Last Updated: December 1, 2025 | Version 1.1
Privacy-First Architecture: GlennGPT is built from the ground up for GDPR compliance. Every design decision prioritizes your privacy, with 100% Swedish data residency, transparent data practices, and full user control. We don't just comply with GDPR—we exceed it.
The General Data Protection Regulation (GDPR) is the EU's comprehensive data protection law that gives you control over your personal data. As a Swedish-based service under the supervision of the Swedish Authority for Privacy Protection (IMY), we're fully committed to GDPR compliance and Swedish data protection standards.
Clear, honest communication about what data we collect and why
Data used only for the specific purposes you agreed to
We collect only what's necessary to provide the service
Tools to keep your data accurate and up-to-date
Clear retention schedules; no data kept longer than needed
Strong encryption, access controls, and security measures
Why it matters: Unlike services storing data in the US or globally, GlennGPT keeps 100% of your data within Sweden under Swedish and EU jurisdiction.
Hosted entirely in Swedish data centers
Swedish AI infrastructure provider - your data never leaves Sweden
Third-party providers may process chat data outside of Sweden when you actively choose to use external AI inference
EU-based payment processor (GDPR compliant)
Encrypted, stored on Swedish servers
GDPR grants you comprehensive rights over your personal data. Here's how to exercise them with GlennGPT:
| Right | What You Can Do | How to Exercise |
|---|---|---|
| Access | Request a copy of all your data | Account settings → "Export Data" or email privacy@aisamtal.se |
| Rectification | Correct inaccurate data | Update directly in account settings |
| Erasure | Request deletion of your data | Account settings → "Delete Account" or email privacy@aisamtal.se |
| Restriction | Limit how we process your data | Contact privacy@aisamtal.se with specific restrictions |
| Portability | Receive data in machine-readable format | Use "Export" feature (JSON format provided) |
| Object | Object to specific processing activities | Email privacy@aisamtal.se with objection details |
Response Time: We respond to all rights requests within 30 days. Most account-based actions take effect immediately.
Note on Erasure: When you delete your account, most data is removed without undue delay (typically within 30 days). Billing records are retained for 7 years as required by Swedish accounting law. Anonymized usage statistics may be retained for service improvement.
Every data processing activity requires a legal basis under GDPR. Here's ours:
Processing necessary to provide the service:
Processing necessary for business operations, balanced against your rights:
Processing required by Swedish or EU law:
Optional processing requiring explicit opt-in:
You can withdraw consent at any time through account settings or by contacting privacy@aisamtal.se.
Under GDPR Article 28, we maintain contracts with all processors and sub-processors who handle your personal data on our behalf. You have the right to request information about our processors—contact us at privacy@aisamtal.se. Key processor categories are also described in our Privacy Policy.
Our primary data processors handle your data exclusively within Sweden or the European Economic Area:
Legal Basis: GDPR Article 28 - These processors act on our behalf under written contracts that meet Article 28 requirements.
When Applicable: Only when you actively select a cloud AI model provided through the platform in Pro or Max subscription plans. If you only use Swedish-hosted models, this section does not apply to you.
Key Protections:
Article 28(2) Compliance: By subscribing to Pro or Max plans and selecting platform-provided cloud AI models, you provide general written authorization for us to engage cloud AI sub-processors as listed in our Privacy Policy.
Sub-Processor Change Notification:
In accordance with GDPR Article 28(2), if we plan to add, remove, or replace a cloud AI sub-processor:
When you connect your own API key from a third-party AI provider ("Bring Your Own Key"), these providers are NOT our sub-processors under GDPR Article 28 because you have a direct contractual relationship with the provider. The provider's own privacy policy and terms apply to their processing of your data.
We use self-hosted, cookie-free analytics on our own Swedish infrastructure. Because this is self-hosted and collects only anonymized, aggregate data (no personal identifiers), it does not involve any third-party data processor. We do not engage marketing platforms or other third-party processors that access your personal data. See our Privacy Policy for complete details.
Processor Oversight: We conduct regular reviews of processor compliance, monitor industry certifications, and maintain records of processing activities as required by GDPR Article 30.
We implement comprehensive technical and organizational measures per GDPR Article 32:
In accordance with GDPR Articles 33-34, we have established breach detection and notification procedures:
User Notification Includes: Description of breach, likely consequences, measures taken/proposed, and contact point for questions.
Detection Methods: Continuous automated monitoring, automated anomaly detection, and regular security assessments.
GDPR Article 25 requires privacy to be built into services from inception. We implement this through:
Primary Processing: All core data processing occurs in Sweden (application, database, AI inference) and the EU (payment processing). Both are EU/EEA jurisdictions requiring no additional safeguards.
Limited Third-Country Transfers: When sub-processors involve data transfers outside EU/EEA, these are protected by:
Optional Cloud AI Models: When you select third-party cloud AI providers in Pro/Max subscriptions, conversation data may be transferred outside the EU/EEA. We protect these transfers through: (1) Standard Contractual Clauses requiring providers to protect data to European standards, (2) Provider participation in adequacy frameworks where available (such as the EU-US Data Privacy Framework), (3) Contractual guarantees that your data is never used for AI training. See our Privacy Policy for current provider details.
We do not use automated decision-making or profiling that produces legal effects or significantly affects you (GDPR Article 22). AI-generated content results from your direct prompts, not autonomous decisions about you.
As a Swedish company, our lead supervisory authority is:
Swedish Authority for Privacy Protection (IMY)
Integritetsskyddsmyndigheten
Box 8114
104 20 Stockholm
Sweden
Website: www.imy.se
Email: imy@imy.se
Phone: +46 8 657 61 00
If you have concerns about our data practices that we haven't resolved, you have the right to lodge a complaint with IMY or your local data protection authority.
For GDPR Rights Requests or Privacy Questions:
Privacy Contact: privacy@aisamtal.se
General Support: support@aisamtal.se
Website: https://aisamtal.se
We respond to all GDPR-related inquiries within 30 days.
Related Documentation: For detailed information about data collection, processing, and retention, see our Privacy Policy. For service terms and user obligations, see our Terms of Service.