Data Processing Agreement (DPA)
Version 1.0 | February 23, 2026
This agreement applies automatically to all Business Users through incorporation in our Terms of Service. Consumers are not covered — see our Privacy Policy. Public sector organizations and enterprises with specific requirements are welcome to contact legal@glenngpt.se.
1. Parties and Definitions
Data Controller: The Customer (the Business User using GlennGPT).
Data Processor: Smultron Studio AB, Org. No. 559437-9751, Box 5, 414 52 Göteborg, Sweden, privacy@glenngpt.se
Terms used in this agreement have the meaning defined in the GDPR. "Service" refers to GlennGPT. "Main Agreement" refers to the Terms of Service.
2. Scope of Processing
The Processor processes personal data on behalf of the Controller to provide AI-powered chat services (the Service). The nature of processing includes storage, retrieval, transmission to AI models, and display of conversation data. Processing continues for as long as the Main Agreement is in effect and includes:
- Receiving, processing, and storing conversation data (prompts and AI responses)
- Forwarding prompts to AI models for inference
- Technical operations: logging, troubleshooting, capacity management
- Quota tracking and usage metering
Personal Data Processed
| Category | Description |
|---|---|
| Conversation Content | Prompts and AI responses. May contain personal data depending on what the user enters. |
| Account Data | Email address, name, password (hashed). |
| Technical Metadata | Timestamps, model selection, session ID, IP address. |
| Usage Data | Message count and subscription tier. |
Data Subjects: The Controller's employees, consultants, and other users granted access to the Service, as well as individuals whose personal data may appear in conversation content.
3. Processor Obligations
3.1. Instructions
The Processor processes personal data only in accordance with the Controller's documented instructions (Article 28(3)(a) GDPR). The Main Agreement and this DPA constitute the Controller's complete documented instructions; additional instructions require written agreement. If an instruction is deemed to infringe the GDPR or other applicable data protection legislation, the Processor will inform the Controller immediately.
3.2. Confidentiality
All persons authorized to process the personal data have committed to confidentiality or are under a statutory obligation of secrecy (Article 28(3)(b) GDPR).
3.3. Security
The Processor implements measures in accordance with Article 32 GDPR, including: encryption in transit (TLS 1.3) and at rest, role-based access control, Swedish data residency, separated environments, regular security audits, and documented procedures for incident response and data deletion. Further details are available in our Privacy Policy.
3.4. Data Subject Rights
The Processor assists the Controller in fulfilling its obligations under Articles 15–22 GDPR. If a data subject contacts the Processor directly, they will be referred to the Controller (Article 28(3)(e) GDPR).
3.5. Additional Obligations
The Processor assists the Controller with compliance under Articles 32–36 GDPR, including security, breach notification, and data protection impact assessments (Article 28(3)(f) GDPR).
3.6. Deletion and Return
Upon termination of the Service, the Processor will delete or return all personal data within 30 days, at the Controller's choice, unless retention is required by law (Article 28(3)(g) GDPR). Export in a machine-readable format may be requested at any time.
3.7. Audits
The Processor makes available all information necessary to demonstrate compliance with Article 28 GDPR and allows for audits by the Controller or its appointed auditor (Article 28(3)(h) GDPR). Audits require at least 30 days' prior notice. Costs are borne by the Controller, unless the audit reveals material non-compliance.
4. Sub-Processors
The Controller grants the Processor general authorization to engage sub-processors (Article 28(2) GDPR). The Processor will notify the Controller of any planned changes at least 30 days in advance by email. If the Controller objects, the parties will attempt to find a resolution; if no agreement is reached within 30 days, the Controller may terminate the Service without penalty. Sub-processors are bound by the same data protection obligations as set out in this agreement (Article 28(4) GDPR).
Current Sub-Processors
| Sub-Processor | Country | Processing | Safeguards | Retention |
|---|---|---|---|---|
| Berget AI AB | Sweden | Primary AI inference | — | None |
| OpenAI, L.L.C. | USA | GPT models (optional, Pro/Max) | SCCs (Module 3) | Per provider enterprise terms/configuration |
| Anthropic PBC | USA | Claude models (optional, Pro/Max) | SCCs (Module 3) | Per provider enterprise terms/configuration |
| Google LLC | USA | Gemini models (optional, Pro/Max) | EU-US DPF + SCCs (Module 3) | Per provider enterprise terms/configuration |
OpenAI, Anthropic, and Google are only engaged when users actively select external AI models in Pro/Max plans. All AI sub-processors are engaged under contractual terms intended to prevent use of customer data for AI training where such controls are available. Payment processing (Mollie) is outside this DPA because Smultron Studio AB acts as controller for billing data. For BYOK integrations (own API keys), the provider is not a sub-processor of the Processor — see Privacy Policy Section 4.1.
5. Data Breach Notification
The Processor will notify the Controller of any personal data breach without undue delay, and no later than 24 hours after becoming aware of it, enabling the Controller to meet its statutory 72-hour notification obligation under Article 33 GDPR. The notification will contain the information specified in Article 33(3) GDPR. The Processor will assist with notification to the Swedish Authority for Privacy Protection (IMY) and communication to affected data subjects.
6. International Transfers
Personal data is primarily processed in Sweden. Transfers to third countries occur only through the sub-processors listed above, protected by EU Commission Standard Contractual Clauses (SCCs) and, where applicable, the EU-US Data Privacy Framework. If a transfer can no longer be carried out in accordance with applicable safeguards, the Processor will cease the transfer until adequate protections are in place.
7. Term and General
This agreement remains in effect for as long as the Main Agreement is in force. Sections 3.6 (Deletion), 3.7 (Audits), 5 (Breach Notification), and liability provisions survive termination. Amendments, liability, governing law, and dispute resolution are governed by the Main Agreement and Article 82 GDPR.
8. Contact
Privacy Inquiries: privacy@glenngpt.se
Supervisory Authority: Swedish Authority for Privacy Protection (IMY) — www.imy.se
By using GlennGPT as a Business User, you acknowledge and accept this Data Processing Agreement.