GDPR Compliance
Active AI Writer ("we", "us", "our") is committed to protecting and respecting your privacy. This GDPR Compliance statement explains how we comply with the General Data Protection Regulation (GDPR) and how we handle your personal data.
The General Data Protection Regulation (GDPR) (EU) 2016/679 is a comprehensive data protection law that came into effect on May 25, 2018. It replaced the existing EU Data Protection Directive 95/46/EC and provides enhanced rights to individuals in the European Economic Area (EEA) regarding their personal data.
- 1. Our commitment to GDPR compliance
- 2. Data Controller and Data Processor
- 3. Legal basis for processing
- 4. Your data subject rights
- 5. What data we collect and why
- 6. Data security measures
- 7. Data retention and deletion
- 8. International data transfers
- 9. Data breach notification
- 10. Data Protection Officer
- 11. How to exercise your rights
- 12. Right to lodge a complaint
1. Our commitment to GDPR compliance
Active AI Writer is committed to maintaining high standards of information security, privacy, and transparency. We place a high priority on protecting and managing your data in accordance with GDPR requirements and have implemented comprehensive measures to ensure compliance.
Our GDPR compliance principles:
- Lawfulness, fairness and transparency: We process your data lawfully, fairly and in a transparent manner
- Purpose limitation: We collect data for specified, explicit and legitimate purposes
- Data minimization: We only collect data that is adequate, relevant and limited to what is necessary
- Accuracy: We keep your data accurate and up to date
- Storage limitation: We retain data only as long as necessary for the purposes for which it was collected
- Integrity and confidentiality: We process data securely and protect it from unauthorized access
- Accountability: We are responsible for and can demonstrate compliance with GDPR principles
2. Data Controller and Data Processor
Data Controller
For personal data we collect about you (such as your name, email address, payment information), Active AI Writer acts as the Data Controller. This means we determine the purposes and means of processing your personal data.
Data Controller contact information:
Active AI Writer
Email: support@activeaiwriter.com
Website: https://activeaiwriter.com
Data Processor
When you use Active AI Writer to process text content through AI models, we act as a Data Processor on your behalf. You remain the Data Controller for the content you input for AI processing. We process this content strictly according to your instructions and do not use it for any other purposes.
Important distinction:
- Your account data (name, email, etc.) - we are the Data Controller
- Text content you submit for AI processing - you are the Data Controller, we are the Data Processor
3. Legal basis for processing
We process your personal data under the following legal bases as defined by GDPR Article 6:
- Contract performance (Article 6(1)(b)): Processing necessary to perform our contract with you when you use our services
- Consent (Article 6(1)(a)): You have given explicit consent for specific processing activities (e.g., marketing communications)
- Legitimate interests (Article 6(1)(f)): Processing necessary for our legitimate business interests (e.g., fraud prevention, system security)
- Legal obligations (Article 6(1)(c)): Processing necessary to comply with legal requirements (e.g., tax laws, accounting regulations)
4. Your data subject rights
Under the GDPR, you have comprehensive rights regarding your personal data. We respect these rights and have procedures in place to handle your requests efficiently.
Right of Access (Article 15)
You have the right to request a copy of the personal data we hold about you. This includes:
- Confirmation that we are processing your data
- Access to your personal data
- Information about how we process your data
- Details about data recipients, retention periods, and your other rights
Right to Rectification (Article 16)
You can request that we correct inaccurate or incomplete personal data. You can update most information directly through your account settings.
Right to Erasure / "Right to be Forgotten" (Article 17)
You can request that we delete your personal data under certain conditions:
- The data is no longer necessary for the purposes it was collected
- You withdraw your consent and there is no other legal basis for processing
- You object to processing and there are no overriding legitimate grounds
- The data has been unlawfully processed
- The data must be erased to comply with a legal obligation
Right to Restriction of Processing (Article 18)
You can request that we restrict the processing of your personal data in certain situations, such as when you contest the accuracy of the data or object to processing.
Right to Data Portability (Article 20)
You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller. We provide data export functionality in your account settings.
Right to Object (Article 21)
You can object to the processing of your personal data based on legitimate interests or for direct marketing purposes. We will cease processing unless we have compelling legitimate grounds.
Rights related to automated decision-making (Article 22)
You have the right not to be subject to decisions based solely on automated processing that produces legal effects or similarly significantly affects you. We do not engage in such automated decision-making.
Right to withdraw consent (Article 7(3))
Where we process your data based on consent, you have the right to withdraw that consent at any time. This does not affect the lawfulness of processing based on consent before its withdrawal.
