Khairos AI

Privacy Policy

Last updated: 25 May 2026
Version: 2.0

This policy explains what Khairos AI Comply does with your personal data, why, and what control you have over it. Plain English. No tricks.

If you only have five minutes, read sections 7 (your rights) and 8 (employees of our customers). That's where most readers find what they need.


1. Who we are

This platform is operated by MLG Projects, trading as Khairos AI. We are the data controller for the personal data described in this policy, except where section 8 says otherwise.

  • Legal entity: MLG Projects
  • Trading name: Khairos AI
  • Address: Minckelersstraat 7B, 6211 GX Maastricht, Netherlands
  • KvK number: 94643342
  • VAT number: NL004552299B48
  • Privacy contact: mattia@khairos.ai
  • General contact: mattia@khairos.ai

We are not legally required to appoint a Data Protection Officer (the criteria in GDPR Art 37 do not apply to us — we are not a public authority, our core activities do not involve large-scale monitoring of individuals, and we do not process special categories of data at scale). The privacy contact above handles all requests.


2. What we collect

We collect only what we need to run the platform and deliver the training your employer signed you up for.

Category            | What it actually is
--------------------|--------------------------------------------------------------
Identity            | First name, last name
Contact             | Work email address
Account             | Hashed password, last login timestamp, language preference, magic-link tokens (during sign-in), invite tokens (cleared after use)
Company affiliation | The customer company that invited you, your role inside the platform (employee / admin), assigned plan
Training            | Modules started, modules completed, video watch progress, quiz answers, quiz scores, pass/fail status, certificate IDs, signed AI policy acknowledgements, audit questionnaire responses
Marketing           | If you signed up through our public site (khairos.ai) for a download, a demo, or our newsletter: name, work email, company name, and the content you asked for
Technical           | IP address (transient, used for rate-limiting and security logs), browser type, basic device info, server-side audit logs of authentication and admin events

We do not collect:

  • Special categories of data (Art 9) — no health, ethnicity, religion, political views, sexual orientation, biometrics, genetics
  • Payment card data — billing is handled offline via invoice
  • Data about children
  • Anything from third-party data brokers or enrichment tools

We do not use analytics, advertising, or behavioural tracking SDKs. None. There is no Google Analytics, no Meta Pixel, no Hotjar, no Mixpanel on this platform.


3. Why we process it

Every processing activity is tied to one of the lawful bases in GDPR Art 6.

Purpose                                                                                                        | Lawful basis
---------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------
Giving you access to the platform and running your training                                                    | Performance of a contract — Art 6(1)(b) (the contract is between us and your employer; your participation is necessary to perform it)
Recording your training progress, quiz scores and issuing your certificate                                     | Performance of a contract — Art 6(1)(b)
Producing the compliance evidence file your employer needs under EU AI Act Art 4                               | Performance of a contract — Art 6(1)(b), and our legitimate interest in operating an auditable training platform — Art 6(1)(f)
Authentication and account security (sign-in, password reset, MFA, rate-limiting)                              | Performance of a contract — Art 6(1)(b), and legal obligation under GDPR Art 32
Sending you the welcome email and essential service notifications (password reset, certificate ready, etc.)   | Performance of a contract — Art 6(1)(b)
Marketing emails, newsletters, gated downloads on khairos.ai                                                   | Consent — Art 6(1)(a). You can withdraw at any time using the unsubscribe link or by emailing us
Customer support, troubleshooting, security investigations                                                     | Legitimate interest — Art 6(1)(f)
Meeting our own legal and tax obligations                                                                      | Legal obligation — Art 6(1)(c) (e.g. Dutch tax law — Algemene wet inzake rijksbelastingen Art 52)

Special categories (Art 9): We do not process any. Not applicable.

Automated decision-making: Quiz scoring and certificate eligibility are automated. They do not produce legal or similarly significant effects within the meaning of Art 22 — failing a quiz means you retake it, not that you lose a job, a service, or a right. See section 11.


