Security & Data Privacy

Your Data Is Safe.
Here's exactly why.

Plain-English answers to the questions every business should ask before trusting an AI solution with their information.

GDPR Compliant | EU Data Residency | Your Data Is Never Sold | Human-in-the-Loop

Your data belongs to you. Full stop.

When you work with Sprimal, your documents, your client information, and your business data remain entirely yours.

GDPR: Who is responsible for what?

Under GDPR, you are the Data Controller — you decide what data is collected and why. Sprimal is your Data Processor — we handle data only on your instructions. A Data Processing Agreement (DPA) is signed at the start of every engagement. This is a legal requirement and standard practice for any reputable AI partner.

Enterprise-grade storage, built on proven infrastructure.

Sprimal uses Supabase — an enterprise database platform built on Amazon Web Services — to store and manage your data securely.

| Security Feature | What This Means for You |
| --- | --- |
| Encryption at rest | All stored data is encrypted using AES-256 — the same standard used by banks |
| Encryption in transit | All data between your browser and our systems travels over TLS (HTTPS) |
| EU data residency | Your data is hosted on EU-based AWS infrastructure — it stays within the European Economic Area |
| Access controls | Row-level security ensures each client's data is completely isolated from all others |
| Authentication | User access is protected by secure login and authentication controls |

Who actually sees your data when AI is involved?

Sprimal uses large language model APIs — including Anthropic's Claude — to process queries and generate responses. Here is exactly what that means.

Will AI companies train on my documents?

No. Sprimal uses enterprise API access, under which Anthropic confirms that data submitted via the API is not used for model training. Your documents are never used to improve AI models for other companies or users.

What if the AI gets something wrong?

This is the right question to ask — and we believe in giving an honest answer.

Sprimal systems are built using a technique called Retrieval Augmented Generation (RAG). In plain English: the AI answers questions based only on documents you have uploaded — not from general internet knowledge. This significantly reduces the risk of inaccurate or invented responses.

No AI system is perfect. That is why Sprimal builds a human-in-the-loop model into every deployment:

Built-In Safeguard

Every Sprimal system includes a standard response note: "This answer is based on your uploaded documents. Please verify before acting." This is consistent with Central Bank of Ireland guidance on the use of technology in regulated financial services.

Built for Irish and EU businesses from the ground up.

GDPR compliance is not an afterthought at Sprimal — it is built into how we operate.

| GDPR Requirement | How Sprimal Addresses It |
| --- | --- |
| Lawful basis for processing | Established in the Data Processing Agreement signed at the start of every engagement |
| Data minimisation | Only data necessary to deliver your service is collected and processed |
| Right to erasure | Your data can be fully deleted on request at any time |
| Data residency | EU-based infrastructure — your data does not leave the EEA |
| Data Processing Agreement | Provided as standard at the start of every engagement |
| Breach notification | Sprimal maintains an incident response process consistent with GDPR Article 33 requirements |

Quick answers to what businesses ask most.

Q: Does Sprimal sell my data?

No. Never. Your data is used solely to deliver your service and for nothing else.

Q: Where is my data stored?

On EU-based servers (AWS infrastructure). Your data stays within the European Economic Area and does not leave it.

Q: Can Sprimal see my documents?

Only with your explicit permission — for example, if you ask for support and share access to diagnose an issue. Sprimal does not routinely access client data.

Q: Will AI companies train on my business documents?

No. Sprimal uses enterprise API access where AI providers confirm that your data is not used to train their models.

Q: Is there a Data Processing Agreement?

Yes — a DPA is signed as standard at the start of every engagement. To request a copy in advance, email help@sprimal.com.

Q: Is Sprimal suitable for regulated businesses like credit unions or financial advisors?

Yes. Sprimal is designed with regulated Irish businesses in mind. We recommend starting with internal staff-facing tools — no member data required — so you see real value immediately while maintaining the caution your sector requires.

This page is provided for informational purposes. Sprimal is not a legal or compliance adviser. Organisations should seek independent legal advice regarding their specific GDPR obligations.

Have a question we haven't answered?

We're happy to talk through any security concern.

No pressure, no jargon. Just an honest conversation about whether Sprimal is the right fit for your business.

Email help@sprimal.com | Book a Free Call