5. What data we collect and why
| Data Category | Examples | Purpose | Legal Basis |
|---|---|---|---|
| Account Information | Name, email address, password | Account creation and management | Contract performance |
| Payment Information | Billing address, payment method | Process subscriptions and payments | Contract performance |
| Usage Data | Features used, AI requests, timestamps | Service provision and improvement | Legitimate interest |
| Technical Data | IP address, browser type, device info | Security and service optimization | Legitimate interest |
| Communication Data | Support tickets, feedback | Customer support and service improvement | Contract performance |
| Marketing Data | Email preferences, campaign interactions | Marketing communications (opt-in only) | Consent |
6. Data security measures
We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as required by GDPR Article 32.
Technical measures
- Encryption: All data in transit is encrypted using TLS 1.2 or higher. Data at rest is encrypted using AES-256 encryption
- Access controls: Role-based access controls (RBAC) and multi-factor authentication for administrative access
- Secure infrastructure: Hosted on secure, SOC 2 compliant cloud infrastructure
- Regular security testing: Penetration testing, vulnerability assessments, and security audits
- Monitoring and logging: 24/7 security monitoring and comprehensive audit logs
Organizational measures
- Staff training: Regular GDPR and data protection training for all employees
- Data processing agreements: Contracts with all processors and sub-processors
- Privacy by design: Privacy considerations integrated into all development processes
- Incident response plan: Documented procedures for handling data breaches
- Regular reviews: Periodic review and updates of security measures
7. Data retention and deletion
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, as required by GDPR Article 5(1)(e).
Retention periods
- Account data: Retained while your account is active and for up to 30 days after account deletion (to allow for account recovery)
- Payment records: Retained for 7 years to comply with tax and accounting regulations
- Usage logs: Retained for up to 90 days for security and troubleshooting purposes
- Marketing data: Retained until you unsubscribe or withdraw consent
- Support communications: Retained for 3 years to maintain service quality and training purposes
Secure deletion
When data reaches the end of its retention period or when you request deletion, we securely delete or anonymize your data using industry-standard methods to ensure it cannot be recovered or reconstructed.
8. International data transfers
Our servers are located in the United States. If you are accessing our services from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States and other countries.
Safeguards for EEA data transfers
For data transfers from the EEA to countries outside the EEA that are not deemed to provide an adequate level of protection, we implement appropriate safeguards as required by GDPR Chapter V:
- Standard Contractual Clauses (SCCs): We use the European Commission's approved Standard Contractual Clauses for data transfers
- Data Processing Agreements: Comprehensive agreements with all third-party processors
- Additional security measures: Enhanced technical and organizational measures to protect transferred data
9. Data breach notification
In accordance with GDPR Articles 33 and 34, we have procedures in place to detect, report, and investigate data breaches.
Our commitments:
- We will notify the relevant supervisory authority within 72 hours of becoming aware of a data breach that poses a risk to individuals' rights and freedoms
- We will notify affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms
- Breach notifications will include the nature of the breach, likely consequences, and measures taken or proposed to address it
- We maintain detailed documentation of all data breaches for supervisory authority review
10. Data Protection Officer
We have appointed a Data Protection Officer (DPO) to oversee our GDPR compliance and serve as a point of contact for data subjects and supervisory authorities.
Contact our DPO:
Email: dpo@activeaiwriter.com
Subject line: "GDPR / Data Protection Inquiry"
Our DPO is responsible for:
- Monitoring compliance with GDPR and other data protection laws
- Providing advice on data protection impact assessments
- Cooperating with supervisory authorities
- Acting as the contact point for data subjects exercising their rights
- Training and raising awareness among staff
11. How to exercise your rights
You can exercise your GDPR rights through the following channels:
Self-service options
- Account settings: Update your personal information, change email preferences, and export your data
- Privacy dashboard: View what data we collect and manage your privacy settings
- Unsubscribe links: Opt out of marketing emails using the unsubscribe link in any email
Contact us for assistance
For rights that require verification or manual processing (such as data deletion or restriction requests):
- Email: support@activeaiwriter.com with subject "GDPR Request"
- Include: Your name, email address, specific request, and any relevant details
- Response time: We will respond within 30 days (extendable to 60 days for complex requests)
Verification process
To protect your privacy, we will verify your identity before processing requests to access, delete, or transfer your data. We may request additional information to confirm your identity.
12. Right to lodge a complaint
You have the right to lodge a complaint with a supervisory authority, in particular in the EU member state of your habitual residence, place of work, or place of alleged infringement if you believe our processing of your personal data violates the GDPR.
EU Supervisory Authorities:
A list of supervisory authorities in the EU can be found at:
https://edpb.europa.eu/about-edpb/board/members_en
However, we encourage you to contact us first at support@activeaiwriter.com so we can address your concerns directly.