Raiana Website and Applications
Version 1.0 – January 2026

Raiana B.V. (“Raiana”, “we”, “us”) respects the privacy of its customers, users, and website visitors, and is committed to protecting personal data and confidential information in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and other applicable European data-protection laws.

This Privacy Policy explains how Raiana processes personal data when you visit the Raiana website or use Raiana’s applications and services, including but not limited to ChatMDR, ChatIVDR, ChatFDA, and ChatAIAct (collectively, the “Applications”).

If you require further information about personal data protection, you may consult the Dutch Data Protection Authority (Autoriteit Persoonsgegevens):
https://autoriteitpersoonsgegevens.nl

The version of this Privacy Policy available on the website at any given time is the only applicable version until replaced by a newer version.

---

Article 1 – Definitions

1. Website
   The Raiana website, including associated domains and subdomains, as well as the web-based Applications hosted by Raiana.
2. Raiana
   Raiana B.V., established in the Netherlands. Chamber of Commerce details are available upon request via the website contact form.
3. Personal Data
   Any information relating to an identified or identifiable natural person, as defined in Article 4(1) GDPR.
4. Customer Data
   All data, including Personal Data and proprietary information, submitted to or processed through the Applications by or on behalf of a customer.
5. Usage Data
   Technical and operational data relating to the use of the Website or Applications, such as logs, performance metrics, and aggregated usage statistics, which do not directly identify individuals.

---

Article 2 – Scope and Access

Access to and use of the Website and Applications are intended for professional and lawful use only. You shall not use data or information obtained from the Website or Applications for unauthorised commercial, political, or advertising purposes, including unsolicited electronic communications.

---

Article 3 – Roles Under GDPR

1. Website visitors and individual users
   Raiana acts as data controller for Personal Data processed in the context of website visits, account creation, subscriptions, billing, and customer communications.
2. Enterprise and organisational customers
   Where Raiana processes Personal Data on behalf of a customer in the provision of the Applications, Raiana acts as a data processor and the customer acts as the data controller within the meaning of the GDPR.
3. Data Processing Agreement (DPA)
   For such processor activities, Raiana enters into a Data Processing Agreement in accordance with Article 28 GDPR, forming an integral part of the applicable customer agreement.

---

Article 4 – Collection and Purpose of Personal Data

1. Raiana collects Personal Data solely for legitimate and specified purposes, including:
   • Providing access to the Website and Applications
   • Managing subscriptions and contractual relationships
   • Customer support and communication
   • Compliance with legal and regulatory obligations
   • Security, abuse prevention, and service integrity
2. Personal Data may include identification details, contact information, account credentials, billing information, and technical identifiers.
3. Raiana does not collect Personal Data beyond what is necessary for these purposes.

---

Article 5 – Customer Input and AI Processing

1. The Applications process user input and generate responses using large language models and supporting systems.
2. No Training or Model Improvement
   • Customer Data, including prompts, uploaded content, and generated outputs, is not used for training, fine-tuning, or improving AI or machine-learning models.
   • No Customer Data is used for benchmarking or evaluation of generative models without explicit, prior, written opt-in.
3. Purpose Limitation
   Customer Data is processed solely to provide the requested functionality of the Applications, to comply with applicable law, and to prevent misuse or abuse of the services.

---

Article 6 – Use of Aggregated and Anonymised Data

Raiana may collect and use aggregated, anonymised, and de-identified data derived from the use of the Applications for statistical analysis, service improvement, performance monitoring, and business analytics, provided such data cannot reasonably be used to identify any individual or customer. Such data does not constitute Personal Data or Customer Data.

---

Article 7 – Third-Party Processing and AI Providers

1. Where technically required, Customer Data may be transmitted to carefully selected service providers acting as sub-processors (e.g. infrastructure or AI API providers).
2. Such providers are contractually bound to:
   • Process data solely on Raiana’s instructions
   • Not use Customer Data for training or independent purposes
   • Implement appropriate technical and organisational security measures
3. Customer Data is not shared with third parties for commercial or advertising purposes.

---

Article 8 – Data Location and International Transfers

1. Raiana processes Personal Data exclusively within the European Union.
2. All hosting environments, infrastructure, and sub-processors used by Raiana are located in the EU and subject to European data-protection law.
3. No transfers of Personal Data to third countries take place.

---

Article 9 – Data Security

Raiana implements appropriate technical and organisational measures to protect Personal Data and Customer Data against unauthorised access, loss, alteration, or disclosure. These measures include, among others:

• Encryption in transit and at rest
• Logical access controls and role-based authorisation
• Segregation of customer environments
• Logging, monitoring, and incident detection
• Secure authentication mechanisms
• Incident response and recovery procedures

Security measures are periodically reviewed and updated in line with industry standards and risk assessments.

---

Article 10 – Data Breach Notification

In the event of a personal data breach, Raiana will notify affected customers without undue delay and provide all information required under the GDPR, including the nature of the incident, affected data, and mitigation measures. Raiana will cooperate with customers to enable compliance with regulatory and data-subject notification obligations.

---

Article 11 – Data Retention

Personal Data is retained only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law. Retention periods are periodically reviewed.

---

Article 12 – Data Subject Rights

In accordance with Articles 13–22 GDPR, data subjects have the right to:

• Access their Personal Data
• Rectify inaccurate data
• Request erasure or restriction of processing
• Object to processing
• Data portability, where applicable

Requests may be submitted via the website contact form. Raiana will respond within one month, extendable to two months where legally permitted.

---

Article 13 – Cookies

1. The Website uses functional and anonymised analytical cookies to ensure proper operation and to improve usability.
2. Cookies do not identify individual visitors and are not used for profiling or advertising.
3. Consent, where required, is obtained in accordance with applicable law and remains valid for thirteen (13) months.

---

Article 14 – Transparency and Limitations of AI Services

Raiana’s Applications are designed to support professional users and augment human expertise. They do not provide legal advice. Users remain responsible for verifying outputs against authoritative regulatory sources and for professional decision-making.

---

Article 15 – Applicable Law

This Privacy Policy is governed by Dutch law. Any disputes shall be submitted to the competent court in the Netherlands, unless mandatory law provides otherwise.

---

Article 16 – Contact

For questions regarding this Privacy Policy or the processing of Personal Data, please use the contact form available on the Raiana website.