GDPR and AI: keeping prompts compliant
Every prompt an employee sends can contain personal data. The moment it does, GDPR applies, and it governs where that data goes, how long it's kept, and whether it's used to train a model.
Prompts are processing
Under GDPR, sending personal data to an AI service is processing, and often a transfer. If the provider sits outside the EU, you inherit the full Schrems II burden: transfer impact assessments, supplementary measures, and ongoing legal exposure.
Keeping inference inside the EU removes the transfer entirely. There is nothing to assess because the data never leaves the jurisdiction.
Retention and the right to erasure
GDPR expects data minimization and gives individuals the right to erasure. An AI tool that stores chat history indefinitely works against both.
Configurable retention and automatic deletion turn a compliance obligation into a setting. Pryvan defaults to 12 months and lets each workspace tighten that to 7 days or less.
Training on personal data
Using customer conversations to train a shared model is hard to square with purpose limitation. Pryvan never trains its models on your data. When you want a custom model, your data trains your model only, privately, on vanafter compute.