Privacy Policy

1. Who We Are

Smultron Studio AB (Org. No. 559437-9751) operates the GlennGPT AI chat service. We are the data controller for your account data, billing data, and website analytics under GDPR. Where Business Users' employees or agents input personal data into the Service, we act as data processor as governed by our Data Processing Agreement. This Privacy Policy describes our general data practices; the Data Processing Agreement governs the specific processor obligations under GDPR Article 28.

Address: Box 5, 414 52 Göteborg, Sweden
Contact: privacy@glenngpt.se | glenngpt.se

2. What Data We Collect

What We Don't Collect: Marketing cookies, social media trackers, cross-site tracking data, or any data that identifies you personally through our website analytics.

3. How We Use Your Data

We use your personal data to:

• Provide the Service: Process your conversations, maintain chat history, manage your account
• Handle Payments: Process subscriptions and maintain billing records
• Ensure Security: Detect fraud, prevent abuse, protect system integrity
• Improve Quality: Analyze usage patterns, optimize performance (anonymized where possible)
• Communicate: Send service updates, respond to support requests

Legal Basis: Contract performance (GDPR Art. 6(1)(b)), Legitimate interest (Art. 6(1)(f)), Legal obligation (Art. 6(1)(c)), Consent for marketing (Art. 6(1)(a)).

Cloud AI Models: When you select optional cloud AI models (OpenAI, Anthropic, Google) in Pro/Max plans, processing is based on contract performance (GDPR Art. 6(1)(b)) - necessary to deliver the advanced AI features you've subscribed to.

4. Who We Share Data With

Essential Service Providers

• Berget AI (Sweden): Primary AI inference that processes your prompts to generate responses. Data remains in Sweden, GDPR-compliant, never stored after processing, never used for training.
• OpenAI (United States), Anthropic (United States), Google (United States): Optional cloud AI models available in Pro/Max plans. When you select these models, conversation data is processed outside Sweden under Standard Contractual Clauses. Limited retention (see Section 4.1 for details), never used for training.
• Mollie B.V. (Netherlands/EU): Payment processing — handles subscriptions. PCI DSS and GDPR-compliant. For payment processing, Mollie acts as an independent controller and uses SCCs for its own sub-processors outside the EU/EEA.

We Never: Sell your data, share with advertisers, use conversations for AI training, or provide data to social media platforms. International transfers only occur when you choose optional external model processing, using applicable transfer safeguards.

4.1 Cloud AI Sub-Processors and Third-Party Integrations

If you want to access additional external models other than the Swedish hosted Open Source models provided as the primary service, GlennGPT offers two ways to access external cloud AI models, with different data processing relationships:

A. Platform-Provided Cloud AI Models (Sub-Processors)

When you select cloud AI models provided through our platform interface (available in Pro and Max subscription plans), these providers act as our sub-processors under GDPR Article 28. This means:

• Your contractual relationship is with GlennGPT
• We remain responsible as your data processor
• The cloud AI provider processes data on our behalf according to our instructions
• You authorize us to use these specific sub-processors by using the platform-provided models

Authorized Cloud AI Sub-Processors:

What Data Is Shared with Cloud AI Sub-Processors:

• Your conversation prompts (messages you send)
• AI-generated responses
• Conversation context (for multi-turn conversations)
• Technical metadata (timestamps, model selection, API parameters)

What Data Is NOT Shared:

• Your email address or account information
• Payment information
• Conversations with other AI models (Swedish models or BYOK integrations, unless you mix models in the same conversation)
• Your subscription details or billing history

Data Retention by Sub-Processors: Cloud AI sub-processors have limited data retention periods under their current DPA and service terms. Retention and technical settings may change over time. We apply contractual and technical controls intended to prevent training on customer conversations where those controls are available.

Sub-Processor Authorization and Notification:

By subscribing to Pro or Max plans and selecting platform-provided cloud AI models, you provide general authorization (GDPR Article 28(2)) for us to engage the cloud AI sub-processors listed above.

If we plan to add, replace, or materially change our cloud AI sub-processors we will:

• Email you at least 30 days in advance with details of the proposed change
• Provide you with the opportunity to object to the change
• If you object and we cannot accommodate your objection, you may terminate your subscription without penalty

B. Bring Your Own Key (BYOK) Third-Party Integrations

Basic, Pro and Max subscribers can also connect their own cloud AI API keys through account settings ("BYOK" integrations). In this scenario:

• You have a separate, direct contractual relationship with the AI provider
• The AI provider is NOT our sub-processor - they are an independent data controller
• GlennGPT acts only as a technical intermediary, securely passing your prompts to the provider's API
• The provider's own privacy policy, DPA, and terms of service apply
• You are responsible for compliance with the provider's terms

Your Responsibilities for BYOK:

• Review and accept the third-party provider's privacy policy and terms
• Ensure your API key is authorized for the intended use
• Understand that the provider processes your data under their policies, not ours
• Monitor your usage and costs directly with the provider
• Revoke API access through your provider account if you no longer wish to use the integration

BYOK Data Flow:

• GlennGPT securely encrypts and transmits your prompt using your API key
• The AI provider processes your request under their own data processing terms
• GlennGPT receives and displays the response
• GlennGPT stores the conversation in your account (in Sweden) for your chat history
• The third-party provider's data retention and usage policies apply to their processing

Supported BYOK Providers:

You may connect API keys from OpenAI, Anthropic, Google, and other OpenAI-compatible providers. Each provider has different terms - review their documentation.

