Privacy Policy
Last updated: April 18, 2026 · Version: 1.2.0
This Privacy Policy describes how Treyst ("we", "us", or "our") collects, uses, and protects your personal data when you access or use the Treyst legal automation platform and the public website at treyst.ai (the "Platform").
It is drafted in accordance with Regulation (EU) 2016/679 (General Data Protection Regulation — GDPR), Articles 12–14 (transparency obligations), and applicable national data protection laws. Document version: 1.2.0.
1. Data Controller
The data controller for personal data processed through the Platform is:
- Company Name: Vikonnekt ehf. (operating as Treyst)
- Address: Gróska, Bjargagata 1, 102 Reykjavík, Iceland
- Data Protection Officer: dpo@treyst.com
Where Treyst processes personal data on behalf of your organisation (as a B2B customer), Treyst acts as a data processor and your organisation is the data controller for that processing activity. This Policy covers both roles.
2. Data We Collect
We collect and process the following categories of personal data:
2.1 Account & Identity Data
- First name, last name, email address, phone number
- Encrypted password (bcrypt-hashed; never stored in plain text)
- Role within your organisation (User / Admin)
- Profile picture (optional)
- Account status and verification data
2.2 Organisation Data
- Organisation name, slug, and status
- Organisation membership and role assignments
2.3 Document & Legal Content Data
The Platform processes legal documents you upload, including PDFs, Excel files, and national legislative texts. These documents may contain personal data if referenced in the legislation (e.g., named individuals in legal instruments). We process this content solely to provide the AI-assisted legal analysis services you request, including:
- EU directives and EFTA legal acts fetched from EUR-Lex and EFTA portals
- National transposition documents you upload
- Adaptation, amendment, auditing, and gold-plating analysis outputs
- Folder and file organisation metadata
2.4 Usage & Activity Data
- Features accessed and processing jobs created (job type, status, timestamps)
- Processing events and usage statistics per user and organisation
- Notification interactions
2.5 Technical & Security Data
- IP address (captured at consent recording for audit purposes)
- Authentication tokens (JWT, stored in your browser's localStorage)
- Error and crash reports (via Grafana)
- Server-side access logs
2.6 Consent Records
- Record of acceptance of Terms of Service and Privacy Policy (timestamp, version)
- Cookie notice acknowledgement (stored locally)
- Contact-form privacy consent (timestamp, version, hashed email and IP)
2.7 Website Lead Data (Contact Form)
When you submit the contact form on the public Treyst website (/api/contact), we collect the data fields you provide (name, email, optional phone, job title, organisation, country, subject, message) plus the recorded privacy consent. This data is forwarded to our CRM provider (HubSpot) for sales follow-up — see §5 and §6 for the transfer mechanism.
3. Purposes of Processing and Legal Bases (GDPR Arts. 6 & 13)
In accordance with GDPR Art. 13(1)(c), the following table maps each processing purpose to the specific personal data categories involved and the legal basis relied upon:
| Purpose | Data Categories (see §2) | Legal Basis | GDPR Article |
|---|---|---|---|
| User authentication and account management | Account & Identity (2.1), Organisation (2.2) | Performance of a contract | Art. 6(1)(b) |
| AI-assisted legal analysis — EU directive parsing (EUR-Lex / EFTA), JCD adaptation, amendment application, national transposition evaluation, compliance auditing, gold-plating detection | Document & Legal Content (2.3), Usage & Activity (2.4) | Performance of a contract | Art. 6(1)(b) |
| Background processing jobs and output generation | Document & Legal Content (2.3), Usage & Activity (2.4) | Performance of a contract | Art. 6(1)(b) |
| Real-time notifications about job status and platform activity | Usage & Activity (2.4) | Performance of a contract | Art. 6(1)(b) |
| Organisation and team management for enterprise customers | Account & Identity (2.1), Organisation (2.2) | Performance of a contract | Art. 6(1)(b) |
| Platform security, fraud detection, and error monitoring | Technical & Security (2.5), Usage & Activity (2.4) | Legitimate interest | Art. 6(1)(f) |
| Recording and demonstrating GDPR consent for audit purposes | Consent Records (2.6), Technical & Security (2.5) | Legal obligation (GDPR Art. 7) | Art. 6(1)(c) |
| Sales follow-up on contact-form enquiries | Website Lead Data (2.7), Consent Records (2.6) | Consent + legitimate interest in responding to enquiries | Art. 6(1)(a) / Art. 6(1)(f) |
| Compliance with GDPR obligations and regulatory requests | All categories as required | Legal obligation | Art. 6(1)(c) |
Legitimate interest basis: We have conducted a legitimate interest assessment (LIA) for security logging. Our interest in maintaining platform security does not override your fundamental rights, given the limited nature of the data retained and the security safeguards applied.
