Privacy Policy

GDPR Articles 13 & 14 — information provided at collection.

Last updated:

AM8 SASU (“AM8”, “we”, “us”) is the data controller for personal data processed through am8-ai-governance.tech and the AM8 platform. We are a French société par actions simplifiée unipersonnelle (SASU), registered in France. This policy explains what we collect, the purposes of processing, our lawful basis, how long we keep data, and your rights.

Who we are and how to contact us

You can reach our Data Protection Officer (DPO) at dpo@am8-ai-governance.tech or our privacy team at privacy@am8-ai-governance.tech for any question about this policy or to exercise your rights.

What we process and the purposes of processing

We process account and profile details, organisation information, usage and security logs, support correspondence, and billing data. The purposes of processing are: to provide and secure the service, to administer your subscription, to provide support, and — only with your consent — to send product marketing. We do not sell personal data.

Lawful basis

Our lawful basis for processing is: performance of a contract (to deliver the service you have signed up for); our legitimate interests in operating, improving and securing the platform (balanced against your rights); consent for non-essential cookies and marketing; and legal obligation for tax and accounting records.

Recipients and sub-processors

We share data with vetted sub-processors and other third parties strictly to deliver the service. Each is bound by a Data Processing Agreement. See the current sub-processor list. Our AI assistant is powered by Anthropic's Claude under a Zero Data Retention (ZDR) addendum, so your prompts and outputs are not retained by Anthropic for training.

International transfers

Some sub-processors are located outside the European Economic Area. Where we transfer personal data to a third country that is not covered by an adequacy decision, we rely on the EU Standard Contractual Clauses and additional safeguards.

Retention periods

We retain personal data only as long as necessary for the purposes above. Account data is kept for the life of your account and deleted (or anonymised) within 90 days of closure; billing and tax records are retained for 7 years to meet legal obligations; security logs are kept for up to 90 days.

Automated decision-making

ARIA produces AI-generated drafts and suggestions, but AM8 does not make decisions producing legal or similarly significant effects about you solely by automated decision-making or profiling within the meaning of Article 22. A qualified human reviews outputs before they are relied upon.

Your rights

You have the right to access (Article 15), rectification (Article 16), erasure (Article 17), restriction, data portability and objection. To exercise any of these, contact dpo@am8-ai-governance.tech or use the tools in your account's privacy settings.

Complaints and supervisory authority

You have the right to lodge a complaint with your supervisory authority. AM8 is established in France, so our lead supervisory authority is the French CNIL (cnil.fr); you may also complain to the authority in your own country. As an EU-established controller, AM8 is not required to appoint an Article 27 EU representative.