GDPR Compliance
Last updated: March 2026
Our Commitment
KvarnAI AB is a Swedish company and we seek to comply with the General Data Protection Regulation (GDPR) in our role as controller and, where applicable, processor. We aim to process personal data lawfully, fairly, transparently, and in accordance with the principles of privacy by design and privacy by default. This page provides a high-level summary of our GDPR approach. Please also see our Privacy Policy for service-specific details.
Data Controller and Processor Roles
KvarnAI AB is the controller for personal data relating to website visitors, account holders, billing, support, security, and our direct relationship with users and prospective customers.
When business customers use KvarnAI to process messages, conversation content, files, or other end-user data through their agents, that customer generally acts as the controller and KvarnAI acts as the processor or service provider acting on that customer's instructions.
If you interacted with an AI agent operated by one of our business customers, that customer may be the appropriate first point of contact for privacy requests. We may assist them in responding where required by law or contract.
Legal Basis for Processing
We may process personal data under one or more of the following legal bases, depending on the context:
- Contract: To provide, maintain, and support the services you request.
- Legitimate interests: To secure, improve, monitor, and administer our platform, prevent fraud, investigate misuse, and defend legal claims.
- Consent: Where consent is required, for example for certain marketing communications, optional analytics technologies, or specific optional features.
- Legal obligation: To comply with applicable laws and regulatory obligations, including accounting, tax, sanctions, and disclosure requirements.
Data Storage and Location
Primary application and customer data is stored in Stockholm, Sweden using Supabase in the eu-north-1 region.
However, certain ancillary processing may occur outside the EU/EEA if you enable non-EU AI providers, messaging or telephony providers, payment providers, analytics services, or if application delivery uses infrastructure outside the EU.
We offer EU-based AI processing options, including Berget AI (Sweden) and Mistral (France). Whether your processing remains entirely within the EU/EEA depends on all enabled providers, channels, and features, not only the selected AI model. See our Privacy Policy for details on all providers and transfer mechanisms.
Data Processing Agreement
KvarnAI may act as a data processor where business customers use the platform to process personal data on behalf of their own end users. For data processing inquiries or to request a copy of our DPA, contact privacy@kvarn.ai.
Your Rights Under GDPR
Subject to the conditions, limitations, and exceptions in applicable law, data subjects may have the following rights:
- Right of access: Request confirmation of whether we process your personal data and obtain a copy of that data.
- Right to rectification: Request correction of inaccurate or incomplete personal data.
- Right to erasure: Request deletion of personal data in circumstances where Article 17 GDPR applies.
- Right to restriction of processing: Request that we limit processing in circumstances provided by Article 18 GDPR.
- Right to data portability: Receive certain personal data in a structured, commonly used, and machine-readable format.
- Right to object: Object to processing based on legitimate interests and to direct marketing.
- Right to withdraw consent: Withdraw consent at any time where processing is based on consent, without affecting the lawfulness of prior processing.
- Automated decision-making: Where applicable, not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects, subject to Article 22 GDPR and its exceptions.
To exercise these rights, contact privacy@kvarn.ai. If we act only as processor for the relevant data, we may direct your request to the relevant customer or assist them in handling it.
We may request reasonable information to verify your identity before disclosing, deleting, or correcting personal data.
We aim to respond without undue delay and, in any event, within one month of receiving a valid request. For complex or numerous requests, this period may be extended by up to two additional months where permitted by law.
Data Retention
We retain personal data only for as long as necessary for the relevant purpose and in accordance with applicable law.
- Account and profile data: Retained while your account is active and generally deleted or anonymized within 30 days after closure, unless longer retention is required for legal obligations, security, fraud prevention, dispute handling, or backup integrity.
- Conversation data: Retained according to workspace settings, contractual instructions, and product configuration. Users may delete conversations, but residual copies may persist temporarily in backups or logs.
- Billing and accounting data: Retained for 7 years as required by Swedish accounting law (Bokföringslagen).
- Analytics and usage data: May be aggregated, minimized, or anonymized after approximately 90 days where feasible and appropriate.
Security Measures
We implement technical and organizational measures appropriate to the risks involved, including:
- Encryption in transit and encryption at rest in our primary infrastructure
- Role-based access controls and least-privilege access
- Multi-factor authentication for privileged or otherwise relevant internal access
- Security reviews, monitoring, and audit logging
- Incident response and breach management procedures
- Employee confidentiality obligations and relevant internal policies
Where KvarnAI acts as processor, we notify the relevant controller without undue delay after becoming aware of a personal data breach affecting customer-controlled data.
Where KvarnAI acts as controller, we notify the competent supervisory authority and, where required, affected individuals within the time limits required by applicable law.
International Data Transfers
When personal data is transferred outside the EU/EEA, we use transfer mechanisms intended to provide an adequate level of protection under applicable law. Depending on the provider and transfer, these may include Standard Contractual Clauses approved by the European Commission and, where applicable, the EU-US Data Privacy Framework.
Where a customer chooses a provider located in a country without an adequacy decision, additional safeguards, transfer assessments, contractual measures, notices, or other compliance steps may be required depending on the use case.
For providers in jurisdictions such as China, customers remain responsible for their own controller-side compliance, including ensuring that they have an appropriate legal basis, have provided any required transparency notices, and have implemented any additional safeguards or derogations required for their own end users. See our Privacy Policy for more detail.
Processors and Sub-Processors
Depending on the service and features used, we may use processors and sub-processors in categories such as:
- Hosting and infrastructure: Supabase (EU, Stockholm), Vercel (application delivery)
- AI and model providers: Berget AI, Mistral, OpenAI, Anthropic, Google, xAI, Groq, Cerebras, Together AI, Cohere, DeepSeek, OpenRouter, and other providers made available through the platform
- Messaging and telephony: Meta (WhatsApp Business Platform), Telegram, Twilio, and other enabled channel providers
- Voice and audio: ElevenLabs and related voice providers
- Payments: Stripe and, where enabled, additional payment partners or local payment methods
- Analytics: Plausible Analytics (EU-hosted), PostHog
Where required by contract or applicable law, we inform business customers before adding material new sub-processors and give them an opportunity to object. For the current list, contact privacy@kvarn.ai.
Data Protection Officer
For questions or concerns about data protection or privacy, contact:
- Privacy inquiries: privacy@kvarn.ai
- Data Protection Officer: dpo@kvarn.ai
Supervisory Authority
If you believe your personal data has been handled unlawfully, you have the right to lodge a complaint with the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY) or with the supervisory authority in the EU/EEA country where you live, work, or believe the infringement occurred.
Integritetsskyddsmyndigheten (IMY)
Box 8114
104 20 Stockholm, Sweden
www.imy.se