GDPR and AI - How We Protect Your Data
Gothia AI Portal runs on EU hosting with an isolated database per customer. AI features do not train on your data.

GDPR features were built into the portal from day one.
Where is data stored?
All data is stored in France with Scaleway, a European hosting provider. There are no servers in the USA, so the CLOUD Act question does not arise. The database is also isolated per customer.
- Database: Local PostgreSQL
- Vector database: Local Qdrant
- Hosting: Scaleway VPS in France
What happens with data sent to the AI?
ChatBot and Compass use an external language model to generate responses. Our provider has a policy of not training models on customer data sent via API.
Your documents and conversations are sent to the provider only to generate a response. They are not stored with the provider and are not used for model training.
We have Data Processing Agreements (DPAs) with all subprocessors.
Your Rights
The portal has built-in GDPR features:
- Data export — users can download all their data as JSON
- Account deletion — 30-day right of withdrawal, then permanent deletion
- Data retention — AI logs and notifications are deleted after 90 days
- Cookie consent — Google Analytics is only loaded after consent
- Transparency notices — ChatBot and Compass show that responses are AI-generated
What agreements exist?
All relevant GDPR documents are published:
- DPA (Data Processing Agreement) — gothiaai.se/dpa
- Records of Processing — according to GDPR Article 30
- DPIA (Data Protection Impact Assessment) — for AI features
- Subprocessor list — complete list with named providers at gothiaai.se/dpa
Payments
Card payments go through Stripe, which is PCI DSS Level 1 certified. Card details never pass through our servers.
Security Headers and Encryption
All sites (portal, website, demo) serve:
- HSTS (Strict-Transport-Security)
- Content Security Policy
- X-Frame-Options: DENY
- Referrer-Policy: strict-origin-when-cross-origin
All traffic is encrypted with TLS, using certificates from Let's Encrypt.
Summary
| Question | Answer |
|---|---|
| Where is data stored? | Sweden/EU |
| Is my data used to train AI? | No |
| Can I export my data? | Yes |
| Can I delete my account? | Yes (30-day right of withdrawal) |
| Is there a DPA? | Yes, published at gothiaai.se/dpa |
| PCI DSS? | Yes, via Stripe |
Please reach out if anything is unclear about how we handle data.