4. AI-Assisted Processing and EU-Hosted AI Sub-Processors
A core feature of the Platform is AI-assisted legal document analysis. When you submit documents or request analysis, relevant content (legal text, document excerpts) is sent to one or more EU-hosted Large Language Model (LLM) providers acting as data processors under GDPR Art. 28. All AI processing takes place on infrastructure located within the European Union; no document content is transferred to providers outside the EU/EEA.
| Provider | Service Used | Location | Transfer Mechanism |
|---|---|---|---|
| Microsoft — Azure OpenAI Service | GPT-class models hosted by Microsoft (legal analysis, JCD adaptation, amendments) | EU region (e.g., Sweden Central / West Europe) | No third-country transfer — data remains in the EEA |
| Google — Gemini (Vertex AI) | Gemini models (auditing, transposition) | EU region (e.g., europe-west) | No third-country transfer — data remains in the EEA |
| Mistral AI | Mistral models (optional) | EU (France) | GDPR-compliant (EU) |
We do not use OpenAI's public API (api.openai.com). Where OpenAI-developed models are used, they are accessed exclusively through Microsoft Azure OpenAI Service deployed in EU regions, which provides separate processor commitments, EU-data-residency and EU-only data processing under our Microsoft Online Services DPA.
We have entered into Data Processing Agreements (DPAs) with each provider under GDPR Art. 28. Providers process data only for the purpose of generating the analysis you request and are contractually prohibited from using your content to train their models.
Data persistence at AI providers: Document content transmitted via API is not permanently stored by the AI providers. Azure OpenAI Service is configured to disable abuse monitoring / human review where eligible, so input and output are not retained beyond the API request; Google Gemini (Vertex AI) and Mistral AI do not retain prompt content beyond the API request on the paid / enterprise tiers we use. Full details are provided in §7.4.
You should avoid uploading documents containing unnecessary personal data. If you process documents that include personal data of individuals (e.g., named parties in legislation), you are responsible as data controller for ensuring an appropriate legal basis exists for transmitting that content.
5. Data Sharing and Sub-Processors
We do not sell your personal data. We share data only with the following categories of recipients, each subject to appropriate data processing agreements:
| Recipient | Purpose | Location |
|---|---|---|
| Microsoft — Azure OpenAI Service | AI legal document analysis (GPT-class models, EU-hosted) | EU region (e.g., Sweden Central / West Europe) |
| Google — Gemini (Vertex AI) | AI auditing and transposition analysis | EU region (e.g., europe-west) |
| Mistral AI | AI analysis (optional LLM) | EU (France) |
| Amazon Web Services (AWS) | Document and file cloud storage (S3) | EU (eu-west-1) |
| Microsoft Azure | Alternative document storage (Blob) | EU (West Europe) |
| Cloudflare | CDN, DNS, frontend hosting (Cloudflare Pages); EU edge routing for EU/EEA visitors | Global edge network (DPA + SCCs); EU data-protection commitments via Cloudflare DPA |
| Grafana (self-managed) | Error monitoring, observability and performance logs | EU (self-hosted) |
| HubSpot, Inc. (Website lead capture only) | Receives contact-form submissions made through treyst.ai for sales follow-up | United States — EU SCCs (Commission Decision 2021/914) + EU-US Data Privacy Framework |
| Google Ireland Ltd. (reCAPTCHA) | Spam protection on the public contact form (loaded only when the form is in use) | EU (Ireland) with possible technical access from Google LLC (US) under SCCs |
| Legal authorities | When required by applicable law | Varies |
All sub-processors are evaluated for GDPR compliance before onboarding. A current list of sub-processors is available at /docs/sub-processors or upon request at dpo@treyst.com.
