Privacy Policy

Last updated: May 2026 · AliceSolutionsGroup

Introduction and processing roles

The Alice GRC Portal ("the Service") is operated by AliceSolutionsGroup ("we", "Alice") for client organizations as part of mapping, risk management, compliance, and AI governance readiness services. While delivering the service, the client organization is usually the party that determines the purposes of personal-data processing relating to its employees and business data (the "controller" under EU Regulation 2016/679 — "GDPR"), and Alice acts as the "processor" on its behalf in accordance with the contract and the controller's instructions. Where the law applies differently or where the agreement provides otherwise, the agreement governs.

This document provides general transparency. Detailed obligations regarding data categories, retention periods, international transfers, sub-processors, and data-subject rights are typically set out in a Data Processing Agreement (DPA), the service agreement, and the regulatory annexes signed with your organization.

What information may be uploaded and processed

  • Identity and sign-in details — for example, organizational email, user ID, and basic details required for authentication and role-based access control (RBAC).
  • Operational content — questionnaire answers (including free-text fields), upload metadata, and files the organization chooses to upload as part of mapping and assessments.
  • Data derived from product activity — for example, progress status, timestamps, technical audit logs, and minimal security data required for operations, fraud prevention, and support.

Uploading sensitive or special-category data (such as protected categories under GDPR or Israeli law) requires a matching arrangement in the agreement and in the organization's policies. The organization is responsible for confirming it is permitted to collect and enter the relevant data into the Service.

Legal bases and processing purposes (including GDPR)

Processing is generally based on performance of the contract with the client organization, our legitimate interest in operating the Service securely without undue impact on data-subject rights, and applicable legal orders. Where GDPR applies, data subjects' rights include — depending on circumstances — access, rectification, erasure ("the right to be forgotten"), restriction of processing, objection, data portability, and withdrawal of consent in cases that rely on consent (as described in GDPR and supervisory-authority guidance).

Requests to exercise rights from organization employees or other parties are typically routed through the organization's representative (the "controller") authorized under law and internal policy; you may also contact us at the address at the end of this document and we will route the request as required by law and the agreement.

Use of AI capabilities and compute providers (including OpenAI)

Alice does not independently run public AI models on the organization's content without an explicit arrangement.

Any use of language-model-based or similar capabilities in the Service — if and when available — will occur only after explicit approval and activation by the client organization (for example via project settings, the service agreement, or a system-administrator action), and subject to the security and privacy policies the organization sets.

Where the organization chooses to use services provided by an external vendor such as OpenAI, the contractual arrangement, processing terms, and obligations of that external vendor apply between the organization and that vendor ("between the organization and OpenAI") and between the organization and any additional vendors agreed — pursuant to Enterprise agreements or the terms of service applicable to that organization. Alice will act as a processor or supporting party as needed in accordance with documents signed with the customer, and will not bind the organization to terms with OpenAI that have not been approved by the organization.

  • Automated outputs do not constitute legal or regulatory advice and are not a substitute for human judgment; errors ("hallucinations") or stale information may appear — any material decision should be verified with the organization's decision-makers and external experts as required.
  • Organization content is not used for public marketing or to sell data to third parties through the Service; any sub-processor reporting is included in the agreement/DPA and in the customer project's standard transparency materials.

International transfers and sub-processors

Cloud, infrastructure, and backup services may involve data transfers outside the organization's country of establishment or outside the European Union. Where GDPR requires, transfers will be performed under an appropriate safeguard — for example EU Standard Contractual Clauses ("SCCs") or another compliant mechanism as defined in the agreement and processing documentation.

Retention and security

We implement reasonable organizational and technical measures to protect the confidentiality, integrity, and availability of information — proportionate to the risk and the terms of the agreement. Retention periods, backup policy, and environment separation are defined with the organization and documented in the DPA or a security annex.

Data-subject rights and supervisory authority

Data subjects may — subject to applicable law and its exceptions — contact the controller (usually the client organization) or us in order to exercise their rights. A complaint may be filed with the relevant privacy supervisory authority (in Israel or the EU, depending on applicable jurisdiction).

Email for general privacy inquiries: [email protected]

This document does not constitute full legal advice. In case of conflict between the description here and a signed agreement, service, or DPA — the signed contractual documents prevail.
