Elenor AI Platform GDPR Compliance

Effective date: 17 November 2025

This document summarizes how the Elenor AI Platform meets the key GDPR requirements and outlines risk management procedures.

1. Controller and Contacts

  • Controller: Cristian Bucioaca, Elenor AI Platform.
  • Privacy contact: privacy@elenor.io.
  • No dedicated DPO is appointed; the Controller handles data protection matters directly.

2. Legal Basis

  • Performance of contract (Art. 6(1)(b)): account creation, platform services, subscription management.
  • Legal obligation (Art. 6(1)(c)): tax and accounting records handled via Stripe.
  • Legitimate interest (Art. 6(1)(f)): security logging, incident handling, aggregated analytics.
  • Consent (Art. 6(1)(a)): only when the User voluntarily submits sensitive data; not required for core functionality.

3. Data Minimisation and Storage Limitation

  • Row Level Security policies ensure users access only their own records.
  • Data is collected only to the extent necessary for providing platform services.
  • Retention periods are defined per data category and documented in the Privacy Policy.
  • Users can delete their accounts and all associated data at any time.

4. Data Subject Rights

  1. Access: Users can request exports of their data; responses provided within 30 days.
  2. Rectification: profile data editable through account settings.
  3. Erasure: account deletion removes all user data and associated records.
  4. Restriction: Users may disable specific features or cancel subscriptions.
  5. Portability: exports available in machine-readable formats.
  6. Objection: Users can challenge processing based on legitimate interests.
  7. Complaint: Users may contact the Office for Personal Data Protection (www.uoou.cz).

5. Processor Agreements

  • Supabase: DPA included in subscription; EU data hosting.
  • Google Cloud: DPA covering AI services and infrastructure. Regions are configured based on requirements.
  • Anthropic: API terms specify short-term retention for quality evaluation.
  • OpenAI: Data Processing Addendum governs API usage; HTTPS enforced.
  • Stripe: independent controller of payment information with its own DPA.

6. Risk Assessment and DPIA

  • The Platform processes user data necessary for account management and service delivery.
  • Risks are mitigated through Row Level Security, encryption, and access controls.
  • Data is not publicly shared or sold to third parties.
  • A formal DPIA will be conducted if services with high privacy risks are introduced.
  • Internal records and technical documentation support ongoing compliance.

7. Security Measures

  • Encrypted transport (HTTPS) for all communications.
  • Service role keys are stored on the backend only.
  • Database protected with Row Level Security policies.
  • Passwords hashed using industry-standard algorithms.
  • Regular dependency updates and security audits.
  • Access logging with minimal personal data.

8. Incident Response Plan

  1. Detect incidents through monitoring and logging.
  2. Revoke compromised credentials immediately.
  3. Assess impact and identify affected users.
  4. Notify affected users within 72 hours if required by GDPR.
  5. Report to supervisory authority when necessary.
  6. Document incidents and update procedures.

9. Documentation and Audit Trail

  • Privacy Policy, Terms of Service, and this GDPR document are version-controlled.
  • Updates tracked via Git for traceability.
  • Material changes to data processing trigger review of all legal documentation.
  • Processor agreements maintained and reviewed annually.

10. Product-Specific Compliance

Individual products may have additional GDPR requirements. See product-specific compliance documentation:
This document demonstrates GDPR compliance for the Elenor AI Platform and should be read alongside the Privacy Policy and product-specific documentation.