Privacy Policy

1. Who We Are

Smultron Studio AB operates the GlennGPT AI chat service. We are the data controller for your personal data under GDPR.
Contact: privacy@aisamtal.se | aisamtal.se

2. What Data We Collect

Data Type	What We Collect	Why We Need It	Legal Basis
Account Data	Email, name, password (encrypted)	Create and manage your account	Contract
Conversations	Your prompts and AI responses	Provide the AI service	Contract
Usage Data	Message counts, quota tracking	Manage subscription limits	Contract
Technical Data	IP address, browser type, access logs	Security and service improvement	Legitimate Interest
Billing Data	Subscription info	Process payments	Contract + Legal Obligation
Website Analytics	Page views, referrer, country (anonymized, no personal identifiers)	Improve website and service	Legitimate Interest

What We Don't Collect: Marketing cookies, social media trackers, cross-site tracking data, or any data that identifies you personally through our website analytics.

3. How We Use Your Data

We use your personal data to:

Provide the Service: Process your conversations, maintain chat history, manage your account
Handle Payments: Process subscriptions and maintain billing records
Ensure Security: Detect fraud, prevent abuse, protect system integrity
Improve Quality: Analyze usage patterns, optimize performance (anonymized where possible)
Communicate: Send service updates, respond to support requests

Legal Basis: Contract performance (GDPR Art. 6(1)(b)), Legitimate interest (Art. 6(1)(f)), Legal obligation (Art. 6(1)(c)), Consent for marketing (Art. 6(1)(a)).

Cloud AI Models: When you select optional cloud AI models (OpenAI, Anthropic, Google) in Pro/Max plans, processing is based on contract performance (GDPR Art. 6(1)(b)) - necessary to deliver the advanced AI features you've subscribed to.

4. Who We Share Data With

Essential Service Providers (GDPR Data Processors)

Berget AI (Sweden): Primary AI inference that processes your prompts to generate responses. Data remains in Sweden, GDPR-compliant, never stored after processing, never used for training.
OpenAI (United States), Anthropic (United States), Google (United States): Optional cloud AI models available in Pro/Max plans. When you select these models, conversation data is processed outside Sweden under Standard Contractual Clauses. Limited retention (see Section 4.1 for details), never used for training.
Mollie (Netherlands/EU): Payment processing - handles subscriptions. PCI DSS and GDPR-compliant. May use Standard Contractual Clauses (SCCs) for sub-processors.

We Never: Sell your data, share with advertisers, use conversations for AI training, transfer data outside EU/EEA except via SCCs, or provide data to social media platforms.

4.1 Cloud AI Sub-Processors and Third-Party Integrations

If you want to access additional external models other than the Swedish hosted Open Source models provided as the primary service, GlennGPT offers two ways to access external cloud AI models, with different data processing relationships:

A. Platform-Provided Cloud AI Models (Sub-Processors)

When you select cloud AI models provided through our platform interface (available in Pro and Max subscription plans), these providers act as our sub-processors under GDPR Article 28. This means:

Your contractual relationship is with GlennGPT
We remain responsible as your data processor
The cloud AI provider processes data on our behalf according to our instructions
You authorize us to use these specific sub-processors by using the platform-provided models

Authorized Cloud AI Sub-Processors:

Provider	Models	Location	Transfer Safeguards	DPA Terms
OpenAI, L.L.C.	OpenAI GPT models	United States	Standard Contractual Clauses, Max 30-day retention, No training	OpenAI DPA
Anthropic PBC	Claude models	United States	Standard Contractual Clauses, No retention, No training	Anthropic DPA
Google LLC	Gemini models	United States	EU-US DPF Certified, SCCs, No retention, No training	Google Cloud DPA

What Data Is Shared with Cloud AI Sub-Processors:

Your conversation prompts (messages you send)
AI-generated responses
Conversation context (for multi-turn conversations)
Technical metadata (timestamps, model selection, API parameters)

What Data Is NOT Shared:

Your email address or account information
Payment information
Conversations with other AI models (Swedish models or BYOK integrations, unless you mix models in the same conversation)
Your subscription details or billing history

Data Retention by Sub-Processors: Cloud AI sub-processors have limited data retention periods as specified in their DPAs: OpenAI retains API data for up to 30 days before deletion; Anthropic and Google do not retain data after processing. All sub-processors are contractually prohibited from using your data to train their AI models.

Sub-Processor Authorization and Notification:

By subscribing to Pro or Max plans and selecting platform-provided cloud AI models, you provide general authorization (GDPR Article 28(2)) for us to engage the cloud AI sub-processors listed above.