4. Where the data lives

The platform is built on a small, deliberately chosen set of sub-processors. We host inside the EU by default.

Sub-processor                                       | What they do                                                                   | Region
----------------------------------------------------|--------------------------------------------------------------------------------|-----------------
Supabase                                            | Database, authentication, edge functions                                       | Frankfurt (EU)
Vercel                                              | Application hosting                                                            | EU region
Vimeo                                               | Embedded training video player                                                 | United States
n8n (self-hosted) at kukkin8n.khairos.ai            | Internal workflow automation                                                   | EU (Netherlands)
Calendly                                            | Admin / sales call booking                                                     | United States
Anthropic Claude (accessed via Vercel AI Gateway)   | Powers blog topic drafting and certain internal admin tools                    | United States
Google Fonts                                        | Web font delivery — transitioning to self-hosted, will be removed from this list | United States
Telegram Bot API                                    | Internal admin notifications only — no end-user personal data is sent          | International

The current and authoritative list lives at https://khairos.ai/subprocessors. We update that page before adding a new sub-processor and give customers reasonable notice.


5. International transfers

Some of the sub-processors above are based outside the European Economic Area. Where data leaves the EEA, we rely on the following safeguards under GDPR Chapter V:

  • Vimeo (US): Standard Contractual Clauses (SCCs) per the European Commission's 2021 modules. Vimeo is also self-certified under the EU-U.S. Data Privacy Framework.
  • Calendly (US): Standard Contractual Clauses and EU-U.S. Data Privacy Framework certification.
  • Anthropic (US): Standard Contractual Clauses. Data sent to Anthropic via the Vercel AI Gateway does not include end-user training data — only content we explicitly generate (blog topics, admin tooling prompts).
  • Google Fonts (US): Will be removed by self-hosting fonts. Until then, your browser fetches font files directly from Google's CDN. No personal data is sent beyond what your browser includes in any HTTP request (IP, user agent).
  • Telegram (international): Used only for internal admin notifications. No personal data about end users is transmitted.

For each non-EEA processor we have a Transfer Impact Assessment on file documenting why we consider the transfer adequately protected. You can request a summary at mattia@khairos.ai.


6. How long we keep it

Data                                                 | Retention
-----------------------------------------------------|--------------------------------------------------------------
Marketing leads (newsletter signups, gated downloads) | 24 months from last meaningful interaction, then deleted
Customer (company) account data                      | Contract duration + 7 years, per Dutch tax law (Algemene wet inzake rijksbelastingen Art 52)
Training records and certificates                    | Contract duration + 5 years (customer-configurable; this default exists because Art 4 evidence may be requested years after the training itself)
Quiz attempts and answers                            | Contract duration only; deleted when the account is closed
Invite tokens                                        | 7 days (technically enforced)
Server-side audit logs                               | 12 months
Authentication session tokens                        | Until you log out or the token expires (Supabase default)

When retention ends, data is deleted from production systems within 30 days. Backups follow our standard rotation and are overwritten within 35 days.


7. Your rights

Under GDPR Art 15-22, you have the right to:

  • Access — ask for a copy of the personal data we hold about you (Art 15)
  • Rectification — correct anything inaccurate (Art 16)
  • Erasure — ask us to delete your data, where the lawful basis allows (Art 17)
  • Restriction — ask us to pause processing while a dispute is resolved (Art 18)
  • Portability — receive your data in a machine-readable format (Art 20)
  • Object — object to processing based on legitimate interest (Art 21)
  • Withdraw consent — for anything based on consent, such as marketing emails (Art 7(3))

How to exercise these rights:

  • Email: mattia@khairos.ai
  • In-product: Self-service flows for data export and account deletion are being rolled out. Until they ship, email is the route.
  • Response time: We respond within 30 days. If a request is genuinely complex we may extend by another 60 days and tell you why.

We will ask for proof of identity before acting on a request, to make sure we are not handing your data to someone else.


