Privacy Policy · {{COMPANY_NAME}}

Last updated: 2026-06-02 · v2.0 · Previous versions

1. Data Controller

{{COMPANY_NAME}} ({{COMPANY_LEGAL_NAME}}), registered at {{COMPANY_ADDRESS}}, reachable at {{CONTACT_EMAIL}}, is the data controller for the processing described in this policy.

If you are located in the UK, the UK entity identified in {{COMPANY_NAME}}'s applicable terms is your data controller and is registered with the UK Information Commissioner's Office (ICO).

2. What We Collect

3. How We Use It

We use your data to:

For users in the EEA or UK, we process your data on the following lawful bases under GDPR Art. 6:

Where we rely on legitimate interest, we have conducted a balancing test and concluded that our interests are not overridden by your rights and freedoms. You may object to this processing at any time — see Section 9.

5. AI and Automated Processing

5.1 Third-Party AI Model Providers

When you use AI features, your inputs (prompts, uploaded content, files) may be processed by third-party large language model (LLM) providers such as OpenAI, Anthropic, Google, or others ("Model Providers") under their respective terms of service and privacy policies. {{COMPANY_NAME}} is not responsible for the data practices of Model Providers.

We recommend reviewing the privacy policies of the Model Providers you use through our service:

5.2 EU AI Act Transparency (Art. 50)

Where {{COMPANY_NAME}} uses AI systems that generate synthetic content (including text, images, audio, or video), we will mark outputs as artificially generated in a machine-readable format where technically feasible, in compliance with EU AI Act Art. 50(2). Deployers using our service to generate deepfakes or AI-manipulated content for public interest matters must comply with EU AI Act Art. 50(4) by disclosing that the content is AI-generated.

For artistic, satirical, or creative works, the disclosure obligation is limited to informing you that AI-generated content exists, without impeding the display or enjoyment of the work.

5.3 AI Model Training

{{COMPANY_NAME}} does not use your private or personal data to train third-party AI models without your explicit, separate consent. This means we do not share your inputs with Model Providers for the purpose of training or improving their models, unless you have opted in to such use.

Where {{COMPANY_NAME}} itself trains any AI models on user data, this will be done only on aggregated, anonymized datasets and you will be notified in advance.

5.4 Hallucination and Accuracy Disclaimer

AI-generated output may be inaccurate, incomplete, or inappropriate. Output may include factual errors, outdated information, or content that does not reflect your intent. You are responsible for reviewing all AI output before relying on it, particularly in contexts where accuracy is critical (legal, medical, financial, or safety-related decisions).

{{COMPANY_NAME}} does not guarantee the accuracy, fitness for a particular purpose, or non-infringement of AI output.

6. Sharing and Sub-Processors

We do not sell your data. We share data only with:

A current list of our sub-processors (GDPR Art. 28(2)) is available at /sub-processors. This list is updated at least annually and whenever we engage a new sub-processor.

7. International Transfers

Data may be processed in the EU/EEA, the UK, the US, and other jurisdictions where our sub-processors operate. For transfers outside the EEA/UK, we rely on the following legal mechanisms:

You may request a copy of the relevant SCCs by contacting {{CONTACT_EMAIL}}.

8. Retention

We retain data for the following periods, subject to applicable law:

Data category | Retention period | Notes
Account data | Until account deletion + 30 days | Backups excluded from the 30-day deletion window; backups are overwritten on a rolling 30-day cycle.
Service data (your content) | While account is active; deleted within 30 days of account deletion | You can request immediate deletion at any time via the in-app deletion feature or by emailing us.
Billing records | 7 years from transaction date | Required by Norwegian accounting and tax law (bokføringsloven, årsregnskapsloven). Includes invoices, receipts, and subscription records.
Support communications | 3 years from resolution | For dispute resolution and quality purposes.
Security logs | 1 year | For fraud detection and security incident investigation.
Backups | Rolling 30-day cycle | Encrypted, stored in EU; permanently deleted after 30 days via overwrite.

We may retain data longer than the above where required by law, regulatory obligation, or ongoing legal proceedings. We will always notify you if a legally required retention period affects your data.

9. Your Rights

You have the following rights under GDPR, subject to applicable limitations:

To exercise any of these rights, email {{CONTACT_EMAIL}}. We respond within 30 days, which is the deadline under GDPR.

You also have the right to lodge a complaint with your local supervisory authority. For EEA users, you can contact your national Data Protection Authority or the lead authority in the country where {{COMPANY_NAME}}'s EU representative is established. A full list is available at: https://edpb.europa.eu/about-edpb/about-edpb/members_en. UK users can contact the ICO at ico.org.uk.

10. Automated Decision-Making (GDPR Art. 22)

If {{COMPANY_NAME}} makes solely automated decisions that have legal or similarly significant effects on you, you have the right:

This right does not apply where the automated decision is (a) necessary for a contract between you and us (e.g., fraud detection), (b) authorized by EU or national law, or (c) based on your explicit consent.

If you are subject to an automated decision that significantly affects you, contact {{CONTACT_EMAIL}} to exercise your rights.

11. Security

We implement appropriate technical and organizational security measures, including:

No security measure is absolute; we cannot guarantee 100% security. If you have questions about our security practices, contact {{CONTACT_EMAIL}}. See our Security page for more detail.

12. Data Breach Notification

If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you without undue delay and at the latest within 72 hours of becoming aware, in accordance with GDPR Art. 33. Where appropriate, we will provide: a description of the nature of the breach, the categories and approximate number of data subjects affected, the categories and approximate number of personal data records affected, our DPO or contact point for further inquiries, and the likely consequences of the breach and measures taken or proposed to address it.

We will also notify the relevant supervisory authority within 72 hours unless the breach is unlikely to result in a risk to individuals' rights.

13. Children

{{COMPANY_NAME}} is not directed to children under 16 years of age. We do not knowingly collect data from children. If you believe a child has provided us with personal data, contact {{CONTACT_EMAIL}} and we will promptly delete it.

Note for Norwegian users: under Datatilsynet's guidance, the age of digital consent in Norway is 13 for certain contexts. If you are under 16 (or under 13 for Norwegian-specific services), you should not use this service without verifiable parental consent. We reserve the right to request age verification.

14. Changes to This Policy

We will notify you of material changes to this policy by email or in-product notice at least 30 days before they take effect. Material changes include changes to the legal basis for processing, the categories of data collected, the purposes of processing, or the identities of sub-processors. You may review the current version at any time at https://{{COMPANY_DOMAIN}}/privacy/. Previous versions are available at /privacy/previous.

Continued use of the service after the effective date of a change constitutes acceptance of the updated policy.

15. Contact

For privacy questions, data subject requests, or breach notifications:

{{COMPANY_NAME}}
Email: {{CONTACT_EMAIL}}
Address: {{COMPANY_ADDRESS}}

If we are required to have a Data Protection Officer (DPO) under GDPR Art. 37, the DPO's contact details are available at the above email address.

For EEA users, our EU representative (if applicable) is: {{EU_REPRESENTATIVE}}

v2.0 · 2026-06-02 · Legal Templates by Mimo for {{COMPANY_NAME}}'s multi-company portfolio