GDPR Compliance
The General Data Protection Regulation governs how we collect, store, process, and delete personal data about individuals in the EU (Article 3 applies to data subjects in the Union regardless of nationality or residence status). For SPYN — a social product where the data is the product — it touches almost every feature.
Our lead supervisory authority under the one-stop-shop is the Danish Data Protection Authority (Datatilsynet). When we file a breach notification or respond to a coordinated DPA inquiry, that is where it goes.
Personal data in SPYN
The data flows that fall under GDPR include the obvious — account email, display name, uploaded images — and the less obvious. Specifically:
- AI-generated diary content is personal data when joined with the user's identifier. Article 4(1) defines personal data as any information relating to an identifiable person, which covers content inferred or generated about the user, and Recital 26 adds that pseudonymised data still counts for as long as the user can be singled out. Treating the AI Diaries as ephemeral does not change this.
- User behaviour signals that feed our 24-hour AI Diary personalisation — what content the user engaged with, when, for how long — are personal data even when stored as event streams.
- Pseudonymised analytics (PostHog, internal dashboards) remain personal data unless the join key has been irreversibly deleted (Recital 26: data that can be re-attributed with additional information held separately is still personal data; Article 4(5) defines pseudonymisation in exactly those terms). We treat them as personal data by default, and a deterministic pseudonym derived from a shared secret counts as a join key for every user at once.
Lawful basis for processing
Every time we process personal data we point to one of six lawful bases: consent, contract, legal obligation, vital interests, public task, or legitimate interest. For SPYN:
- Contract — account creation, diary storage, feed delivery. Necessary to deliver what the user signed up for.
- Consent — optional analytics beyond the strictly-necessary set, marketing communications. Withdrawable at any time without losing access to the core product.
- Legitimate interest — abuse detection, fraud prevention, security monitoring. Each one has a Legitimate Interests Assessment (LIA) on file before launch: purpose test, necessity test, balancing test.
We do not rely on legitimate interest for AI-driven content personalisation — that operates under contract because it's part of what the user signed up for. The risk-benefit is documented in the AI Diaries Requirement Specification.
Data subject rights
Data subjects have eight rights under GDPR: to be informed, access, rectification, erasure, restriction of processing, portability, objection, and not to be subject to solely automated decisions. The ones with an engineering or product flow in SPYN:
- Access — in-product export delivered via signed download link. The Article 12(3) deadline is without undue delay and at most one month from receipt, extendable by two further months for complex or numerous requests, but only if the data subject is told of the extension within the first month.
- Rectification — self-serve for account fields; manual review for AI-generated content where rectifying without breaking the temporal record requires judgement.
- Erasure — self-serve account deletion, with downstream propagation to S3-stored uploads, OpenAI Assistants thread cleanup, Pusher channel termination, and PostHog event scrubbing within the same one-month Article 12(3) window. Scrub events before dropping the pseudonym mapping, otherwise the events carrying that pseudonym can no longer be located.
- Portability — diary export in a structured JSON format, including AI-generated content tagged as such.
- Objection — withdraw from optional processing without losing the account.
- Automated decision-making — currently SPYN does not make decisions with legal or similarly significant effects about users via solely automated means. If we add age-gating or content-eligibility automation, Article 22 applies: such decisions are permitted only where necessary for the contract, authorised by Union or Member State law, or based on explicit consent (legitimate interest is not an available basis, so an LIA is not the right instrument), the user must be able to obtain human intervention and contest the decision, and a DPIA under Article 35 is required before launch.
The DSAR runbook in runbooks/dsar.md describes the operational steps. Engineering owns the data export and deletion flows; Head of Legal handles the formal response to the data subject.
Data Processing Agreements
Every third-party processor that touches SPYN personal data needs a DPA. See legal/data-processing-agreements for the active inventory and full pattern. The hard line: no DPA, no data — enforced at procurement.
Breach notification
Article 33: notification to Datatilsynet within 72 hours of becoming aware of a personal data breach, unless it is unlikely to result in a risk to individuals; if we miss 72 hours, the notification must explain the delay. The breach playbook in compliance/incident-response describes containment, eradication, notification, and post-mortem. Notification to affected individuals (Article 34) is required, without undue delay, when the breach is likely to result in a high risk to their rights and freedoms — for SPYN this includes any exposure of diary content, since diary content can be highly personal even when the user's identity isn't immediately attached.
International transfers
Transfers outside the EEA require either an adequacy decision, appropriate safeguards such as Standard Contractual Clauses (SCCs), or one of the narrower derogations in Article 49. We use SCCs Module Two (controller-to-processor) by default for the SPYN backend's processor transfers. The post-Schrems II Transfer Impact Assessment is on file for the OpenAI and Google Cloud transfers. Both importers are certified under the EU-US Data Privacy Framework, which the Commission's 2023 adequacy decision covers, so those transfers can rest on adequacy; the SCCs and TIA are kept on file as the fallback should that decision be invalidated or a certification lapse.
Owned by
Head of Legal & Compliance. Audited by the Master skill on a 30-day cadence.