EU GPT logo
EU GPT
Privacy

Privacy Statement

Last updated: 30 April 2026

Version 1.0

1. Introduction

EU GPT (“we”, “us” or “our”) is a European sovereign AI platform. Privacy and data sovereignty are the foundation of our service. We are built on the principle that your data belongs to you and that using AI does not require giving up control over your data.

Unlike non-European AI platforms, EU GPT does not use your content data for commercial purposes such as training AI models, profiling or resale. Your data is stored within your own account environment so that you retain access to it. Content analysis of your data by EU GPT only takes place within the boundaries described in this privacy statement (for example authorised problem analysis at your request, or security incidents, see chapter 6). You retain full control and ownership of your data at all times.

This privacy statement describes which data is processed, why this is necessary, and which rights you have under the General Data Protection Regulation (GDPR).

2. Data Controller

The data controller is:

EU GPT
Science Park 608 - A11
1098 XH Amsterdam
The Netherlands
Email: info@eugpt.nl
Privacy: info@eugpt.nl
Chamber of Commerce no.: 97997250

EU GPT has not currently appointed a Data Protection Officer (DPO), as the core activity of EU GPT does not consist of large-scale processing of special categories of personal data, or systematic and large-scale monitoring of data subjects. EU GPT continuously monitors the need to appoint a DPO as the service grows.

3. How we handle your data

To be fully transparent about our practices, we describe below what EU GPT does and does not do with your data:

  • Your content data (prompts, input, documents and generated answers) is stored within your own account environment on European servers, so that you can review your chat history. You retain full control and ownership of this data at all times.
  • EU GPT does not use your content data for commercial purposes outside of providing the service to you. Your data is not sold, not reused for other customers and not used for profiling or marketing purposes.
  • We do not use your data for model training. The AI models within EU GPT do not learn from your interactions.
  • EU GPT may use aggregated statistics to improve and strengthen the service (see Art. 4.3 for further details).
  • If access to your specific data is necessary to analyse or resolve an issue you have reported, EU GPT will request your explicit consent in advance. This consent applies exclusively for the purpose of the relevant problem analysis.
  • We do not share data with third parties, other than the sub-processors necessary to provide the service (see Art. 8). Your data is not forwarded to governments.
  • We do not sell or trade personal data.
  • We do not profile you based on your use of the service.
  • What you delete is immediately removed from the active service and erased from backups within the applicable backup cycle (maximum 30 days), unless retention is legally required.

4. Data processed automatically

When using EU GPT, only the following technical and functional data is processed automatically. This is data that is necessary to operate and secure the service:

4.1 Account data

If you create an account, we process the data you provide during registration (such as email address and any organisation name). This data is necessary to create and manage your account.

4.2 Technical connection data

On every visit to the service, technical data inherent to internet traffic is processed automatically:

  • IP address
  • Browser type and version
  • Operating system
  • Date and time of access

This data is used solely to operate the service and to ensure security.

4.3 Usage data (aggregated statistics)

EU GPT may generate aggregated statistics about the use of the service to improve and strengthen the service. This concerns only data that cannot be traced back to individual users, such as the total number of sessions, peak usage times and general usage patterns.

The aggregation process consists of combining usage data at group level, with individual identifiers removed before the data is analysed. After aggregation, re-identification of individual users is no longer reasonably possible.

4.4 Payment data

If you take out a paid subscription, the necessary payment data is processed by our payment service provider. EU GPT itself does not store full payment details. The current payment service provider is listed in the sub-processor overview at eugpt.nl.

5. Legal bases

The data processing that takes place is based on the following legal bases:

  • Performance of the contract (art. 6(1)(b) GDPR): for delivering the service, managing your account, and storing chat history as a core part of the service.
  • Legitimate interest (art. 6(1)(f) GDPR): for security, availability and generating aggregated statistics to improve the service. EU GPT’s interest in improving the service outweighs the (minimal) impact on the user’s privacy, since the statistics cannot be traced back to individual users.
  • Legal obligation (art. 6(1)(c) GDPR): for tax and accounting obligations relating to invoicing data.
  • Consent (art. 6(1)(a) GDPR): for any marketing communications, only if you give explicit consent. You can withdraw this consent at any time.

6. How your content data is treated

The content you enter into EU GPT — your prompts, texts, documents and the answers generated by the AI — is processed in real time to fulfil your request. This data is also stored within your account environment as part of the service, so that you can review and continue your chat history. The following applies:

  • Content data is stored on European servers with encryption in transit and at rest.
  • You are and remain the full owner of all your data at all times. EU GPT claims no rights to your input or to the generated output.
  • You have full control over your own data within the service at all times. What you delete is immediately erased from the active service; any remnants in backups are also removed within the standard backup cycle (maximum 30 days).
  • If access to your specific data is necessary to resolve an issue you have reported, EU GPT will request your explicit consent in advance.
  • In exceptional cases (technical failure, security incident) authorised personnel may obtain limited access, solely in accordance with internal procedures and confidentiality agreements.
  • There is no commercial reuse, resale or content analysis of your data for purposes outside delivering the service to you. Limited technical processing for security, error detection and authorised problem analysis remains possible within the framework described in this chapter.

7. European infrastructure and sovereignty

EU GPT is architecturally designed to ensure that your data falls exclusively under European law. The service runs on European cloud infrastructure that is owned and operated by European parties, and uses open source software. This provides the following safeguards:

  • All data processing takes place within the European Union, on infrastructure that falls under European law.
  • The infrastructure complies with the highest European security standards.
  • EU GPT continuously works to prevent user data from becoming subject to foreign legislation, such as the US CLOUD Act or FISA Section 702. The architectural choice for European parties and infrastructure only is aimed at this.
  • EU GPT applies additional technical and organisational security measures, including encryption in transit and at rest, strict access controls, separated customer environments and secure development practices.

