Barichgasse 40-42, 1030 Wien, Austria

dsb@dsb.gv.at

https://www.dsb.gv.at

10. Cookies

Witness uses only one cookie, which is essential for the operation of the service:

  • authjs.session-token — An httpOnly, secure session cookie used for authentication. This is a strictly necessary cookie and does not require consent under ePrivacy rules.

We do not use tracking cookies, advertising cookies, or any third-party cookies. Our analytics tool (Umami) is completely cookieless.

11. Children

Witness is a business-to-business compliance platform and is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.

12. Changes to This Policy

We may update this privacy policy from time to time to reflect changes in our practices or applicable law. Material changes will be communicated via email or through an in-app notice. Continued use of the Service after changes become effective constitutes acceptance of the updated policy.