Free diagnostic. The AI Act Position Assessment (questionnaire + score) is permanently free of charge, without registration.

Full report — delivery. Order confirmation within 1–3 business days of intake completion. Full reports are then delivered within 3–7 business days after confirmation.

Full report — quality. Every report undergoes human review by a qualified analyst before delivery. No fully automated reports are issued.

Completeness. Reports cover all six compliance gates defined in the Sprinkling Act engine (Art. 5, Art. 6 + Annex III, Art. 6(3) exception, transparency, GPAI, GPAI systemic risk).

Format. Full reports are delivered as a structured PDF of 15–20 pages, including a classification summary, applicable obligations, and actionable recommendations.

Legal basis. All analyses are based on the EU AI Act (Regulation (EU) 2024/1689) as published in the Official Journal of the European Union on 12 July 2024.

Engine updates. The assessment engine is updated whenever the European Commission publishes binding implementing acts, delegated acts, or guidance that materially affects classification outcomes. Updates are applied within 30 business days of publication.

Disclaimer. Sprinkling Act provides compliance positioning analysis, not legal advice. Users should consult qualified legal counsel for regulated decisions. This limitation is prominently disclosed throughout the platform.

Minimisation. We collect only the data strictly necessary to deliver the service. No data is sold or shared with third parties for commercial purposes.

Encryption. All data is encrypted in transit (TLS 1.3) and at rest (AES-256) via Supabase (EU region).

Retention. Diagnostic session data is retained for 24 months. Full report data (including intake answers, report content, methodology version used, and supporting evidence) is retained for the duration of the contractual relationship plus 10 years, aligning with the statutory limitation period for contractual claims under Belgian civil law.

Your rights. You have the right to access, rectify, port, and erase your personal data. Requests are processed within 30 calendar days. Contact: legal@sprinklingact.com.

GDPR basis. Processing is based on contract performance (Art. 6(1)(b) GDPR) for paid services and legitimate interest (Art. 6(1)(f) GDPR) for product improvement, with opt-in consent for marketing communications.

Sub-processors. We use Supabase (database, EU region), Vercel (hosting, EU region), Stripe (payments, PCI-DSS compliant), and Resend (transactional email). A current list of sub-processors is available on request.

Responsible disclosure. Security vulnerabilities can be reported to security@sprinklingact.com. We acknowledge security reports as soon as possible during EU business hours and aim to remediate critical issues within 72 hours.

Session security. User sessions use HTTP-only, Secure, SameSite=Strict cookies. Passwords are hashed using bcrypt via Supabase Auth. We do not store plaintext credentials.

Rate limiting. All public API endpoints are rate-limited to prevent abuse. Authentication endpoints enforce exponential back-off after repeated failures.

Access control. Admin interfaces are protected by a secret path and are not publicly discoverable. Row-level security is enforced at the database layer for all user data.

Response time — general. All contact form messages and issue reports receive an automated acknowledgment and are reviewed within 3 business days by a human.

Response time — security. Security reports are prioritized and reviewed as soon as possible during EU business hours.

Response time — legal. Classification disputes and legal objections are reviewed within 3 business days.

Escalation. If you are not satisfied with a response, you may escalate to contact@sprinklingact.com. We commit to a final position within 5 business days.

Payment processor. All payments are processed by Stripe (PCI-DSS Level 1). We do not store payment card data.

Pricing. Prices are displayed inclusive of VAT where applicable. The price at the time of order is the price charged — no hidden fees.

Refund policy. If a full report is not delivered within 10 business days of intake completion, or if the report does not address the system described in the intake, a full refund is issued automatically. Refund requests outside these conditions are assessed case-by-case within 5 business days.

Invoicing. A VAT invoice is issued automatically for every payment. BCE: BE 1034.962.482.

Uptime target. We target 99.5% monthly uptime for the assessment tool and dashboard. Planned maintenance is announced at least 24 hours in advance.

Data portability. Users may export their full diagnostic history and report data at any time via the dashboard. Export is available in JSON and PDF formats.

Service changes. Material changes to the service (pricing, scope, data handling) are communicated to registered users at least 30 days before taking effect.

Business continuity. In the event that Sprinkling Act ceases operations, registered users will be notified 60 days in advance and will retain access to all previously delivered reports.