GDPR Compliance Policy

Thalius AI AB
Effective Date: October 22, 2025
Last Updated: October 22, 2025

1. Introduction

Thalius AI AB ("Thalius," "we," "us," or "our") is committed to protecting the privacy and personal data of all individuals who interact with our AI-powered semantic navigation and search services. This GDPR Compliance Policy outlines how we collect, process, store, and protect personal data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), Swedish data protection laws, and other applicable privacy regulations.

Company Details:

  • Company Name: Thalius AI AB

  • Website: www.thalius.ai

  • Contact Email: privacy@thalius.ai

  • Supervisory Authority: Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten - IMY)

This policy should be read in conjunction with our Privacy Policy available at www.thalius.ai/privacy-policy.

2. Scope and Applicability

2.1 Who This Policy Applies To

This GDPR Policy applies to:

  • Visitors to our website (www.thalius.ai)

  • Users of our demo sites and product trials

  • Customers who implement Thalius Search™ on their e-commerce platforms

  • End-users of our customers' websites utilizing Thalius services

  • Business partners, vendors, and suppliers

  • Newsletter subscribers and marketing contacts

  • Job applicants and employees

2.2 Territorial Scope

This policy applies to the processing of personal data of individuals located in the European Union (EU), European Economic Area (EEA), and Sweden, regardless of where Thalius operates or where the processing occurs.

3. Data Controller and Data Protection Officer

3.1 Data Controller

Thalius AI AB acts as the Data Controller for personal data processed through our website, demo sites, and direct customer relationships. Our customers who implement Thalius Search™ may act as independent Data Controllers for their end-users' data, while Thalius may act as a Data Processor in those relationships.

3.2 Data Protection Contact

For all data protection inquiries, requests to exercise your rights, or complaints, please contact:

Email: privacy@thalius.ai
Website Contact Form: www.thalius.ai/contact

Response time: We will respond to all privacy inquiries within 30 days of receipt.

4. GDPR Principles for Data Processing

Thalius adheres to the following GDPR principles in all data processing activities:

4.1 Lawfulness, Fairness, and Transparency

We process personal data lawfully, fairly, and in a transparent manner. We provide clear information about our data processing activities through this policy and our Privacy Policy.

4.2 Purpose Limitation

We collect personal data for specified, explicit, and legitimate purposes and do not process data in a manner incompatible with those purposes.

4.3 Data Minimization

We collect only personal data that is adequate, relevant, and limited to what is necessary for the purposes for which it is processed.

4.4 Accuracy

We take reasonable steps to ensure that personal data is accurate and kept up to date. Inaccurate data is corrected or deleted without delay.

4.5 Storage Limitation

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected or as required by law.

4.6 Integrity and Confidentiality

We implement appropriate technical and organizational measures to ensure the security of personal data, protecting it against unauthorized or unlawful processing, accidental loss, destruction, or damage.

4.7 Accountability

We take responsibility for compliance with these principles and can demonstrate our compliance through documentation, policies, and procedures.

5. Legal Bases for Processing Personal Data

We process personal data only when we have a valid legal basis under GDPR Article 6:

5.1 Consent (Article 6(1)(a))

We obtain your explicit consent for:

  • Marketing communications and newsletters

  • Non-essential cookies and tracking technologies

  • Participation in product trials and demos

  • Taste profile creation and personalization features

You have the right to withdraw consent at any time without affecting the lawfulness of processing before withdrawal.

5.2 Contractual Necessity (Article 6(1)(b))

We process personal data when necessary to:

  • Provide our Thalius Search™ services to customers

  • Execute contracts with business partners

  • Respond to service inquiries and support requests

5.3 Legal Obligation (Article 6(1)(c))

We process personal data to comply with legal obligations, including:

  • Tax and accounting requirements

  • Regulatory reporting obligations

  • Data breach notification requirements

5.4 Legitimate Interests (Article 6(1)(f))

We may process personal data based on our legitimate interests when:

  • Improving and developing our AI-powered search technology

  • Conducting analytics to enhance user experience

  • Ensuring network and information security

  • Preventing fraud and abuse

  • Direct marketing to business contacts (B2B)

We conduct legitimate interest assessments to ensure that our interests do not override your fundamental rights and freedoms.

