AI Act & GDPR Compliance | ReviewSignal

1. EU Artificial Intelligence Act Compliance

ReviewSignal fully acknowledges and complies with Regulation (EU) 2024/1689 — the European Artificial Intelligence Act (AI Act), which entered into force on August 1, 2024, with phased implementation through 2027.

We have conducted a thorough self-assessment of our AI systems against the risk-based classification framework established by the AI Act and determined that our platform falls within the minimal-risk category.

1.1 Scope of Our AI Systems

ReviewSignal deploys the following AI and machine learning components:

Component	Technology	Purpose
Neural Core	MiniLM-L6-v2 (sentence embeddings)	Semantic analysis of consumer review text
Anomaly Detection	Isolation Forest (scikit-learn)	Detecting unusual patterns in review sentiment
Echo Engine	Proprietary sentiment propagation	Modeling sentiment spread across geographic regions
NLP Pipeline	VADER + custom classifiers	Sentiment scoring of review text

1.2 What Our AI Does NOT Do

ReviewSignal’s AI systems never:

Profile, score, or categorize natural persons
Make decisions that affect individuals’ rights or freedoms
Process biometric data or perform facial/emotion recognition
Engage in social scoring or behavioral manipulation
Operate in law enforcement, migration, or democratic processes
Interact with end consumers or generate content directed at individuals

2. AI System Risk Classification

Under the AI Act’s four-tier risk framework, ReviewSignal’s AI systems are classified as follows:

Risk Level	Definition	ReviewSignal
Unacceptable	Social scoring, subliminal manipulation, real-time biometric surveillance	Not applicable
High-Risk	Creditworthiness, employment decisions, law enforcement, education, critical infrastructure	Not applicable
Limited Risk	Chatbots, emotion recognition, deepfakes (transparency obligations)	Not applicable
Minimal Risk	AI-powered analytics, recommendation systems, business intelligence tools	This is us

2.1 Rationale for Minimal-Risk Classification

Our AI systems are classified as minimal-risk because they:

Process only business data: Publicly posted consumer reviews about commercial establishments — not data about identifiable individuals
Serve B2B institutional clients: Output is consumed by professional investment analysts, not end consumers
Generate aggregate insights: Sentiment scores are computed at the location and brand level, never at the individual reviewer level
Do not make autonomous decisions: Our AI provides analytical signals; investment professionals make all trading decisions independently
Operate in an unregulated domain: Alternative data analytics for financial markets does not fall under any Annex III high-risk category

2.2 Voluntary Compliance Measures

Although not legally required for minimal-risk systems, we voluntarily implement the following best practices from the AI Act’s high-risk requirements:

Documentation: Maintained technical documentation of all AI models, training data, and evaluation metrics
Logging: Comprehensive telemetry system (Cortex Engine) tracking all AI inference events
Human oversight: All AI outputs are presented as signals for human decision-making, not automated actions
Accuracy monitoring: Weekly model refit cycle with performance evaluation

3. AI Transparency Obligations

In the spirit of full transparency required by Article 52 of the AI Act, we disclose the following:

3.1 AI-Generated Content Disclosure

ReviewSignal uses AI to generate:

Sentiment scores: Numerical values (-1.0 to +1.0) derived from NLP analysis of review text
Anomaly flags: Binary indicators when review patterns deviate significantly from historical baselines
Trading signals: Directional indicators (bullish/bearish) based on sentiment trend analysis

All outputs are clearly labeled as AI-generated analytical signals. We never present AI-generated content as human-authored analysis.

3.2 Model Limitations

We are transparent about the limitations of our AI systems:

Sentiment analysis accuracy depends on review text quality and language
Anomaly detection may produce false positives in low-data-volume scenarios
Historical correlation does not guarantee future predictive accuracy
Our models are trained on English-language reviews; accuracy for other languages may vary

3.3 Training Data Provenance

Our AI models are trained exclusively on:

Publicly posted consumer reviews from Google Maps (via authorized Apify actors)
Publicly posted employee reviews from Glassdoor (aggregate company-level sentiment only, no individual reviewer identification)
Publicly posted customer reviews from Trustpilot (company-level brand sentiment)
Open-source NLP models (MiniLM from Hugging Face, VADER from NLTK)
No proprietary datasets from individuals, no purchased personal data

4. GDPR Compliance Framework

ReviewSignal operates under the General Data Protection Regulation (EU) 2016/679 and the German Bundesdatenschutzgesetz (BDSG). Our compliance framework addresses two distinct categories of data processing:

Data Category	Legal Basis	GDPR Article
Consumer reviews (public)	Legitimate interest in data analysis	Art. 6(1)(f)
Client/subscriber data	Contract performance + consent	Art. 6(1)(b) + Art. 6(1)(a)
B2B prospect data (Apollo.io)	Legitimate interest in B2B marketing	Art. 6(1)(f) + Recital 47
Website visitor data	Legitimate interest + essential cookies only	Art. 6(1)(f)

4.1 Data Minimization (Art. 5(1)(c))

We collect only the minimum data necessary for each processing purpose:

Reviews: Text, rating, date, location — reviewer names are not stored in our analytics pipeline
B2B leads: Professional email, name, title, company — no private contact details
Clients: Account credentials, billing info (via Stripe), API usage logs

4.2 Purpose Limitation (Art. 5(1)(b))

Data collected for one purpose is never repurposed without additional legal basis. Consumer review data is used exclusively for sentiment analysis and signal generation — never for advertising, profiling individuals, or resale of personal information.