If we plan to change how and which data is being processed by our cloud AI sub-processors we will:

Email you at least 30 days in advance with details of the proposed change
Provide you with the opportunity to object to the change
If you object and we cannot accommodate your objection, you may terminate your subscription without penalty

B. Bring Your Own Key (BYOK) Third-Party Integrations

Basic, Pro and Max subscribers can also connect their own cloud AI API keys through account settings ("BYOK" integrations). In this scenario:

You have a separate, direct contractual relationship with the AI provider
The AI provider is NOT our sub-processor - they are an independent data controller
GlennGPT acts only as a technical intermediary, securely passing your prompts to the provider's API
The provider's own privacy policy, DPA, and terms of service apply
You are responsible for compliance with the provider's terms

Your Responsibilities for BYOK:

Review and accept the third-party provider's privacy policy and terms
Ensure your API key is authorized for the intended use
Understand that the provider processes your data under their policies, not ours
Monitor your usage and costs directly with the provider
Revoke API access through your provider account if you no longer wish to use the integration

BYOK Data Flow:

GlennGPT securely encrypts and transmits your prompt using your API key
The AI provider processes your request under their own data processing terms
GlennGPT receives and displays the response
GlennGPT stores the conversation in your account (in Sweden) for your chat history
The third-party provider's data retention and usage policies apply to their processing

Supported BYOK Providers:

You may connect API keys from OpenAI, Anthropic, Google, and other OpenAI-compatible providers. Each provider has different terms - review their documentation:

Legal Basis for Cloud AI Processing:

Platform-Provided: Contract performance (GDPR Article 6(1)(b)) - necessary to deliver the Pro/Max subscription features you've purchased
BYOK: Contract performance (GDPR Article 6(1)(b)) - necessary to provide the technical integration feature you've subscribed to

Switching Between Models: You can switch between Swedish models, platform-provided cloud models, and BYOK integrations at any time through your account settings. Each conversation is processed only by the model you select for that specific conversation.

5. How Long We Keep Your Data

Active Account: Conversations and account data retained until you delete them or close your account
Cloud AI Processing: When using optional cloud models, retention varies by provider: OpenAI up to 30 days, Anthropic and Google no retention after processing
Access Logs: 90 days (security and performance)
After Account Closure: Most data deleted within 30 days
Billing Records: 7 years (Swedish accounting law requirement)
Support Communications: 2 years (quality assurance)

6. Your GDPR Rights

You have the right to:

Access (Art. 15): Get a copy of your data in structured format
Rectification (Art. 16): Correct inaccurate data via account settings
Erasure (Art. 17): Delete your data (except legal obligations like billing records)
Restriction (Art. 18): Limit processing during disputes
Portability (Art. 20): Export your data in machine-readable format
Object (Art. 21): Object to processing based on legitimate interests
Withdraw Consent: For marketing or optional features

Exercise Your Rights: Email privacy@aisamtal.se - we respond within 30 days, free of charge unless requests are excessive.

File a Complaint: Swedish Authority for Privacy Protection (IMY) - www.imy.se | imy@imy.se

7. Security Measures

We protect your data with:

Encryption: TLS 1.3 in transit, encrypted database at rest
Access Controls: Role-based access
Network Security: Firewalls, intrusion detection, regular security audits
Incident Response: Data breach notification to supervisory authority within 72 hours (GDPR Art. 33); notification to affected users without undue delay when breach poses high risk to rights and freedoms (GDPR Art. 34)

8. International Data Transfers

Swedish Processing (Default)

All GlennGPT platform infrastructure—databases, servers, user accounts, and billing—is hosted exclusively in Swedish data centers. When using Swedish-hosted AI models (indicated by "(Sweden)" in the model name), your data never leaves Sweden.

Privacy-Conscious Users: To ensure your data never leaves Sweden, use only models marked with "(Sweden)" and avoid selecting cloud AI models marked "(External)".

Optional Cloud AI Processing

When you select cloud AI models marked "(External)" in Pro/Max plans, conversation data is transferred to the United States. See Section 4.1 for detailed sub-processor information.

Transfer Safeguards:

EU Commission-approved Standard Contractual Clauses (SCCs)
Limited data retention (varies by provider: up to 30 days for OpenAI, no retention for Anthropic/Google)
Contractual prohibition on using your data for AI training

BYOK Integrations: When using your own API keys, you are responsible for the international transfer as you have a direct relationship with the provider. See Section 4.1 for details.

No Other Transfers: All account data, billing, and logs remain in Sweden. Mollie payment processing occurs within the EU (Netherlands). Our analytics are self-hosted in Sweden. We do not use US-based CDNs or marketing tools.

9. Cookies and Analytics

We use only essential cookies required for the service to function:

Session Cookies: Keep you logged in
Security Cookies: Authentication and fraud protection

No advertising or third-party tracking cookies.

Privacy-Focused Analytics

We use self-hosted, cookie-free analytics to understand how our website is used. This analytics solution:

Does not use cookies or local storage
Does not collect personal identifiers
Does not track users across websites
Is hosted on our own Swedish infrastructure
Collects only anonymized, aggregate data (page views, referrer, country, device type)

Legal Basis: Legitimate interest (GDPR Art. 6(1)(f)) - we have a legitimate interest in understanding website usage to improve our service. Because no personal data is collected, this processing poses minimal risk to your privacy.

10. Age Restriction

The Service is not intended for users under 18. If we discover data from a minor, we will delete it promptly. Parents should contact privacy@aisamtal.se if concerned.

11. Policy Updates

We may update this policy to reflect legal or operational changes. We will provide reasonable notice of significant changes via email or service notification. Continued use after updates constitutes acceptance.

12. Contact Us

Privacy Inquiries: privacy@aisamtal.se
General Support: support@aisamtal.se
Website: aisamtal.se

For detailed GDPR compliance information, see our GDPR Compliance page.

Our Privacy Commitment