GDPR Compliance
Last updated: May 26, 2026
FileAI is committed to protecting the privacy rights of individuals in the European Union and European Economic Area in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"). This page explains how we meet our obligations as a data controller and outlines your rights as a data subject.
This page should be read alongside our full Privacy Policy.
1. Data Controller
FileAI acts as the data controller for personal data collected through the platform. This means we determine the purposes and means of processing your personal data.
Organisation: FileAI
Contact: privacy@fileai.com
Third-party processors (Clerk, Stripe, OpenAI, Cloudflare) act as data processors on our behalf, operating under Data Processing Agreements (DPAs) that bind them to GDPR obligations.
2. Legal Basis for Processing
We process personal data under one or more of the following GDPR lawful bases:
Contract (Art. 6(1)(b))
Processing your account details, uploaded files, and usage data is necessary to provide the service you signed up for.
Legitimate Interests (Art. 6(1)(f))
Security monitoring, fraud prevention, product analytics (anonymised), and service improvement — balanced against your interests and rights.
Legal Obligation (Art. 6(1)(c))
Retaining billing records for tax and regulatory compliance.
Consent (Art. 6(1)(a))
Optional marketing communications. You can withdraw consent at any time.
3. Data We Process
| Category | Data | Basis |
|---|---|---|
| Identity | Name, email address | Contract |
| Account | Clerk user ID, OAuth tokens, 2FA status | Contract |
| Files | Uploaded files (temp), converted output (temp) | Contract |
| Billing | Stripe customer ID, plan, payment history | Contract / Legal obligation |
| Usage | Tool usage counts, conversion history, job logs | Contract / Legitimate interests |
| Technical | IP address, browser, OS, session cookies | Legitimate interests |
We do not process special category data (health, biometric, etc.) and do not engage in automated decision-making that produces legal effects on individuals.
4. Your Rights Under GDPR
As an EU/EEA data subject you have the following rights under Articles 15–22 of the GDPR. To exercise any right, email privacy@fileai.com with "GDPR Request" in the subject line. We will respond within 30 days (extendable to 90 days for complex requests with notice).
Right of Access (Art. 15)
Request a copy of the personal data we hold about you, including processing purposes and recipients.
Right to Rectification (Art. 16)
Request correction of inaccurate or incomplete personal data without undue delay.
Right to Erasure (Art. 17)
Request deletion of your personal data ('right to be forgotten') where no legitimate ground for retention exists.
Right to Restriction (Art. 18)
Request that we restrict processing in certain circumstances, e.g. while a rectification request is being resolved.
Right to Portability (Art. 20)
Receive your personal data in a structured, machine-readable format (JSON/CSV) to transfer to another controller.
Right to Object (Art. 21)
Object to processing based on legitimate interests, including for direct marketing purposes.
Withdraw Consent (Art. 7)
Where processing is consent-based (e.g. marketing emails), withdraw consent at any time with immediate effect.
No Automated Decisions (Art. 22)
The right not to be subject to solely automated decisions producing legal or significant effects. We do not make such decisions.
5. Data Retention
| Data type | Retention period |
|---|---|
| Uploaded files (Free) | 24 hours after job completion |
| Uploaded files (Pro) | 30 days after job completion |
| Uploaded files (Business) | 90 days after job completion |
| Account & profile data | Duration of account + 30 days post-deletion |
| Billing records | 7 years (legal / tax obligation) |
| Usage logs (identifiable) | 90 days, then anonymised |
| Usage logs (anonymised) | Indefinitely for aggregate analytics |
| Support communications | 3 years from last interaction |
6. International Data Transfers
Some of our sub-processors (including Clerk and Stripe) are based in the United States. Transfers of personal data to the US are protected by:
- Standard Contractual Clauses (SCCs) — EU Commission-approved transfer mechanisms incorporated into our DPAs with each processor.
- EU–US Data Privacy Framework — where processors are certified under this framework.
We only transfer data where adequate protections are in place and do not transfer data to countries without an adequacy decision or appropriate safeguards.
7. Data Protection Contact
While we are not currently required to appoint a formal Data Protection Officer (DPO) under Article 37 GDPR, we have designated a point of contact for all data protection matters:
Data Protection Enquiries: privacy@fileai.com
Subject line: "GDPR Request — [your name]"
Response time: Within 30 days
8. Supervisory Authority
If you believe we have not handled your personal data in accordance with the GDPR, you have the right to lodge a complaint with your local supervisory authority (Data Protection Authority). In the EU/EEA, you can find your authority at edpb.europa.eu.
We encourage you to contact us first at privacy@fileai.com so we can try to resolve your concern directly before escalation.