EU AI Act Compliance

Last updated: April 2026

This page describes how Vistaly, Inc. addresses the requirements of the European Union Artificial Intelligence Act (Regulation (EU) 2024/1689, the “EU AI Act”). The EU AI Act establishes a risk-based regulatory framework for AI systems used within the European Union, with obligations that vary based on the risk classification of each AI system.

If you have questions about our AI compliance posture, please contact us at dpo@vistaly.com.

1. Vistaly’s Use of AI

Vistaly is a product discovery platform that uses AI to help product teams synthesize customer conversations into structured insights. Vistaly’s AI features include:

• Call and interview processing — transcribing and analyzing recorded customer interviews to extract key themes and insights
• Opportunity space generation — organizing extracted insights into structured opportunity trees for product decision-making
• Text analysis and summarization — summarizing interview content and identifying patterns across multiple conversations

These features are powered by Anthropic’s Claude API. Vistaly does not develop or train its own AI models. Vistaly acts as a deployer of AI systems under the EU AI Act framework, using third-party general-purpose AI models via API to deliver product features.

2. Risk Classification

The EU AI Act classifies AI systems into four risk tiers: unacceptable risk, high risk, limited risk, and minimal risk. Vistaly has assessed its AI features against these categories.

Vistaly’s AI features are classified as minimal/limited risk.

Vistaly’s AI is used for business productivity purposes — specifically, helping product teams analyze customer interviews and organize insights. The AI features:

• Do not make autonomous decisions affecting individuals’ rights, access to services, or employment
• Do not perform biometric identification, emotion recognition, or social scoring
• Do not operate in any domain listed as high-risk in Annex III of the EU AI Act (e.g., law enforcement, education, employment, critical infrastructure)
• Do not interact directly with end consumers or the general public — they are used by product teams in an internal business context
• Serve as a productivity tool where humans review and act on AI-generated outputs

3. Transparency

In line with the EU AI Act’s transparency requirements (Article 50), Vistaly provides the following disclosures:

3.1 AI-Generated Content Disclosure

Users interact with AI features through clearly labeled controls within the Vistaly platform. AI-powered actions such as opportunity space synthesis and interview analysis are invoked through visually distinct buttons and workflows, and key AI outputs — such as synthesis overviews and AI-generated reasoning — are marked with dedicated AI indicators in the interface.

Because users explicitly initiate AI features and review their results within a dedicated workflow, the context in which AI-generated content appears makes its origin clear. AI outputs are presented as suggestions intended to support, not replace, human judgment.

3.2 Underlying AI Models

3.3 Human Oversight

All AI-generated outputs in Vistaly are presented to users as suggestions. Product team members review, edit, accept, or reject AI outputs before incorporating them into their workflows. No AI feature in Vistaly takes autonomous action without user initiation and review.

4. Data Processing & Location

For detailed information on how data is processed by AI subprocessors, including data locations, retention policies, and cross-border transfer safeguards, see our AI Subprocessors & Data Processing page.

Key points:

• Customer data at rest is stored on AWS in the customer’s selected region (US or EU), with the exception of authentication (AWS Cognito), payment processing (Stripe), and the account directory, which always operate in the United States
• AI processing via Anthropic’s Claude API currently occurs in the United States
• Certain platform services (authentication via AWS Cognito, payment processing via Stripe, account directory) always operate in the United States regardless of data residency selection
• Cross-border transfers are protected by Standard Contractual Clauses (SCCs) and Data Processing Agreements (DPAs)
• Anthropic does not use customer data submitted via the API for model training

5. Data Protection & GDPR Alignment

Vistaly’s AI compliance measures complement our existing data protection framework under the GDPR. Key measures include:

• Data Processing Agreements (DPAs) with all AI subprocessors
• Standard Contractual Clauses (SCCs) for international data transfers
• Encryption in transit (TLS) for all data sent to AI subprocessors
• Encryption at rest for all stored customer data
• Data minimization — only the content necessary for the requested AI feature is transmitted to the AI provider
• Purpose limitation — AI subprocessors may only process data for the specific purposes described in our agreements

For more information, see our GDPR Compliance Statement and Data Processing Addendum.

6. Ongoing Compliance

The EU AI Act is being implemented in phases through 2027. Vistaly is committed to maintaining compliance as new requirements take effect:

• We monitor regulatory guidance from the European AI Office and relevant national authorities
• We review our risk classification when AI features are added or significantly changed
• We maintain documentation of our AI systems and their intended purposes
• We evaluate AI subprocessors for their own compliance obligations as general-purpose AI model providers under the Act

7. Contact

For questions about Vistaly’s AI practices or EU AI Act compliance, please contact:

• Data Protection Officer: dpo@vistaly.com
• General inquiries: support@vistaly.com