Your GDPR rights
Last updated: April 16, 2026
Summary
If you are in the European Economic Area, the United Kingdom, or Switzerland, the General Data Protection Regulation (GDPR) gives you specific rights over the personal data we hold about you. This page explains how to exercise them.
Right of access (Article 15)
You have the right to ask us what data we hold about you. Everything we can extract is available on demand as a JSON file.
How: Sign in, go to Settings → Export all data, or call GET /v1/auth/export directly with your session cookies. You'll get a JSON bundle containing account profile, sessions, API key metadata, adaptation proposals, team memberships, billing summary, and your full SSD (State Document).
Right to data portability (Article 20)
The same export is structured, commonly used, machine-readable JSON, designed to be portable to another service. You can download it or transmit it directly.
Right to rectification (Article 16)
Edit any information in your profile at any time from the dashboard. Audit history is immutable by design (required for compliance and debugging), but your active profile is fully editable.
Right to erasure (Article 17, "right to be forgotten")
Delete your account from Settings → Delete account. We schedule deletion with a 30-day grace period to protect against accidental or coerced deletion; during that window your account is read-only and you may cancel the deletion. After the grace period, all personal data is permanently removed from our primary systems. Encrypted backups age out within 90 days.
Some data is retained for legal reasons (e.g., Stripe tax records, as required by law). These exceptions are documented in our Privacy Policy.
Right to restrict processing (Article 18)
Disable any optional feature: turn off LLM-powered Adaptation, remove individual API keys, pause privacy rules, or opt out of analytics. Each toggle takes effect immediately.
Right to object (Article 21)
You can object to any processing not strictly necessary for service delivery. Email privacy@soullayer.ai with the subject "Article 21 objection" and we'll respond within 30 days.
Rights related to automated decision-making (Article 22)
Our only automated decision system is LLM-powered Adaptation (Pro plan+). It is opt-in, and every proposed change to your profile is surfaced as a reviewable proposal before it takes effect. You always have final approval.
How to contact us
Email privacy@soullayer.ai. Include your account email so we can verify your identity. We respond within 30 days as required by the GDPR.
How to file a complaint
You have the right to lodge a complaint with your local data protection authority. For a list of EEA supervisory authorities, see the European Data Protection Board.
What we never share
Your raw API keys, TOTP secret, password hash, and encryption passphrase are never included in exports — that is a deliberate security choice, not a limitation of portability. API key metadata (name, prefix, last-used date) is included so you can reconstruct which keys existed; you must re-issue the key values themselves.