Privacy Policy

Last updated: 15 April 2026

This Privacy Policy explains how we process personal data when you visit our website, create an account, and use FileGPT.dev (the “Service”). It is designed to meet the transparency requirements of the EU General Data Protection Regulation (“GDPR”), including Article 13.

1. Controller

Damir Andrijanic
c/o Postflex PFX-202-985
Emsdettener Str. 10
48268 Greven
Germany

VAT ID (USt-IdNr.): DE461042625. For contact details see our Impressum.

Privacy contact

For all privacy-related and data protection inquiries (including exercising your rights under the GDPR), contact us at support@complianceradar.dev.

Data Protection Officer

We have not appointed a Data Protection Officer (“DPO”) under Article 37 GDPR, as our processing activities do not meet the statutory criteria for mandatory designation. You may still address all data protection matters to the privacy contact above.

2. Categories of personal data

Depending on how you use the Service, we may process:

  • Account and identity: e.g. email address, authentication identifiers, and profile data you provide.
  • Customer content: documents and files you upload, derived text chunks, embeddings, and chat messages needed to provide document intelligence and retrieval-augmented chat.
  • Usage and technical data: e.g. timestamps, session and security-related logs, and data needed to enforce rate limits and protect the Service.

3. Purposes and legal bases

We process personal data for the following purposes:

  • Providing the Service (contract, GDPR Art. 6(1)(b)): hosting your account, storing and indexing your content, answering questions with reference to your documents, and maintaining sessions.
  • Security and abuse prevention (legitimate interests, Art. 6(1)(f); where required, legal obligation): protecting accounts, detecting misuse, and rate limiting.
  • Compliance and legal claims (legal obligation or legitimate interests, Art. 6(1)(c)/(f)): retaining certain records where the law requires and defending legal claims.

Where we rely on legitimate interests, you may object under the conditions set out in the GDPR (see section 7).

4. Recipients and subprocessors

We use trusted infrastructure and service providers to run the Service. Depending on configuration, this may include:

  • Hosting and application platform (e.g. the environment where the application runs).
  • Database and authentication (e.g. cloud database and identity services for accounts and stored content).
  • AI and embeddings: language and embedding models process retrieved excerpts and queries as needed to generate answers and perform vector search. Full document archives are not sent wholesale to a model unless required for a specific feature you use.
  • Caching / rate limiting (e.g. infrastructure used to limit requests), where enabled.

Providers may process data in the EU/EEA or other countries subject to appropriate safeguards (e.g. standard contractual clauses) where applicable. You may contact us for more detail on categories of recipients relevant to your account.

5. Retention

We retain personal data only as long as necessary for the purposes above. Typically: account and content data for as long as your account exists and you store content in the Service; security and operational logs for a limited period required for security and troubleshooting; and longer retention where law requires. When you delete content or your account, we delete or anonymize data in line with our technical capabilities and legal obligations.

6. Cookies and similar technologies

We use cookies and similar technologies that are strictly necessary to operate the Service—for example, to keep you signed in and to protect your account. We do not use non-essential (e.g. marketing) cookies unless we inform you separately and obtain your consent where required. You can read more in our cookie notice when you first visit the site and in this policy.

7. Your rights (Articles 15–22 GDPR)

Subject to conditions in applicable law, you have the right to:

  • access your personal data (Art. 15);
  • rectification of inaccurate data (Art. 16);
  • erasure (“right to be forgotten”) in certain cases (Art. 17);
  • restriction of processing in certain cases (Art. 18);
  • data portability, where applicable (Art. 20);
  • object to processing based on legitimate interests (Art. 21);
  • withdraw consent where processing is based on consent (Art. 7(3));
  • not be subject to solely automated decisions with legal or similarly significant effects in cases covered by Art. 22.

To exercise your rights, contact us at support@complianceradar.dev. We may need to verify your identity before fulfilling certain requests.

8. Right to lodge a complaint

You have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or place of the alleged infringement. The federal supervisory authority for Germany provides information at bfdi.bund.de.

9. Data Processing Agreement (business customers)

Where you act as a controller and use the Service to process personal data on behalf of your organization, we act as a processor in respect of that processing in line with GDPR Article 28. Business customers may request a GDPR-compliant Data Processing Agreement (DPA) by contacting us at support@complianceradar.dev.

10. AI-generated outputs

Chat answers in the Service are generated by artificial intelligence using your queries and retrieved excerpts from your content. Outputs may be incomplete or incorrect. You should verify important information against your sources; the Service may show citations to help you do so.

For purpose, capabilities, limitations, and EU AI Act–related transparency, see our AI transparency statement.

11. EU AI Act and high-risk use cases

Whether an AI system is considered “high-risk” under the EU AI Act depends on its intended purpose, deployment context, and how customers integrate it (including scenarios described in Annex III). Customers are responsible for assessing their own use cases and compliance obligations when they process personal data or deploy the Service in regulated environments. We continuously review our role and obligations as a provider; contact us for organizational or contractual questions.

12. Changes

We may update this Privacy Policy from time to time. The “Last updated” date at the top will change when we do. Material changes may be communicated through the Service or by email where appropriate.