Privacy Policy — RiskAI X

Last updated: April 13, 2026 · Diamond Properties Investments SRL · CUI 50535310 · Romania, EU
This policy applies to riskaix.com and all RiskAI X services.

Summary: We collect only what's necessary to run the service. We never sell your data. We never show you ads. You can request deletion of your data at any time. We are based in Romania (EU) and comply with GDPR.

1. Who We Are

RiskAI X is operated by Diamond Properties Investments SRL, a Romanian company (CUI 50535310) registered in Romania, European Union. We are the data controller for all personal data processed through riskaix.com.

For data protection questions: privacy@riskaix.com

2. What Data We Collect

Data Type	What	Why	Legal Basis
Account data	Email address, name (if provided)	Account creation, authentication	Contract
Payment data	Billing email, subscription status	Payment processing via Paddle	Contract
Property searches	Addresses you search	Deliver risk reports, caching	Contract
Usage data	Pages visited, features used, API calls	Platform improvement, rate limiting	Legitimate interest
Technical data	IP address, browser type, device	Security, fraud prevention	Legitimate interest
Communications	Emails you send us	Support, product feedback	Consent / legitimate interest

We do not collect: government IDs, financial account numbers, passwords in plain text, location tracking data, or any sensitive categories of personal data under GDPR Article 9.

3. How We Use Your Data

Providing property risk analysis reports and AI-powered assessments
Processing subscription payments and managing your account
Sending transactional emails (reports, alerts, account updates)
Sending product update emails if you have opted in
Improving our platform, fixing bugs, and developing new features
Detecting and preventing fraud, abuse and security threats
Complying with legal obligations under EU and Romanian law

4. Property Address Data

When you enter a property address, we process it to generate a risk report. Address data is:

Forwarded to geocoding services (OpenStreetMap Nominatim) to obtain coordinates
Cached in our Cloudflare KV store for up to 24 hours to reduce API costs and latency
Used to query official government databases (ANCPI Romania, Catastro Spain, CUZK Czech Republic, etc.)
Not linked to your personal identity — addresses are stored separately from account data
Not shared with third parties for marketing or profiling purposes

5. Third-Party Services

We use the following third-party services that may process your data:

Service	Purpose	Data Shared	Location
Paddle	Payment processing	Email, billing info	UK/EU
Cloudflare	CDN, Workers, KV storage	IP, request data	EU edge nodes
Resend / Brevo	Transactional email	Email address	EU
Anthropic Claude	AI analysis generation	Property address (anonymized)	US (SCCs)
OpenStreetMap Nominatim	Geocoding addresses	Address string	EU
USGS / EMSC	Seismic data	Coordinates only	US / EU

For transfers to the US (Anthropic), we rely on Standard Contractual Clauses (SCCs) as the transfer mechanism under GDPR Article 46.

6. Cookies and Tracking

We use minimal cookies:

Session cookie — keeps you logged in. Expires when you close the browser.
Plan/tier cookie — remembers your subscription plan for UI display.
Preference cookies — language, accessibility settings, UI preferences.

We do not use advertising cookies, third-party tracking pixels, or analytics services that identify individuals (such as Google Analytics with user IDs). We do not show advertisements.

7. Data Retention

Data Type	Retention Period
Account data	Duration of account + 2 years after deletion request
Property search cache	24 hours (Cloudflare KV)
Saved properties (Portfolio)	Until you delete them or close your account
Payment records	7 years (Romanian fiscal law requirement)
Usage/analytics data	90 days rolling
Support emails	2 years

8. Your Rights Under GDPR

As an EU resident, you have the following rights:

Right of access — request a copy of all personal data we hold about you
Right to rectification — correct inaccurate or incomplete data
Right to erasure — request deletion of your personal data ("right to be forgotten")
Right to restriction — request we limit processing of your data
Right to data portability — receive your data in a machine-readable format
Right to object — object to processing based on legitimate interests
Right to withdraw consent — where processing is based on consent

To exercise any of these rights, email privacy@riskaix.com or use our automated endpoints:

Data export: GET /gdpr/export?email=your@email.com&token=...
Data deletion: POST /gdpr/delete

We will respond to all requests within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with ANSPDCP (Romania's data protection authority) at dataprotection.ro.

9. Data Security

We implement industry-standard security measures including:

HTTPS/TLS encryption for all data in transit
All secrets stored as encrypted environment variables (Cloudflare Workers Secrets)
API keys hashed with SHA-256 before storage
Admin access protected by Cloudflare Zero Trust Access
HMAC-SHA256 signature verification for all payment webhooks
No credit card or payment details stored on our servers (processed entirely by Paddle)
Rate limiting and bot detection on all API endpoints

10. Children's Privacy

RiskAI X is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us immediately at privacy@riskaix.com.

11. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will notify subscribers by email at least 14 days before the changes take effect. The "last updated" date at the top of this page always reflects the current version.

12. Contact

Diamond Properties Investments SRL
CUI 50535310 · Romania, EU

Data protection: privacy@riskaix.com
General: info@riskaix.com
GDPR requests: privacy@riskaix.com
Supervisory authority: ANSPDCP Romania