6. Categories of Personal Data We Collect

6.1 Identity Data

  • Name

  • Email address

  • Company name and job title

  • Phone number

  • User account credentials

6.2 Technical Data

  • IP address

  • Browser type and version

  • Device information

  • Operating system

  • Time zone settings

  • Geographic location (country/region level)

6.3 Usage Data

  • Search queries and keywords

  • Product views and clicks

  • Navigation patterns

  • Interaction with search features (sliding, toggle, filters)

  • Taste profile preferences (when opted-in)

  • Session duration and frequency

  • Referral sources

6.4 Marketing and Communications Data

  • Newsletter subscription preferences

  • Marketing consent records

  • Communication history

  • Event registration information

6.5 Special Categories of Data

Thalius does not intentionally collect special categories of personal data (sensitive data) as defined in GDPR Article 9, including data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, or data concerning sex life or sexual orientation.

If such data is inadvertently collected, we will delete it immediately unless we have explicit consent or another lawful basis for processing.

7. How We Collect Personal Data

7.1 Direct Collection

We collect data directly from you when you:

  • Fill out forms on our website (contact forms, demo requests)

  • Create a user account or taste profile

  • Subscribe to our newsletter

  • Participate in surveys or provide feedback

  • Communicate with us via email or phone

  • Attend events or webinars

  • Apply for employment

7.2 Automated Collection

We automatically collect certain data when you visit our website or use our services through:

  • Cookies and similar tracking technologies

  • Server logs and analytics tools

  • Search and navigation interaction tracking

7.3 Third-Party Sources

We may receive personal data from:

  • E-commerce platforms where Thalius Search™ is integrated

  • Analytics providers

  • Marketing platforms (e.g., LinkedIn, Apollo.io)

  • Business partners and referral sources

  • Publicly available sources (business contact information)

8. How We Use Personal Data

8.1 Service Provision and Improvement

We process personal data to:

  • Deliver, maintain, and improve Thalius Search™ functionality

  • Customize search results based on user behavior and preferences

  • Develop and refine our embedding models and algorithms

  • Provide customer support and technical assistance

  • Troubleshoot and resolve technical issues

8.2 Communication

We use personal data to:

  • Respond to inquiries and requests

  • Send service-related notifications

  • Provide product updates and feature announcements

  • Send marketing communications (with consent)

  • Conduct customer satisfaction surveys

8.3 Analytics and Research

We analyze personal data to:

  • Understand how users interact with our services

  • Identify usage patterns and trends

  • Measure the effectiveness of our search technology

  • Generate aggregated and pseudonymized reports

  • Conduct product research and development

8.4 Legal and Security Purposes

We process personal data to:

  • Comply with legal obligations and regulatory requirements

  • Protect against fraud, abuse, and security threats

  • Enforce our Terms of Service

  • Resolve disputes and legal claims

  • Maintain business records and documentation

9. Cookies and Tracking Technologies

9.1 Cookie Categories

We use the following categories of cookies:

Strictly Necessary Cookies: Essential for website functionality and cannot be disabled. These include session management, security, and load balancing cookies.

Performance and Analytics Cookies: Help us understand how visitors use our website by collecting anonymous usage statistics.

Functional Cookies: Enable enhanced functionality and personalization, such as remembering user preferences and taste profiles.

Marketing and Targeting Cookies: Used to deliver relevant advertisements and track marketing campaign effectiveness (requires consent).

9.2 Cookie Consent

We obtain explicit consent before placing non-essential cookies on your device. You can:

  • Accept or reject specific cookie categories

  • Modify your cookie preferences at any time

  • Withdraw consent through browser settings

For detailed information about cookies we use, please refer to our Cookie Policy.

10. Data Sharing and Disclosure

10.1 Third-Party Service Providers

We may share personal data with trusted third-party service providers who process data on our behalf, including:

  • Cloud hosting providers (e.g., Azure, AWS)

  • Analytics platforms (e.g., Google Analytics)

  • Customer relationship management (CRM) systems

  • Email marketing platforms

  • Payment processors

  • Customer support tools

All processors are contractually bound through Data Processing Agreements (DPAs) compliant with GDPR Article 28.

10.2 E-Commerce Platform Partners

When Thalius Search™ is integrated into customer websites, we may access and process personal data from those platforms to provide our services. The nature of this processing is defined in our customer contracts and DPAs.

