Privacy Policy
Last updated: March 2026
Overview
Welcome to chAIr — a corporate governance and board management platform. We're committed to protecting your privacy and being transparent about how we handle your data. This policy explains what information we collect, how we use it, and your rights under GDPR and Icelandic data protection law.
chAIr is operated by Scaling Legal ehf., an Icelandic company. We comply with the General Data Protection Regulation (GDPR) as it applies in Iceland through our EEA membership.
Who We Are
Service Provider: Scaling Legal ehf.
Service Name: chAIr — Corporate Governance Suite
Domain: chair.is
Data Protection Authority: Persónuvernd (Icelandic Data Protection Authority)
Contact Information
What Data We Collect
We collect the minimum data needed to deliver chAIr effectively. Here's what we gather:
Account Information
- Name — your full name
- Email address — for login and account notifications
- Company affiliation — the organization you represent
- Phone number (optional) — if you provide it
- Role or title (optional) — board member, CEO, investor, etc.
Corporate Governance Data
When you use chAIr, you create and upload corporate documents and records:
- Meeting information — board meetings, shareholder meetings, agendas, minutes, attendees, decisions
- Cap table data — shareholder ownership, share classes, options, convertible notes, SAFEs, funding rounds
- Contracts — contract metadata, renewal dates, parties, status
- Newsletters — content you draft and send to investors or shareholders
- Company details — company name, incorporation date, jurisdiction, board members
- Fundraising information — pipeline, rounds, investor names, amounts
- Expense data — policy information and approval records
- Compliance records — governance checklists, filings, resolutions
Authentication Data
- Google account data (if you sign in via Google) — email, name, profile picture
- Session tokens — automatically generated to keep you logged in
Activity & Usage Data
- Analytics — page views, feature usage, time on site (collected by Plausible, a privacy-focused analytics tool)
- Logs — login times, actions taken, errors encountered
Communication Data
- Support messages — if you contact us with questions or feedback
- Email communications — we send account updates, notifications, and product improvements
Device & Technical Data
- Browser type and version
- Operating system
- IP address (Netlify hosting infrastructure)
- Referring website
What we do NOT collect: We do not use cookies for tracking. We do not collect biometric data, health information, or location data beyond what's needed to deliver the service.
How We Use Your Data
We use your data for these purposes:
Service Delivery
- Provide, maintain, and improve the chAIr platform
- Manage your account and subscriptions
- Process payments through Stripe
- Store and retrieve your corporate governance documents
Communication
- Send you important account notifications (login alerts, password resets, security updates)
- Notify you about service changes or maintenance
- Respond to your support requests
Product Improvement
- Analyze how you use chAIr to improve features and fix bugs
- Understand user behavior through privacy-focused analytics (Plausible)
- Plan new features and enhancements
Legal & Security
- Detect and prevent fraud, abuse, or unauthorized access
- Comply with legal obligations and regulations
- Enforce our Terms of Service
- Protect the rights, safety, and property of Scaling Legal, users, and the public
Marketing (with your consent)
- Send you product updates and feature announcements
- Invite you to user research or beta testing (opt-in)
We will never sell your personal data to third parties or use it for purposes outside of those listed above without your consent.
Legal Basis for Processing (GDPR)
Under GDPR, we only process your data when we have a lawful reason. Here's what applies to chAIr:
| Data Type | Legal Basis |
|---|---|
| Account information & corporate data | Contract: Processing is necessary to perform our service agreement with you |
| Payment information | Contract: Processing is necessary to process payments for your subscription |
| Analytics & usage data | Legitimate interest: We have a legitimate interest in understanding how our platform is used and improving it |
| Security logs & fraud detection | Legitimate interest: We have a legitimate interest in detecting and preventing abuse and protecting user accounts |
| Marketing communications | Consent: We only send marketing emails if you've opted in |
| Legal compliance | Legal obligation: We process data as required by law or court order |
If we process your data on the basis of legitimate interest, we have balanced our interests against your rights to determine that processing is fair and proportionate.
Who We Share Data With
We only share your data with trusted service providers who assist us in operating chAIr. All processors have contractual agreements in place to protect your data.
Third-Party Processors
| Service | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, user management | European Union (EU-hosted) |
| Netlify | Website hosting and CDN | United States (with EU data processing) |
| Stripe | Payment processing | United States (PCI-DSS compliant) |
| Google OAuth | Authentication (if you sign in with Google) | United States |
| Plausible Analytics | Privacy-focused web analytics (no cookies) | European Union (EU-hosted) |
| Claude API (Anthropic) | AI-powered features (meeting minutes, board packs, etc.) | United States (see AI Processing section) |
Other Situations
- Legal requirements: We may disclose data if required by law, court order, or government request. We will notify you whenever legally permissible.
- Business transfers: If Scaling Legal is acquired or merges with another company, your data may be transferred as part of that transaction. You will be notified of any such change.
- With your consent: We only share your data with other parties if you explicitly authorize it.
No third parties have access to your corporate governance data unless you explicitly share it with them through chAIr's sharing features.
How Long We Keep Your Data
Active Accounts
While your account is active, we retain all your account information and corporate data to deliver the chAIr service.
Account Deletion
When you delete your account:
- Account data (name, email, login history) is deleted immediately or within 30 days
- Corporate governance data (meetings, cap tables, contracts, etc.) is deleted immediately unless you request a data export first
- Backups may retain data for up to 30 additional days for system integrity
Specific Data Types
- Payment records: Retained for 7 years for tax and accounting compliance (Icelandic law requirement)
- Activity logs: Retained for up to 12 months for security and troubleshooting
- Analytics data: Retained for up to 12 months before anonymization
- Support tickets: Retained for 3 years unless you request deletion
Company-Level Deletion
If your company requests deletion of all data associated with it (across all users), we will:
- Delete all corporate governance data associated with that company
- Notify all company users of the deletion
- Retain only what's legally required (payment records for tax purposes)
We delete data that is no longer necessary for the purpose it was collected, unless we have a legal obligation to retain it.
