Privacy-First Commitment: All your data is stored and processed exclusively in Sweden. Your conversations are never used for AI model training, never shared with third parties for marketing purposes, and remain under Swedish jurisdiction and GDPR protection.
1. Data Controller
The data controller responsible for your personal data is:
aisamtal
Sweden
Email: privacy@aisamtal.se
Website: https://aisamtal.se
This Privacy Policy explains how we collect, use, store, and protect your personal data when you use the GlennGPT service ("Service"). It applies to all users of our website and services accessed through glenngpt.se and glenngpt.aisamtal.se.
2. Data Collection
We collect different types of information depending on how you interact with our Service:
2.1 Information You Provide Directly
- Account Information: Name, email address, password (encrypted)
- Billing Information: Payment details processed through our payment provider Mollie (we do not store credit card numbers)
- Conversation Content: Text prompts you submit and AI-generated responses
- Support Communications: Correspondence when you contact our support team
- Profile Settings: Preferences and configuration choices you make in your account
2.2 Information Collected Automatically
- Usage Data: Features used, actions taken, time and frequency of use
- Device Information: Browser type, operating system, IP address, device identifiers
- Log Data: Access times, pages viewed, error logs, referral URLs
- Performance Data: Response times, system performance metrics
2.3 What We Don't Collect
We do not use:
- Third-party analytics tools like Google Analytics
- Marketing cookies or tracking pixels
- Cross-site tracking technologies
- Social media tracking plugins
3. Legal Basis and Purpose of Processing
We process your personal data based on the following legal grounds under GDPR:
3.1 Contract Performance (GDPR Article 6(1)(b))
- Providing the AI chat service you subscribed to
- Processing your conversations and maintaining chat history
- Managing your account and subscription
- Delivering customer support
3.2 Legitimate Interest (GDPR Article 6(1)(f))
- Improving service quality and user experience
- Detecting and preventing fraud and abuse
- Ensuring system security and stability
- Analyzing usage patterns to optimize performance
We balance these legitimate interests against your data protection rights and ensure processing is not excessive or intrusive.
3.3 Legal Obligation (GDPR Article 6(1)(c))
- Maintaining accounting records as required by Swedish law
- Complying with tax and financial reporting requirements
- Responding to lawful requests from authorities
3.4 Consent (GDPR Article 6(1)(a))
- Marketing communications (opt-in only)
- Optional features that require additional data processing
You may withdraw consent at any time through your account settings.
4. Data Sharing and Third-Party Processors
We share your data with carefully selected third-party processors who help us deliver the Service. All processors are bound by data processing agreements and operate under GDPR requirements.
4.1 Essential Service Providers
- Berget AI (Sweden): AI inference provider - processes your conversation prompts to generate responses. Data remains in Sweden.
- Mollie (Netherlands/EU): Payment processing - handles subscription payments and billing. Complies with PCI DSS and GDPR.
4.2 Infrastructure Providers
- Swedish Hosting Provider: Server infrastructure and data storage located in Sweden
- PostgreSQL Database: Self-hosted on Swedish servers, not a third-party cloud service
4.3 What We Don't Share
We never:
- Sell your personal data to third parties
- Share your data with advertising networks
- Use your conversations to train AI models (yours or others)
- Provide your data to social media platforms
- Transfer data outside the EU/EEA except as noted below
4.4 International Data Transfers
While we prioritize Swedish and European data processing, some services may involve limited data transfers outside the EU/EEA:
- Mollie: May use sub-processors with Standard Contractual Clauses (SCCs) for payment security
All international transfers comply with GDPR Chapter V requirements through SCCs or adequacy decisions.
5. Data Retention
We retain your personal data only as long as necessary for the purposes outlined in this policy:
5.1 Active Accounts
- Account Information: Retained for the duration of your account
- Conversation History: Stored until you delete it or close your account
- Usage Logs: Retained for 90 days for security and performance analysis
5.2 After Account Closure
- Most Data: Deleted within 30 days of account closure
- Billing Records: Retained for 7 years to comply with Swedish accounting law
- Support Communications: Retained for 2 years for quality assurance and legal purposes
5.3 Legal Holds
We may retain data longer if required by law, regulation, legal process, or to establish, exercise, or defend legal claims.