Legal Basis for Cloud AI Processing:

• Platform-Provided: Contract performance (GDPR Article 6(1)(b)) - necessary to deliver the Pro/Max subscription features you've purchased
• BYOK: Contract performance (GDPR Article 6(1)(b)) - necessary to provide the technical integration feature you've subscribed to

Switching Between Models: You can switch between Swedish models, platform-provided cloud models, and BYOK integrations at any time through your account settings. Each conversation is processed only by the model you select for that specific conversation.

5. How Long We Keep Your Data

• Active Account: Conversations and account data retained until you delete them or close your account
• Cloud AI Processing: When using optional cloud models, retention varies by provider and current provider terms/configuration (see Section 4.1)
• Access Logs: 90 days (security and performance)
• After Account Closure: Most data deleted within 30 days
• Billing Records: 7 years (Swedish accounting law requirement)
• Support Communications: 2 years (quality assurance)

6. Your GDPR Rights

You have the right to:

• Access (Art. 15): Get a copy of your data in structured format
• Rectification (Art. 16): Correct inaccurate data via account settings
• Erasure (Art. 17): Delete your data (except legal obligations like billing records)
• Restriction (Art. 18): Limit processing during disputes
• Portability (Art. 20): Export your data in machine-readable format
• Object (Art. 21): Object to processing based on legitimate interests
• Withdraw Consent: For marketing or optional features

Exercise Your Rights: Email privacy@glenngpt.se - we respond within 30 days, free of charge unless requests are excessive.

File a Complaint: Swedish Authority for Privacy Protection (IMY) - www.imy.se | imy@imy.se

7. Security Measures

We protect your data with:

• Encryption: TLS 1.3 in transit, encrypted database at rest
• Access Controls: Role-based access
• Network Security: Firewalls, intrusion detection, regular security audits
• Incident Response: Data breach notification to supervisory authority within 72 hours (GDPR Art. 33); notification to affected users without undue delay when breach poses high risk to rights and freedoms (GDPR Art. 34). For Business Users where we act as data processor, we notify you within 24 hours as specified in our DPA.

8. International Data Transfers

Swedish Processing (Default)

All GlennGPT platform infrastructure (databases, servers, user accounts, and billing) is hosted exclusively in Swedish data centers. When using Swedish-hosted AI models (indicated by "(Sweden)" in the model name), your data never leaves Sweden.

Privacy-Conscious Users: To ensure your data never leaves Sweden, use only models marked with "(Sweden)" and avoid selecting cloud AI models marked "(External)".

Optional Cloud AI Processing

When you select cloud AI models marked "(External)" in Pro/Max plans, conversation data is transferred to the United States. See Section 4.1 for detailed sub-processor information.

Transfer Safeguards:

• EU Commission-approved Standard Contractual Clauses (SCCs)
• Limited retention under current provider terms and configured controls
• Contractual and technical controls intended to prevent AI training where available

BYOK Integrations: When using your own API keys, you are responsible for the international transfer as you have a direct relationship with the provider. See Section 4.1 for details.

No Other Transfers: All account data, billing, and logs remain in Sweden. Mollie payment processing occurs within the EU (Netherlands). Our analytics are self-hosted in Sweden. We do not use US-based CDNs or marketing tools.

9. Cookies and Analytics

We use only essential cookies required for the service to function:

• Session Cookies: Keep you logged in
• Security Cookies: Authentication and fraud protection

No advertising or third-party tracking cookies.

Privacy-Focused Analytics

We use self-hosted, cookie-free analytics to understand how our website is used. This analytics solution:

• Does not use cookies or local storage
• Does not report direct personal identifiers
• Does not track users across websites
• Is hosted on our own Swedish infrastructure
• Collects only anonymized, aggregate data (page views, referrer, country, device type)

Legal Basis: Legitimate interest (GDPR Art. 6(1)(f)) - we have a legitimate interest in understanding website usage to improve our service. Analytics reports are configured as aggregate statistics with no direct identifiers, which minimizes privacy risk.

10. Age Restriction

The Service is not intended for users under 18. If we discover data from a minor, we will delete it promptly. Parents should contact privacy@glenngpt.se if concerned.

11. Policy Updates

We may update this policy to reflect legal or operational changes. We will provide at least 30 days' notice of significant changes via email or service notification. Continued use after updates constitutes acceptance. This policy is governed by Swedish law, including the General Data Protection Regulation (EU) 2016/679 and the Swedish Data Protection Act (2018:218).

12. Contact Us

Privacy Inquiries: privacy@glenngpt.se

General Support: support@glenngpt.se

Website: glenngpt.se

By using GlennGPT, you acknowledge that you have read and understood this Privacy Policy.