How CircuCity AI protects personal data and meets EU regulatory requirements.
Our Commitment to GDPR
CircuCity AI is fully committed to compliance with the General Data Protection Regulation (EU 2016/679). We have implemented comprehensive technical and organizational measures to protect personal data and uphold data subject rights. This page details our GDPR compliance framework, data processing practices, and your rights as a data controller or data subject.
Data Processing Roles
Processor & Controller
Data Controller: You (our customer) determine the purposes and means of processing personal data collected through your AI chatbot.
Data Processor: CircuCity AI processes personal data on your behalf according to your documented instructions.
Sub-Processors: We engage trusted sub-processors (Hetzner, AWS, OpenAI, Resend, Stripe) who have been vetted for GDPR compliance and are bound by data processing agreements.
Joint Controllership: In limited contexts (anonymized analytics), we act as a joint controller with aggregated, non-personal data.
Data Processing Agreement (DPA)
A Data Processing Agreement is available to all customers upon request. The DPA covers:
Scope and purpose of data processing.
Duration of processing (term of subscription plus 30 days).
Categories of data subjects (your customers, your team members).
Types of personal data (names, emails, chat messages, order data).
Personnel: All employees undergo annual GDPR and security training. Access is granted on a least-privilege basis with audit logging.
Incident Response: Documented breach notification procedure. We notify affected customers within 48 hours of confirmed breach.
Vendor Management: Annual security reviews of all sub-processors. DPAs in place with all vendors.
International Data Transfers
All personal data is stored within the European Union (Hetzner, Falkenstein; AWS eu-central-1, Frankfurt). Where data transfers outside the EU are necessary (e.g., OpenAI inference in the US for chat response generation), we rely on:
Standard Contractual Clauses (SCCs) adopted by the European Commission.
Data Protection Impact Assessments (DPIA) for each transfer mechanism.
Transfer Impact Assessments (TIA) evaluating the legal framework of the destination country.
We do not transfer personal data to countries without an adequate level of protection as determined by the European Commission.
Data Retention & Deletion
Active Accounts: Data retained for the duration of your subscription.
Post-Termination: Data retained for 30 days, then permanently deleted.
Chat Logs: Retained for 12 months, then anonymized (PII removed, aggregate statistics retained).
Backups: Retained for 30 days. Deleted data is removed from backups within 90 days.
Billing Records: Retained for 7 years per Swedish tax law. Only minimal billing data is kept (name, email, transaction amount).
You can manually delete specific data at any time via the dashboard (conversations, documents, team members).
Breach Notification Procedure
In the event of a personal data breach:
Our security team is alerted via automated monitoring systems within 15 minutes.
Initial assessment and containment within 2 hours.
Customer notification within 48 hours if the breach poses a risk to data subjects.
Notification includes: nature of breach, categories of data affected, likely consequences, and remediation steps.
Supervisory authority notified within 72 hours where required.
Post-incident report and preventive measures shared with affected customers within 14 days.
Data Protection Officer
Our Data Protection Officer oversees GDPR compliance and serves as the point of contact for supervisory authorities and data subjects.
Email: privacy@circucity.se
Privacy inquiries: privacy@circucity.se
Postal: CircuCity AI AB, Stockholm, Sweden
Response within 72 hours for all data subject requests.
Supervisory Authority
You have the right to lodge a complaint with your local data protection authority. Our lead supervisory authority is: