Privacy Policy

Last updated: February 2026

Haffa.ai ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use the Haffa.ai website and platform (collectively, the "Service").

1. Data Controller

The data controller for the processing of your personal data is:

Haffa.ai GmbH
[Address]
[City], [Country]
Email: privacy@haffa.ai

2. Data We Collect

2.1 Data You Provide

  • Account information: name, email address, company name, job title, and phone number when you register or fill out a contact form.
  • Compliance data: information about your AI systems that you enter into the platform for compliance assessment purposes.
  • Communication data: content of messages you send us via contact forms, email, or support requests.

2.2 Data We Collect Automatically

  • Usage data: pages visited, features used, session duration, and interaction patterns (collected via privacy-friendly analytics).
  • Technical data: browser type, operating system, device type, IP address (anonymised), and referring URL.
  • Cookie data: essential cookies for site functionality and optional analytics cookies (see Section 10).

3. Legal Bases for Processing

We process your personal data based on the following legal grounds under Article 6(1) GDPR:

  • Consent (Art. 6(1)(a)): for optional analytics cookies and marketing communications. You may withdraw consent at any time.
  • Contractual necessity (Art. 6(1)(b)): to provide the Service, manage your account, and process payments.
  • Legitimate interest (Art. 6(1)(f)): to improve our Service, ensure security, prevent fraud, and conduct privacy-friendly analytics.
  • Legal obligation (Art. 6(1)(c)): to comply with applicable laws, such as tax and accounting requirements.

4. How We Use Your Data

  • Service delivery: to provide, maintain, and improve the Haffa.ai platform.
  • Communication: to respond to your enquiries, send service updates, and (with your consent) share relevant compliance news.
  • Analytics: to understand how the Service is used and to improve user experience.
  • Security: to detect, prevent, and respond to security incidents.
  • Legal compliance: to fulfil our legal and regulatory obligations.

5. Data Retention

We retain your personal data for as long as your account is active and for 12 months after account closure, unless a longer retention period is required by law (e.g., tax records). Anonymised analytics data may be retained indefinitely.

You may request deletion of your data at any time (see Section 8).

6. Third-Party Processors

We share your data only with trusted third-party processors who act on our behalf and are contractually obligated to protect your data:

Processor             Purpose                              Data Location
Vercel                Website and application hosting      EU (Frankfurt)
Resend                Transactional and marketing email    EU
Plausible Analytics   Privacy-friendly website analytics   EU

All processors are bound by Data Processing Agreements (DPAs) in accordance with Article 28 GDPR. We do not sell your personal data to any third party.

7. EU Data Residency

All personal data is stored and processed exclusively within the European Union. Our infrastructure is hosted in EU data centres (Frankfurt and Dublin). We do not transfer personal data outside the EU/EEA unless required by law and with appropriate safeguards in place (e.g., Standard Contractual Clauses).

8. Your Rights

Under the GDPR, you have the following rights regarding your personal data:

  • Right of access (Art. 15): obtain a copy of your personal data.
  • Right to rectification (Art. 16): correct inaccurate or incomplete data.
  • Right to erasure (Art. 17): request deletion of your data ("right to be forgotten").
  • Right to restriction (Art. 18): restrict processing of your data in certain circumstances.
  • Right to data portability (Art. 20): receive your data in a structured, commonly used, machine-readable format.
  • Right to object (Art. 21): object to processing based on legitimate interest.
  • Right to withdraw consent: withdraw any previously given consent at any time, without affecting the lawfulness of processing prior to withdrawal.

How to Exercise Your Rights

To exercise any of these rights, please contact us at privacy@haffa.ai. We will respond within 30 days as required by the GDPR. You may also lodge a complaint with your local data protection supervisory authority.

9. Data Protection Officer

You can reach our Data Protection Officer at dpo@haffa.ai.

10. Cookies

Our website uses the following types of cookies:

  • Essential cookies: required for the website to function correctly (e.g., session management, security). These do not require consent.
  • Analytics cookies: used to understand how visitors interact with the website. We use Plausible Analytics, which is privacy-friendly and does not use cookies by default. If additional analytics tools are introduced, we will request your consent.

You can manage your cookie preferences at any time through your browser settings.

11. Security

We implement appropriate technical and organisational measures to protect your personal data, including encryption in transit (TLS) and at rest, access controls, regular security audits, and incident response procedures.

12. Children's Privacy

The Service is not directed at individuals under 16 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will delete it promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email (if you have an account) and by posting a notice on our website. The "Last updated" date at the top indicates the most recent revision.

14. Contact

If you have questions about this Privacy Policy or our data practices, please contact us:

Haffa.ai GmbH
Email: privacy@haffa.ai
DPO: dpo@haffa.ai