8. For employees of our customers

If you got an invite from your employer, this section is for you.

Your employer is the controller of your data on this platform. They decided to use Khairos AI Comply, they uploaded your name and work email, and they decide who in their organisation sees your training progress. We are the processor acting on their instructions — we run the system, store the data securely, and don't use it for our own purposes.

What that means in practice:

  • For access, correction or deletion requests, go to your employer first. They are responsible for responding. We will help them respond and, if they instruct us to delete your data, we will do so.
  • For questions about why you have to do this training, ask your employer. Short version: under EU AI Act Art 4, organisations using AI tools must ensure staff have an appropriate level of AI literacy. Your employer is fulfilling that obligation.
  • If you cannot reach your employer or believe they are not acting on your request, you can contact us directly at mattia@khairos.ai and we will escalate it.

We will never use your data for our own marketing. We will never sell it. We will never share it with anyone outside the sub-processor list in section 4.


9. Cookies and similar technologies

We do not use marketing or analytics cookies. There is no cookie banner because there is nothing for you to consent to under the ePrivacy Directive.

We do use functional browser localStorage, which lives only on your device and is not transmitted across sites:

  • Your Supabase authentication session token (so you stay logged in)
  • Your invite token (cleared immediately after the invite is consumed)
  • Your interface language preference
  • Your video language preference

These are strictly necessary for the platform to work and fall outside the scope of consent requirements.

Vimeo video player: When you play a training video, the embedded Vimeo iframe sets its own cookies according to Vimeo's privacy notice. We use Vimeo in "do-not-track" mode where available, but you should review Vimeo's notice for the full picture: https://vimeo.com/privacy.


10. Security

We take security seriously because the whole point of this product is helping companies prove they are doing things properly.

  • In transit: TLS 1.3 for all connections
  • At rest: AES-256 encryption on Supabase-managed storage
  • Access control: Row-Level Security policies on every table; users can only see data their role and company entitle them to see
  • Authentication: Supabase Auth with email + password, magic links, password reset flows; multi-factor authentication available
  • Audit logging: All authentication and sensitive admin events are logged server-side
  • Vulnerability management: Dependencies are monitored; security patches applied promptly
  • Hosting: EU-only by default (Frankfurt / Vercel EU)
  • Backups: Encrypted, rotated, restoration tested quarterly

If we ever suffer a data breach that is likely to result in a risk to your rights and freedoms, we will notify the Autoriteit Persoonsgegevens within 72 hours and notify affected users without undue delay.


11. Automated decision-making

Two things on the platform are automated:

  1. Quiz scoring — your answers are compared against the correct answers; you either pass (≥80%) or retake
  2. Certificate eligibility — issued automatically once you complete all required modules with passing scores

Neither produces "legal or similarly significant effects" within the meaning of GDPR Art 22. Failing a quiz means you take it again. There is no profiling, no ranking against colleagues, no AI deciding anything about your employment. Your employer sees your aggregate progress in the same way they would see a checklist; what they do with that information is governed by their own employment law obligations, not ours.


12. Complaints

If you think we have got something wrong:

  1. Talk to us first — email mattia@khairos.ai. Most issues can be sorted quickly.
  2. Complain to the supervisory authority — the Dutch Data Protection Authority is the Autoriteit Persoonsgegevens (the AP).

You have the right to lodge a complaint with the AP at any time. You do not have to come to us first, although we would rather you did.


13. Changes to this policy

We update this policy when the platform changes or when the law does. For material changes, we give at least 30 days' notice via:

  • An in-app banner the next time you log in
  • An email to the address on your account

Minor wording or clarifications get a new "last updated" date and that's it. The version history is kept on file and available on request.


14. Contact

For anything in this policy:

  • Email: mattia@khairos.ai
  • Post: MLG Projects, Minckelersstraat 7B, 6211 GX Maastricht, Netherlands

We aim to reply within 5 working days, faster for anything urgent.