10.3 Legal Disclosures

We may disclose personal data when required by law, regulation, legal process, or governmental request, or when necessary to:

  • Protect the rights, property, or safety of Thalius, our customers, or others

  • Enforce our Terms of Service

  • Investigate fraud, security breaches, or technical issues

10.4 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, personal data may be transferred to the successor entity. We will notify you of any such transfer and any choices you may have.

10.5 No Sale of Personal Data

Thalius does not sell personal data to third parties.

11. International Data Transfers

11.1 Transfer Mechanisms

Personal data may be transferred to and processed in countries outside the EU/EEA, including the United States and other jurisdictions where our service providers are located.

When transferring data internationally, we ensure adequate protection through:

  • Standard Contractual Clauses (SCCs): EU Commission-approved SCCs as per the June 4, 2021 decision

  • Adequacy Decisions: Transfers to countries deemed adequate by the European Commission

  • Additional Safeguards: Supplementary measures to address risks in third countries

11.2 Transfer Risk Assessments

We conduct Transfer Risk Assessments (TRAs) to evaluate whether the laws and practices of the destination country may undermine the protection provided by contractual safeguards. Where necessary, we implement additional technical and organizational measures.

11.3 Data Processing Agreements

All international data transfers to processors are governed by comprehensive Data Processing Agreements that incorporate Standard Contractual Clauses and ensure GDPR-compliant processing.

12. Data Retention

12.1 Retention Principles

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected or as required by law. Retention periods vary depending on the type of data and processing purpose.

12.2 Retention Periods

Website Visitor Data:

  • Session and analytics data: 26 months

  • Cookie data: As specified in cookie consent (typically 13 months)

Customer Account Data:

  • Active accounts: Duration of business relationship plus 3 years

  • Inactive accounts: 3 years after last activity, then deleted

Marketing Communications:

  • Newsletter subscribers: Until consent is withdrawn

  • Marketing contacts: 3 years from last engagement

Contract and Business Records:

  • Customer contracts: 10 years (Swedish Accounting Act requirement)

  • Financial records: 7 years (tax law requirement)

Usage and Search Data:

  • Aggregated, anonymized data: Retained indefinitely for research

  • Identifiable usage data: 12 months, then anonymized or deleted

12.3 Deletion Procedures

When retention periods expire, we securely delete or anonymize personal data using industry-standard methods to ensure it cannot be reconstructed or recovered.

13. Data Subject Rights Under GDPR

You have the following rights regarding your personal data:

13.1 Right to Be Informed (Articles 13-14)

You have the right to clear, transparent information about how we process your personal data. This policy and our Privacy Policy fulfill this obligation.

13.2 Right of Access (Article 15)

You have the right to:

  • Obtain confirmation of whether we process your personal data

  • Access your personal data

  • Receive information about the processing, including purposes, categories, recipients, and retention periods

13.3 Right to Rectification (Article 16)

You have the right to have inaccurate or incomplete personal data corrected or completed without undue delay.

13.4 Right to Erasure ("Right to Be Forgotten") (Article 17)

You have the right to request deletion of your personal data when:

  • The data is no longer necessary for the purposes for which it was collected

  • You withdraw consent and there is no other legal basis

  • You object to processing and there are no overriding legitimate grounds

  • The data has been unlawfully processed

  • Erasure is required for compliance with legal obligations

Exceptions apply when processing is necessary for legal obligations, public interest, or establishment of legal claims.

13.5 Right to Restriction of Processing (Article 18)

You have the right to request restriction (temporary suspension) of processing when:

  • You contest the accuracy of the data

  • Processing is unlawful but you prefer restriction over erasure

  • We no longer need the data but you need it for legal claims

  • You have objected to processing and verification is pending

13.6 Right to Data Portability (Article 20)

You have the right to:

  • Receive your personal data in a structured, commonly used, machine-readable format

  • Transmit your data to another controller

This applies when processing is based on consent or contract and carried out by automated means.

13.7 Right to Object (Article 21)

You have the right to object to:

  • Processing based on legitimate interests

  • Direct marketing (including profiling)

  • Processing for scientific, historical, or statistical research

When you object, we will cease processing unless we demonstrate compelling legitimate grounds that override your interests, or unless the processing is necessary for the establishment, exercise, or defence of legal claims.

13.8 Rights Related to Automated Decision-Making and Profiling (Article 22)

You have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects.

Thalius AI Systems: Our AI-powered search and navigation technology uses embeddings and algorithms to deliver personalized product recommendations. However, these systems do not make automated decisions with legal or similarly significant effects on individuals. Users maintain full control over their interactions and can always view and modify their taste profiles.

