LicitAI

Privacy Policy

Our privacy policy and how we use your data

Last updated: February 8, 2026

1. Who We Are

Licit AI is operated by Bdub.digital, registered in Belgium. References to "we", "us", or "our" refer to Bdub.digital.

For any privacy-related inquiries, contact us at privacy@bdub.digital.

2. Data We Collect

2.1 Use Case Form Inputs

When you use our AI Act risk classification tool, we collect the information you provide in the form: use case name, description, sector, application type, affected persons, data types, safety component status, and rights impact.

2.2 Email Address (Waitlist)

If you choose to join our waitlist, we collect your email address. This is entirely optional and requires your explicit action.

2.3 IP Address

We process your IP address for rate limiting purposes (preventing abuse of the free scoring tool). IP addresses are used transiently and are not stored persistently in our database.

2.4 Cookies

We set a licit_scored cookie containing your use case UUID. See our Cookie Policy for details.

3. Purpose of Processing

  • Risk classification: Processing your form inputs to provide an EU AI Act risk assessment
  • Waitlist notification: Using your email to notify you when Licit AI launches with full features
  • Abuse prevention: Rate limiting via IP address to ensure fair access to the free tool
  • Analytics: Anonymous usage analytics to improve the service (risk level distribution, sector usage)

4. Legal Basis

  • Classification service: Legitimate interest (Article 6(1)(f) GDPR) — providing the service you requested
  • Email capture: Consent (Article 6(1)(a) GDPR) — you actively submit your email
  • Rate limiting: Legitimate interest — preventing abuse of the service

5. Data Retention

  • Use case data: Retained indefinitely as a snapshot of your classification. You may request deletion at any time.
  • Waitlist emails: Retained until account migration (when you create a full account) or until you request deletion.
  • IP addresses: Not stored persistently. Used only in-memory for rate limiting during your session.

6. Your Rights

Under the GDPR, you have the right to:

  • Access: Request a copy of the data we hold about you
  • Rectification: Correct inaccurate data
  • Erasure: Request deletion of your data
  • Portability: Receive your data in a structured, machine-readable format
  • Objection: Object to processing based on legitimate interest
  • Withdraw consent: Withdraw your consent for email processing at any time

To exercise any of these rights, contact privacy@bdub.digital. We will respond within 30 days.

7. Third Parties

We use the following third-party service providers:

  • Supabase: Database hosting (EU region) — stores use case data and waitlist emails
  • Vercel: Application hosting — serves the website
  • PostHog: Analytics (EU hosted) — tracks usage patterns only after cookie consent is accepted

We do not sell, rent, or share your personal data with third parties for advertising purposes.

8. International Transfers

Our database is hosted in the EU (Supabase EU region). Application hosting via Vercel may involve processing in the US under Standard Contractual Clauses (SCCs).

9. Security

We implement appropriate technical and organizational measures to protect your data, including encrypted connections (HTTPS), row-level security on our database, and access controls.

10. Right to Lodge a Complaint

If you believe your data protection rights have been violated, you have the right to lodge a complaint with your local data protection supervisory authority. In Belgium, this is the Data Protection Authority (APD/GBA): www.dataprotectionauthority.be.

11. Changes to This Policy

We may update this policy from time to time. We will notify you of significant changes by posting the updated policy on this page with a new "Last updated" date.

12. Contact

For questions about this privacy policy or our data practices, contact us at privacy@bdub.digital.

Powered byBdubdigital