6. Your Data Protection Rights
Under GDPR, you have the following rights regarding your personal data:
6.1 Right of Access (Article 15)
You can request a copy of all personal data we hold about you. We provide this in a structured, commonly used format.
6.2 Right to Rectification (Article 16)
You can correct inaccurate personal data or complete incomplete data through your account settings or by contacting us.
6.3 Right to Erasure (Article 17)
You can request deletion of your personal data when:
- It's no longer necessary for the purposes it was collected
- You withdraw consent and there's no other legal basis for processing
- You object to processing based on legitimate interests
- Your data was processed unlawfully
Note: We may retain certain data to comply with legal obligations (e.g., accounting records).
6.4 Right to Restriction of Processing (Article 18)
You can request that we limit how we use your data while we investigate a dispute or verify data accuracy.
6.5 Right to Data Portability (Article 20)
You can receive your data in a machine-readable format and transmit it to another controller. We provide export functionality for conversation history and account data.
6.6 Right to Object (Article 21)
You can object to processing based on legitimate interests. We will stop processing unless we demonstrate compelling legitimate grounds that override your interests.
6.7 Right to Withdraw Consent
Where processing is based on consent, you can withdraw it at any time. This doesn't affect the lawfulness of processing before withdrawal.
6.8 Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority, specifically:
Swedish Authority for Privacy Protection (IMY)
Website: www.imy.se
Email: imy@imy.se
6.9 Exercising Your Rights
To exercise any of these rights, contact us at: privacy@aisamtal.se
We will respond to your request within 30 days. If we need more time, we'll let you know why and when you can expect a response. We don't charge fees for most requests unless they're excessive or repetitive.
7. Data Security
We implement comprehensive technical and organizational measures to protect your personal data:
7.1 Technical Measures
- Encryption: TLS 1.3 for data in transit, encrypted database storage for data at rest
- Access Controls: Role-based access with multi-factor authentication for administrators
- Network Security: Firewalls, intrusion detection, regular security audits
- Secure Development: Code reviews, security testing, regular updates and patches
7.2 Organizational Measures
- Staff Training: Regular data protection and security training for all personnel
- Access Limitation: Only authorized personnel can access personal data, on a need-to-know basis
- Incident Response: Documented procedures for detecting and responding to data breaches
- Vendor Management: Data processing agreements with all third-party processors
7.3 Data Breach Notification
In the event of a data breach that poses a risk to your rights and freedoms, we will:
- Notify the supervisory authority within 72 hours of becoming aware
- Notify affected users without undue delay if the breach poses a high risk
- Provide clear information about the breach, its likely consequences, and measures taken
8. Cookies and Tracking
8.1 Our Cookie Policy
We take a minimal approach to cookies and tracking.
8.2 Essential Cookies Only
We use only essential cookies necessary for the Service to function:
- Session Cookies: To keep you logged in and maintain your session
- Security Cookies: For authentication and protection against fraud
These cookies are required for the Service to work and cannot be disabled.
8.3 What We Don't Use
- Analytics cookies
- Advertising cookies
- Social media cookies
- Third-party tracking cookies
8.4 Browser Settings
You can control cookie settings through your browser. However, disabling essential cookies may prevent you from using certain features of the Service.
9. Children's Privacy
The Service is not intended for children under 18 years of age. We do not knowingly collect personal data from children. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at privacy@aisamtal.se.
If we become aware that we have collected personal data from a child without parental consent, we will take steps to delete that information promptly.
10. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.
When we make changes:
- We'll update the "Last Updated" date at the top of this page
- For significant changes, we'll notify you via email or through a prominent notice on the Service
- Your continued use of the Service after changes constitutes acceptance of the updated policy
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data.
11. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Data Protection Inquiries: privacy@aisamtal.se
General Support: support@aisamtal.se
Website: https://aisamtal.se
We aim to respond to all privacy inquiries within 30 days.
For more information about our GDPR compliance practices, please visit our GDPR Compliance page.
By using GlennGPT, you acknowledge that you have read and understood this Privacy Policy.