Privacy Notice

GRCTrail AI (Early-Access Wait-list)

Last updated: June 28, 2025

1. Who we are

GRCTrail AI is a pre-launch project run by Serhii Vats (“we”, “us”).

We are not yet incorporated. Until the legal entity is formed you can reach the controller at:

Serhii Vats (GRCTrail AI)

[Valencia], [Spain]

We will update this notice with the new company name and registered address once incorporation is complete.

Category	Purpose	Required?
Email address	Confirm your spot and send onboarding updates.	Yes
Job title	Tailor the product demo to your role.	Yes
Company name	Identify unique organisations.	Yes
Company size	Prioritise features (SMB vs enterprise).	Yes
Industry	Customise compliance examples.	Yes
Current compliance framework	Match you with relevant beta features.	Optional
Biggest compliance challenge	Refine roadmap.	Optional
How you heard about us	Evaluate marketing channels.	Optional

We store form entries in an encrypted database hosted in the EU and US on AWS.

Early-access coordination – send confirmation, onboarding material, and beta invitations.
Product research – analyse aggregate trends (e.g., % of visitors already using ISO 27001).

Legal basis – Article 6(1)(b) GDPR (pre-contractual steps) and Article 6(1)(f) (legitimate interest in building our product).

Processor	Purpose	Safeguards
AWS (Ireland / Virginia)	Data hosting	Standard contractual clauses
SendGrid (USA)	Transactional email	DPA in place

We never sell or rent your information.

Under GDPR you may access, correct, delete, or export your personal data at any time.

Email sergey.vatz@gmail.com with your request and we will respond within 30 days.

We keep wait-list data for 12 months after the public launch or until you ask us to delete it, whichever comes first.

We'll post any changes here and update the "Last updated" date. Significant changes will be emailed to all wait-list members.