Legal

Privacy Policy

Effective date: 1 January 2026  ·  Last updated: 1 March 2026

Gradaris ("Gradaris", "we", "our", or "us") operates the AI governance and compliance platform available at gradaris.com. This Privacy Policy describes how we collect, use, store, and share information about you when you use our website, platform, or services (collectively, the "Services").

Please read this policy carefully. By using the Services, you agree to the practices described here. If you do not agree, please discontinue use of the Services.

1. Information we collect

Information you provide directly

  • Account information: name, work email address, company name, job title, and password when you register for or request access to Gradaris.
  • Demo and contact requests: information submitted through the contact form, including your role, industry, and description of your AI governance challenge.
  • Newsletter subscription: email address provided when you subscribe to our newsletter.
  • Support communications: messages you send to info@gradaris.com or via in-platform support.

Information collected automatically

  • Usage data: pages visited, features used, time spent, click paths, and referring URLs collected via server logs and analytics.
  • Technical data: IP address, browser type and version, operating system, device type, and screen resolution.
  • Cookies and similar technologies: see the Cookies section below.

Platform telemetry (API and SDK usage)

When you use the Gradaris SDK or webhook integration, we collect governance telemetry as described in your service agreement. This includes agent metadata, timing, error signals, and cryptographic hashes of inputs and outputs. We do not receive, store, or process raw agent inputs, outputs, or any underlying personal data processed by your AI agents. Gradaris is intentionally designed to remain outside your data perimeter.

2. How we use your information

We use the information we collect to:

  • Provide, operate, and improve the Gradaris platform and Services.
  • Respond to demo requests, support enquiries, and general communications.
  • Send service communications, including account confirmations and security alerts.
  • Send the Gradaris newsletter and governance-related updates (where you have subscribed or consented).
  • Conduct security monitoring and detect fraudulent or abusive activity.
  • Comply with applicable legal obligations, including responses to lawful regulatory requests.
  • Perform analytics to understand how the Services are used and to prioritize product development.

We do not sell your personal data to third parties. We do not use your data for automated decision-making that produces legal or similarly significant effects.

3. Your AI agents and your data

Gradaris processes governance metadata — not your AI agent's data. We receive only cryptographic hashes, timing measurements, and error signals. The content your agents process never leaves your infrastructure.

This design is intentional and a core architectural principle of the Gradaris platform. Your customers' data, proprietary models, and AI outputs remain entirely within your own systems. Gradaris assessments are based on structural and behavioural signals, not content.

Where the General Data Protection Regulation (EU 2016/679) applies, we process personal data on the following bases:

  • Contract performance: processing necessary to deliver the Services you have requested.
  • Legitimate interests: security monitoring, fraud prevention, product analytics, and direct marketing to existing customers — where our interests are not overridden by your rights.
  • Consent: newsletter subscriptions and non-essential cookies — you may withdraw consent at any time.
  • Legal obligation: compliance with applicable laws and regulatory requirements.

5. How we share your information

We share personal data only in the following circumstances:

  • Service providers: third-party vendors who assist us in operating the Services (hosting, email delivery, analytics, payment processing) under data processing agreements that restrict their use of your data.
  • Legal requirements: when required to do so by law, court order, or other governmental authority, or when we believe in good faith that disclosure is necessary to protect the rights, property, or safety of Gradaris, our users, or the public.
  • Business transfers: in connection with a merger, acquisition, or sale of assets, subject to the acquirer's commitment to honor this Privacy Policy.
  • With your consent: in any other circumstances where you have given explicit consent.

We do not share personal data with advertisers or data brokers.

6. Data retention

We retain personal data for as long as necessary to provide the Services and comply with our legal obligations:

  • Account data: retained for the duration of your account and for up to 3 years after closure, unless a longer period is required by law.
  • Platform governance telemetry: retained for the period specified in your service agreement, typically 7 years to support regulatory audit requirements.
  • Newsletter data: retained until you unsubscribe. We will process one final confirmation email on unsubscription.
  • Support and contact records: retained for up to 3 years from the date of the communication.

7. Your rights

Depending on your jurisdiction, you may have the right to:

  • Access: request a copy of the personal data we hold about you.
  • Rectification: request correction of inaccurate or incomplete data.
  • Erasure: request deletion of your personal data, subject to legal retention obligations.
  • Restriction: request that we restrict processing in certain circumstances.
  • Portability: receive your data in a structured, machine-readable format.
  • Objection: object to processing based on legitimate interests, including direct marketing.
  • Withdraw consent: where processing is based on consent, withdraw it at any time without affecting prior processing.

To exercise any of these rights, contact us at info@gradaris.com. We will respond within 30 days. You also have the right to lodge a complaint with your national data protection authority.

8. Cookies

We use the following categories of cookies:

  • Strictly necessary: session management and authentication. These cannot be disabled.
  • Analytics: aggregate usage statistics to improve the Services. These are set only with your consent.
  • Functional: remembering preferences such as language and region. These are set only with your consent.

We do not use advertising or tracking cookies. You can manage cookie preferences at any time via the cookie settings link in the footer.

9. Security

We implement industry-standard security measures including TLS encryption in transit, AES-256 encryption at rest, network isolation via VPC, and access controls with role-based permissions. Governance telemetry is cryptographically hashed to ensure integrity.

No method of transmission over the internet is 100% secure. In the event of a data breach affecting your rights and freedoms, we will notify you and the relevant supervisory authority within 72 hours as required by applicable law.

10. International data transfers

Gradaris operates infrastructure in the United States (AWS). If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, your personal data may be transferred to and processed in the United States. We rely on Standard Contractual Clauses approved by the European Commission for such transfers. You may request a copy of the relevant transfer mechanisms by contacting us.

11. Children

Gradaris is a business-to-business service and is not directed at individuals under 18. We do not knowingly collect personal data from minors. If you believe we have inadvertently collected such data, contact us at info@gradaris.com and we will delete it promptly.

12. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top of this page. For material changes, we will provide notice by email or by a prominent notice on the Gradaris website at least 14 days before the change takes effect. Your continued use of the Services after any change constitutes acceptance of the updated policy.

13. Contact us

If you have questions, concerns, or requests relating to this Privacy Policy or our handling of your personal data, please contact us: