GDPR Compliance

Last updated: April 5, 2026

Our commitment: AIFied is built with privacy by design. We are fully committed to compliance with the General Data Protection Regulation (EU) 2016/679. All data is stored in EU datacenters and processed according to GDPR principles.

1. Our Role Under GDPR

AIFied is operated by ATELIER KIDSCRAFT S.R.L. (CUI: 52105433), registered in Romania. We act as a Data Controller for your account data (name, email, preferences) and as a Data Processor for social media data processed on your behalf (monitored posts, generated responses, relationship profiles).

2. Legal Basis for Processing

Data Type	Legal Basis	Purpose
Account information	Contract performance (Art. 6(1)(b))	To provide the AIFied service
Payment information	Contract performance (Art. 6(1)(b))	To process subscription payments
Social media tokens	Consent (Art. 6(1)(a))	To monitor and post on your behalf
Public social media posts	Legitimate interest (Art. 6(1)(f))	To identify relevant conversations
Usage analytics	Legitimate interest (Art. 6(1)(f))	To improve the service
Communication data	Legitimate interest (Art. 6(1)(f))	To send service notifications

3. Data Protection Principles

In accordance with Article 5 of the GDPR, we process personal data following these principles:

Lawfulness, fairness, transparency: We clearly explain what data we collect and why
Purpose limitation: Data is collected only for specified, explicit purposes
Data minimization: We collect only the minimum data necessary to provide the service
Accuracy: You can update your data at any time through your account settings
Storage limitation: Activity logs are deleted after 30 days; monitoring data is anonymized after 90 days
Integrity and confidentiality: Data is encrypted in transit (TLS 1.3) and at rest (AES-256 for sensitive tokens)
Accountability: We maintain records of processing activities as required by Article 30

4. Your Rights

Under GDPR, you have the following rights. To exercise any of them, email support@aified.online.

Right	What It Means	How to Exercise
Access (Art. 15)	Get a copy of all personal data we hold about you	Email us requesting a data export
Rectification (Art. 16)	Correct inaccurate data	Edit in Settings, or email us
Erasure (Art. 17)	Delete all your data ("right to be forgotten")	Email us requesting account deletion
Restriction (Art. 18)	Limit how we process your data	Email us with your request
Portability (Art. 20)	Receive your data in a machine-readable format	Email us requesting JSON export
Objection (Art. 21)	Object to processing based on legitimate interest	Email us with your objection
Withdraw consent (Art. 7)	Withdraw consent for social media access	Disconnect platforms in Settings

We will respond to all requests within 30 days as required by GDPR.

5. Data Storage Location

All data is stored on servers located in Nuremberg, Germany, operated by Hetzner Online GmbH. No personal data is transferred outside the European Economic Area (EEA).

6. Sub-Processors

We use the following sub-processors:

Sub-Processor	Purpose	Location	Safeguards
Hetzner Online GmbH	Server hosting (backend + frontend)	Germany (EU)	GDPR compliant, ISO 27001
OpenAI, Inc.	AI content generation	USA	DPA in place, EU-US Data Privacy Framework
Stripe, Inc.	Payment processing	USA / Ireland (EU)	PCI DSS Level 1, GDPR compliant, EU entity (Stripe Payments Europe Ltd)
Namecheap, Inc.	Domain registration	USA	Standard Contractual Clauses

For OpenAI specifically: we use their API tier which contractually prohibits training on customer data. Content sent to OpenAI is processed transiently and not stored beyond the API request lifecycle.

7. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms:

We will notify the relevant supervisory authority within 72 hours of becoming aware of the breach (Article 33)
If the breach poses a high risk to you, we will notify you directly without undue delay (Article 34)
Our notification will include: nature of the breach, data categories affected, approximate number of individuals affected, likely consequences, and measures taken

8. Data Protection Impact Assessment

We have conducted a Data Protection Impact Assessment (DPIA) for AIFied's core processing activities, particularly:

Monitoring of publicly available social media conversations
Automated processing and profiling of social media users (relationship CRM)
AI-powered content generation using third-party models

Our assessment concluded that appropriate safeguards are in place, including encryption, data minimization, retention limits, and user control over all processing.

9. Children's Data

AIFied is not directed at individuals under 18 years of age. We do not knowingly process personal data of children. If we discover that a child's data has been processed, we will delete it immediately.

10. Supervisory Authority

If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority. As our company is registered in Romania, the relevant authority is:

Autoritatea Nationala de Supraveghere a Prelucrarii Datelor cu Caracter Personal (ANSPDCP)
B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, 010336, Bucuresti, Romania
www.dataprotection.ro

You may also lodge a complaint with the supervisory authority of your own EU member state.

11. Contact Our Data Protection Team

For any GDPR-related questions or requests:

Email: support@aified.online
Subject line: "GDPR Request" for priority handling
Response time: Within 30 days