Effective date: 2026-03-01
Euregas is built for compliance — and that starts with how we handle your data. EU-only infrastructure, no US sub-processors, PII scrubbing before AI processing.
Euregas ("we", "us", "our") is the data controller for the personal data processed through the Euregas platform (euregas.eu).
Contact: privacy@euregas.eu Country: Finland (FI)
We collect and process the following categories of personal data:
Account Data — Name, email address, password (hashed), organization name, role within organization, MFA secrets (encrypted).
Organization Data — Company name, industry sector, size, regulatory selections (GDPR, AI Act, NIS2, CRA, EHDS), team member invitations.
Compliance Documents — Documents you upload for compliance analysis, including DPIAs, incident reports, risk assessments, and policy documents. These may contain personal data of third parties.
Usage Data — Pages visited, features used, timestamps. Collected via Plausible Analytics, which is cookie-free and does not track individual users. No IP addresses are stored.
AI Interaction Data — Prompts and compliance queries submitted to AI features. All personally identifiable information (PII) is scrubbed before processing (see Section 6).
Payment Data — Processed directly by Stripe. We store only subscription tier and status — never card numbers or bank details.
We process personal data under the following legal bases (GDPR Art. 6):
Contract Performance (Art. 6(1)(b)) — Processing necessary to provide the Euregas platform services you subscribed to: account management, compliance analysis, document processing, team collaboration.
Legitimate Interest (Art. 6(1)(f)) — Security monitoring, fraud prevention, service improvement, and platform stability. We conduct balancing tests and document our legitimate interest assessments.
Consent (Art. 6(1)(a)) — Where applicable, for optional features such as marketing communications. You can withdraw consent at any time.
Legal Obligation (Art. 6(1)(c)) — Retention of audit logs and security event records as required by NIS2 and applicable law.
Your data is used exclusively for:
We do not sell, rent, or share your personal data with third parties for marketing purposes.
We minimize sub-processor usage and keep data within the EU wherever possible:
| Sub-Processor | Purpose | Location | Data sent |
|---|---|---|---|
| Hetzner Online GmbH | Server hosting, backup storage | Germany (EU) | All data (encrypted) |
| Stripe, Inc. | Payment processing | EU entity (Ireland) | Payment data only |
| Mistral AI | AI inference (summaries, classification) | France (EU) | Anonymized compliance prompts |
| Anthropic | AI inference (legal analysis, consultation) | United States | Anonymized compliance prompts only |
Anthropic (US): For complex legal analysis, we use Anthropic's Claude models. All data is fully anonymized before leaving our EU servers — organization names, member names, system names, and all personal identifiers are replaced with generic tokens. A Transfer Impact Assessment (TIA) is maintained. Anthropic participates in the EU-US Data Privacy Framework and is bound by Standard Contractual Clauses. Data is not stored or used for training.
No personal data leaves the EU. Only anonymized compliance prompts (with no identifying information) are processed by US-based Anthropic.
We maintain a sub-processor register and will notify you of any changes 30 days in advance.
When you use AI features (compliance analysis, document review, gap assessment), the following safeguards apply:
Two-Layer Anonymization — Before any data reaches an AI model, two layers of protection are applied:
1. Organization-aware pseudonymization — Your organization's name is replaced with a generic sector label (e.g., "a healthcare organization"). System names, member names, and email addresses are replaced with anonymous tokens (SYSTEM_1, PERSON_1). The AI reasons about your compliance scenario without knowing who you are.
2. PII scrubbing — Microsoft Presidio (self-hosted on our EU servers) removes any remaining personally identifiable information: names, email addresses, phone numbers, Finnish personal identity code (henkilötunnus), IBAN numbers, and other identifiers.
After the AI responds, anonymous tokens are mapped back to the real names — this happens locally on our EU servers, never at the AI provider.
No Training on Your Data — Your documents and compliance data are never used to train AI models. Processing is strictly for generating your requested analysis.
EU-First Model Routing — Simpler tasks (summaries, translations, classifications) are routed to Mistral AI, an EU-based provider (France), eliminating international data transfers entirely. Complex legal analysis uses Anthropic (US) with full anonymization and Transfer Impact Assessment (TIA) safeguards.
Encryption in Transit — All AI API calls use TLS 1.3 encryption.
Fail-Closed Protection — If the anonymization service is unavailable, AI requests are blocked rather than sent with unprotected data.
Opt-Out — You can use the platform without AI features. AI-powered analysis is always clearly labeled and optional.
All personal data is stored and processed within the European Union / European Economic Area (EU/EEA).
Our servers run on Hetzner dedicated hardware in Germany. Stripe processes payment data through their EU entity in Ireland. Mistral AI processes anonymized prompts in France.
Anthropic (US) transfers: For complex AI analysis, anonymized prompts (containing no personal data, no organization names, no identifying information) are sent to Anthropic in the United States. This transfer is governed by Standard Contractual Clauses (SCCs) and the EU-US Data Privacy Framework (DPF). A Transfer Impact Assessment confirms the residual risk is acceptable given the multi-layer anonymization applied before any data leaves our EU infrastructure.
No raw personal data is ever transferred outside the EU/EEA.
We retain data only as long as necessary for its purpose:
| Data Category | Retention Period |
|---|---|
| Account data | Duration of contract + 12 months |
| Compliance documents | Configurable per organization; deleted on request or account termination |
| Audit logs | 5 years (NIS2 Art. 21 requirement) |
| Security event logs | 2 years |
| Usage analytics | 24 months (aggregated, no PII) |
| Payment records | As required by Finnish Accounting Act (kirjanpitolaki, 6 years) |
After termination, you have 30 days to export your data. After this period, all personal data is permanently deleted from active systems. Encrypted backups are purged within 90 days.
Under GDPR, you have the right to:
Access (Art. 15) — Request a copy of all personal data we hold about you.
Rectification (Art. 16) — Correct inaccurate or incomplete personal data.
Erasure (Art. 17) — Request deletion of your personal data ("right to be forgotten").
Data Portability (Art. 20) — Receive your data in a structured, machine-readable format. We support JSON and CSV export.
Restriction (Art. 18) — Request restricted processing while a complaint is being resolved.
Objection (Art. 21) — Object to processing based on legitimate interest.
Withdraw Consent (Art. 7(3)) — Withdraw consent at any time without affecting prior processing.
Lodge a Complaint — You have the right to lodge a complaint with the Finnish Data Protection Ombudsman (tietosuojavaltuutettu) at tietosuoja.fi, or your local supervisory authority.
To exercise your rights, email privacy@euregas.eu. We respond within 30 days.
We implement comprehensive technical and organizational measures to protect your data:
For full details, see our Security page.
We may update this privacy policy to reflect changes in our practices or legal requirements.
For material changes, we will notify you by email at least 30 days before the changes take effect. Non-material changes (clarifications, formatting) may be made without notice.
The "Effective date" at the top of this page indicates the date of the most recent revision.
For privacy-related questions, data subject requests, or DPA inquiries:
Email: privacy@euregas.eu General inquiries: info@euregas.eu Security issues: security@euregas.eu
We aim to respond to all privacy requests within 30 days.
Contact us at privacy@euregas.eu for privacy inquiries, data subject requests, or DPA negotiations.