Privacy Policy
Last Updated: January 2025
Your Data Protection Rights
At Metrisk AI, we are committed to protecting your privacy and ensuring the security of your personal information. This policy outlines how we collect, use, store, and protect your data in accordance with GDPR, CCPA, and other applicable data protection regulations.
We operate under the principle of privacy by design, ensuring that data protection is integrated into every aspect of our platform from the ground up. Your trust is paramount to us, and we take our responsibility to safeguard your information seriously.
Information We Collect and Process
Account and Identity Information
When you create an account with Metrisk AI, we collect basic information necessary for account creation and management, including your name, email address, company name, and contact details. This information is used solely for authentication, communication, and service delivery purposes.
Business Intelligence Data
Our platform processes key performance indicators, business metrics, and operational data that you choose to integrate with our risk management system. This data is encrypted both at rest and in transit using industry-standard AES-256 encryption.
Technical and Usage Information
We collect technical data necessary for platform functionality, including IP addresses, browser type, device information, and usage patterns. This information helps us maintain security, optimize performance, and improve user experience.
Communication Records
When you contact our support team or communicate with us, we retain records of these interactions to provide better service and resolve issues effectively.
How We Use Your Information
Your data is used exclusively for legitimate business purposes directly related to providing and improving our risk management services:
- Delivering core platform functionality and AI-driven risk analysis services
- Authenticating users and maintaining account security
- Processing transactions and managing subscriptions
- Providing customer support and responding to inquiries
- Sending important service updates and security notifications
- Improving our algorithms and platform performance through anonymized analytics
- Ensuring compliance with legal obligations and regulatory requirements
- Detecting and preventing fraud, abuse, and security threats
Legal Basis for Data Processing
Under GDPR, we process your personal data based on the following legal grounds:
- Contractual Necessity: Processing is necessary to fulfill our service agreement with you
- Legitimate Interest: We have legitimate business interests in improving our services and maintaining security
- Legal Obligation: We must process certain data to comply with regulatory requirements
- Consent: For optional features and communications, we obtain your explicit consent
Data Storage and Security Measures
We employ comprehensive security measures to protect your information from unauthorized access, alteration, disclosure, or destruction. Our infrastructure is hosted in EU data centers that comply with ISO 27001, SOC 2, and other industry standards.
Encryption Protocols
All data is encrypted using AES-256 encryption at rest and TLS 1.3 for data in transit. Encryption keys are managed using hardware security modules and rotated regularly according to security best practices.
Access Controls
We implement strict role-based access controls ensuring that only authorized personnel can access your data, and only to the extent necessary for their job functions. All access is logged and audited.
Infrastructure Security
Our servers are protected by enterprise-grade firewalls, intrusion detection systems, and regular security audits conducted by independent third parties. We maintain comprehensive disaster recovery and business continuity plans.
Data Retention and Deletion
We retain your personal data only for as long as necessary to fulfill the purposes outlined in this policy or as required by law. Account information is retained while your account remains active. Upon account closure, personal data is deleted within 90 days unless retention is required for legal, regulatory, or legitimate business purposes.
Business metrics and operational data are retained according to your subscription plan specifications. You can request early deletion of your data at any time, subject to our legal obligations to maintain certain records.
International Data Transfers
While our primary infrastructure is located within the European Union, certain service providers may process data internationally. When we transfer data outside the EEA, we ensure adequate protection through:
- Standard Contractual Clauses approved by the European Commission
- Adequacy decisions recognizing equivalent data protection standards
- Binding Corporate Rules for intra-group transfers
- Your explicit consent where required
Third-Party Service Providers
We work with carefully selected third-party service providers to deliver our services effectively. These partners include hosting providers, payment processors, and analytics services. All third parties are bound by strict contractual obligations to protect your data and use it only for specified purposes.
We conduct due diligence on all service providers to ensure they meet our security and privacy standards. We never sell your data to third parties for marketing purposes.
Your Privacy Rights and Choices
Access and Portability
You have the right to access your personal data and receive a copy in a structured, machine-readable format. You can export your data directly through your account dashboard or request a complete data package from our support team.
Correction and Updating
You can update your account information at any time through your profile settings. If you identify any inaccuracies in the data we hold, you have the right to request corrections.
Deletion and Erasure
You have the right to request deletion of your personal data, subject to certain legal exceptions. We will honor deletion requests within 30 days unless we have a legitimate reason to retain the data.
Restriction and Objection
You can request restriction of processing or object to certain types of data processing, particularly for direct marketing purposes or processing based on legitimate interests.
Withdrawal of Consent
Where processing is based on consent, you may withdraw that consent at any time. This will not affect the lawfulness of processing conducted before withdrawal.
Marketing Communications
We send marketing communications only with your explicit consent. You can opt out of marketing emails at any time by clicking the unsubscribe link in any marketing message or updating your communication preferences in your account settings.
Please note that even if you opt out of marketing communications, we will still send you essential service-related notifications, security alerts, and transactional emails necessary for account management.
Children's Privacy Protection
Our services are designed for business and enterprise use and are not intended for individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected data from a child, we will take immediate steps to delete that information.
Automated Decision-Making and Profiling
Our AI-driven risk analysis platform uses automated processing to generate risk scores and detect anomalies. However, these analyses are designed to support human decision-making, not replace it. You have the right to:
- Receive information about the logic involved in automated decision-making
- Request human review of automated decisions that significantly affect you
- Challenge decisions made solely through automated processing
- Express your point of view regarding automated decisions
Data Breach Notification
In the unlikely event of a data breach that poses a risk to your rights and freedoms, we will notify you within 72 hours of becoming aware of the breach, as required by GDPR. We will provide information about the nature of the breach, potential consequences, and measures taken to address it.
We maintain an incident response plan and conduct regular security drills to ensure rapid and effective response to any security incidents.
California Privacy Rights (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act:
- Right to know what personal information we collect, use, disclose, and sell
- Right to delete personal information we hold about you
- Right to opt out of the sale of personal information (note: we do not sell personal information)
- Right to non-discrimination for exercising your privacy rights
To exercise these rights, please contact us at privacy@metrisk.ai or call +48 573 806 294.
Updates to This Privacy Policy
We may update this privacy policy periodically to reflect changes in our practices, technologies, legal requirements, or other factors. We will notify you of any material changes by email and by posting a notice on our platform at least 30 days before the changes take effect.
Your continued use of our services after changes become effective constitutes acceptance of the updated policy. We encourage you to review this policy regularly to stay informed about how we protect your data.
Contact Information and Data Protection Officer
If you have questions about this privacy policy, wish to exercise your privacy rights, or want to file a complaint, please contact us:
Email: privacy@metrisk.ai
Phone: +48 573 806 294
Address: Dereniowa 7, 02-776 Warszawa, Poland
You also have the right to lodge a complaint with your local data protection authority if you believe we have not adequately addressed your concerns.