13.9 How to Exercise Your Rights

To exercise any of these rights, please contact us at privacy@thalius.ai or via the contact form at www.thalius.ai/contact.

Response Time: We will respond to requests within one month of receipt. If your request is complex or we receive multiple requests, we may extend this period by two additional months, and we will inform you of the extension.

Verification: We may request additional information to verify your identity before fulfilling your request.

Free of Charge: We do not charge a fee for processing requests unless they are manifestly unfounded, excessive, or repetitive, in which case we may charge a reasonable fee or refuse the request.

14. Records of Processing Activities

14.1 Article 30 GDPR Compliance

In accordance with GDPR Article 30, Thalius maintains comprehensive Records of Processing Activities (RoPA) that document:

  • Name and contact details of the controller and DPO

  • Purposes of processing

  • Categories of data subjects and personal data

  • Categories of recipients

  • International data transfers

  • Retention periods

  • Technical and organizational security measures

14.2 Availability

Our Records of Processing Activities are maintained internally and made available to the Swedish Authority for Privacy Protection (IMY) upon request.

15. Data Security Measures

15.1 Technical Measures

We implement robust technical security measures, including:

  • Encryption: Data encryption in transit (TLS/SSL) and at rest (AES-256)

  • Access Controls: Role-based access controls (RBAC) and multi-factor authentication (MFA)

  • Network Security: Firewalls, intrusion detection systems, and DDoS protection

  • Secure Development: Security testing throughout the software development lifecycle

  • API Security: Secure API endpoints with authentication and authorization

  • Pseudonymization and Anonymization: Where appropriate, to minimize privacy risks

15.2 Organizational Measures

We maintain organizational security practices including:

  • Privacy by Design and Default: Data protection integrated into system design

  • Employee Training: Regular data protection and security awareness training

  • Access Restrictions: Limited access to personal data on a need-to-know basis

  • Confidentiality Agreements: All employees and contractors sign confidentiality agreements

  • Vendor Management: Due diligence and contractual requirements for third-party processors

  • Regular Audits: Periodic security assessments and compliance reviews

  • Incident Response Plan: Documented procedures for detecting and responding to breaches

15.3 Data Protection Impact Assessments (DPIAs)

We conduct Data Protection Impact Assessments (DPIAs) as required by Article 35 GDPR when processing is likely to result in high risk to individuals' rights and freedoms, particularly when:

  • Implementing new AI technologies or processing methods

  • Processing data on a large scale

  • Making automated decisions with significant effects

  • Processing sensitive or special categories of data

16. Data Breach Notification

16.1 Breach Detection and Response

We maintain procedures to detect, investigate, and respond to personal data breaches promptly. Our incident response plan includes:

  • Immediate containment and mitigation measures

  • Assessment of breach scope, nature, and risks

  • Documentation of the breach and response actions

  • Notification to relevant parties as required

16.2 Notification to Supervisory Authority

In the event of a personal data breach likely to result in a risk to individuals' rights and freedoms, we will notify the Swedish Authority for Privacy Protection (IMY) without undue delay and, where feasible, within 72 hours of becoming aware of the breach (Article 33 GDPR).

The notification will include:

  • Nature of the breach, including categories and numbers of individuals and records

  • Contact details for further information

  • Likely consequences of the breach

  • Measures taken or proposed to address the breach and mitigate harm

16.3 Notification to Data Subjects

When a breach is likely to result in a high risk to individuals' rights and freedoms, we will notify affected individuals without undue delay (Article 34 GDPR), providing:

  • Clear and plain language description of the breach

  • Contact details for further information

  • Likely consequences

  • Measures taken or proposed to mitigate harm

17. Special Provisions for AI-Powered Processing

17.1 Transparent and Controlled Embeddings

Thalius uses proprietary AI-powered embedding models for semantic search and navigation. We are committed to transparency in our AI systems:

Transparency: We provide clear information about how our AI algorithms work, including the logic behind search results and recommendations.

Controlled Processing: Our embedding models are designed with control mechanisms that allow customization and transparency, distinguishing us from "black box" AI systems.

No Bias Training: We actively work to identify and mitigate biases in our AI models to ensure fair and equitable search results.

