Privacy Policy
Last updated: 20 March 2026
1. Who We Are
Delphian Ltd ("Delphian", "we", "us", or "our") is a company registered in Ireland. We operate the Delphian platform, an EU legislative monitoring service available at delphian.eu.
For the purposes of the EU General Data Protection Regulation (GDPR), Delphian Ltd is the data controller responsible for your personal data.
Contact: privacy@delphian.eu
2. Data We Collect
We collect and process the following categories of personal data:
| Category | Data Collected | Source |
|---|---|---|
| Account information | Email address, display name | Provided by you at registration |
| Authentication data | Firebase Auth UID, sign-in method, last sign-in timestamp | Firebase Authentication |
| User preferences | Watched dossiers, saved searches, committee preferences, notification settings | Your interactions with the platform |
| Usage data | Pages visited, features used, session duration | Automatically collected via cookies |
| Technical data | IP address, browser type, device information | Automatically collected |
We do not collect special category data (e.g. political opinions, health data) or data relating to criminal convictions.
3. How We Use Your Data
We use your personal data for the following purposes:
- To create and manage your account
- To provide the Delphian monitoring service, including personalised feeds, alerts, and briefings
- To send notifications about legislative developments matching your preferences
- To improve and maintain our platform
- To communicate service updates, security notices, and policy changes
- To comply with legal obligations
4. Lawful Basis for Processing
We process your personal data on the following legal bases under Article 6(1) GDPR:
- Contract (Art. 6(1)(b)): Processing necessary to provide you with the service you have registered for, including account management and delivering personalised monitoring features.
- Legitimate interests (Art. 6(1)(f)): Processing necessary for our legitimate interests in improving the platform, ensuring security, and understanding usage patterns, provided these interests are not overridden by your rights.
- Consent (Art. 6(1)(a)): Where we rely on your consent (e.g. optional analytics cookies), you may withdraw consent at any time without affecting the lawfulness of prior processing.
- Legal obligation (Art. 6(1)(c)): Where processing is required to comply with applicable laws.
5. Third-Party Processors
We use the following third-party services to operate our platform. Each acts as a data processor under GDPR:
| Processor | Purpose | Location | Safeguards |
|---|---|---|---|
| Google Cloud / Firebase | Authentication, database, cloud functions | EU (europe-west1, Belgium) | EU data residency; Google Cloud DPA |
| Vercel | Frontend hosting, serverless functions | EU (fra1, Frankfurt) | Vercel DPA; EU region deployment |
| Google Gemini API | AI-generated briefings and summaries | EU | Google Cloud DPA; no training on customer data |
| Deepgram | Audio transcription (committee/plenary sessions) | US | Standard Contractual Clauses (SCCs) |
We have Data Processing Agreements (DPAs) in place with all processors. We do not sell your personal data to any third party.
6. International Transfers
Our primary infrastructure is hosted within the European Union (Belgium and Frankfurt). Where data is transferred outside the EEA (e.g. Deepgram transcription services in the US), we ensure appropriate safeguards are in place, including:
- EU Standard Contractual Clauses (SCCs) approved by the European Commission
- Data Processing Agreements with all sub-processors
- Technical measures such as encryption in transit and at rest
7. Data Retention
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected:
| Data Type | Retention Period | Basis |
|---|---|---|
| Account data | Duration of account + 30 days after deletion | Contract performance |
| Signal feed items | 90 days (automatic TTL) | Legitimate interest |
| AI-generated briefings | Variable TTL (set per briefing type) | Legitimate interest |
| Authentication logs | 90 days | Security / legal obligation |
| Cookie consent preferences | 365 days | Consent record-keeping |
After the retention period, data is automatically deleted or anonymised.
8. Your Rights
Under the GDPR, you have the following rights regarding your personal data:
- Right of access (Art. 15): Request a copy of the personal data we hold about you.
- Right to rectification (Art. 16): Request correction of inaccurate or incomplete data.
- Right to erasure (Art. 17): Request deletion of your personal data ("right to be forgotten").
- Right to restriction (Art. 18): Request that we limit how we process your data.
- Right to data portability (Art. 20): Receive your data in a structured, machine-readable format.
- Right to object (Art. 21): Object to processing based on legitimate interests.
- Right to withdraw consent (Art. 7(3)): Where processing is based on consent, withdraw it at any time.
To exercise any of these rights, contact us at privacy@delphian.eu. We will respond within 30 days. You may also manage certain preferences directly from your account settings.
9. Cookies
We use a limited number of cookies that are strictly necessary for the operation of our service. For detailed information about the cookies we use and how to manage them, please see our Cookie Policy.
10. Data Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption in transit (TLS/HTTPS) and at rest
- Invite-only access control with email allowlisting
- Firebase Authentication with custom claims for authorisation
- Firestore Security Rules enforcing authenticated access
- Infrastructure hosted in EU data centres with SOC 2 and ISO 27001 certified providers
- Regular security reviews and dependency updates
11. Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will:
- Notify the Data Protection Commission (DPC) within 72 hours of becoming aware of the breach
- Notify affected individuals without undue delay where the breach poses a high risk
- Document all breaches, including facts, effects, and remedial actions taken
12. Supervisory Authority
You have the right to lodge a complaint with a supervisory authority. Our lead supervisory authority is the Irish Data Protection Commission (DPC):
Data Protection Commission
21 Fitzwilliam Square South
Dublin 2, D02 RD28
Ireland
Phone: +353 1 765 0100 / 1800 437 737
Website: www.dataprotection.ie
13. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or a prominent notice on the platform. The "Last updated" date at the top of this page indicates when the policy was last revised.
Continued use of the service after changes take effect constitutes acceptance of the revised policy. We encourage you to review this page periodically.