Your Rights Under GDPR
You have rights over your personal data. Here's what you can do:
Right to Access
You have the right to request a copy of the personal data we hold about you. Contact us at privacy@chair.is and we'll provide it within 30 days.
Right to Rectification
If your data is inaccurate, you can request we correct it. Many corrections (name, email, company) can be made directly in your account settings.
Right to Erasure ("Right to be Forgotten")
You can request deletion of your personal data in most cases. We will delete it within 30 days unless we have a legal reason to retain it (e.g., tax records).
Right to Data Portability
You can request your data in a structured, portable format (JSON, CSV) so you can move it to another service. We'll provide this within 30 days.
Right to Restrict Processing
You can ask us to limit how we use your data while we resolve a dispute or verify accuracy. We'll honor this request while maintaining the service.
Right to Object
You can object to processing your data for legitimate interest reasons (e.g., analytics, marketing). We will honor your request unless we have a compelling legal reason to continue.
Right to Withdraw Consent
If we process data based on your consent (e.g., marketing emails), you can withdraw consent at any time. You can unsubscribe from marketing emails using the link in every email.
Rights Related to Automated Decision-Making
We do not use your data for automated decision-making that has legal or similarly significant effects without human review.
How to Exercise Your Rights
To exercise any of these rights, contact us:
- Email: privacy@chair.is
- Include "Data Subject Access Request" or the specific right in the subject line
- Provide enough information to identify you (email, name, company)
- We'll respond within 30 days (or 60 days for complex requests)
Right to Lodge a Complaint
If you believe we've violated your data protection rights, you can lodge a complaint with the Icelandic Data Protection Authority:
- Persónuvernd (Icelandic DPA)
- Website: www.personuvernd.is
- Email: postur@personuvernd.is
AI-Powered Features
chAIr includes AI-powered features like automated meeting minutes generation, board pack assembly, and briefing generation. Here's how we handle your data with AI:
How It Works
- When you use an AI feature, your input (meeting details, documents, prompts) is sent to Claude API by Anthropic
- Claude processes your request and returns the generated content (minutes, board pack, etc.)
- The result is stored in chAIr for your use
Data Handling by Anthropic
- No training: Anthropic does not use your data to train Claude. Your corporate data is not used to improve the model.
- No storage: Anthropic does not permanently store your prompts or data after processing the request
- Limited retention: Anthropic retains API data for up to 30 days for abuse monitoring and may share limited context with trusted customers for improvement (you can opt out)
- Legal agreement: Scaling Legal has a Data Processing Agreement with Anthropic that protects your data
Your Control
- You can disable AI features in your account settings
- You can opt out of Anthropic's limited data sharing for model improvement
- Generated content is not automatically shared unless you choose to send it
Sensitive Data
Be cautious about including highly sensitive information (specific financial amounts, private cap table details, attorney-client privileged communications) in AI-powered features. While protected by contract, network transmission carries inherent risks.
International Data Transfers
chAIr uses processors located in the United States (Netlify, Stripe, Anthropic, Google) and the European Union (Supabase, Plausible). Transfers to the US are governed by:
Data Privacy Framework (DPF)
For processors with valid DPF certifications, data transfers are protected under the EU-US Data Privacy Framework, which provides adequate safeguards.
Standard Contractual Clauses (SCCs)
For other transfers, we use Standard Contractual Clauses approved by the European Commission to protect your data in transit and at rest.
Your Rights
You have the same GDPR rights even when your data is processed outside the EEA. If you have concerns about international transfers, contact us at privacy@chair.is.
Data Security
We take data security seriously and implement industry-standard protections:
Technical Measures
- Encryption in transit: All data sent to/from chAIr uses TLS/SSL encryption
- Encryption at rest: Sensitive data is encrypted in our database
- Authentication: Secure password hashing, optional two-factor authentication (2FA), OAuth integration
- Access controls: Role-based access — users can only see data they own or have been granted access to
- Regular backups: Data is backed up automatically and tested for integrity
Organizational Measures
- Limited internal access — only authorized staff can access user data
- Non-disclosure agreements — all team members sign confidentiality agreements
- Incident response plan — we have procedures to detect, respond to, and report security breaches
- Regular security reviews — we audit our systems and processes for vulnerabilities
Limitations
While we use robust security measures, no system is 100% secure. If you're concerned about specific security measures, please contact us for details.
Security Incident Notification
If we discover a breach that puts your personal data at risk, we will notify you and relevant authorities within 72 hours as required by GDPR.
Children's Privacy
chAIr is not intended for users under 18 years old. We do not knowingly collect data from children. If we become aware that a child has provided us with personal data, we will delete it immediately and notify the child's parent or guardian.
If you believe we have collected data from a child, please contact us immediately at privacy@chair.is.
Changes to This Policy
We may update this privacy policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes:
- Email notification: We'll send you an email at the address associated with your account
- In-app notice: A notice will appear when you next log in
- Website announcement: Changes will be posted on this page
Your continued use of chAIr after changes become effective constitutes your acceptance of the updated policy. If you disagree with any changes, you can delete your account.
Contact Us
If you have questions about this privacy policy, your data, or our data practices, please reach out:
General Inquiries & Support
Data Protection Authority