Legal · Version 1.2
Privacy Notice
Pursuant to Art. 13 and Art. 14 GDPR, the Austrian Data Protection Act (DSG), and taking into account the obligations of a deployer under Art. 26 EU AI Act. As of April 2026.
Controller
The controller within the meaning of the GDPR (EU) 2016/679 and the Austrian Data Protection Act (DSG, as amended) is:
Schlachthammerstraße 83 C, 1220 Vienna, Austria
Email: privacy@horizon-scanner.com
Legal basis: Art. 13 GDPR (information obligation on direct collection); § 1 DSG (Austrian constitutional right to data protection).
Principles of processing
We process personal data exclusively in accordance with the GDPR and the DSG. The principle of data minimisation applies (Art. 5(1)(c) GDPR): we collect only the data strictly necessary to operate the service.
Horizon Scanner processes no personal data of the end-customers of the insurance undertakings we serve. The platform is aimed exclusively at B2B users (compliance, legal and regulatory teams).
Data processed
| Category | Data | Purpose / note |
|---|---|---|
| Account data | First name, last name, email address, password (hashed) | Provision of the user account |
| Company data | Company name, function / role | Has a personal reference within the meaning of Art. 4(1) GDPR when combined with the name |
| Technical data | IP address, browser type, login timestamps | IT security, abuse prevention |
| Usage data | Findings viewed, acknowledgements, status changes, reports | Part of the immutable audit trail (accountability under Art. 5(2) GDPR) |
| Communications | Email address for alerting | Sending notifications per subscription |
Purposes and legal bases
| Purpose | Legal basis |
|---|---|
| Provision and operation of the platform, user-account administration | Art. 6(1)(b) — performance of contract |
| Sending regulatory alerts by email | Art. 6(1)(b) — performance of contract |
| Audit trail (who acknowledged which finding, when) | Art. 6(1)(b)+(c) — performance of contract + legal obligation (Art. 5(2), Art. 32 GDPR) |
| IP addresses, login logs | Art. 6(1)(f) — legitimate interest (IT security) |
| Invoicing, bookkeeping | Art. 6(1)(c) — legal obligation (§ 132 BAO, § 212 UGB, Austrian law) |
Use of AI services
Horizon Scanner uses external AI models to process regulatory documents. Since we deploy but do not develop these models, we qualify as a deployer under the EU AI Act (Regulation (EU) 2024/1689).
| Service | Provider | Purpose | Personal data sent |
|---|---|---|---|
| Google Gemini | Google LLC, USA | Primary scoring and summarisation | No |
| MiniMax | MiniMax AI | Independent second-pass verification at Impact ≥ 3 | No |
| Groq | Groq Inc., USA | Fallback on provider unavailability | No |
All AI models process exclusively publicly available regulatory texts — no personal data of users is transmitted to any AI API.
Risk classification under the EU AI Act
Deployer obligations (Art. 26 EU AI Act)
- Use exclusively in accordance with the AI providers' terms of service
- No transmission of personal data to AI APIs
- Human-in-the-loop: AI scores are decision support, not binding determinations
- AI-generated content is labelled as such in the dashboard (Art. 50(4) EU AI Act)
- Users are informed during onboarding about how the AI works and its limits (Art. 4 EU AI Act)
Processors and third-party recipients
The following service providers are engaged as processors under Art. 28 GDPR. A data-processing agreement (DPA) is in place — or will be concluded before production use — with each.
| Provider | Purpose | Region | Transfer basis |
|---|---|---|---|
| Hosting (EU cloud) | Cloud hosting, database | EU / EEA | DPA |
| Vercel Inc. | Landing-page hosting, cookieless analytics | USA (HQ) · EU region Frankfurt | EU-US Data Privacy Framework (Art. 45 GDPR) + DPA |
| Email service | Delivery of alert emails | EU | DPA |
| Google LLC (Gemini API) | AI scoring | USA | SCCs under Art. 46(2)(c) GDPR |
| Groq Inc. | AI fallback | USA | SCCs |
| MiniMax AI | AI verification | — | SCCs + TIA |
We do not disclose data to third parties for marketing purposes, nor do we sell data.
Retention periods
| Data category | Period | Reasoning |
|---|---|---|
| Account and user data | Subscription term + 30 days | Contract performance; grace period for data export |
| Audit trail | 5 years | Accountability (Art. 5(2) GDPR); supervisory expectations of regulated customers |
| IP addresses / login logs | 90 days | IT security; not needed beyond that period |
| Invoices, accounting | 7 years | § 132 BAO, § 212 UGB (Austrian law) |
| Email correspondence | 3 years | Legitimate interest; § 1489 ABGB |
Cookies and analytics
Horizon Scanner uses exclusively functional cookies and a cookieless analytics solution. There are no tracking cookies, no third-party advertising, and no personal profiling.
| Name | Purpose | Duration | Legal basis |
|---|---|---|---|
| hs_lang | Language preference (DE / EN); set only when you actively use the language toggle | 1 year | § 165(3)(1) TKG · functional |
| Session cookie | Authentication in the signed-in area | End of session | § 165(3)(1) TKG · technically necessary |
| CSRF token | Protection against cross-site request forgery | End of session | Art. 32 GDPR · security |
Analytics (Vercel Web Analytics): On the public landing page we use Vercel Web Analytics in its cookieless configuration. No cookies are set and no browser fingerprint is generated. Only aggregated, non-identifying data is processed: URL visited, referrer, device type and an imprecise location (country) derived from the IP address before the IP is discarded. Processing under Art. 28 GDPR; Vercel Inc. is certified under the EU-US Data Privacy Framework pursuant to Art. 45 GDPR.
Functionally necessary cookies and cookieless analytics without personal reference are permitted without consent under § 165(3)(1) TKG 2021 in conjunction with Art. 5(3) ePrivacy Directive — no cookie banner is displayed.
Rights of data subjects
| Right | Article | Content |
|---|---|---|
| Access | Art. 15 | Which data we process about you |
| Rectification | Art. 16 | Correction of inaccurate data |
| Erasure | Art. 17 | Unless a statutory retention obligation applies |
| Restriction | Art. 18 | Restriction of processing |
| Portability | Art. 20 | Receipt of data in machine-readable format |
| Objection | Art. 21 | In particular against processing on the basis of lit. (f) |
| Withdrawal | Art. 7(3) | Withdrawal of consent, at any time |
Requests to privacy@horizon-scanner.com. We respond without undue delay and at the latest within one month (Art. 12(3) GDPR).
Right to lodge a complaint: Austrian Data Protection Authority (DSB), Barichgasse 40–42, 1030 Vienna · dsb.gv.at
Data security
We apply the following technical and organisational measures (TOMs):
- Encrypted transport via TLS 1.2 / 1.3 (HTTPS) for all endpoints
- Encryption of stored data at rest
- Role-based access controls (RBAC)
- Hosting exclusively on European cloud infrastructure
- Regular backups with versioning
- Strict tenant separation — no shared database access between customer accounts
Processing on behalf of our customers
To the extent that our customers (insurance undertakings) transmit user data to us for the operation of the platform, we act as a processor within the meaning of Art. 28 GDPR — the customer is the controller. The legal basis is the data-processing agreement (DPA) to be concluded with the customer.
Automated decision-making / profiling
No profiling and no automated decision-making under Art. 22 GDPR with legal or similarly significant effects on users takes place. The AI scoring function evaluates only public regulatory documents — not user behaviour or personal characteristics.
Changes to this Notice
We reserve the right to update this Privacy Notice. The current version is available at horizon-scanner.com/datenschutz. For material changes we inform registered users by email at least 14 days before the change takes effect.