Privacy Policy
Effective: 23 May 2026
This Privacy Policy explains how Confir OÜ (“Confir”, “we”, “us”) collects, uses and protects personal data when you visit confir.eu, sign up for an account or use the Confir platform (the “Service”).
We are committed to processing personal data lawfully, fairly and transparently under Regulation (EU) 2016/679 (the General Data Protection Regulation, “GDPR”) and the Estonian Personal Data Protection Act.
1. Controller
The controller for the personal data processed in connection with the Service is:
Confir OÜ
[Registered street address]
[Postal code, City], Estonia
Email: privacy@confir.eu
2. Data Protection Officer
You can reach our Data Protection Officer at dpo@confir.eu or by writing to the postal address above with “DPO” in the subject line.
3. Categories of personal data we process
3.1 Account & identity data
- Full name, work email, job title, organisation
- Authentication credentials (password hash, MFA secrets)
- Profile preferences and language settings
3.2 Service data
- Information you enter into the platform (AI system registrations, assessments, controls, findings, attachments)
- Audit log entries (action, actor, timestamp, IP, user agent)
- Comments, evidence files and any other content you upload
3.3 Billing data
- Company name, VAT ID, billing address
- Payment metadata processed by our payment provider (we do not store full card details — see Section 6)
3.4 Technical & usage data
- IP address, browser type, operating system, device identifiers
- Pages visited, features used, requests made, error logs, performance telemetry
- Cookies and similar technologies — see our Cookie Policy
3.5 Communications
- Support tickets and correspondence with our team
- Marketing preferences and email engagement (open, click) data
4. Purposes and legal bases
| Purpose | Legal basis (GDPR) |
|---|---|
| Providing and operating the Service | Art. 6(1)(b) — contract performance |
| Account creation, login, MFA | Art. 6(1)(b) — contract performance |
| Billing and tax compliance | Art. 6(1)(c) — legal obligation |
| Security monitoring and audit logging | Art. 6(1)(f) — legitimate interest |
| Product improvement and analytics | Art. 6(1)(f) — legitimate interest |
| Marketing communications | Art. 6(1)(a) — consent (you can withdraw any time) |
| Responding to enquiries | Art. 6(1)(b) / (f) — pre-contract or legitimate interest |
Where we rely on legitimate interest (Art. 6(1)(f) GDPR), we have carried out a balancing test in line with Recital 47 GDPR. Our interests in keeping the Service secure, detecting abuse and improving the product are balanced against the limited and predictable nature of the processing, the safeguards described in Section 10, and your right to object at any time under Section 9. You can request a summary of the balancing test at privacy@confir.eu.
5. How we use personal data
We use personal data to:
- Authenticate you and protect your account
- Operate the Service and store the data you submit (AI systems, assessments, controls, evidence)
- Generate audit logs, conformity packages and compliance reports for your organisation
- Bill you correctly and meet our tax obligations
- Detect, investigate and respond to abuse, fraud and security incidents
- Improve the Service and develop new features
- Send you transactional emails (sign-in alerts, billing receipts) and, with your consent, marketing emails
6. Sharing personal data
We share personal data with the following categories of recipients:
- Subprocessors we engage to host and operate the Service (AWS, Supabase, Stripe and others). See our Subprocessors list for a full current list.
- Professional advisers such as auditors, lawyers and accountants, under confidentiality
- Authorities where required by law (court order, regulator request, subpoena)
- Successors in the event of merger, acquisition or sale, subject to confidentiality and equivalent privacy commitments
We do not sell personal data and we do not share personal data with third-party advertisers.
7. International transfers
The Service and customer data are hosted in the European Union (Frankfurt, Germany — AWS region eu-central-1). Most processing takes place within the EU/EEA. Where a transfer outside the EEA is necessary (for example, support tooling), we rely on:
- Adequacy decisions issued by the European Commission, where applicable, or
- EU Standard Contractual Clauses (SCCs) under Implementing Decision (EU) 2021/914, with supplementary measures where required
8. Retention
We retain personal data only for as long as necessary for the purposes set out above and to comply with our legal obligations:
- Account data — for the duration of the subscription and 30 days after deletion of your account
- Service data and audit logs — for the duration of the subscription plus the retention period applicable to your organisation under the EU AI Act (typically 10 years for Annex IV documentation)
- Billing records — 7 years (Estonian Accounting Act)
- Support tickets — 2 years
- Marketing data — until you withdraw consent
9. Your rights under GDPR
You have the right to:
- Access the personal data we hold about you (Art. 15)
- Rectify inaccurate or incomplete data (Art. 16)
- Erasure (“right to be forgotten”) (Art. 17)
- Restrict processing (Art. 18)
- Portability — receive your data in a structured, machine-readable format (Art. 20)
- Object to processing based on legitimate interest, including profiling (Art. 21)
- Withdraw consent at any time, without affecting the lawfulness of processing before withdrawal (Art. 7(3))
- Complain to a supervisory authority. The Estonian authority is the Andmekaitse Inspektsioon (aki.ee). You may also complain to the authority in your country of residence.
To exercise any of these rights, email privacy@confir.eu. We respond within 30 days.
10. Security
We protect personal data using industry-standard organisational and technical measures. Details are available in our Trust Hub. Key safeguards include: encryption in transit (TLS 1.2+) and at rest (AES-256), Row-Level Security on every database table, immutable audit logging, MFA, principle of least privilege and regular penetration testing.
11. Children
The Service is intended for use by businesses. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided personal data to us, please contact us and we will delete it.
12. Changes to this Policy
We may update this Policy from time to time. We will publish the updated version on this page with a new “Effective” date. For material changes, we will notify you by email or via the Service before the change takes effect.
13. Contact
For any privacy question, please write to privacy@confir.eu or to our postal address (see Section 1).