← Back to Conformis

Privacy Policy

Last updated: July 2026

1. Who we are

Conformis is an automated EU AI Act compliance platform operated by Reza Kermanian. Our service is available at conformis.tech. For any privacy-related questions, contact us at hello@conformis.tech.

2. What data we collect

Account data: Name and email address collected via Clerk authentication when you sign up.

Scan data: Source code you upload (ZIP files) or grant access to via GitHub OAuth. This data is processed to generate your compliance report and is retained alongside your scan record — for example, to power the Auto-Fix feature, which needs your actual source to generate a real patch. It is permanently deleted when you delete the scan. If you'd rather your source code never reach our servers at all, use the conformis CLI's local-scan mode: it runs entirely on your machine and only ever transmits findings (a file path, line number, library name, and a short snippet) — never full source files.

Usage data: Anonymous analytics via PostHog (EU region) including pages visited, features used, and scan events. No personally identifiable information is included in analytics.

3. How we use your data

We use your data exclusively to provide the Conformis service — generating EU AI Act compliance reports from your codebase. We do not sell your data, train AI models on your code, or share your information with third parties except as described below.

4. Third-party processors

Clerk — Authentication and user management (US/EU infrastructure)

Anthropic — AI analysis of your codebase via Claude API. Code is processed transiently and not retained by Anthropic for training.

Railway — Backend infrastructure hosted in the EU.

Vercel — Frontend hosting.

PostHog — Analytics, EU region only.

Resend — Transactional email delivery.

5. Your code and IP

Your source code is cloned or uploaded into isolated EU-based infrastructure and analyzed there. Unlike a purely transient scan, we retain it as part of your scan record (see Section 6) so that features like Auto-Fix can operate on your real code later — we do not silently discard it after the first pass. We do not use your code to train models, benchmark competitors, or for any purpose other than generating your compliance report and the features you use on top of it. Deleting a scan permanently deletes the source code stored with it.

6. Data retention

Scan results, compliance reports, and — for ZIP-upload and GitHub scans — the source code itself are retained in your account until you delete the individual scan or close your account; deleting a scan permanently deletes its stored source code along with it. Account data is deleted within 30 days of account closure upon request. Scans submitted via the CLI's local-scan mode never include source code in the first place, so there is nothing beyond findings metadata to retain.

7. Your rights (GDPR)

As a user in the EU, you have the right to access, correct, export, or delete your personal data at any time. To exercise these rights, email hello@conformis.tech. We will respond within 30 days.

8. Changes to this policy

We may update this policy as the service evolves. We will notify registered users of material changes via email. Continued use of Conformis after changes constitutes acceptance of the updated policy.

Questions? Email us at hello@conformis.tech