Privacy Policy

Last updated: 13 March 2026

1. Who We Are

SettlDay is operated by amalics GmbH ("we", "us", "our"), a company registered in Germany, in collaboration with Kommalpha AG. amalics GmbH develops and operates the platform; amalics GmbH and Kommalpha AG are jointly responsible for its content. We provide a B2B SaaS platform that helps financial firms assess and achieve T+1 settlement readiness.

For the purposes of applicable data protection law, we are the data controller of the personal data collected through our website and platform at settlday.com.

2. Data We Collect

We may collect the following categories of personal data:

  • Account data — name, business email address, job title, company name, and password hash when you register for an account.
  • Assessment data — responses to the T+1 readiness questionnaire, firm type, firm size, and region. Assessment sessions may be anonymous.
  • Report request data — name, email, company, and job title submitted when you request a PDF report of your assessment results.
  • Usage data — IP address, browser type, pages visited, and timestamps collected automatically through server logs.
  • Payment data — billing details processed by our payment provider (Stripe). We do not store full card numbers on our servers.

3. How We Use Your Data

We process personal data for the following purposes:

  • To provide and maintain our platform, including delivering assessment results and reports.
  • To communicate with you about your account, assessment results, and service updates.
  • To generate anonymised, aggregated industry benchmarks (individual responses are never shared).
  • To process payments and manage subscriptions.
  • To comply with legal obligations, including financial services regulations.
  • With your explicit consent, to contact you about relevant T+1 advisory services.
  • To generate AI-powered deep analysis reports and research answers using your assessment data (see Section 4).

4. Artificial Intelligence and Automated Processing

SettlDay uses artificial intelligence (AI) to enhance certain features. This section explains how AI is used, what data is processed, and your rights in relation to AI-generated content.

  • AI-generated reports — When you purchase a deep analysis report, your assessment data (firm type, firm size, region, category scores, and questionnaire answers) is processed using Claude (by Anthropic), running on AWS Bedrock infrastructure in the EU (Ireland, Frankfurt, Paris, or Stockholm). Before any data is sent, personal names, email addresses, and phone numbers are replaced with anonymised placeholders, and your firm name is never transmitted. Uploaded documents are summarised locally — raw document text is never sent to the AI provider. Data never leaves the EU.
  • Research assistant — Our T+1 research library includes an AI-powered question-answering feature. Questions you submit are processed by the same AI service to generate answers based on our curated regulatory document library. Your questions may be sent to the AI provider.
  • AI sub-processor — AI processing is performed via AWS Bedrock, operated by Amazon Web Services EMEA SARL (Luxembourg), using EU regions only. AWS is the data processor; Anthropic provides the Claude model but never receives, accesses, or stores your data. AWS Bedrock inference logging is disabled — AWS retains zero data from API calls. All processing is covered by our Data Processing Addendum with AWS, which incorporates EU Standard Contractual Clauses. Anthropic does not use your data to train its AI models.

All AI-generated content is clearly labelled. AI outputs are advisory only and do not constitute financial, legal, or regulatory advice. No automated decisions with legal or similarly significant effects are made by the AI — all AI outputs are presented for your review and independent judgement.

We do not use AI or automated processing to make decisions that produce legal effects or similarly significantly affect you (GDPR Art. 22). Assessment scoring is based on deterministic rules, not AI.

5. Legal Basis for Processing

Under the UK GDPR and EU GDPR, we rely on the following legal bases:

  • Contract (Art. 6(1)(b)) — processing necessary to provide the services you have requested.
  • Consent (Art. 6(1)(a)) — for report delivery and marketing communications. You may withdraw consent at any time.
  • Legitimate interest (Art. 6(1)(f)) — for security monitoring, fraud prevention, and service improvement.
  • Legal obligation (Art. 6(1)(c)) — where required by law.

6. Data Sharing

We do not sell your personal data. We may share data with:

  • Service providers — hosting (DigitalOcean), email delivery, payment processing (Stripe), and authentication services, each bound by data processing agreements.
  • AI processing provider — Amazon Web Services EMEA SARL (Luxembourg) via AWS Bedrock, for AI-powered report generation and research question answering. Processing is confined to EU regions; Anthropic never receives your data. See Section 4 for details.
  • Legal authorities — when required by law or to protect our legal rights.

Aggregated, anonymised benchmark data may be shared in industry reports but will never identify individual users or firms.

7. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes described above:

  • Account data — retained while your account is active, and for up to 12 months after deletion.
  • Assessment data — retained for 24 months for benchmarking, then anonymised.
  • Payment records — retained for 7 years to comply with accounting obligations.
  • Server logs — retained for 90 days.
  • AI processing — AWS Bedrock inference logging is disabled; AWS retains zero data from AI API calls. Anthropic never receives your data.

8. Your Rights

Under applicable data protection law, you have the right to:

  • Access the personal data we hold about you.
  • Rectify inaccurate or incomplete data.
  • Erase your data ("right to be forgotten").
  • Restrict or object to processing.
  • Data portability — receive your data in a structured, machine-readable format.
  • Withdraw consent at any time, without affecting the lawfulness of prior processing.

To exercise any of these rights, email us at [email protected]. We will respond within 30 days.

9. Security

We implement appropriate technical and organisational measures to protect your data, including encryption in transit (TLS), encryption at rest, access controls, and regular security assessments. However, no method of transmission or storage is 100% secure.

10. Cookies & Analytics

We use strictly necessary cookies to maintain your session and preferences. We do not use third-party advertising or tracking cookies. Analytics are powered by Matomo, self-hosted on our infrastructure, so no data is shared with third parties. Matomo runs cookieless by default; analytics cookies are only set if you opt in via the cookie banner. User identifiers are hashed before transmission to the analytics system.

11. Changes to This Policy

We may update this policy from time to time. Material changes will be notified via email or a prominent notice on our platform. The "Last updated" date at the top reflects the most recent revision.

12. Contact Us

If you have questions about this policy or wish to exercise your data rights, please contact:

amalics GmbH (platform operator)
[email protected]

You also have the right to lodge a complaint with your local data protection authority.