6. International Data Transfers (GDPR Ch. V)
EU-only processing principle for platform data. All personal data, uploaded documents and AI processing are stored and processed on infrastructure located within the European Union. We do not rely on any third-country processor (such as OpenAI Inc. in the United States) for AI processing of customer content.
Limited US transfer for marketing leads. The single exception is the website contact form: when you submit it, the lead data is forwarded to HubSpot, Inc. in the United States so our sales team can reply to you. This transfer is governed by the EU Standard Contractual Clauses (Commission Decision 2021/914) signed with HubSpot and HubSpot's certification under the EU-US Data Privacy Framework. You are informed of this transfer and consent to it explicitly via the privacy checkbox on the form. If you prefer not to share data with HubSpot, you can email us directly at contact@treyst.com instead.
6.1 Data Locations
| Recipient | Country / Region | Transfer Mechanism | Safeguard Reference |
|---|---|---|---|
| Microsoft — Azure OpenAI Service | EU region (e.g., Sweden Central / West Europe) | No third-country transfer — EU data residency contractually committed | Microsoft Online Services DPA + EU Data Boundary commitments |
| Google — Gemini (Vertex AI) | EU region (e.g., europe-west) | No third-country transfer — EU data residency configured | Google Cloud DPA + EU data-residency settings |
| Mistral AI | EU (France) | No third-country transfer | N/A — data remains in the EEA |
| Amazon Web Services (S3) | EU (eu-west-1) | No third-country transfer (EU region) | AWS DPA + AWS EU Sovereign commitments |
| Microsoft Azure (Blob) | EU (West Europe) | No third-country transfer (EU region) | Microsoft Online Services DPA |
| Cloudflare (CDN/DNS/Pages) | Global edge network; EU/EEA visitors served from EU edge | Cloudflare DPA; SCCs apply to any incidental transfer of metadata outside the EEA | EU Commission Decision 2021/914 (where applicable) |
| HubSpot (CRM — website lead capture) | United States | EU SCCs (Commission Decision 2021/914) + EU-US Data Privacy Framework | HubSpot DPA + DPF certification |
Cloudflare is used solely as a CDN, DNS provider and frontend host. The content of uploaded documents and AI processing data is never routed to or stored on Cloudflare; only minimal connection metadata (IP, request headers) is processed at the edge.
6.2 Supplementary Measures
Even though almost all processing takes place in the EU, we apply the following safeguards aligned with EDPB Recommendations 01/2020:
- Encryption in transit — all API calls use TLS 1.2+ end-to-end.
- Encryption at rest — cloud storage and database backups are encrypted at rest in EU regions.
- Data minimisation — only the document content strictly necessary for the requested analysis is transmitted to AI providers; no account, identity or organisation data is sent. For contact-form leads, only the form fields you fill in are transmitted to HubSpot — no platform data, documents, or AI outputs.
- Contractual restrictions — providers are contractually prohibited from using transmitted content for model training, sub-licensing, or any purpose beyond fulfilling the API request or, in HubSpot's case, supporting our sales response.
- EU data-residency enforcement — Azure OpenAI, Google Vertex AI, AWS S3 and Azure Blob deployments are pinned to EU regions; we routinely audit configurations to detect drift.
6.3 Onward Transfers by Sub-Processors
Some EU-based sub-processors (notably Microsoft and Google) are ultimately part of US-headquartered groups. Where any incidental access from outside the EU/EEA could occur (e.g., for technical support), it is governed by the EU Standard Contractual Clauses (EU Commission Decision 2021/914) and the supplementary measures described above. A Transfer Impact Assessment (TIA) for these scenarios is available on request.
You may request a copy of any applicable DPA, SCCs or TIA summary by contacting dpo@treyst.com.