4.3 Storage Limitation (Art. 5(1)(e))

Consumer reviews: Retained for the duration of our analytical services (time-series data requires historical depth)
B2B prospect data: Deleted within 24 months of collection if no business relationship established, reviewed annually
Client data: Retained for the duration of the contract + 10 years (German commercial law, HGB §257)
Server logs: Automatically rotated and deleted after 90 days

5. Public Data Processing Policy

Core Principle: ReviewSignal processes exclusively publicly available consumer reviews that individuals voluntarily posted on public platforms. We do not scrape personal data, social media profiles, private communications, or any non-public information about individuals.

5.1 What We Mean by “Public Data”

The data we process consists of consumer reviews that are:

Voluntarily published by consumers on public review platforms (Google Maps)
Publicly accessible to any internet user without authentication or special access
Intended for public consumption — review platforms exist specifically for sharing opinions publicly
Already indexed by search engines and visible in search results

5.2 What We Do NOT Collect

We explicitly do not collect or process:

Names or usernames of individual reviewers for our analytics
Profile photos, personal bios, or account details of reviewers
Private messages, emails, or non-public communications
Social media posts from private/restricted accounts
Location data or movement patterns of individuals
Financial, health, or other special category data of individuals
Data from behind paywalls, login walls, or restricted APIs

5.3 How We Process Review Data

Our pipeline transforms individual reviews into aggregate business intelligence:

Stage	Input	Output	Personal Data?
Collection	Public Google Maps reviews	Review text + rating + date + location	Minimal (reviewer display name)
NLP Processing	Review text	Sentiment score (-1.0 to +1.0)	None
Aggregation	Individual sentiment scores	Location-level + chain-level averages	None
Signal Generation	Aggregated sentiment trends	Trading signals for institutional clients	None

By the time data reaches our clients, it has been fully aggregated and anonymized. No individual reviewer can be identified from our output.

5.4 Legal Basis for Public Data Processing

Processing publicly available data is permitted under GDPR Article 6(1)(f) (legitimate interest) and is further supported by:

Recital 47: “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”
Recital 49: Processing for network and information security purposes constitutes legitimate interest
Article 14(5)(a): Information obligations are relaxed when “the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for [...] statistical purposes”
German UWG §7: B2B communications about relevant professional services are permissible under German competition law

5.5 Proportionality Assessment

We have conducted a legitimate interest assessment (LIA) confirming that:

Our interest is legitimate: Providing financial market intelligence from public data serves a recognized commercial purpose
Processing is necessary: Aggregate sentiment analysis cannot be performed without processing individual reviews
Individual rights are not overridden: Reviews are already public, our output is anonymized, and we provide opt-out mechanisms

6. Data Sources & Legal Basis

Source	Data Type	Legal Basis	Volume
Google Maps	Public consumer reviews, ratings, location data	Publicly available data; Legitimate interest Art. 6(1)(f)	124,000+ reviews across 55,000+ locations
Glassdoor	Public employee reviews (company culture, compensation, management)	Publicly available data; Legitimate interest Art. 6(1)(f)	600+ company-level reviews (no individual reviewer identification)
Trustpilot	Public customer reviews (business-to-consumer experiences)	Publicly available data; Legitimate interest Art. 6(1)(f)	Company-level reviews across 205 brands
Apollo.io	B2B professional contact data (name, title, company email)	Licensed B2B database; Legitimate interest Art. 6(1)(f); Apollo.io’s own GDPR compliance	~1,400 professional contacts
Stripe	Payment processing (card details stored by Stripe)	Contract performance Art. 6(1)(b)	Subscriber billing only
FormSubmit.co	Contact form submissions	Consent Art. 6(1)(a)	Inbound inquiries

Important: We do not purchase personal data from data brokers. Apollo.io is a licensed B2B intelligence platform that aggregates publicly available professional information. All contacts can opt out at any time through Apollo.io or directly through us.

7. B2B Outreach & Legitimate Interest

Our B2B email outreach program targets professional contacts at institutional investment firms. This processing is conducted under GDPR Article 6(1)(f) — legitimate interest in B2B marketing — as further elaborated below.

