GDPR Compliance

How CircuCity AI protects personal data and meets EU regulatory requirements.

Our Commitment to GDPR

CircuCity AI is fully committed to compliance with the General Data Protection Regulation (EU 2016/679). We have implemented comprehensive technical and organizational measures to protect personal data and uphold data subject rights. This page details our GDPR compliance framework, data processing practices, and your rights as a data controller or data subject.

Data Processing Roles

Processor & Controller
  • Data Controller: You (our customer) determine the purposes and means of processing personal data collected through your AI chatbot.
  • Data Processor: CircuCity AI processes personal data on your behalf according to your documented instructions.
  • Sub-Processors: We engage trusted sub-processors (Hetzner, AWS, OpenAI, Resend, Stripe) who have been vetted for GDPR compliance and are bound by data processing agreements.
  • Joint Controllership: In limited contexts (anonymized analytics), we act as a joint controller with aggregated, non-personal data.

Data Processing Agreement (DPA)

A Data Processing Agreement is available to all customers upon request. The DPA covers:

  • Scope and purpose of data processing.
  • Duration of processing (term of subscription plus 30 days).
  • Categories of data subjects (your customers, your team members).
  • Types of personal data (names, emails, chat messages, order data).
  • Security measures (encryption, access control, audits).
  • Sub-processor list and notification of changes.
  • International transfer safeguards (Standard Contractual Clauses).
  • Assistance with data subject requests and breach notifications.
  • To request a signed DPA, email privacy@circucity.se.

Data Subject Rights → How We Support Them

As a data processor, we provide tools and processes to help you fulfill data subject requests:

Right to Access

Export a subject's data via dashboard or API. We respond within 30 days.

Right to Rectification

Update inaccurate data through dashboard settings or via support.

Right to Erasure

Delete conversations, knowledge base documents, or entire workspaces. Permanently removed within 30 days.

Right to Restrict

Suspend processing of a specific data subject while a request is verified.

Right to Portability

Export data in JSON format for transfer to another service.

Right to Object

Opt out of analytics processing. Contact privacy@circucity.se.

Technical & Organizational Measures

We maintain the following measures to ensure data security:

  • Encryption: AES-256 at rest for databases, file storage, and backups. TLS 1.3 for all data in transit.
  • Access Control: Role-based access control (RBAC) for dashboard users. Multi-factor authentication available.
  • Network Security: VPC isolation, firewall rules, intrusion detection, and DDoS protection.
  • Personnel: All employees undergo annual GDPR and security training. Access is granted on a least-privilege basis with audit logging.
  • Incident Response: Documented breach notification procedure. We notify affected customers within 48 hours of confirmed breach.
  • Vendor Management: Annual security reviews of all sub-processors. DPAs in place with all vendors.

International Data Transfers

All personal data is stored within the European Union (Hetzner, Falkenstein; AWS eu-central-1, Frankfurt). Where data transfers outside the EU are necessary (e.g., OpenAI inference in the US for chat response generation), we rely on:

  • Standard Contractual Clauses (SCCs) adopted by the European Commission.
  • Data Protection Impact Assessments (DPIA) for each transfer mechanism.
  • Transfer Impact Assessments (TIA) evaluating the legal framework of the destination country.
  • We do not transfer personal data to countries without an adequate level of protection as determined by the European Commission.

Data Retention & Deletion

  • Active Accounts: Data retained for the duration of your subscription.
  • Post-Termination: Data retained for 30 days, then permanently deleted.
  • Chat Logs: Retained for 12 months, then anonymized (PII removed, aggregate statistics retained).
  • Backups: Retained for 30 days. Deleted data is removed from backups within 90 days.
  • Billing Records: Retained for 7 years per Swedish tax law. Only minimal billing data is kept (name, email, transaction amount).
  • You can manually delete specific data at any time via the dashboard (conversations, documents, team members).

Breach Notification Procedure

In the event of a personal data breach:

  • Our security team is alerted via automated monitoring systems within 15 minutes.
  • Initial assessment and containment within 2 hours.
  • Customer notification within 48 hours if the breach poses a risk to data subjects.
  • Notification includes: nature of breach, categories of data affected, likely consequences, and remediation steps.
  • Supervisory authority notified within 72 hours where required.
  • Post-incident report and preventive measures shared with affected customers within 14 days.

Data Protection Officer

Our Data Protection Officer oversees GDPR compliance and serves as the point of contact for supervisory authorities and data subjects.

Email: privacy@circucity.se

Privacy inquiries: privacy@circucity.se

Postal: CircuCity AI AB, Stockholm, Sweden

Response within 72 hours for all data subject requests.

Supervisory Authority

You have the right to lodge a complaint with your local data protection authority. Our lead supervisory authority is:

  • Swedish Authority for Privacy Protection (IMY)
  • Box 8114, 104 20 Stockholm, Sweden
  • Email: imy@imy.se
  • Website: www.imy.se