Privacy Policy

Version 1.0 · June 2026 · Compliant with GDPR (EU) 2016/679 and EU AI Act (EU) 2024/1689

2.1 Data Controller

The data controller is: [Company name], a private limited company (osaühing) registered in Estonia under registry code [number], with registered address at [address], Tallinn, Estonia.

Contact for data protection matters: [email protected]

2.2 Categories of Data, Purposes and Legal Bases

Category of data	Purpose	Legal basis
Registration data (email, hashed password)	Account creation and management	Performance of contract (Art. 6(1)(b) GDPR)
Text of queries submitted in chat	AI response generation; knowledge base improvement	Performance of contract (Art. 6(1)(b) GDPR)
Usage data (sessions, timestamps, subscription plan)	Billing management, usage analytics, security	Legitimate interest (Art. 6(1)(f) GDPR)
Payment data	Subscription management — processed by Stripe as independent controller	Performance of contract (Art. 6(1)(b) GDPR)

2.3 Use of Artificial Intelligence (Art. 13 EU AI Act)

EPR Specialist.AI is an AI-powered platform. The following information is provided pursuant to Article 13 of Regulation (EU) 2024/1689 (EU AI Act):

System identity: the AI system used is Claude, a large language model developed and operated by Anthropic PBC (San Francisco, USA). Anthropic acts as a data processor under Article 28 GDPR;
Intended purpose: the system provides informational support on Extended Producer Responsibility (EPR) regulations across EU member states and selected third countries, for use by compliance professionals;
Data flows: query text entered by the user is transmitted to Anthropic's API for response generation and stored in the platform database (Supabase, EU infrastructure) for service delivery and, in anonymised form, for knowledge base maintenance;
No special category data: no data falling under Article 9 GDPR is required or processed;
No solely automated decision-making: AI-generated responses do not constitute automated decisions with legal effects on users within the meaning of Article 22 GDPR; all outputs require human review and interpretation;
Accuracy and limitations: the system may generate inaccurate or outdated information. Users are encouraged to verify outputs against official sources;
Human oversight: users retain full control over their professional decisions; the AI system operates exclusively as a support tool.

2.4 International Data Transfers

Query text is processed by Anthropic PBC, a company based in the United States. The transfer is carried out on the basis of Standard Contractual Clauses (SCCs) adopted by the European Commission, as incorporated in the Data Processing Agreement entered into with Anthropic. Authentication and session data are stored on Supabase infrastructure located within the European Union.

As the data controller is established in Estonia (EU), no transfer to a third country is involved for the controller's own operations.

2.5 Data Retention

Account data: retained for the duration of the contract and for 7 years after termination (Estonian accounting law requirements);
Conversation content: retained for 24 months from the date of the query, then deleted or anonymised;
System and security logs: retained for 12 months;
Billing records: retained for 7 years pursuant to Estonian and EU tax regulations.

2.6 Rights of Data Subjects

Users have the right to access, rectify, erase, restrict processing of, and port their personal data, and to object to processing, pursuant to Articles 15–20 GDPR. Requests should be sent to [email protected]. The controller will respond within 30 days.

Users also have the right to lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon — www.aki.ee), the supervisory authority for the data controller's establishment, or with the supervisory authority of their country of residence.

2.7 Obligations of Professional Users (Art. 13 EU AI Act)

Users who employ EPR Specialist.AI in the context of professional services rendered to third parties are independently responsible, pursuant to Article 13 of Regulation (EU) 2024/1689, for informing their own clients of the use of AI systems as a support tool in the delivery of professional services, in clear, plain and comprehensive language. The data controller bears no responsibility for the disclosure obligations that professional users owe to their own clients.

2.8 Security of Processing (Art. 32 GDPR · Art. 9 EU AI Act)

The data controller implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk throughout the entire lifecycle of processing, in accordance with Article 32 GDPR and the security requirements of Article 9 EU AI Act. Measures in place include: secure user authentication, TLS encryption of data in transit, role-based access controls, and infrastructure protection via Cloudflare.

2.9 Knowledge Base Accuracy and Updates

The EPR regulatory knowledge base is updated on an ongoing basis following legislative changes in the countries covered, with the aim of ensuring accuracy and reliability of information, consistent with the obligations of providers under Article 13(3)(b) EU AI Act. The platform does not guarantee real-time updates; for time-sensitive compliance matters, users are advised to consult official sources directly.

2.10 Changes to This Policy

The data controller may update this Privacy Policy at any time. Users will be notified of material changes via the email address associated with their account at least 14 days before the changes take effect. Continued use of the platform after that date constitutes acceptance of the revised policy.