8. Sharing with third parties

EU GPT does not share your data with third parties, except for the following exceptions:

  • Infrastructure provider (processor): for technically running the service, under a data processing agreement in accordance with article 28 GDPR. This party is European and processes data exclusively within the EU.
  • Payment service provider: solely for processing payments for paid subscriptions.

There is no transfer to non-European parties. Data processing agreements that comply with the GDPR have been concluded with all processors. A current overview of sub-processors, including their name, the nature of the processing and the location, is available at eugpt.nl.

9. Transfers outside the EEA

EU GPT is designed to fully avoid transfers of data outside the European Economic Area (EEA). All processing takes place on European infrastructure. Should a transfer be unavoidable in exceptional circumstances, we apply the safeguards required by chapter V of the GDPR, including standard contractual clauses (SCCs), and inform you in advance.

10. Cookies

EU GPT only uses functional cookies that are strictly necessary for the operation of the service. A detailed overview of the cookies used, their purpose and lifespan is available in the cookie statement at eugpt.nl.

EU GPT does not use third-party tracking, marketing or analytics cookies. For any non-essential cookies, your consent will be requested in advance.

11. Retention periods

We apply the following retention periods:

  • Account data: for the duration of your account and up to 12 months after termination, for administrative settlement and to handle any legal claims.
  • Technical log files: maximum 6 months.
  • Invoicing data: 7 years in accordance with the statutory tax retention obligation.
  • Content data (chats, documents): you decide when this is deleted during the term of your account. When you delete it, the data is permanently erased. After termination of your account, content data is automatically and permanently erased within 90 days.

12. Security

EU GPT takes appropriate technical and organisational measures to protect the data we process. These measures include encryption of data in transit and at rest, access controls, separated customer environments, secure development practices, logging and monitoring of access, and regular security testing. Our European infrastructure provider operates at the highest European security level.

13. Data breaches

Despite all security measures taken, a security incident can never be completely ruled out. In the event of a data breach, EU GPT acts as follows:

  • EU GPT reports data breaches that pose a risk to data subjects within 72 hours to the Dutch Data Protection Authority, in accordance with article 33 GDPR.
  • If a data breach is likely to pose a high risk to your rights and freedoms, we will inform you without undue delay and in clear language about the nature, scope and possible consequences of the incident.
  • We immediately take measures to limit the consequences of the incident and to prevent recurrence.
  • We document every security incident, including the facts, the consequences and the corrective measures taken.

Not every security incident leads to notification of individual users. EU GPT assesses per incident whether the risk is such that notification of data subjects is required, in accordance with the thresholds of article 34 GDPR.

14. Your rights

Under the GDPR, you have the following rights regarding the data we process about you:

  • Access (art. 15 GDPR): you can request which data we process about you.
  • Rectification (art. 16 GDPR): you can have incorrect data corrected.
  • Erasure (art. 17 GDPR): you can request deletion. You can also delete content data directly via the service.
  • Restriction (art. 18 GDPR): you can request restriction of processing.
  • Data portability (art. 20 GDPR): you can receive your personal data in a structured, commonly used and machine-readable format (JSON/CSV).
  • Objection (art. 21 GDPR): you can object to processing based on legitimate interest.
  • Withdrawal of consent (art. 7(3) GDPR): you can withdraw previously given consent at any time, without affecting the lawfulness of processing prior to withdrawal.

You can exercise your rights by contacting us at info@eugpt.nl. We respond within one month of receiving your request. If the complexity or number of requests justifies it, this period may be extended by a maximum of two months. In that case we will inform you within one month about the extension and the reason for it.

15. Automated decision-making

Within EU GPT there is no automated decision-making within the meaning of article 22 GDPR that has legal consequences for you or significantly affects you in a similar way. The AI within the service generates answers to your request; the final assessment and application is always up to you.

If, as an organisation, you use the service for decision-making that significantly affects data subjects, you as deployer are responsible for ensuring appropriate human intervention, in accordance with the GDPR and the EU AI Act.

16. Minors

The service is intended for persons aged 16 and over. In the Netherlands, on the basis of article 8 GDPR, consent of a parent or legal representative is required for the processing of personal data of children under 16.

EU GPT does not specifically ask for age during registration, but reserves the right to remove accounts that appear to belong to minors without valid consent. Parents or legal representatives who suspect that a child has created an account without consent can contact us via privacy@eugpt.nl.

17. Sources of personal data

EU GPT in principle only processes personal data obtained directly from you (during registration, when using the service, or upon payment). If an organisation deploys EU GPT for the benefit of its employees, EU GPT may receive personal data from that organisation in its capacity as data controller.

18. International users

The service is primarily aimed at users within the European Economic Area (EEA). Users outside the EEA may use the service, but should bear in mind that EU GPT operates under Dutch and European law. EU GPT cannot guarantee that the service complies with local legislation outside the EEA.

19. Complaints

Do you have a complaint about the processing of your data? Please first contact us at info@eugpt.nl. We aim to substantively address your complaint within 30 days.

You also have the right to lodge a complaint with the Dutch Data Protection Authority:

Autoriteit Persoonsgegevens
Postbus 93374, 2509 AJ Den Haag
www.autoriteitpersoonsgegevens.nl

20. Changes

We may amend this privacy statement, for example in the event of changes to our service or changes in laws and regulations. The most recent version is always available at eugpt.nl. In the case of significant changes, we will inform you at least 30 days in advance via email or via the service. An overview of previous versions and changes implemented is available at eugpt.nl.

21. Contact

For questions about this privacy statement, please contact:

EU GPT
Email: info@eugpt.nl
Privacy: info@eugpt.nl
Website: https://eugpt.nl