Anyrow
Log InGet Started

Privacy Policy

Last updated: 2026-04-13

Privacy Policy

This policy describes how Anyrow collects, uses, and protects your personal data. It is written to comply with the EU General Data Protection Regulation (GDPR), the Croatian Data Protection Act (Zakon o provedbi Opće uredbe o zaštiti podataka), and applicable sector rules.

1. Controller

Controller for your personal data:

Lovro Žagar, operating as Anyrow (obrt) Händelova ul. 21, 10090 Zagreb, Croatia OIB: placeholder Contact: privacy@anyrow.ai

2. What We Collect and Why

2.1 Account data

When you create an account we collect:

  • Email address
  • Name (optional)
  • Password (stored as a bcrypt-family hash; we cannot recover it)

Legal basis: performance of contract (Art. 6(1)(b) GDPR).

2.2 Uploaded documents

You upload documents (PDFs, emails, scans, images) for AI extraction. We process these to:

  • Extract structured data for your tables
  • Return the extracted data to your account
  • Store both original files and extracted rows in your workspace until you delete them

Legal basis: performance of contract (Art. 6(1)(b) GDPR). If uploaded documents contain personal data of third parties, you are the controller of that data and we act as a processor (see our Data Processing Agreement).

Retention: until you delete the file or terminate your account, then 30 days in backups before full deletion.

2.3 Billing data

When you subscribe, Stripe processes your payment. We store only:

  • Stripe customer ID
  • Subscription state
  • Last 4 digits + brand of your card (for display)
  • Invoice history

We do not store full card numbers; Stripe holds PCI-DSS compliance for card data.

Legal basis: performance of contract (Art. 6(1)(b)) and legal obligation (Art. 6(1)(c) — tax/accounting records retained for 11 years per Croatian General Tax Act).

2.4 Usage analytics

We run first-party, cookieless analytics. We collect:

  • Page URLs visited
  • Referrer
  • Browser + OS (coarse, via User-Agent)
  • Country (coarse, from IP — IP itself not stored)

We do not set cookies for analytics. We do not assign persistent identifiers to visitors. We do not fingerprint devices.

Legal basis: legitimate interest (Art. 6(1)(f) GDPR) — understanding which pages work. Impact on users is minimal; we do not profile individuals.

2.5 Transactional email

When you take account actions (signup, password reset, invoice), we send email through Cloudflare's email service.

Legal basis: performance of contract (Art. 6(1)(b)).

2.6 Cookies

We set session cookies only (strictly necessary under Art. 5(3) of the ePrivacy Directive, exempt from consent):

  • Authentication session cookie (required for login)
  • CSRF token (required for form security)

We do not set third-party tracking cookies. No marketing pixels. No remarketing.

3. AI Extraction and Subprocessors

Your uploaded documents are processed through AI models to extract structured data. Each model provider is a subprocessor of Anyrow.

The authoritative, up-to-date subprocessor list — with each entity, purpose, location, and transfer mechanism — is maintained at https://anyrow.ai/legal/subprocessors. We announce changes there with at least 30 days' prior notice before any new subprocessor begins processing your data.

All transfers outside the EEA rely on Standard Contractual Clauses (SCCs) under Art. 46 GDPR.

4. Your Rights

Under GDPR you can:

  • Access your data (Art. 15) — request a copy of what we hold
  • Rectify inaccurate data (Art. 16)
  • Erase your data (Art. 17) — we delete within 30 days, except where retention is required by law
  • Restrict processing (Art. 18)
  • Object to processing on legitimate-interest grounds (Art. 21)
  • Portability — receive your data in a machine-readable format (Art. 20)
  • Withdraw consent at any time for consent-based processing (Art. 7(3))

To exercise any right, email privacy@anyrow.ai. We respond within 30 days.

You may also lodge a complaint with the Croatian Data Protection Agency (AZOP — https://azop.hr) or your local supervisory authority.

5. Data Security

We apply appropriate technical and organizational measures per Art. 32 GDPR:

  • TLS 1.3 for all transport
  • Encryption at rest (Cloudflare D1/R2 default encryption)
  • Minimum-privilege access controls
  • Regular security reviews against web-check.xyz and OWASP ASVS
  • Incident response plan with 72-hour breach notification commitment

6. Children and Content Safety

Anyrow is not directed at minors. You must be at least 18 (or the age of legal majority in your jurisdiction if higher) to create an account. We do not knowingly collect data from children. If you believe we have, contact privacy@anyrow.ai for deletion.

If we become aware of child sexual abuse material (CSAM) on the service — for example through a report, an abuse referral, or a law-enforcement notice — we will report it to the Croatian Police, the National Centre for Missing & Exploited Children (NCMEC), and any other competent authority as required by applicable child-protection law, and preserve evidence for their use.

7. Changes

Material changes to this policy will be notified by email at least 30 days before they take effect.

8. Effective Date

This policy is effective from publication date. The most recent update is shown at the top.