GDPR Information

Your data protection rights under the General Data Protection Regulation

1. Introduction to GDPR

The General Data Protection Regulation (GDPR) is a comprehensive data protection law that came into effect on May 25, 2018. It provides EU residents with strong rights over their personal data and places obligations on organizations that process such data.

At anmly.ai, we are committed to GDPR compliance and respect your data protection rights. This page explains how GDPR applies to our service and what rights you have.

2. Who We Are (Data Controller)

For the purposes of GDPR, anmly.ai acts as the data controller for personal data you provide when using our platform. This means we determine the purposes and means of processing your personal data.

Data Controller: anmly.ai

Contact: info@delta-ai.nl

Privacy Inquiries: info@delta-ai.nl

3. Legal Basis for Processing Your Data

Under GDPR Article 6, we must have a lawful basis for processing your personal data. We process your data based on:

3.1 Contract (Article 6(1)(b))

Processing is necessary to perform our contract with you (providing the anmly.ai service):

  • Creating and managing your account
  • Processing your uploaded datasets
  • Training machine learning models
  • Generating predictions and insights
  • Providing AI chat assistance
  • Managing your plan and billing

3.2 Consent (Article 6(1)(a))

You provide explicit consent for:

  • Analytics (Vercel Web Analytics and Speed Insights)
  • Marketing communications (if you opt in)
  • Non-essential data processing

Important: You can withdraw consent at any time through your settings or cookie preferences.

3.3 Legitimate Interests (Article 6(1)(f))

We process data based on legitimate interests for:

  • Platform security and fraud prevention
  • Service improvement and bug fixing
  • Customer support and communication
  • Business analytics (aggregated and anonymized)

We balance our legitimate interests against your rights and freedoms. You have the right to object to processing based on legitimate interests.

3.4 Legal Obligation (Article 6(1)(c))

We process data when required by law:

  • Tax and accounting records
  • Compliance with court orders or legal requests
  • Anti-money laundering (AML) obligations

4. Your Rights Under GDPR

GDPR grants you the following rights regarding your personal data:

Right to Access (Article 15)

You have the right to know what personal data we hold about you and receive a copy of it.

How to exercise: View your data in your dashboard or contact us for a comprehensive report.

Right to Rectification (Article 16)

You can correct inaccurate or incomplete personal data.

How to exercise: Update your profile in Settings → Profile & Account.

Right to Erasure / "Right to be Forgotten" (Article 17)

You can request deletion of your personal data in certain circumstances.

How to exercise: Go to Settings → Privacy & Security → Delete Account. This will permanently delete all your data.

Note: We may retain certain data when required by law (e.g., financial records for tax purposes).

Right to Data Portability (Article 20)

You can receive your personal data in a structured, machine-readable format and transmit it to another service.

How to exercise: Go to Settings → Privacy & Security → Download Your Data. Choose JSON, CSV, or Excel format.

Right to Restrict Processing (Article 18)

You can request that we limit how we use your personal data in certain situations.

How to exercise: Contact us at info@delta-ai.nl with details of your request.

Right to Object (Article 21)

You can object to processing based on legitimate interests or for direct marketing purposes.

How to exercise: Adjust notification preferences in Settings or contact us to opt out of specific processing activities.

Right to Withdraw Consent

Where processing is based on consent, you can withdraw that consent at any time.

How to exercise: Manage cookie preferences via the cookie banner, or adjust settings in your account.

Note: Withdrawing consent does not affect the lawfulness of processing before withdrawal.

Right to Lodge a Complaint

You have the right to file a complaint with your national data protection authority if you believe we have violated GDPR.

We encourage you to contact us first: info@delta-ai.nl

Find your EU data protection authority: EDPB Members

5. How to Exercise Your Rights

To exercise any of your GDPR rights:

  1. Self-Service: Many rights can be exercised directly through your account settings (access, rectification, erasure, data portability)
  2. Contact Us: Email info@delta-ai.nl with your request
  3. Verification: We may ask for identity verification to protect your data
  4. Response Time: We will respond within 30 days (extendable to 60 days for complex requests)
  5. Free of Charge: Exercising your rights is free, unless requests are excessive or unfounded

6. Data We Collect

We collect and process the following categories of personal data:

  • Identity Data: Name, email address, user ID
  • Account Data: Password (encrypted), authentication tokens, MFA settings
  • Profile Data: Company name, industry, user type, preferences
  • Content Data: Uploaded datasets, analyses, predictions, projects, chat messages
  • Financial Data: Subscription plan, Stripe customer ID (payment details stored by Stripe)
  • Usage Data: Page views, features used, IP address, device information
  • Technical Data: Browser type, time zone, cookies

For a complete list, see our Privacy Policy.