7. Data Retention (GDPR Art. 5(1)(e) — Storage Limitation)
In accordance with the storage limitation principle (GDPR Art. 5(1)(e)), we retain personal data only for as long as strictly necessary to fulfil the purpose for which it was collected, or as required by applicable law. This section defines retention periods, deletion triggers, and procedures for every data category.
7.1 Retention Schedule
| Data Category (see §2) | Retention Period | Deletion / Anonymisation Method | Legal Basis for Retention |
|---|---|---|---|
| Account & Identity Data (2.1) | Duration of account + 30 days after deletion request | Irreversible anonymisation (name, email, phone replaced with non-reversible placeholders); profile picture permanently deleted from storage | Art. 6(1)(b) — Contract |
| Organisation Data (2.2) | Duration of organisation subscription + 30 days | Membership records anonymised; organisation metadata retained for billing audit | Art. 6(1)(b) — Contract |
| Uploaded documents and files (2.3) | 12 months from date of upload | Permanent deletion from cloud storage (S3 / Azure Blob); file references removed from database | Art. 6(1)(b) — Contract |
| AI processing outputs (2.3 / 2.4) | Duration of account; deletable earlier on request | Permanent deletion from database | Art. 6(1)(b) — Contract |
| Usage & Activity Data (2.4) | 24 months from creation | Irreversible anonymisation (user identifiers removed) | Art. 6(1)(f) — Legitimate interest |
| Technical & Security logs (2.5) | 12 months | Automatic log rotation and secure deletion | Art. 6(1)(f) — Legitimate interest |
| Error and performance logs — Grafana (2.5) | Governed by Grafana instance retention policy (configured by Treyst) | Automatic log rotation and deletion within Grafana infrastructure | Art. 6(1)(f) — Legitimate interest |
| Consent Records (2.6) — platform + contact form | 5 years from creation | Secure deletion after retention period; raw email/IP never stored — only SHA-256 hashes | Art. 6(1)(c) — Legal obligation (GDPR Art. 7) |
| Website Lead Data (2.7) at HubSpot | Until you request deletion, or 24 months after last interaction (whichever is sooner) | Deletion request honoured by HubSpot per their DPA; can also be triggered via dpo@treyst.com | Art. 6(1)(a) — Consent / Art. 6(1)(f) — Legitimate interest |
| Redis cache / queue data | Ephemeral — cleared on job completion or failure | Automatic eviction from memory | Technical necessity |
7.2 Deletion Triggers
In addition to the time-based retention periods above, data is deleted or anonymised upon any of the following events:
| Trigger Event | Data Affected | Timing |
|---|---|---|
| User requests account deletion | All Account & Identity Data (2.1), uploaded documents, AI outputs, usage data associated with the user | Within 30 days of request (GDPR Art. 17) |
| Organisation subscription terminates | All Organisation Data (2.2), documents uploaded by any member, AI outputs, membership records | Within 30 days of termination date |
| User deletes a specific document | The uploaded file and its cloud storage object | Immediate deletion from storage; database reference removed within 24 hours |
| User deletes a specific AI processing job | Job metadata and all generated outputs | Immediate deletion from database |
| Automatic expiry (12-month document limit) | Uploaded documents that have exceeded the 12-month retention window | Automatic daily purge job |
| Account inactivity (no login for 24 months) | All user data — treated as an implicit deletion request | User notified 30 days before deletion; data deleted if no response |
| Website lead deletion request | Contact-form submission records held by HubSpot | Within 30 days of request to dpo@treyst.com |
7.3 Uploaded Document Lifecycle
Because uploaded documents are a core processing activity, the following lifecycle applies:
- Upload: Documents are stored in cloud storage (AWS S3 or Azure Blob) within an EU region. Each file is associated with the uploading user and organisation.
- Processing: When an AI analysis job is initiated, relevant document content is extracted and transmitted to the AI provider via API. Content is held in the provider's memory only for the duration of the API request (see §7.4 below).
- Retention: The original file is retained in cloud storage for 12 months from the upload date.
- Early deletion: Users may delete any document at any time via the Platform interface. Organisation administrators may delete all documents within their organisation.
- Automatic purge: Documents exceeding the 12-month retention window are permanently deleted by an automated daily process. Deletion is irreversible.
