Last updated: 30/04/2026
TestML is built on the principle that mission-critical AI deployments require rigorous, full-spectrum evidence. That same standard governs our data practices. This policy explains exactly what personal data we collect, why we collect it, the lawful grounds for doing so, and the rights you hold under the General Data Protection Regulation (GDPR).
1. Who Controls Your Data
TestML, a limited company based in Dublin, is the data controller for all personal data processed through testml.org, our evaluation platform, and any related professional services (collectively, the "Services").
You can reach us at any time: hello@testml.org
Requests relating to data subject rights, data processing agreements, and formal complaints should be addressed to the same contact.
2. What Data We Collect
2.1 Data You Provide Directly
When you engage with the Services, you may provide:
- Contact and account data: name, business email address, job title, and company name. Collected when you book a technical review, register an account, or contact our support team.
- Onboarding and scoping data: information about your LLM infrastructure, evaluation requirements, and deployment context. We need this to scope and deliver our evaluation services accurately.
- Communications: the content of emails, support tickets, or messages you send us, including any personal data contained within them.
- Payment and billing data: billing address and payment method details, processed directly by our payment provider. TestML does not store full card numbers or CVV codes.
2.2 Data Collected Automatically
When you visit testml.org or use the evaluation platform, we collect:
- Usage data: pages visited, features accessed, session duration, and interaction events recorded within the platform.
- Device and technical data: IP address, browser type and version, operating system, screen resolution, and referring URL.
- Performance and diagnostic data: error logs, API call metadata, and latency measurements used to maintain platform reliability.
We collect this data through cookies and similar technologies. For the full breakdown of cookies we use and how to manage your preferences, see our Cookie Policy.
2.3 Data Received from Third Parties
In limited cases we receive personal data from outside your direct interaction with us:
- Professional networks: if you engage with TestML content on LinkedIn or similar platforms, those platforms may share basic profile data with us under their own terms.
- Customer-provided evaluation data: where an enterprise customer has engaged TestML to evaluate their AI systems and your personal data appears in evaluation datasets, that customer is the data controller. TestML acts as a data processor under a separate data processing agreement with that customer, and this policy does not govern that processing.
3. Lawful Basis for Processing
We process personal data in accordance with Article 6 of the GDPR. The table below maps each processing purpose to its lawful basis.
| Processing purpose | Lawful basis |
|---|---|
| Responding to enquiries and booking technical reviews | Art. 6(1)(b): steps necessary prior to entering a contract |
| Delivering platform services under a signed agreement | Art. 6(1)(b): performance of a contract |
| Service-critical notifications, including security alerts and policy updates | Art. 6(1)(f): legitimate interests in maintaining service integrity |
| Platform analytics and product improvement | Art. 6(1)(f): legitimate interests in improving service quality |
| Marketing communications to opted-in recipients | Art. 6(1)(a): consent |
| Fraud prevention, access control, and security monitoring | Art. 6(1)(f): legitimate interests in protecting the platform and users |
| Financial, tax, and audit compliance | Art. 6(1)(c): legal obligation |
Where we rely on legitimate interests under Article 6(1)(f), we have conducted a balancing test. Our interests in providing secure and continuously improving services do not override your fundamental rights and freedoms. You may request a copy of that assessment at hello@testml.org.
4. How We Use Your Data
We use collected data to:
- Operate and deliver the TestML evaluation platform and associated professional services
- Scope and execute evaluation projects, red-team engagements, and continuous production monitoring programmes
- Send transactional communications: onboarding confirmations, project reports, security notices, and support responses
- Monitor platform performance, detect anomalies, and investigate security incidents before they affect production AI systems
- Improve our proprietary evaluation methodology and evaluation dimensions, based on aggregate and pseudonymised usage signals
- Send marketing and product updates where you have given explicit consent, or where GDPR Recital 47 permits contact with existing customers regarding similar services
- Meet audit, financial, and regulatory obligations under applicable EU law
5. Sharing with Third Parties
TestML does not sell personal data. We do not share data for advertising purposes. We share data only in the circumstances described below.
5.1 Service Providers Acting as Processors
We engage third-party processors to support our operations. These fall into the following categories:
- Cloud infrastructure and hosting providers: for running the platform and storing data, with encryption in place both at rest and in transit
- CDN providers: for delivering web assets with availability and geographic reach
- Analytics providers: for aggregated, pseudonymised usage data that helps us understand how the platform is used
- Email delivery providers: for transactional and opted-in marketing communications
- Payment processors: for subscription billing, invoicing, and refund management
Each processor has signed a data processing agreement that satisfies the requirements of Article 28 GDPR, including appropriate technical and organisational security measures.
