
GDPR Compliance

Last Updated: November 4, 2025

Our Commitment: GlennGPT is built with privacy and GDPR compliance at its core. We go beyond legal requirements to ensure your data is protected, transparent, and under your control.

GDPR Compliance Status

  • GDPR Compliant
  • Swedish Data Residency
  • EU Data Protection

1. What is GDPR?

The General Data Protection Regulation (GDPR) is a comprehensive data protection law of the European Union that took effect in 2018. It establishes strict requirements for how organizations collect, process, store, and protect the personal data of EU residents.

GDPR applies to any company processing personal data of EU residents, regardless of where the company is located. As a Sweden-based service, we are fully committed to GDPR compliance and Swedish data protection law.

2. Key GDPR Principles We Follow

Lawfulness, Fairness & Transparency

We process data lawfully and transparently, clearly explaining what data we collect and why.

Purpose Limitation

We collect data only for specific, explicit purposes and don't use it for anything else.

Data Minimization

We only collect data that is necessary for providing the service you signed up for.

Accuracy

We keep your data accurate and up-to-date, with tools for you to correct it easily.

Storage Limitation

We don't keep data longer than necessary, with clear retention schedules.

Integrity & Confidentiality

We protect data with strong security measures, encryption, and access controls.

Accountability

We document our compliance measures and can demonstrate GDPR compliance.

3. Swedish Data Residency

Unlike many AI services that store data in the US or distribute it globally, GlennGPT keeps 100% of your data within Sweden:

3.1 Where Your Data Lives

  • Application Servers: Hosted in Swedish data centers
  • Database Storage: PostgreSQL hosted in Sweden
  • AI Inference: Berget AI processes all AI requests in Sweden (Kista data center)
  • Backup Storage: Automated backups stored on Swedish servers

3.2 Why Swedish Data Residency Matters

  • Outside the US CLOUD Act: Your data is not subject to US government surveillance laws (FISA, CLOUD Act)
  • Strong Swedish Privacy Laws: Sweden has some of Europe's strongest data protection standards
  • No Third-Country Transfers: Your data never leaves the EU/EEA jurisdiction
  • Predictable Legal Framework: Swedish and EU law govern all data processing

4. Your GDPR Rights Explained

GDPR grants you comprehensive rights over your personal data. Here's what each right means in practice with GlennGPT:

4.1 Right of Access

What it means: You can request a copy of all personal data we hold about you.

How to exercise: Email privacy@aisamtal.se or use the "Export Data" feature in your account settings.

Response time: Within 30 days, delivered in JSON or CSV format.

4.2 Right to Rectification

What it means: You can correct inaccurate or incomplete personal data.

How to exercise: Update directly in your account settings, or contact us for assistance.

Response time: Changes take effect immediately when made in your account.

4.3 Right to Erasure ("Right to be Forgotten")

What it means: You can request deletion of your personal data under certain conditions.

How to exercise: Use "Delete Account" in settings or email privacy@aisamtal.se.

What happens:

  • Most data deleted within 30 days
  • Some billing records retained for legal compliance (7 years for accounting)
  • Anonymized usage statistics may be retained

4.4 Right to Restriction of Processing

What it means: You can limit how we process your data while resolving a dispute or verifying accuracy.

How to exercise: Contact privacy@aisamtal.se with specific restrictions requested.

Effect: We will mark your data as restricted and only process it with your consent or for legal claims.

4.5 Right to Data Portability

What it means: You can receive your data in a machine-readable format to transfer to another service.

How to exercise: Use the "Export" feature or email privacy@aisamtal.se.

What you get: JSON format containing account info, conversation history, settings, and usage data.

4.6 Right to Object

What it means: You can object to processing based on legitimate interests or for direct marketing.

How to exercise: Email privacy@aisamtal.se specifying what processing you object to.

Response: We will stop processing unless we demonstrate compelling legitimate grounds.

4.7 Rights Related to Automated Decision-Making

We do not use automated decision-making or profiling that produces legal effects or significantly affects you. AI-generated content is always the result of your direct prompts, not autonomous decisions about you.

5. Legal Basis for Processing

Every processing activity must have a legal basis under GDPR. Here's our complete legal basis map:

5.1 Contract Performance

Processing necessary to provide the service you subscribed to:

  • Creating and managing your account
  • Processing AI chat requests
  • Storing conversation history
  • Billing and payment processing
  • Customer support

5.2 Legitimate Interests

Processing necessary for our legitimate business interests, balanced against your rights:

  • Service improvement and optimization
  • Fraud detection and prevention
  • System security and monitoring
  • Anonymous usage analytics

5.3 Legal Obligations

Processing required by Swedish or EU law:

  • Accounting and tax records (7 years retention)
  • Responding to lawful requests from authorities
  • Data breach notifications

5.4 Consent

Optional processing that requires your explicit consent:

  • Marketing emails (opt-in only)
  • Optional feature data collection
  • Product research and surveys