- Account or subscription termination: All documents are permanently deleted within 30 days of account deletion or subscription termination.
7.4 Data Retention by Third-Party AI Processors
Document content transmitted to AI providers for analysis is subject to the following retention commitments, as established by our Data Processing Agreements (DPAs):
| Provider (EU-hosted) | Data Persistence After API Call | Training Use |
|---|---|---|
| Microsoft — Azure OpenAI Service (EU region) | Configured with abuse-monitoring / human-review disabled where eligible; input and output not retained beyond the API request. Otherwise, transient retention of up to 30 days for abuse monitoring within the EU region, then permanently deleted. | Not used for model training (Microsoft Online Services DPA + Azure OpenAI product terms) |
| Google — Gemini (Vertex AI, EU region) | Input and output data not retained beyond the API request on Vertex AI enterprise/paid tier | Not used for model training (Google Cloud DPA + Vertex AI terms) |
| Mistral AI (France) | Input and output data not retained beyond the API request | Not used for model training (Mistral API Terms) |
We select API configurations that minimise data retention at the provider level. No account, identity, or organisation data is transmitted to AI providers — only the document content required for the requested analysis.
7.5 Backup and Disaster Recovery Retention
Database backups are retained for a maximum of 30 days on a rolling basis for disaster recovery purposes. Backups are encrypted at rest and stored in EU-region infrastructure. When data is deleted from the live database (e.g., following an account deletion request), the deletion propagates to backups as they rotate out within the 30-day window. No data is restored from backups except in the event of a system failure.
7.6 Post-Retention Procedures
After the applicable retention period, data is securely deleted or irreversibly anonymised using methods appropriate to the storage medium. Account deletion requests are processed within 30 days in accordance with GDPR Art. 17.
When you delete your account, all personal identifiers (name, email, phone number, profile picture) are irreversibly replaced with non-reversible placeholders and your uploaded documents are permanently removed from storage. The anonymised account record is retained solely to preserve referential integrity of audit and consent logs, but cannot be linked back to any identifiable person.
8. Your Rights Under GDPR (Arts. 15–22)
You have the following rights regarding your personal data. To exercise any right, contact dpo@treyst.com. We will respond within 30 calendar days (extendable by 2 months for complex requests, with notice).
| Right | Description | GDPR Article |
|---|---|---|
| Right of access | Request a copy of personal data we hold about you | Art. 15 |
| Right to rectification | Correct inaccurate or incomplete data | Art. 16 |
| Right to erasure | Request deletion of your data ("right to be forgotten"), subject to legal retention obligations | Art. 17 |
| Right to restriction | Restrict processing while a dispute is resolved | Art. 18 |
| Right to data portability | Receive your account data in a structured, machine-readable format (JSON/CSV) | Art. 20 |
| Right to object | Object to processing based on legitimate interest (e.g., security logging) | Art. 21 |
| Right to withdraw consent | Where processing is based on consent, withdraw it at any time; withdrawal does not affect prior lawful processing | Art. 7(3) |
| Rights related to automated decisions | The Platform does not make solely automated decisions with legal or similarly significant effects | Art. 22 |
If you believe we have not handled your data lawfully, you have the right to lodge a complaint with your national supervisory authority. Find your authority at edpb.europa.eu.
9. Cookie Policy and Browser Storage
This section constitutes our Cookie Policy in accordance with the ePrivacy Directive (2002/58/EC) and GDPR. It describes all cookies, local storage items, and similar technologies used by the website and Platform. We use only strictly necessary cookies and browser storage — no analytics, marketing, or tracking technologies are deployed.
9.1 What Are Cookies?
Cookies are small text files stored on your device by your browser. We also use browser localStorage for certain technical purposes. Both are described below.
