
GDPR rights and our handling

Data subject rights, lawful basis, retention, and how to exercise them.

Last updated May 12, 2026

Who this applies to

GDPR applies if you're a data subject in the EU / EEA / UK, or if your workspace is in those regions. We treat all workspaces under GDPR-equivalent rights regardless of geography — it's simpler and you're never disadvantaged.

Lawful basis

We process personal data on these lawful bases:

  • Contract. To deliver the platform you're paying for (or trialing).
  • Legitimate interests. For product analytics, fraud prevention, and audit-log retention. You can object — see below.
  • Consent. For optional marketing communications. Granular opt-ins at Settings → Notifications.
  • Legal obligation. To comply with tax law, subpoenas, court orders.

The seven rights

1. Right of access (Article 15)

Download everything we hold about you. See Data export. Self-serve, instant.

2. Right to rectification (Article 16)

Update your profile at Settings → My account. For data inside your workspaces (your authored content, etc.), edit it in-place; the audit log preserves the history.

3. Right to erasure (Article 17)

Settings → My account → Delete account.

What gets deleted:

  • Your user record, profile, OAuth tokens, MFA secrets.
  • Your share of audit-log entries (where you were the actor) is anonymized — the action stays, your identity is removed.
  • Workspaces you own: you must transfer ownership or delete them first. The flow walks you through this.
  • Content you authored in workspaces where you were a member but not owner: the content stays (it belongs to the workspace) but author attribution is anonymized.

Deletion is irreversible. We retain a hashed identifier for 30 days post-deletion solely to honour the "do not re-onboard" request, then it's purged.

4. Right to restriction (Article 18)

If you dispute the accuracy of data we hold, you can request restriction. We pause processing of the disputed data while we investigate. Email privacy@aidomination.app to invoke this right.

5. Right to data portability (Article 20)

The data export is structured, machine-readable JSON. See Data export.

6. Right to object (Article 21)

You can object to processing based on legitimate interests. Specifically:

  • Product analytics. Opt out at Settings → Privacy → Analytics.
  • Marketing communications. Opt out at Settings → Notifications → Marketing.
  • Customer-success outreach. Opt out at Settings → Notifications → Customer success.

Some legitimate-interest processing (fraud prevention, audit-log integrity) cannot be objected to without ending the service relationship.

7. Rights related to automated decision-making (Article 22)

We do not make solely-automated decisions about you that produce legal effects. The compliance scanner blocks content, not people; the customer-success dashboard flags accounts for human review, never auto-actions.

Retention

Data                           Retention
-----------------------------  ------------------------------------------------------
Account profile                Until deletion
Audit log                      90 days to 7 years, depending on plan (see Audit logs)
Content (drafts, published)    Forever, unless deleted
Backups                        35 days, rolling
Web logs / IPs                 30 days
Stripe / billing               7 years, per tax law

Deletion under Article 17 follows these timelines: backups that still contain your data are never restored, and your data drops out of them as the 35-day backup rotation completes.

International transfers

If you're an EU data subject, your primary data lives in EU regions. Some operational systems (incident response, support) may access your data from elsewhere; those accesses are covered by Standard Contractual Clauses with our service providers. See our DPA at /legal/dpa.

Sub-processors

We use a small set of sub-processors (Stripe for billing, our cloud host for infra, etc.). The complete list and their roles are at /legal/subprocessors. We notify 30 days in advance of any change.

Breach notification

If we suffer a personal-data breach, we notify affected users without undue delay and within 72 hours of becoming aware, per Article 33. The notice includes the nature of the breach, the data involved, our response, and steps you can take.

DPO and contact

EU representatives and DPO contact: dpo@aidomination.app. Privacy queries: privacy@aidomination.app. Both are monitored; we respond within 30 days as required.

Supervisory authority

You have the right to lodge a complaint with your supervisory authority. We'd rather you talked to us first, but the right is unconditional.
