Gothia AI

GDPR and AI - How We Protect Your Data

EU hosting, no training on customer data, and full transparency at every step. This is how we built Gothia AI Portal to protect your and your customers' data.


Your data is entirely your own. That may sound obvious, but in a world where AI services often collect customer data and use it to improve their models, it is not obvious to everyone. Do you think about how your data is protected? You're not alone, and there are ways to protect your information and feel secure.

We built Gothia AI Portal with data protection as a foundational principle, not an afterthought.

Where is your data stored?

All your data is stored securely in Sweden with a reliable European hosting provider. No servers are located in the USA, so you don't have to worry about CLOUD Act complications. Additionally, each customer has an isolated database, which prevents other customers from accessing your information.

  • Database: Local PostgreSQL
  • Vector database: Local Qdrant
  • Hosting: Hostinger VPS in Europe

What happens to data sent to the AI?

When HelperBot or Compass answers questions, they use Anthropic Claude as their language model provider. Anthropic's policy is clear:

"We do not train our models on customer data sent via API."

This means your documents, conversations, and customer information are always completely private and are not used to improve the AI model. They are only processed to generate a response, and that's it.

We also have a Data Processing Agreement (DPA) with all our subprocessors to further protect your data.

What rights do you have?

The portal has built-in GDPR features:

  • Data export — users can download all their data as JSON
  • Account deletion — 30-day grace period, then permanent deletion
  • Data retention — AI logs and notifications are automatically cleared after 90 days
  • Cookie consent — Google Analytics only loads if the user consents
  • Transparency notices — HelperBot and Compass clearly show that responses are generated by AI

What agreements are in place?

We have published all relevant GDPR documents:

  • DPA (Data Processing Agreement) — available at gothiaai.se/dpa
  • Processing Register — according to GDPR Article 30
  • DPIA (Data Protection Impact Assessment) — for the AI features in the portal
  • Subprocessor list — Anthropic, Stripe, Hostinger, one.com

The DPAs with our subprocessors have been verified; each one is included in that subprocessor's terms of service.

Payments and PCI DSS

Card payments are handled smoothly and securely through Stripe. Your card details always remain private because they never pass through our servers. Stripe is PCI DSS Level 1 certified, the highest level of compliance under the payment card industry's security standard.

Security headers and encryption

All sites (portal, website, demo) serve strict security headers:

  • HSTS (Strict Transport Security)
  • Content Security Policy
  • X-Frame-Options: DENY
  • Referrer-Policy: strict-origin-when-cross-origin

All traffic is encrypted with TLS, using certificates issued by Let's Encrypt.
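The header baseline listed above is easy to verify against your own deployment. The following is an added example, not code from Gothia AI: it checks a set of response headers for the four listed values and for a sufficiently long HSTS max-age (one year is assumed as the floor), and the sample responses are constructed rather than captured from any real site.

```python
from typing import Dict, List

# Added example, not Gothia AI code. Checks the header baseline the page lists.
# Header names are compared case-insensitively, as HTTP requires.
REQUIRED = {
    "strict-transport-security": None,  # presence here; max-age checked below
    "content-security-policy": None,    # presence only; policies vary per site
    "x-frame-options": "DENY",
    "referrer-policy": "strict-origin-when-cross-origin",
}

def check_headers(headers: Dict[str, str], min_hsts_age: int = 31536000) -> List[str]:
    """Return a list of findings; an empty list means the baseline is met."""
    lower = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    for name, expected in REQUIRED.items():
        value = lower.get(name)
        if value is None:
            findings.append(f"missing {name}")
        elif expected is not None and value.upper() != expected.upper():
            findings.append(f"{name} is {value!r}, expected {expected!r}")
    hsts = lower.get("strict-transport-security")
    if hsts is not None:
        # HSTS only protects returning visitors for as long as max-age lasts.
        directives = [d.strip().lower() for d in hsts.split(";")]
        max_age = next((d for d in directives if d.startswith("max-age=")), "")
        try:
            age = int(max_age.split("=", 1)[1]) if max_age else -1
        except ValueError:
            age = -1
        if age < min_hsts_age:
            findings.append(f"strict-transport-security max-age {age} below {min_hsts_age}")
    return findings

# Constructed sample responses (not captured from any real site).
GOOD = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
WEAK = {
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "SAMEORIGIN",
    "Referrer-Policy": "unsafe-url",
}

if __name__ == "__main__":
    for label, hdrs in (("good", GOOD), ("weak", WEAK)):
        print(label, check_headers(hdrs) or "baseline met")
```

To run it against a live site, feed it the header mapping from whatever HTTP client you already use; the checker itself does no network access.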

Summary

Question                          Answer
Where is data stored?             Sweden/EU
Is my data used to train AI?      No
Can I export my data?             Yes
Can I delete my account?          Yes (30-day grace period)
Is there a DPA?                   Yes, published
PCI DSS?                          Yes, via Stripe

We value transparency because it builds trust. Don't hesitate to get in touch if you have any questions about how we handle data – we're here to help you!