9.2 Strictly Necessary Cookies and Storage
These are essential for the Platform to function. They do not require consent under the ePrivacy Directive.
| Name / Key | Type | Purpose | Duration | Provider |
|---|---|---|---|---|
| refresh_token | HttpOnly cookie | Secure refresh token to maintain your platform session (access token stored in memory only) | 30 days | Treyst (first party) |
| treyst_consent | localStorage | Records that you have acknowledged the cookie information notice and the version of that notice | Persistent until cleared | Treyst (first party) |
| __cf_bm | Cookie | Cloudflare bot management — distinguishes humans from bots | 30 minutes | Cloudflare (third party) |
| cf_clearance | Cookie | Cloudflare security challenge clearance | Session / up to 24 hours | Cloudflare (third party) |
| _GRECAPTCHA | Cookie | Google reCAPTCHA spam detection on the public contact form (loaded only when the form is in use) | 6 months | Google Ireland Ltd. (third party) |
| NID | Cookie | Google session identifier set when reCAPTCHA loads on the contact form | 6 months | Google Ireland Ltd. (third party) |
Google reCAPTCHA cookies (_GRECAPTCHA, NID) are only set if you focus or interact with the public contact form. The reCAPTCHA script is not loaded on any other page or section.
9.3 Managing Your Preferences
This platform does not use analytics, marketing, or tracking cookies. You can view cookie details at any time via the link in the footer, or by adjusting cookie settings in your browser. Disabling necessary cookies may impair Platform functionality.
For more information about cookies in general, visit allaboutcookies.org.
10. Security Measures
We implement appropriate technical and organisational measures (TOMs) in accordance with GDPR Art. 25 (data protection by design and by default) and Art. 32:
- TLS/HTTPS encryption in transit for all communications
- Password hashing using bcrypt with salt rounds
- JWT-based stateless authentication with expiry
- Role-based access control (RBAC) at API level (Admin / User roles)
- Organisation-level data isolation (multi-tenancy)
- Error monitoring and observability with Grafana (no sensitive personal data included in logs)
- Cloud storage with access control policies (AWS S3 / Azure Blob)
- Redis in-memory queue — data not persisted beyond job lifecycle
- Contact-form consent records use one-way SHA-256 hashes for email and IP — raw values are never stored at the consent log layer
In the event of a personal data breach that is likely to result in a risk to your rights, we will notify the relevant supervisory authority within 72 hours and affected individuals without undue delay, in accordance with GDPR Arts. 33–34.
11. Business Customers — Data Processing Agreement
The Platform is designed as a business-to-business (B2B) tool. When your organisation subscribes to Treyst:
- Your organisation is the data controller for the personal data of its employees and the documents it uploads.
- Treyst acts as a data processor on your behalf for the purpose of providing the Platform services.
- A Data Processing Agreement (DPA) under GDPR Art. 28 is available and incorporated into our subscription terms. Contact legal@treyst.com to request a copy.
11.1 Processor Data Retention and Deletion Obligations
In its capacity as data processor, Treyst commits to the following under GDPR Art. 28(3)(g):
- Retention during subscription: Uploaded documents and AI processing outputs are retained only for the duration specified in §7.1, or until earlier deletion by the controller.
- Data return on termination: Upon subscription termination, the controller may request an export of all data (documents, AI outputs, account data) in a structured, machine-readable format (JSON) within the 30-day post-termination window.
- Data deletion on termination: After the 30-day post-termination window (or immediately upon written instruction from the controller), all personal data processed on behalf of the controller is permanently deleted from live systems. Database backups containing such data rotate out within 30 days (see §7.5).
- Sub-processor retention: Treyst ensures that all sub-processors (including AI providers) delete or return personal data upon termination of the sub-processing relationship, as required by the DPA chain. AI provider data persistence is described in §7.4.
- Certification of deletion: Upon request, Treyst will provide written confirmation that all data processed on behalf of the controller has been deleted, unless retention is required by EU or member state law.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or a prominent in-platform notice at least 14 days before changes take effect. The "Last updated" date at the top of this page will always reflect the most recent version. Previous versions are available upon request.
13. Contact & Complaints
For any privacy-related question, request, or complaint:
- Email: dpo@treyst.com
- Post: Vikonnekt ehf., Attn: Data Protection, Gróska, Bjargagata 1, 102 Reykjavík, Iceland
You also have the right to lodge a complaint with your local supervisory authority (e.g., Persónuvernd in Iceland, CNIL in France, ICO in the UK, BfDI in Germany) at any time.