© 2026 Thalius AI AB. All rights reserved.

GDPR Compliance Policy

Thalius AI AB is committed to protecting the privacy and personal data of all individuals who interact with our AI-powered semantic navigation and search services. This GDPR Compliance Policy outlines how we collect, process, store, and protect personal data in accordance with the General Data Protection Regulation (EU) 2016/679 (GDPR), Swedish data protection laws, and other applicable privacy regulations.

Company Details

  • Company Name: Thalius AI AB
  • Website: www.thalius.ai
  • Contact Email: [email protected]
  • Supervisory Authority: Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten - IMY)

This policy should be read in conjunction with our Privacy Policy available at www.thalius.ai/privacy-policy.

Scope and Applicability

This GDPR Policy applies to visitors to our website, users of our demo sites and product trials, customers who implement Thalius Search on their platforms, end-users of our customers' websites utilizing Thalius services, business partners, vendors, suppliers, newsletter subscribers, and job applicants.

This policy applies to the processing of personal data of individuals located in the European Union (EU), European Economic Area (EEA), and Sweden, regardless of where Thalius operates or where the processing occurs.

Data Controller and Data Protection Contact

Thalius AI AB acts as the Data Controller for personal data processed through our website, demo sites, and direct customer relationships. Our customers who implement Thalius Search may act as independent Data Controllers for their end-users' data, while Thalius may act as a Data Processor in those relationships.

For all data protection inquiries, requests to exercise your rights, or complaints, please contact us at [email protected] or via our contact page. We will respond to all privacy inquiries within 30 days of receipt.

GDPR Principles for Data Processing

  • Lawfulness, Fairness, and Transparency: We process personal data lawfully, fairly, and transparently with clear information about our data processing activities.
  • Purpose Limitation: We collect personal data for specified, explicit, and legitimate purposes only.
  • Data Minimization: We collect only personal data that is adequate, relevant, and necessary for our stated purposes.
  • Accuracy: We take reasonable steps to ensure that personal data is accurate and kept up to date.
  • Storage Limitation: We retain personal data only for as long as necessary to fulfill the purposes for which it was collected.
  • Integrity and Confidentiality: We implement appropriate technical and organizational measures to ensure the security of personal data.
  • Accountability: We take responsibility for compliance with these principles and can demonstrate our compliance through documentation and procedures.

Legal Bases for Processing Personal Data

We process personal data only when we have a valid legal basis under GDPR Article 6:

  • Consent: Marketing communications, newsletters, non-essential cookies, product trials, and personalization features
  • Contractual Necessity: Providing Thalius Search services, executing contracts, and responding to support requests
  • Legal Obligation: Tax and accounting requirements, regulatory reporting, and data breach notification
  • Legitimate Interests: Improving our AI technology, conducting analytics, ensuring security, preventing fraud, and B2B direct marketing

Categories of Personal Data We Collect

  • Identity Data: Name, email address, company name, job title, phone number, and user account credentials
  • Technical Data: IP address, browser type, device information, operating system, time zone, and geographic location
  • Usage Data: Search queries, product views, clicks, navigation patterns, interaction with search features, taste profile preferences, session duration, and referral sources
  • Marketing and Communications Data: Newsletter subscription preferences, marketing consent records, communication history, and event registration information

We do not intentionally collect special categories of personal data (sensitive data) such as racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, or data concerning sex life or sexual orientation.

Data Sharing and Disclosure

We may share personal data with trusted third-party service providers including cloud hosting providers, analytics platforms, CRM systems, email marketing platforms, payment processors, and customer support tools. All processors are contractually bound through Data Processing Agreements compliant with GDPR Article 28.

We may disclose personal data when required by law, regulation, or legal process, or when necessary to protect rights, property, or safety, enforce our Terms of Service, or investigate fraud and security issues.

Thalius does not sell personal data to third parties.

International Data Transfers

Personal data may be transferred to countries outside the EU/EEA where our service providers are located. We ensure adequate protection through Standard Contractual Clauses (SCCs), adequacy decisions, and supplementary safeguards. We conduct Transfer Risk Assessments to evaluate whether destination country laws may undermine our contractual protections, implementing additional technical and organizational measures where necessary.

Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected or as required by law. Session and analytics data are retained for 26 months, active customer accounts for the duration of the business relationship plus 3 years, and financial records for 7 years. When retention periods expire, we securely delete or anonymize personal data using industry-standard methods.

Data Subject Rights Under GDPR

  • Right to Be Informed: Clear and transparent information about how we process your personal data
  • Right of Access: Obtain confirmation of whether we process your data and access your personal data
  • Right to Rectification: Have inaccurate or incomplete data corrected or completed without undue delay
  • Right to Erasure (Right to Be Forgotten): Request deletion when data is no longer necessary, consent is withdrawn, or processing is unlawful
  • Right to Restriction of Processing: Request temporary suspension of processing when accuracy is contested or processing is unlawful
  • Right to Data Portability: Receive your data in a structured, machine-readable format and transmit it to another controller
  • Right to Object: Object to processing based on legitimate interests, direct marketing, or research
  • Right to Lodge a Complaint: Lodge a complaint with the Swedish Authority for Privacy Protection (IMY) or your national data protection authority

To exercise any of these rights, contact us at [email protected]. We will respond to requests within one month of receipt. We do not charge a fee unless requests are manifestly unfounded, excessive, or repetitive.

Data Security Measures

We implement robust technical security measures including data encryption in transit (TLS/SSL) and at rest (AES-256), role-based access controls, multi-factor authentication, firewalls, intrusion detection systems, and secure API endpoints. Organizationally, we maintain Privacy by Design principles, conduct regular employee training, restrict access on a need-to-know basis, maintain confidentiality agreements, conduct vendor due diligence, perform regular security audits, and maintain documented incident response procedures.

Data Breach Notification

In the event of a personal data breach likely to result in risk to individuals' rights and freedoms, we will notify the Swedish Authority for Privacy Protection (IMY) without undue delay and within 72 hours of becoming aware of the breach. We will also notify affected individuals without undue delay in clear language, providing contact details and information about measures taken to mitigate harm.

Special Provisions for AI-Powered Processing

We use proprietary AI-powered embedding models for semantic search and navigation with full transparency about how our algorithms work. Our embedding models are designed with control mechanisms that allow customization and transparency. Taste profiles are created only with explicit user consent, users can view and modify their profiles at any time, and users can use Thalius Search without creating a taste profile. We adhere to ethical AI principles including fairness, accountability, privacy, and human oversight.

Supervisory Authority and Complaints

If you believe our processing violates GDPR or Swedish data protection laws, you have the right to lodge a complaint with the Swedish Authority for Privacy Protection (IMY). We encourage you to contact us first at [email protected] so we can attempt to resolve your concerns directly.

Swedish Authority for Privacy Protection (IMY)

Box 8114, 104 20 Stockholm, Sweden

Phone: +46 (0)8 657 61 00 | Email: [email protected]

Changes to This GDPR Policy

We may update this GDPR Compliance Policy to reflect changes in our data processing practices, new legal or regulatory requirements, technological developments, and best practice recommendations. When we make material changes, we will update the "Last Updated" date, post a notice on our website, notify active users and customers via email, and obtain renewed consent if required by law. We review this policy at least annually to ensure ongoing compliance with GDPR and applicable laws.

Contact Information

For any questions, concerns, or requests regarding this GDPR Policy or our data protection practices, please contact:

Email: [email protected]

Website: www.thalius.ai

Contact Form: www.thalius.ai/contact