Last updated: January 2024
Our GDPR & AI Act Commitment
GET AI PORTRAIT is fully committed to complying with the General Data Protection Regulation (GDPR) and the EU AI Act, and to protecting the privacy rights of all users, especially EU citizens. We implement privacy-by-design principles and ensure transparent AI processing.
Your Rights Under GDPR
1. Right to Access
You can request a copy of all personal data we hold about you.
2. Right to Rectification
You can request correction of any inaccurate personal data.
3. Right to Erasure ("Right to be Forgotten")
You can request deletion of your personal data from our systems.
4. Right to Data Portability
You can request your data in a machine-readable format.
5. Right to Object
You can object to processing of your personal data for marketing purposes.
6. Right to Restrict Processing
You can request limitation of processing under certain circumstances.
Legal Basis for Processing
We process personal data based on:
- Explicit Consent (Article 9): Required for biometric data processing
- Contract: Processing is necessary to provide our service
- Legitimate Interest: For improving our service and user experience
- Legal Obligation: When required by law
Special Category Data: Biometric data (facial features) is processed only with your explicit, informed consent, which can be withdrawn at any time.
AI-Specific Rights Under GDPR & AI Act
In addition to standard GDPR rights, you have specific rights regarding AI processing:
- Right to Explanation: Understand how AI processes your data
- Right to Human Review: Request human oversight of AI decisions
- Right to Object to AI Processing: Opt out of AI-based processing
- Right to Transparency: Clear information about AI system capabilities and limitations
- Right to Non-Discrimination: Protection against AI bias
Data Protection Measures
- Encryption of data in transit and at rest
- Regular security audits and assessments
- Limited access controls
- Data minimization practices
- Privacy by design principles
Data Processing Details
What We Collect
- Email address (for account creation)
- Photos containing faces (for AI processing)
- Biometric data (facial features for artistic transformation only)
- Usage data (for service improvement)
- Consent records (for compliance documentation)
How Long We Keep It
- Account data: Until account deletion
- Uploaded photos: Maximum 30 days after processing
- Biometric data: Deleted immediately after portrait generation
- Generated portraits: Until you delete them
- Usage data: 12 months
- Consent records: As required by law (typically 3 years)
Processing Locations
- Primary processing: EU data centers
- Backup storage: EU-compliant facilities
- No transfer to countries without adequate protection
International Data Transfers
When we transfer data outside the EU, we ensure adequate protection through:
- Standard Contractual Clauses
- Adequacy decisions
- Appropriate safeguards
Data Breach Procedures
In the unlikely event of a data breach, we will:
- Notify authorities within 72 hours
- Inform affected users without undue delay
- Take immediate steps to mitigate damage
- Document the breach and our response
Automated Decision-Making & Profiling
Transparency about AI Processing:
- We use AI for artistic style transfer, not for decision-making about you
- No automated profiling that produces legal or significant effects
- AI processing is limited to portrait generation
- Human oversight is maintained for content moderation
- You can request human review of any AI-related concern
Exercising Your Rights
To exercise any of your GDPR or AI Act rights:
- Use in-app privacy settings for immediate actions
- Email our Data Protection Officer for complex requests
- Expect acknowledgment within 48 hours
- Receive full response within 30 days
Contact Information:
Data Protection Officer: dpo@dreif-ai.com
Privacy Team: privacy@dreif-ai.com
Response time: Within 30 days (usually faster)
No fee for reasonable requests
Children's Privacy Protection
Special protections for minors:
- Users must be 16+ in EU countries (13+ elsewhere)
- We do not process biometric data of known minors
- Parental consent required for users under 18
- Enhanced privacy defaults for younger users
- No marketing to users under 18
Supervisory Authority
You have the right to lodge a complaint with your local data protection authority if you believe we have not complied with GDPR or AI Act requirements.
Lead Supervisory Authority:
Berlin Commissioner for Data Protection and Freedom of Information
Website: www.datenschutz-berlin.de
EU residents can also contact their local data protection authority. Find yours at:
European Data Protection Board Members