SPRINKLING ACT — LEGAL
Privacy Policy
Last updated: March 1, 2026
1. Data Controller
The data controller is:
Lamar B. Shucrani, operating under the trade name Sprinkling Act
BCE: BE 1034.962.482
Avenue des Arts 19 BT 2, 1210 Brussels, Belgium
Data protection contact: legal@sprinklingact.com
Sprinkling Act is an independent AI Act position assessment service. We are not affiliated with the European Commission or any regulatory authority.
2. Data We Collect
We collect the following categories of personal data:
Account data: email address, password (hashed), full name, company name, role/function.
Diagnostic data: your answers to the AI Act questionnaire.
Contact data: name, email, company, message content.
Waitlist data: first name, last name, email, company.
Newsletter data: email address, language preference.
Analytics data (with consent only): pages visited, device type, anonymous session ID — no IP addresses, no fingerprinting.
Payment data: processed entirely by Stripe. We never see or store your card details.
3. Legal Bases
Under GDPR Article 6:
Contract (Art. 6(1)(b)): account, diagnostic, report.
Consent (Art. 6(1)(a)): newsletter, analytics cookies, waitlist.
Legitimate interest (Art. 6(1)(f)): issue reports, service improvement, fraud prevention.
4. Sub-processors
Supabase (EU) — Database, authentication. Data in EU. DPA in place.
Vercel Inc. (US) — Hosting. DPA in place.
Resend (US) — Transactional emails. DPA in place.
Stripe Payments Europe Ltd (Ireland) — Payments. PCI-DSS.
Sentry (US) — Error monitoring. Processes request metadata (IP, user agent, error context). DPA in place.
We do not use Google Analytics, Facebook Pixel, or any third-party advertising tracker.
5. Data Retention
Account: while active. Deleted within 30 days of verified request (GDPR Art. 12(3)).
Diagnostic: while account active.
Contact: 24 months.
Waitlist: until delivery or 12 months.
Newsletter: until unsubscribe.
Analytics: anonymized, 12 months.
Payments: 10 years (Belgian tax law).
6. Your Rights
Under GDPR:
Access (Art. 15)
Rectify (Art. 16)
Erase — right to be forgotten (Art. 17)
Restrict (Art. 18)
Portability (Art. 20)
Object (Art. 21)
Withdraw consent (Art. 7(3))
Email legal@sprinklingact.com. Response within 30 days.
7. Security
Encryption in transit (TLS 1.3) and at rest. HSTS with preloading. CSP enforced. Passwords hashed. Production access limited to data controller.
8. International Transfers
Data primarily stored in EU (Supabase). Some sub-processors in US under EU-US Data Privacy Framework or SCCs.
9. Complaint
Lodge a complaint with the Belgian DPA:
Autorité de protection des données (APD)
Rue de la Presse 35, 1000 Bruxelles
www.autoriteprotectiondonnees.be
Email: contact@apd-gba.be
10. Changes
We may update this policy. Material changes communicated via email or site notice.