Legal
Privacy Policy
Last updated: 1 May 2026
1. Data Controller
MiCAReady operates as data controller for personal data collected through this platform. We process data in accordance with Regulation (EU) 2016/679 (GDPR) and applicable national data protection laws.
2. Data We Collect
- Account data: email address and Auth0 user identifier (
sub). Authentication credentials are managed exclusively by Auth0 — MiCAReady never receives or stores passwords or passkeys. - Usage data: audit run metadata (timestamps, status, MiCA gap counts), request logs with correlation IDs.
- Document data: whitepapers and compliance documents uploaded for analysis, retained for the duration of your subscription plus 30 days.
3. Data Residency — EU
All personal data and uploaded documents are stored exclusively within the European Union. Our infrastructure runs on Cloudflare's EU region. No data is transferred outside the EEA without an appropriate legal basis and safeguards (SCCs or adequacy decision).
Data residency: Cloudflare EU region — auditable on request.
4. Legal Basis for Processing
- Contract performance (Art. 6(1)(b) GDPR): account management and service delivery.
- Legitimate interests (Art. 6(1)(f) GDPR): security logging, fraud prevention, service improvement.
- Legal obligation (Art. 6(1)(c) GDPR): retention of records required under applicable law.
5. Data Retention
- Account data: retained for the duration of the account plus 2 years.
- Uploaded documents and analysis outputs: retained for 90 days after account closure.
- Security and access logs: 12 months.
- Billing records: 7 years (legal obligation).
6. Your Rights (GDPR)
Under GDPR you have the right to:
- Access your personal data (Art. 15)
- Rectification of inaccurate data (Art. 16)
- Erasure (“right to be forgotten”) (Art. 17)
- Restriction of processing (Art. 18)
- Data portability (Art. 20)
- Object to processing (Art. 21)
- Lodge a complaint with your national supervisory authority
Exercise your rights by contacting info@infinite-scape.com. We respond within 30 days.
7. Sub-processors
We use the following sub-processors, all operating under GDPR-compliant Data Processing Agreements:
- Cloudflare (EU region): infrastructure, CDN, edge compute, D1 database, KV storage, R2 object storage.
- Stripe: payment processing (PCI-DSS Level 1). No card data stored by MiCAReady.
8. Security
We implement appropriate technical and organisational measures including encryption in transit (TLS 1.3), encryption at rest, authentication delegated to Auth0 (OAuth 2.0 + OIDC with PKCE), and access controls. No passwords are stored by MiCAReady.
9. Cookies
MiCAReady distinguishes three cookie categories. Essential cookies (session, CSRF, authentication; httpOnly, Secure, SameSite=Strict) are always on — without them the service does not work. Analytics and Marketing cookies are off by default and only load after you accept them in the consent banner shown on your first visit. You can change or revoke your choice at any time from your browser's site data settings; clearing storage for this site re-shows the banner. We do not load any third-party tag before consent.
10. Changes to This Policy
We may update this Privacy Policy. Material changes will be notified via email at least 30 days in advance. Continued use of the service after the effective date constitutes acceptance.
11. Contact & DPO
Data protection enquiries: info@infinite-scape.com
General legal enquiries: info@infinite-scape.com