17.2 Taste Profiles and Personalization

Our Taste Finder feature allows users to create personalized taste profiles. Important safeguards include:

  • Opt-In Only: Taste profiles are created only with explicit user consent

  • User Control: Users can view, modify, and delete their taste profiles at any time

  • Transparency: Users can see how their taste profile influences search results

  • No Mandatory Profiling: Users can use Thalius Search™ without creating a taste profile

17.3 AI Ethics and Compliance

We adhere to ethical AI principles:

  • Fairness: Ensuring AI systems do not discriminate or create unfair bias

  • Accountability: Clear responsibility for AI system outcomes

  • Privacy: Privacy-preserving AI design

  • Human Oversight: Human review of AI system performance and decisions

18. Children's Privacy

Thalius services are not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected personal data from a child under 16 without parental consent, we will take steps to delete such information promptly.

If you are a parent or guardian and believe your child has provided us with personal data, please contact us at privacy@thalius.ai.

19. Your Right to Lodge a Complaint

19.1 Supervisory Authority

If you believe that our processing of your personal data violates GDPR or Swedish data protection laws, you have the right to lodge a complaint with the supervisory authority:

Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten - IMY)
Box 8114
104 20 Stockholm, Sweden
Phone: +46 (0)8 657 61 00
Email: imy@imy.se
Website: www.imy.se

19.2 Cross-Border Complaints

If you reside in another EU/EEA country, you may also lodge a complaint with the data protection authority in your country of residence.

19.3 Contact Us First

While you have the right to lodge a complaint with the supervisory authority, we encourage you to contact us first at privacy@thalius.ai so we can attempt to resolve your concerns directly.

20. Changes to This GDPR Policy

20.1 Policy Updates

We may update this GDPR Compliance Policy from time to time to reflect:

  • Changes in our data processing practices

  • New legal or regulatory requirements

  • Technological developments

  • Best practice recommendations

20.2 Notification of Changes

When we make material changes to this policy, we will:

  • Update the "Last Updated" date at the top of this document

  • Post a notice on our website

  • Notify active users and customers via email (where appropriate)

  • Obtain renewed consent if required by law

20.3 Review Frequency

We review this policy at least annually to ensure ongoing compliance with GDPR and applicable laws.

21. Additional Information

21.1 Data Processing Agreements

Customers who implement Thalius Search™ and wish to enter into a Data Processing Agreement (DPA) in accordance with GDPR Article 28 should contact us at privacy@thalius.ai. Our standard DPA includes:

  • Subject matter, duration, nature, and purpose of processing

  • Types of personal data and categories of data subjects

  • Controller and processor obligations and rights

  • Security measures and sub-processor provisions

  • Data subject rights support and audit provisions

21.2 Privacy by Design and Default

Thalius follows Privacy by Design and Privacy by Default principles (Article 25 GDPR):

  • Data protection is integrated into system architecture from the outset

  • Default settings provide the highest level of privacy protection

  • Only necessary data is processed by default

  • Privacy-enhancing technologies are prioritized

21.3 Accountability and Compliance Demonstration

We maintain comprehensive documentation to demonstrate GDPR compliance, including:

  • This GDPR Policy and Privacy Policy

  • Records of Processing Activities (Article 30)

  • Data Processing Agreements with processors

  • Legitimate Interest Assessments

  • Data Protection Impact Assessments

  • Data breach records and incident reports

  • Consent records and withdrawal mechanisms

  • Employee training records

22. Contact Information

For any questions, concerns, or requests regarding this GDPR Policy or our data protection practices, please contact:

Thalius AI AB
Privacy Team
Email: privacy@thalius.ai
Website: www.thalius.ai
Contact Form: www.thalius.ai/contact

Swedish Authority for Privacy Protection (IMY)
Box 8114
104 20 Stockholm, Sweden
Phone: +46 (0)8 657 61 00
Email: imy@imy.se
Website: www.imy.se

23. Acknowledgment and Consent

By using Thalius services, accessing our website, or providing us with personal data, you acknowledge that you have read and understood this GDPR Compliance Policy and our Privacy Policy. Where required by law, we will obtain your explicit consent for specific processing activities, which you may withdraw at any time.

Last Updated: October 22, 2025
Version: 1.0
Document Owner: Thalius AI AB Privacy Team

This GDPR Compliance Policy is provided for informational purposes and represents Thalius AI AB's commitment to data protection and privacy. It should be read in conjunction with our Privacy Policy and Terms of Service available at www.thalius.ai.