Legal
Privacy Policy
Last updated: July 8, 2026
1. Data controller
Growthlab Ventures ApS, Copenhagen, Denmark, operating the Ravna service. Contact: info@bragiandco.com.
2. What data we collect
- Account data — your email address, provided when you create an account with email and password or sign in with Google. Used for authentication, account access, and transactional communications.
- Organisation data — the organisation you belong to, your role in it, and members you invite. Used to provide team features.
- Stack selections — which vendors and findings you track, deployment context you record, and remediation notes you enter. Stored in your organisation’s account to provide your exposure view.
- Correction submissions — name, email, role, and the content of corrections you submit via the public corrections form. Used to review and act on the correction.
- Payment data — when paid subscriptions launch, payments will be processed by Paddle as Merchant of Record. We will not store payment card details or billing addresses.
3. Legal basis for processing (GDPR Art. 6)
- Contract performance (Art. 6(1)(b)) — processing account, organisation, and stack data, and sending service and transactional email, to provide the service you signed up for.
- Legitimate interest (Art. 6(1)(f)) — processing correction submissions to maintain data accuracy, and sending account holders occasional product and EU AI Act updates that relate directly to the service. You can object or unsubscribe at any time.
- Consent (Art. 6(1)(a)) — sending broader marketing communications beyond service-related updates, only where you have opted in. You can withdraw consent at any time.
4. How we use your email
We use your email address in three distinct ways, each on its own legal basis:
- Service and transactional email (contract). Authentication, security notices, team invitations, billing, and the findings or alerts you configure. These are necessary to operate the service and cannot be unsubscribed from while your account is active.
- Product-relevant updates (legitimate interest). Occasional emails about changes to findings, new EU AI Act developments, and product features relevant to the service you use. We send these to account holders by default because they relate directly to why you signed up. Every such email carries a one-click unsubscribe, and you can opt out at any time without affecting your account.
- Broader marketing (consent). Anything beyond service-related updates, such as wider announcements, events, or offers, is sent only if you opted in, and you can withdraw that consent at any time.
We do not sell, share, or trade personal data with third parties for their own marketing purposes. For traffic measurement we use Vercel Web Analytics, a cookieless, privacy-preserving service that records aggregate page views and visit metrics without cookies, without storing personal data, and without tracking you across other sites. We run no advertising trackers.
5. Data processors
- Supabase — database, authentication, and transactional auth-email hosting (sign-in, password reset). Stores account, organisation, and stack data.
- Vercel — website hosting, and cookieless Web Analytics that measures aggregate traffic without personal data.
- Google — if you choose Google sign-in, authentication is processed by Google under their privacy policy.
- Paddle — payment processing as Merchant of Record, once paid subscriptions launch.
6. Data retention
- Account and organisation data — retained while your account is active; deleted within 30 days of a deletion request.
- Correction submissions — retained as part of the research audit trail; submitter contact details can be removed on request.
7. Your rights (GDPR)
You have the right to access, rectify, erase, restrict, and port your personal data, and to object to processing based on legitimate interest. To exercise any right, email info@bragiandco.com. We respond within 30 days.
8. Cookies
We use functional authentication cookies only (Supabase session cookies, prefixed sb-). They identify your signed-in session and are required for the service to function. No tracking, analytics, or advertising cookies are set.
9. International transfers
Primary data storage is in EU-region infrastructure. Vercel and Google may process data in the United States under Standard Contractual Clauses.
10. Supervisory authority
You have the right to lodge a complaint with the Danish Data Protection Agency (Datatilsynet) at datatilsynet.dk.
11. Changes
We may update this policy. Material changes will be communicated by email to account holders. The date at the top reflects the most recent version.