Privacy Policy

Effective date: May 10, 2026 · Last updated: May 10, 2026 · Version 1.0

PLAIN LANGUAGE SUMMARY

What this policy covers in plain terms

We collect only what we need to operate Belto and provide our compliance intelligence service. We do not sell your data. We do not share it with third parties for advertising. We use a small number of trusted service providers to operate our platform, and we have data processing agreements with each of them.

If you are in the European Union, United Kingdom, or another jurisdiction with data protection rights, you have the right to access, correct, delete, and export your data. You can exercise these rights by contacting us at privacy@belto.ai.

We use cookies for essential platform functionality and optional analytics. You can control non-essential cookies through our cookie banner or by contacting us.

This policy applies to belto.ai, app.belto.ai, and all Belto services. It does not apply to third-party websites we link to.

Introduction and Scope

Belto AI LLC (“Belto”, “we”, “our”, or “us”) is a Delaware-incorporated company operating an AI compliance intelligence platform. This Privacy Policy describes how we collect, use, store, share, and protect personal data when you visit our website at belto.ai, use our platform at app.belto.ai, or otherwise interact with our services.

This policy applies to all individuals who visit our website, create an account, use our platform, or communicate with us. It does not apply to our clients' end users or to any third-party websites or services that we may link to. Clients who use Belto to process data about their own users are subject to a separate Data Processing Agreement.

Belto is the data controller for personal data collected through our website and platform. For questions about this policy or to exercise your rights, contact us at privacy@belto.ai.

We comply with the General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA) as amended by the CPRA, Brazil's Lei Geral de Proteção de Dados (LGPD), and other applicable data protection laws.

Data We Collect

2.1 Information you provide directly

When you use Belto, you may provide us with the following categories of personal data:

  • Identity data — your full name, job title, and role within your organization
  • Contact data — your work email address and company name
  • Account data — login credentials, account preferences, and profile information
  • AI system profile data — information about your organization's AI systems that you provide during onboarding, including system descriptions, deployment markets, user groups affected, and supporting documentation you choose to upload
  • Communications data — the content of emails, support requests, and other communications you send us
  • Payment data — billing information processed through our payment provider. We do not store full payment card details on our systems

2.2 Information we collect automatically

When you visit our website or use our platform, we automatically collect:

  • Usage data — pages visited, features used, time spent, click patterns, and navigation paths within our platform
  • Technical data — IP address, browser type and version, operating system, device type, screen resolution, and referring URL
  • Cookie data — see Section 7 for full details on our use of cookies and tracking technologies
  • Log data — server logs including access times, error logs, and system events. These logs are used for security monitoring and operational purposes

2.3 Information we do not collect

Belto does not collect or process special category data (also known as sensitive personal data) including racial or ethnic origin, political opinions, religious beliefs, health data, biometric data, or sexual orientation. We do not collect data about children under 16. Our services are not directed at minors.

How We Collect Data

3.1 Direct collection

We collect data directly from you when you complete a form on our website, create an account, complete our onboarding sequence, upload documentation to your system profile, contact our support team, respond to surveys or research requests, or apply for early access.

3.2 Automated collection

We collect data automatically through cookies and similar tracking technologies when you visit our website or use our platform. See Section 7 for details. We also collect data through our platform's server infrastructure as part of normal system operation.

3.3 Third-party sources

We may receive limited information about you from third-party sources including LinkedIn when you contact us through that platform, referral partners who recommend Belto to you, and publicly available sources such as company websites when we research prospective clients.

Purpose and Legal Basis for Processing

We process your personal data only for specific, documented purposes. The table below sets out each purpose, the data categories used, and the legal basis under GDPR.

Purpose | Data Used | Legal Basis
Providing the Belto compliance intelligence service | Account data, system profile data, usage data | Contract performance
Processing account registration and access | Identity data, contact data, account data | Contract performance
Processing payments | Payment data | Contract performance
Sending service communications — account alerts, scan results, compliance updates | Contact data, account data | Contract performance
Sending marketing communications — regulatory intelligence updates, product news | Contact data | Legitimate interests / Consent where required
Improving our platform through usage analysis | Usage data, technical data | Legitimate interests
Security monitoring and fraud prevention | Technical data, log data | Legitimate interests
Complying with legal obligations | Identity data, contact data, account data | Legal obligation
Responding to your inquiries and support requests | Identity data, contact data, communications data | Contract performance / Legitimate interests

We do not use your personal data for automated decision-making that produces legal or similarly significant effects about you. Our AI systems analyze regulatory frameworks and AI system profiles — they do not make decisions about individuals.