5.2 Legal and Regulatory Disclosures
We may disclose personal data to law enforcement agencies, regulators, or courts where we are subject to a binding legal obligation, or where disclosure is necessary to establish, exercise, or defend legal rights.
5.3 Business Transfers
If TestML undergoes a merger, acquisition, or asset transfer, personal data held by us may transfer to the acquiring entity as part of that transaction. We will notify affected users by email and by posting a notice on testml.org at least 30 days before your data becomes subject to materially different privacy terms.
6. How Long We Keep Your Data
| Data category | Retention period |
|---|---|
| Account and contact data | Duration of account, plus 3 years after account closure |
| Evaluation project data (processor role) | As specified in the applicable data processing agreement; typically 12 months after project completion |
| Marketing consent records | Until withdrawal of consent, plus 3 years for compliance audit purposes |
| Support communications and ticket history | 3 years from the date of last interaction |
| Server logs and security event data | 12 months |
| Pseudonymised analytics data | 26 months |
| Financial and billing records | 7 years, as required by EU accounting and tax rules |
At the end of each retention period, data is securely deleted or irreversibly anonymised. Anonymised data is no longer personal data under the GDPR and may be retained for statistical purposes.
7. Your Rights Under the GDPR
Articles 15 to 22 of the GDPR grant you the following rights in relation to your personal data:
- Right of access (Art. 15): You may request confirmation of whether we hold data about you and obtain a copy, along with details of how it is processed, where it originated, and with whom it has been shared.
- Right to rectification (Art. 16): You may ask us to correct inaccurate personal data or complete incomplete data without undue delay.
- Right to erasure (Art. 17): You may request deletion of your personal data where it is no longer necessary for the purpose for which it was collected, where you withdraw consent and no other lawful basis applies, or where processing was unlawful.
- Right to restriction of processing (Art. 18): In certain circumstances, including where you contest the accuracy of data or object to processing, you may ask us to suspend active use of it while the matter is resolved.
- Right to data portability (Art. 20): Where processing is based on consent or contract and carried out by automated means, you may request your data in a structured, commonly used, machine-readable format and have it transmitted directly to another controller where technically feasible.
- Right to object (Art. 21): You may object at any time to processing based on our legitimate interests, including direct marketing. We will cease that processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
- Rights related to automated decision-making (Art. 22): TestML does not make solely automated decisions that produce legal or similarly significant effects on individuals.
To exercise any of these rights, contact hello@testml.org with your name, email address, and a clear description of your request. We will respond within one calendar month, as required by Article 12 GDPR. Where a request is complex or you have submitted multiple requests simultaneously, we may extend this period by up to two further months, with prior written notice explaining the reason.
You also have the right to lodge a complaint with the competent data protection authority in your country of residence, place of work, or where an alleged infringement occurred. In Ireland, that authority is the Data Protection Commission (DPC).
8. International Data Transfers
TestML is headquartered in Dublin, within the European Economic Area. Some of our third-party processors operate outside the EEA, including in countries not covered by a European Commission adequacy decision under Article 45 GDPR. Where such transfers occur, we rely on Standard Contractual Clauses (SCCs) adopted by the European Commission as the appropriate safeguard under Article 46 GDPR, supplemented by a transfer impact assessment where required.
You may request a copy of the relevant SCCs by writing to hello@testml.org.
9. Cookies and Tracking Technologies
This privacy policy does not detail individual cookie types or their technical parameters. That information sits in our dedicated Cookie Policy, which explains every cookie category we set, its purpose, its lifespan, and how you can manage or withdraw consent at any time through our consent management tool.
10. Children
The TestML platform is designed for ML engineers, AI architects, and enterprise technology leaders making production deployment decisions. We do not direct our Services at children, and we do not knowingly collect personal data from any person under 16 years of age. This threshold aligns with Article 8 GDPR as transposed into Irish law.
If we discover that we have inadvertently collected personal data from a child under 16 without verifiable parental or guardian consent, we will delete that data promptly. If you believe this has occurred, contact us at hello@testml.org.
11. Changes to This Policy
We review this policy at least once per calendar year, and whenever there are material changes to our data practices, product architecture, or applicable law. For significant changes, registered users will receive email notification at least 14 days before the new terms take effect. A notice will also appear on testml.org during that window.
The updated date in the frontmatter reflects the date of the most recent revision. Earlier versions of this policy are available on request.
12. Contact Us About Privacy
Privacy questions, data subject access requests, data processing agreement enquiries, and formal complaints should be sent to:
- TestML
- Email: hello@testml.org
- Website: testml.org
We aim to acknowledge all privacy enquiries within 2 business days and to resolve them within the statutory timeframes set out above.