7.1 Legitimate Interest Assessment (LIA)

LIA Element	Assessment
Purpose	Informing relevant investment professionals about our alternative data services
Necessity	Email is the standard channel for B2B SaaS outreach in financial services
Balancing test	We contact only professional email addresses at relevant firms; messages contain genuine business value; easy opt-out in every email; no more than 4 emails per sequence
Reasonable expectation	Investment professionals at hedge funds reasonably expect to receive relevant vendor communications about alternative data products
Safeguards	Immediate unsubscribe honored; data deletion on request within 30 days; no sharing with third parties

7.2 Outreach Safeguards

Opt-out in every email: Reply “UNSUBSCRIBE” or click the unsubscribe link
Volume limits: Maximum 4 emails per sequence, then communication stops
No deception: Sender identity, company name, and physical address clearly disclosed
Relevance filter: We only contact professionals whose job function is directly relevant to our services
Data source disclosed: Every email footer states: “You received this because your profile on Apollo.io matched our target audience for alternative data insights.”

7.3 German-Specific Compliance

Under German law (UWG §7 Abs. 2 Nr. 3), B2B email communication is generally permissible when:

The recipient’s email address was obtained in the context of a business relationship or from publicly accessible sources
The communication relates to the recipient’s professional activity
The recipient has not objected to receiving such communications
Each message includes a clear mechanism to opt out

ReviewSignal’s outreach program satisfies all four conditions.

8. Data Subject Rights

Under GDPR Articles 15–22, every data subject has the following rights. We respond to all requests within 30 days (Art. 12(3)).

Right	Article	How to Exercise
Access	Art. 15	Email team@reviewsignal.ai with subject “Data Subject Access Request”
Rectification	Art. 16	Email us with the data to be corrected
Erasure	Art. 17	Email with subject “Right to Erasure” — we will delete within 30 days
Restriction	Art. 18	Email us to restrict specific processing activities
Data Portability	Art. 20	Request a machine-readable export of your data
Objection	Art. 21	Reply “UNSUBSCRIBE” to any email, or email us directly
Supervisory Authority	Art. 77	File a complaint with the Hessischer Beauftragter für Datenschutz (HBDI), Postfach 3163, 65021 Wiesbaden

9. Technical & Organizational Measures

In accordance with GDPR Article 32, we implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk:

9.1 Technical Measures

Encryption in transit: TLS 1.3 on all endpoints (Let’s Encrypt certificates, auto-renewed)
Encryption at rest: PostgreSQL data stored on encrypted GCP persistent disks
Access control: SSH key-based authentication; no password-based SSH; firewall rules on GCP VPC
Credential management: All API keys and passwords stored in environment variables; zero hardcoded credentials in source code
Password hashing: bcrypt with adaptive cost factor for user accounts
API authentication: Bearer token authentication on all client-facing endpoints
DDoS protection: Cloudflare DNS proxy with rate limiting

9.2 Organizational Measures

Principle of least privilege: System accounts have minimal necessary permissions
Service monitoring: 24/7 automated health checks (service watchdog, every 5 minutes)
Telemetry: Cortex Engine tracks all data processing events for audit purposes
Incident response: Automated alerting for service failures; documented response procedures
Code review: All changes reviewed before deployment; 280+ automated unit tests

9.3 Data Location

All data is stored within the European Union.
Our infrastructure runs on Google Cloud Platform, region europe-west3 (Frankfurt, Germany). No personal data is transferred outside the EU/EEA.

10. Data Protection Impact Assessment

Under GDPR Article 35, a Data Protection Impact Assessment (DPIA) is required when processing is “likely to result in a high risk to the rights and freedoms of natural persons.”

10.1 DPIA Screening Result

We have conducted a DPIA screening and determined that a full DPIA is not required for our core processing activities because:

We process publicly available data that individuals chose to make public
Our output is aggregated at the business/location level, not the individual level
We do not engage in systematic monitoring of individuals
We do not process special categories of data (Art. 9)
Our processing does not involve automated decision-making with legal effects (Art. 22)

10.2 B2B Outreach DPIA Summary

For our B2B email outreach, we have completed a proportionality assessment:

Data volume: ~1,400 professional contacts (not large-scale surveillance)
Data sensitivity: Business contact information only (not special categories)
Impact on individuals: Minimal (professional email, easy opt-out, limited sequence)
Safeguards: Transparent data sourcing, unsubscribe in every email, 30-day deletion on request

11. Contact & Data Protection

ReviewSignal — Compliance & Data Protection

Operated by Szymon Daniel
Güntherstraße 19
60528 Frankfurt am Main, Germany

General inquiries: team@reviewsignal.ai
Data protection: team@reviewsignal.ai (subject: “Data Protection”)
AI Act inquiries: team@reviewsignal.ai (subject: “AI Compliance”)
Opt-out requests: team@reviewsignal.ai (subject: “Unsubscribe”)

Supervisory Authority:
Der Hessische Beauftragte für Datenschutz und Informationsfreiheit (HBDI)
Postfach 3163, 65021 Wiesbaden, Germany
https://datenschutz.hessen.de

We respond to all inquiries within 30 days in accordance with GDPR Article 12(3).

Regulatory Compliance