§ Privacy · In force from 2026-04-21 · Last updated 2026-04-21

Privacy policy

How grunden.ai processes personal data — data categories, legal bases, processors and your rights under the GDPR.

§ 1

Data controller

Grunden AI AB, org.nr 559341-9129, is the data controller for the processing of your personal data on grunden.ai. Contact: privacy@grunden.ai.

Data protection officer (DPO): Fredrik Andersson. Questions about processing, access requests, rectification or deletion go to fredrik@grunden.ai.

§ 2

What we collect

  • Account data: email, name, password hash, user ID.
  • Invoicing data: company name, address, organisation number, VAT number, country.
  • Chat and API content: prompts and responses are stored to provide you with history and for internal debugging. Content is not used to train models.
  • Usage and cost data: token counts, model, latency, amounts, timestamps — for billing, statistics and quality follow-up.
  • Technical data: IP address, user agent, request logs — kept for 30 days for security and troubleshooting.
  • Payment data: we store the transaction ID from Mollie but never full card numbers.

§ 3

Why we process it

  • Performance of contract (GDPR art. 6.1.b): deliver the service, manage the account, run inference on our own GLM 5.1 hardware in Sweden.
  • Legal obligation (art. 6.1.c): accounting (BFL — 7-year retention of billing records), VAT reporting, anti-money-laundering measures.
  • Legitimate interest (art. 6.1.f): security, abuse detection, aggregated statistics.
  • Consent (art. 6.1.a): optional newsletters and research collaborations — you can withdraw at any time.

§ 4

Who we share with

We engage the following processors (GDPR art. 28). Written data processing agreements are in place with all of them.

  • 6G AI Sweden AB (GPU infrastructure — we rent NVIDIA H200 clusters in their facility in Kista, Stockholm; database, auth and realtime are run by us on top of the same stack) — Sweden.
  • Mollie (payments) — Netherlands.
  • GleSYS (DNS) — Sweden.
  • Proton (email) — Switzerland. Proton is not in the EU/EEA but is covered by an adequacy decision by the Commission concerning Swiss data protection.
  • Model inference: runs on our own hardware — no external model providers. The current sub-processor list is in the DPA. We do not sell data to third parties and content is not used to train models.

No transfers occur to third countries outside the EU/EEA in the standard configuration. If future processing requires third-country transfers, we will use the EU Commission's Standard Contractual Clauses (SCC) and notify you in advance.

§ 5

How long we keep data

  • Account data: until you delete the account.
  • Invoices and accounting records: 7 years after the end of the calendar year in which the financial year ended (BFL ch. 7 §2).
  • Chat history: until you delete it or the account.
  • Request logs: 30 days.
  • Security incident logs: up to 12 months.

§ 6

Your rights

Under the GDPR you have the right to:

  • Access a copy of your data (art. 15),
  • Rectify inaccurate or incomplete data (art. 16),
  • Erase data when no longer needed (art. 17) — accounting records cannot be erased within the 7-year period,
  • Restrict processing (art. 18),
  • Object to processing based on legitimate interest (art. 21),
  • Data portability: receive your data in a machine-readable format (art. 20),
  • Withdraw consent for consent-based processing (art. 7.3),
  • Lodge a complaint with the supervisory authority: Integritetsskyddsmyndigheten (IMY), imy@imy.se, +46 8 657 61 00.

Requests go to privacy@grunden.ai. We respond within 30 days.

§ 7

Security

We use TLS for all traffic, hashed passwords (bcrypt via Supabase Auth), encrypted API keys in the database and the principle of least privilege. Personal-data security incidents are reported to IMY within 72 hours and to affected users without undue delay.

§ 8

Cookies

We only use strictly necessary cookies: Supabase auth session cookies (`sb-access-token`, `sb-refresh-token`) to keep you signed in, and a preference cookie (`NEXT_LOCALE`) for language selection. No third-party tracking cookies, no marketing or analytics cookies, no fingerprinting. Per ePrivacy art. 5(3), consent is not required for strictly necessary cookies — therefore we show no consent banner. If we ever add non-essential cookies (e.g. product analytics), a consent mechanism will be introduced beforehand and you will be notified via /sub-processors.

§ 9

EU AI Act (2024/1689)

The EU AI Act applies in stages from 2025. Grunden.ai is a deployer of the GPAI model GLM 5.1 (we run it on our own hardware, we don't train it ourselves) and a provider of the chat and API service as an AI system built on top of the model.

Our role

  • We are a deployer of the GPAI model GLM 5.1 (open-weight, MIT license, released by Z.ai) and a provider of an AI system: the chat service is an AI system built on top of the model. Obligations for the GPAI model itself (art. 53) lie with Z.ai; obligations for the AI system (transparency art. 50, safe operation, any high-risk obligations) lie with us.
  • We are not a GPAI provider. The training-data summary, technical documentation (art. 53) and copyright policy are Z.ai's responsibility. We link to their documentation where available.
  • We have trained staff in AI literacy (art. 4): capabilities, risks and limitations of the models we host. As provider of the AI system we are also obligated under art. 50 to label AI-generated content — see the transparency section.

Your responsibility as a customer

  • High-risk systems (art. 6 + Annex III): if you build a service that falls under this — e.g. recruitment, credit, biometrics, education assessment, law enforcement — you are the provider of that system and must comply with art. 9–15 (risk management, data governance, logging, human oversight, robustness).
  • Transparency requirements (art. 50): if your service communicates with natural persons, you must inform the user they are interacting with AI.
  • Synthetic content (art. 50.2): image, audio and video generations must be machine-readably marked. Text generation is exempt if it undergoes human review or is clearly artistic.
  • Prohibited uses (art. 5): social scoring, harmful manipulation, untargeted scraping for facial recognition, emotion detection in workplaces/education, biometric categorisation of sensitive attributes. See the terms of service — such use is prohibited under the agreement and can lead to termination.

The AI Act's main obligations for high-risk systems apply from 2 August 2026 and in full from 2 August 2027. We update this section as new parts enter into force or our role changes.

§ 10

Changes

We may update this policy. Material changes are announced by email at least 30 days before they enter into force.