Third-Party Data Sharing

We do not sell your personal data. We do not share your personal data with third parties for advertising or marketing purposes. We share data only in the following circumstances:

5.1 Service providers

We share data with a limited number of trusted service providers who process data on our behalf under written data processing agreements. These include:

  • Cloud infrastructure providers — for hosting and operating the Belto platform
  • Payment processors — for processing subscription payments
  • Email service providers — for delivering transactional and marketing emails
  • Loops (loops.so) — name, email, company, and role are shared with Loops for the purpose of transactional email delivery, including checklist confirmation, checklist delivery, contact form notifications, and compliance scan request notifications
  • Supabase — name, email, company, role, and a temporary confirmation token are stored with Supabase for up to 24 hours for the purpose of completing the checklist double opt-in confirmation flow. Data is deleted or marked confirmed after the token expires
  • Analytics providers — for understanding how our website and platform are used
  • Customer support tools — for managing support communications

All service providers are contractually required to process data only on our instructions, implement appropriate security measures, and comply with applicable data protection law.

5.2 Legal requirements

We may disclose your data to law enforcement agencies, courts, regulators, or other authorities when required to do so by law, when necessary to establish, exercise, or defend legal claims, or when necessary to protect the vital interests of any person.

5.3 Business transfers

In the event of a merger, acquisition, reorganization, or sale of all or substantially all of our assets, your data may be transferred to the acquiring entity. We will notify you before your data is transferred and becomes subject to a different privacy policy.

5.4 With your consent

We may share your data in other circumstances with your explicit consent.

International Data Transfers

Belto AI LLC is incorporated in Delaware, United States. Our platform is operated from Europe and the United States. Your data may be transferred to and processed in countries outside your country of residence, including the United States.

For transfers of personal data from the European Economic Area, the United Kingdom, or Switzerland to the United States or other countries without an adequacy decision, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or the UK International Data Transfer Agreement (IDTA) as applicable.

We maintain data processing agreements with all service providers that include appropriate transfer mechanisms. You may request a copy of the relevant transfer safeguards by contacting privacy@belto.ai.

Our infrastructure is primarily hosted in European data centers. We select service providers and data center locations to minimize cross-border transfers where possible.

Cookies and Tracking Technologies

We use cookies and similar tracking technologies on our website and platform. A cookie is a small text file placed on your device when you visit a website.

7.1 Categories of cookies we use

Essential Cookies (Required)

Necessary for the website and platform to function. These cookies enable core features such as account authentication, session management, security, and your cookie preference settings. These cannot be disabled without breaking platform functionality.

Analytics Cookies (Optional)

Help us understand how visitors use our website and platform. We use this data in aggregate to improve our service. We use privacy-respecting analytics tools and do not share individual-level analytics data with third parties.

Functional Cookies (Optional)

Remember your preferences and settings to improve your experience. For example, remembering your preferred language or dashboard configuration.

Marketing Cookies (Optional)

Currently not used. We do not use cookies for advertising or cross-site tracking purposes. If this changes, we will update this policy and request your consent.

7.2 Managing cookies

You can control non-essential cookies through our cookie preference banner, which appears when you first visit our website. You can change your preferences at any time by clicking the cookie settings link in our footer. You can also control cookies through your browser settings — note that disabling essential cookies will affect platform functionality.

Your Privacy Rights

Depending on your location, you have the following rights regarding your personal data. We respond to all rights requests within 30 days. Complex requests may take up to 90 days — we will notify you if this applies.

Right of access

You have the right to request a copy of the personal data we hold about you and information about how we process it.

Right to rectification

You have the right to request correction of inaccurate personal data we hold about you. You can update most account information directly in your account settings.

Right to erasure

You have the right to request deletion of your personal data. We will delete your data unless we are required to retain it for legal compliance, fraud prevention, or to resolve disputes.

Right to restriction

You have the right to request that we restrict processing of your data in certain circumstances, for example while we verify the accuracy of data you have contested.

Right to data portability

You have the right to receive your personal data in a structured, machine-readable format and to transfer it to another service provider.

Right to object

You have the right to object to processing based on legitimate interests, including direct marketing. We will cease processing unless we can demonstrate compelling legitimate grounds.

Right to withdraw consent

Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

Right to lodge a complaint

You have the right to lodge a complaint with your local data protection authority. In the EU, this is your national supervisory authority. In the UK, this is the Information Commissioner's Office (ICO) at ico.org.uk.