6. Data Processing Agreements

Under GDPR Article 28, we maintain Data Processing Agreements (DPAs) with all third-party processors:

6.1 Berget AI (AI Inference)

  • Location: Sweden (Kista data center)
  • Processing: AI inference for chat responses
  • Data: Conversation prompts and context
  • Retention: None; data is processed in real time only
  • Security: ISO 27001 certified, encrypted transmission

6.2 Mollie (Payment Processing)

  • Location: Netherlands (EU)
  • Processing: Payment transactions and subscription management
  • Data: Billing information, payment details
  • Compliance: PCI DSS Level 1, GDPR compliant
  • DPA: Standard Mollie Data Processing Addendum

6.3 Sub-Processors

Our processors may use sub-processors. We maintain an updated list and ensure all sub-processors meet GDPR requirements through Standard Contractual Clauses or adequacy decisions.

7. Data Security Measures

GDPR Article 32 requires appropriate technical and organizational measures. Here's how we implement security:

7.1 Encryption

  • In Transit: TLS 1.3 for all connections
  • At Rest: Database encryption with AES-256
  • Passwords: bcrypt hashing (a unique salt is generated for every password)
  • Backups: Encrypted backup storage

7.2 Access Controls

  • Multi-factor authentication for administrators
  • Role-based access control (RBAC)
  • Principle of least privilege
  • Regular access reviews

7.3 Network Security

  • Firewalls and intrusion detection systems
  • IP whitelisting for administrative access
  • DDoS protection
  • Regular security audits and penetration testing

7.4 Organizational Measures

  • Staff training on data protection
  • Confidentiality agreements for all personnel
  • Incident response procedures
  • Regular compliance reviews

8. Data Breach Procedures

In accordance with GDPR Articles 33 and 34, we have established procedures for detecting, reporting, and investigating data breaches:

8.1 Detection

  • 24/7 monitoring of system logs and alerts
  • Automated anomaly detection
  • Regular security audits

8.2 Response Timeline

  • 0-24 hours: Immediate containment and investigation
  • Within 72 hours: Notification to Swedish supervisory authority (IMY)
  • Without undue delay: Notification to affected users if high risk

8.3 User Notification

If a breach poses a high risk to your rights and freedoms, we will notify you directly with:

  • Description of the data breach
  • Likely consequences
  • Measures taken or proposed to address the breach
  • Contact point for more information

9. Privacy by Design and Default

GDPR Article 25 requires privacy to be built into services from the ground up. Here's how we implement this:

9.1 Privacy by Design

  • Data protection impact assessments for new features
  • Privacy considerations in all technical design decisions
  • Security reviews before deployment
  • Regular privacy audits

9.2 Privacy by Default

  • Minimal data collection by default
  • Strictest privacy settings as default
  • No marketing emails without opt-in
  • Automatic session timeouts

10. International Data Transfers

While we prioritize European data processing, some limited transfers may occur:

10.1 Within EU/EEA

Primary processing occurs in Sweden and the Netherlands (Mollie), both within the EU, so no additional transfer safeguards are needed.

10.2 Outside EU/EEA

In rare cases, sub-processors may involve data transfers outside the EU/EEA. These are protected by:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions under GDPR Article 45 (where applicable)
  • Additional security measures as required by the Schrems II ruling

11. Supervisory Authority

As a Swedish company, our lead supervisory authority is:

Swedish Authority for Privacy Protection (IMY)
Integritetsskyddsmyndigheten
Box 8114
104 20 Stockholm
Sweden

Website: www.imy.se
Email: imy@imy.se
Phone: +46 8 657 61 00

If you have concerns about our data practices that we haven't resolved, you have the right to lodge a complaint with IMY or your local data protection authority.

12. Documentation and Accountability

GDPR requires us to demonstrate compliance. We maintain:

  • Records of Processing Activities (ROPA): Detailed documentation of all processing activities
  • Data Protection Impact Assessments (DPIAs): For high-risk processing operations
  • Data Processing Agreements: With all third-party processors
  • Security Documentation: Policies, procedures, and audit logs
  • Training Records: Staff data protection training completion
  • Breach Log: Record of any data breaches and responses

13. Continuous Compliance

GDPR compliance is not a one-time effort. We maintain ongoing compliance through:

  • Regular Audits: Quarterly internal privacy audits
  • Policy Updates: Annual review of all privacy policies
  • Staff Training: Bi-annual data protection training for all staff
  • Vendor Reviews: Annual assessment of all data processors
  • Technical Updates: Continuous security patches and improvements
  • Legal Monitoring: Tracking changes in GDPR guidance and enforcement

14. Contact & Questions

For any questions about our GDPR compliance or to exercise your data rights:

Data Protection Officer: privacy@aisamtal.se
General Support: support@aisamtal.se
Website: https://aisamtal.se

We aim to respond to all GDPR-related inquiries within 30 days.

For more details about how we handle your data, please see our Privacy Policy and Terms of Service.

Last reviewed and verified for GDPR compliance: November 4, 2025