GDPR Compliance — OnyorAI LLC

🇪🇺 Our GDPR Commitment

OnyorAI is fully committed to the EU General Data Protection Regulation. All client document processing occurs on EU-based servers. We maintain complete records of processing activities and respond to all data subject requests within 30 calendar days.

1. Data Controller Information

Under the GDPR, OnyorAI LLC acts as the Data Controller for personal data collected through our website and services. As Data Controller, we determine the purposes and means of processing your personal data.

For clients who engage OnyorAI to process documents containing personal data of their own customers or employees, OnyorAI acts as a Data Processor on their behalf, governed by our Data Processing Agreement (DPA).

Data Controller — OnyorAI LLC

3700 Grand Avenue, Des Moines, IA 50312, United States
✉ contact@onyorai.com • 📞 +1 (202) 992-4829
🌐 onyorai.com

2. GDPR Principles We Uphold

Article 5 of the GDPR sets out seven principles for lawful processing. We apply all seven to every processing activity:

Art. 5(1)(a)

Lawfulness, Fairness & Transparency

We process data only on lawful bases and are fully transparent about all processing activities.

Art. 5(1)(b)

Purpose Limitation

Personal data is collected for specified, explicit, legitimate purposes only — never repurposed incompatibly.

Art. 5(1)(c)

Data Minimisation

We collect only the minimum personal data strictly necessary for each specific processing purpose.

Art. 5(1)(d)

Accuracy

We keep personal data accurate and up to date, correcting or deleting inaccurate data promptly.

Art. 5(1)(e)

Storage Limitation

Personal data is retained only as long as necessary. Source documents are deleted within 72 hours of delivery.

Art. 5(1)(f)

Integrity & Confidentiality

We protect personal data with AES-256 encryption, TLS 1.3, access controls, and staff confidentiality obligations.

Art. 5(2) — Accountability

OnyorAI maintains a complete Record of Processing Activities (RoPA) under Article 30 GDPR and can demonstrate compliance with all six principles above upon request from a supervisory authority.

3. Lawful Bases for Processing

Under Article 6 GDPR, every processing activity requires a lawful basis. Here are the bases we rely on:

Legal Basis	Processing Activities
Art. 6(1)(b) — Contract	Document processing and delivery, account management, payment processing, order fulfilment
Art. 6(1)(c) — Legal Obligation	Financial record-keeping, tax obligations, responding to lawful regulatory requests
Art. 6(1)(f) — Legitimate Interests	Fraud prevention, network and information security, anonymized analytics to improve our services — subject to balancing test
Art. 6(1)(a) — Consent	Marketing emails and newsletters (optional; withdraw anytime via unsubscribe link)

For special categories of personal data (Art. 9 GDPR) that may appear in healthcare or HR documents, we process only on the explicit consent of the Data Controller client, under Article 9(2)(a), and apply enhanced security measures.

4. Data Subject Rights

All individuals located in the EU/EEA whose personal data we process have the following rights. Submit requests to contact@onyorai.com with subject “GDPR Rights Request.” We respond within 30 calendar days (extendable by 2 months for complex requests with written notice).

Right	What You Can Request	Timeframe
Art. 15 — Access	Complete copy of all personal data we hold, processing purposes, recipients, and retention periods	30 days
Art. 16 — Rectification	Correction of inaccurate or completion of incomplete personal data	30 days
Art. 17 — Erasure	Deletion of personal data where no legitimate retention ground exists (“right to be forgotten”)	30 days
Art. 18 — Restriction	Restriction of processing during disputes about accuracy or lawfulness	30 days
Art. 20 — Portability	Personal data in structured, machine-readable JSON or CSV format	30 days
Art. 21 — Object	Object to processing based on legitimate interests, including direct marketing	Immediate for marketing
Art. 22 — Automated Decisions	Not to be subject to solely automated decisions producing significant effects	N/A — we do not use automated decision-making

5. International Data Transfers

OnyorAI is incorporated in the United States. All client document processing occurs exclusively on AWS EU (Frankfurt) servers — your documents never leave the EU during processing. When personal data from EU/EEA residents must be transferred to US-based processors, we use:

EU Commission Standard Contractual Clauses (SCCs) — Decision 2021/914, Module 2 (Controller-to-Processor) for all EU-to-US transfers
GDPR Data Processing Agreements with all US-based sub-processors incorporating Chapter V safeguards
Technical safeguards: end-to-end encryption, data minimization, and access controls at all transfer points

A full list of our sub-processors and their transfer safeguards is available in our Data Processing Agreement.

6. Data Breach Notification

In the event of a personal data breach, OnyorAI will:

Notify the relevant EU supervisory authority within 72 hours of becoming aware of the breach where it is likely to result in a risk to individuals’ rights and freedoms (Article 33 GDPR)
Notify affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms (Article 34 GDPR)
Document all breaches in our internal breach register, including those not required to be notified externally (Article 33(5) GDPR)
For clients for whom we act as Data Processor, notify the client (Data Controller) within 48 hours of becoming aware of the breach

7. Records of Processing Activities

In accordance with Article 30 GDPR, OnyorAI maintains a comprehensive internal Record of Processing Activities (RoPA) covering:

Name and contact details of the Data Controller and any joint controllers
Purposes of each processing activity and the categories of data subjects
Categories of personal data processed and categories of recipients
Transfers to third countries and the safeguards applied
Planned retention periods for each data category
General description of technical and organizational security measures

This RoPA is available to the relevant supervisory authority upon request.

8. Supervisory Authority & Complaints

If you are not satisfied with our response to a GDPR request or believe we are processing your data unlawfully, you have the right to lodge a complaint with your national Data Protection Authority (DPA).

🏛 Find Your National DPA

A complete list of EU/EEA Data Protection Authorities is available at the European Data Protection Board website: edpb.europa.eu. We always encourage you to contact us first — we are committed to resolving all concerns promptly and fairly.

9. Contact

OnyorAI LLC — GDPR & Data Protection

3700 Grand Avenue, Des Moines, IA 50312, United States
✉ contact@onyorai.com
📞 +1 (202) 992-4829

Last updated: March 1, 2026