7. Data Processing Activities

We process your data for the following purposes:

  • Service Delivery: Account management, ML training, predictions, AI insights
  • Communication: Account notifications, support, service updates
  • Security: Fraud prevention, authentication, access control
  • Improvement: Platform analytics, bug fixes, feature development
  • Legal Compliance: Tax records, legal obligations

8. International Data Transfers

anmly.ai operates globally, and your data may be transferred to and processed in countries outside the European Economic Area (EEA). We ensure adequate protection through:

8.1 Standard Contractual Clauses (SCCs)

We use Standard Contractual Clauses approved by the European Commission when transferring data to countries without an adequacy decision.

8.2 Our Data Processors

  • Supabase: Various global regions (DPA in place)
  • Railway.app (ML Backend): Amsterdam, Netherlands (EEA - no transfer)
  • OpenAI: United States (SCCs, DPA)
  • Stripe: United States and global (DPA, SCCs)
  • Vercel: United States and global CDN (DPA)

8.3 EU Data Residency

Your machine learning processing occurs in Amsterdam (EU), minimizing data transfers outside the EEA for core functionality.

9. Data Retention

We retain personal data for as long as necessary to provide our service and comply with legal obligations:

  • Active Accounts: Data retained while your account is active
  • Deleted Accounts: Most data deleted within 30 days; some records retained for legal compliance (e.g., financial records for 7 years)
  • Inactive Accounts: May be deleted after 2+ years of inactivity with advance notice

You can delete your data at any time through your account settings.

10. Automated Decision-Making and Profiling

We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects.

Our machine learning models are trained on your data for your purposes, not to make decisions about you as an individual. You remain in full control of how to use the insights and predictions generated.

11. Data Protection by Design and Default

We implement technical and organizational measures to ensure GDPR compliance:

11.1 Technical Measures

  • Encryption in transit (HTTPS/TLS) and at rest
  • Row Level Security (RLS) to isolate user data
  • Secure authentication with JSON Web Tokens (JWTs)
  • Multi-factor authentication (MFA) option
  • Signed URLs with expiry for file access
  • Regular security updates and patches

11.2 Organizational Measures

  • Privacy-first design principles
  • Data minimization (collect only necessary data)
  • Staff training on data protection
  • Data Processing Agreements (DPAs) with processors
  • Regular privacy impact assessments
  • Incident response procedures

11.3 Privacy by Default

  • Only essential cookies enabled by default
  • Marketing communications opt-in (not opt-out)
  • Private data storage (not publicly accessible)
  • User-specific data isolation from the start

12. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms:

  • We will notify the relevant supervisory authority within 72 hours of becoming aware
  • We will notify affected users without undue delay if there is a high risk
  • Notifications will include the nature of the breach, likely consequences, and measures taken

13. Children's Data

Our service is not directed at children under 16. We do not knowingly collect personal data from children under 16. If we become aware of such collection, we will delete the data promptly.

Parents or guardians who believe we have collected data from a child under 16 should contact us immediately at info@delta-ai.nl.

14. Data Protection Officer (DPO)

For GDPR compliance inquiries, data protection questions, or to exercise your rights, contact our data protection team:

Data Protection Contact

Email: info@delta-ai.nl

Subject: "GDPR Inquiry" or "Data Protection Request"

15. Updates to GDPR Information

We may update this GDPR information page to reflect changes in our practices or legal requirements. Material changes will be communicated to users via email or through the platform.

16. Additional Resources

Learn more about your rights and our practices:

17. Contact Us

For any GDPR-related questions or to exercise your rights:

anmly.ai

Email: info@delta-ai.nl

Data Protection Inquiries: info@delta-ai.nl

We aim to respond to all GDPR-related requests within 30 days. Complex requests may take up to 60 days, and we will inform you if an extension is necessary.