8.1 California residents (CCPA/CPRA)

California residents have additional rights under the CCPA as amended by the CPRA, including the right to know what personal information is collected and sold, the right to opt out of the sale or sharing of personal information, the right to correct inaccurate personal information, and the right to limit use of sensitive personal information. Belto does not sell or share personal information as defined by the CCPA. To exercise your California privacy rights, contact privacy@belto.ai.

8.2 Brazilian residents (LGPD)

Brazilian residents have rights under the Lei Geral de Proteção de Dados (LGPD) including access, correction, anonymization, portability, deletion, and information about third-party sharing. To exercise your LGPD rights, contact privacy@belto.ai.

8.3 How to exercise your rights

Submit a rights request by emailing privacy@belto.ai with your name, email address, and a description of your request. We may need to verify your identity before processing your request. We do not charge a fee for rights requests unless they are manifestly unfounded or excessive.

Data Security and Retention

9.1 Security measures

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, disclosure, alteration, and destruction. Our security measures include:

  • Encryption of data in transit using TLS 1.2 or higher
  • Encryption of data at rest
  • Access controls limiting data access to authorized personnel only
  • Regular security assessments and penetration testing
  • Incident response procedures
  • Staff training on data protection and security

No transmission over the internet is completely secure. While we implement industry-standard security measures, we cannot guarantee absolute security. In the event of a data breach affecting your rights and freedoms, we will notify you and relevant supervisory authorities as required by applicable law.

9.2 Retention periods

We retain personal data only for as long as necessary for the purposes described in this policy.

Data Category | Retention Period | Reason
Account data | Duration of account plus 90 days | Service provision and account recovery
System profile data | Duration of account plus 90 days | Service provision
Payment data | 7 years | Legal and tax compliance
Communications data | 3 years | Dispute resolution and legal compliance
Usage and technical data | 13 months | Analytics and security
Log data | 90 days | Security monitoring
Marketing consent records | Until consent withdrawn plus 3 years | Legal compliance

When data is no longer required, we securely delete or anonymize it. Anonymized data that cannot be used to identify you may be retained for longer periods for statistical and research purposes.

AI and Automated Processing

Belto is an AI compliance intelligence platform. We use AI and machine learning in the following ways:

10.1 How we use AI in our service

Our platform uses AI systems to monitor regulatory sources, classify regulatory changes, map obligations to client system profiles, and generate compliance risk events and policy guidance. These AI systems process the AI system profile information you provide during onboarding.

Our AI systems do not make decisions about you as an individual. They analyze regulatory frameworks and system profiles to produce compliance intelligence outputs. All outputs are delivered to you for your review. No compliance decision is made or implemented automatically.

10.2 AI systems we do not use

We do not use AI for automated hiring or employment decisions. We do not use AI to make decisions that produce legal or similarly significant effects about individual persons. We do not use facial recognition, biometric processing, or emotion detection.

10.3 Third-party AI services

We use third-party AI model providers to power certain features of our platform. These providers process the system profile data you provide. We have data processing agreements with all AI service providers. We do not share identifying personal data with AI model providers beyond what is necessary to deliver the service.

10.4 EU AI Act compliance

Belto's own AI systems are designed in compliance with applicable AI regulations including the EU AI Act. We maintain technical documentation of our AI systems and implement appropriate human oversight mechanisms. We do not deploy AI systems that fall within prohibited practice categories.

Children's Privacy

Our services are not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, contact us at privacy@belto.ai and we will delete it promptly.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our data practices, legal requirements, or business operations. When we make material changes, we will notify you by email to the address associated with your account and by posting a notice on our website at least 14 days before the changes take effect.

The effective date at the top of this policy indicates when it was last updated. We maintain a version history below. Continued use of our services after the effective date of a revised policy constitutes acceptance of the updated policy.

Version history:

Version 1.0 — May 10, 2026 — Initial policy

Contact Information

For questions about this Privacy Policy, to exercise your data protection rights, or to report a privacy concern, contact us at:

Belto AI LLC

Privacy and Data Protection

Email: privacy@belto.ai

General inquiries: support@belto.ai

Website: belto.ai

European Representative

For matters related to EU GDPR, you may also contact us through our EU representative.

Email: privacy@belto.ai

UK Representative

For matters related to UK GDPR, contact privacy@belto.ai with the subject line UK Privacy Request.

We aim to respond to all privacy inquiries within 5 business days. For formal data subject access requests, our response time is 30 days as required by applicable law.