Skip to main content
Disclaimer: This document is provided for informational purposes only and does not constitute legal advice. Consult a qualified legal professional for advice specific to your situation.

Legal

Privacy Policy

Last updated: 1 May 2026

1. Data Controller

MiCAReady operates as data controller for personal data collected through this platform. We process data in accordance with Regulation (EU) 2016/679 (GDPR) and applicable national data protection laws.

2. Data We Collect

  • Account data: email address and Auth0 user identifier (sub). Authentication credentials are managed exclusively by Auth0 — MiCAReady never receives or stores passwords or passkeys.
  • Usage data: audit run metadata (timestamps, status, MiCA gap counts), request logs with correlation IDs.
  • Document data: whitepapers and compliance documents uploaded for analysis, retained for the duration of your subscription plus 30 days.

3. Data Residency — EU

All personal data and uploaded documents are stored exclusively within the European Union. Our infrastructure runs on Cloudflare's EU region. No data is transferred outside the EEA without an appropriate legal basis and safeguards (SCCs or adequacy decision).

Data residency: Cloudflare EU region — auditable on request.

4. Legal Basis for Processing

  • Contract performance (Art. 6(1)(b) GDPR): account management and service delivery.
  • Legitimate interests (Art. 6(1)(f) GDPR): security logging, fraud prevention, service improvement.
  • Legal obligation (Art. 6(1)(c) GDPR): retention of records required under applicable law.

5. Data Retention

  • Account data: retained for the duration of the account plus 2 years.
  • Uploaded documents and analysis outputs: retained for 90 days after account closure.
  • Security and access logs: 12 months.
  • Billing records: 7 years (legal obligation).

6. Your Rights (GDPR)

Under GDPR you have the right to:

  • Access your personal data (Art. 15)
  • Rectification of inaccurate data (Art. 16)
  • Erasure (“right to be forgotten”) (Art. 17)
  • Restriction of processing (Art. 18)
  • Data portability (Art. 20)
  • Object to processing (Art. 21)
  • Lodge a complaint with your national supervisory authority

Exercise your rights by contacting info@infinite-scape.com. We respond within 30 days.

7. Sub-processors

We use the following sub-processors, all operating under GDPR-compliant Data Processing Agreements:

  • Cloudflare (EU region): infrastructure, CDN, edge compute, D1 database, KV storage, R2 object storage.
  • Stripe: payment processing (PCI-DSS Level 1). No card data stored by MiCAReady.

8. Security

We implement appropriate technical and organisational measures including encryption in transit (TLS 1.3), encryption at rest, authentication delegated to Auth0 (OAuth 2.0 + OIDC with PKCE), and access controls. No passwords are stored by MiCAReady.

9. Cookies

MiCAReady distinguishes three cookie categories. Essential cookies (session, CSRF, authentication; httpOnly, Secure, SameSite=Strict) are always on — without them the service does not work. Analytics and Marketing cookies are off by default and only load after you accept them in the consent banner shown on your first visit. You can change or revoke your choice at any time from your browser's site data settings; clearing storage for this site re-shows the banner. We do not load any third-party tag before consent.

10. Changes to This Policy

We may update this Privacy Policy. Material changes will be notified via email at least 30 days in advance. Continued use of the service after the effective date constitutes acceptance.

11. Contact & DPO

Data protection enquiries: info@infinite-scape.com
General legal enquiries: info@infinite-scape.com