Important note
This page describes general GDPR concepts and privacy topics in plain language. It does not state that Aris888 AI is certified, audited, approved by a regulator, or automatically compliant for every customer use case. Legal obligations depend on the customer, location, data, configuration, contract terms, and how the platform is used.
What GDPR is
The General Data Protection Regulation, commonly called GDPR, is European Union Regulation 2016/679. It sets rules for processing personal data and gives individuals rights over their personal data. Related regimes may also apply, including the UK GDPR for the United Kingdom and local data protection laws in other jurisdictions.
Personal data in an AI agent platform
Personal data means information relating to an identified or identifiable person. In an AI agent platform, personal data may appear in account records, uploaded knowledge files, widget conversations, support messages, billing metadata, analytics events, admin logs, or prompts entered by users.
- Customers should avoid uploading unnecessary personal data into knowledge files or prompts.
- Administrators should review access, retention, and source content before launching public agents.
- Some uploaded files or conversations may contain sensitive data depending on the customer workflow.
Controller and processor roles
Under GDPR, a controller decides why and how personal data is processed. A processor processes personal data on behalf of a controller. For many SaaS workflows, the customer acts as controller for its workspace content and end-user interactions, while the platform provider may act as processor for that customer data. Exact roles should be confirmed in the applicable agreement and data processing terms.
Individual rights
GDPR gives individuals several rights, subject to legal conditions and exceptions. These may include access, correction, deletion, restriction, portability, objection, and rights related to certain automated decision-making. Requests need enough information to identify the relevant account, workspace, record, or conversation.
Subprocessors and service providers
Modern SaaS products may rely on infrastructure, authentication, analytics, payment, support, email, and model-provider services. If those services process personal data, they may be processors or subprocessors depending on the relationship. Customers should review the applicable contract, data processing terms, and vendor list when available.
International transfers
GDPR restricts certain transfers of personal data outside the European Economic Area unless an approved transfer mechanism or exemption applies. Common mechanisms can include adequacy decisions, Standard Contractual Clauses, and supplementary measures where required. Transfer details depend on infrastructure, vendors, customer location, and contract terms.
Security and access controls
GDPR requires appropriate technical and organizational measures based on risk. In practical terms, teams should consider access controls, authentication, least privilege, logging, retention, encryption in transit, secure vendor relationships, incident response, and internal policies. No public website page can replace a customer-specific security and legal review.
Retention and deletion
GDPR includes a storage limitation principle: personal data should not be kept longer than necessary for the relevant purpose unless there is another lawful reason. In a workspace, retention can involve account data, knowledge files, conversation logs, analytics, audit logs, backups, and support records.
Privacy requests
For privacy questions or data rights requests, use the privacy contact channel listed in the Help Center or Contact page. A useful request should include the request type, email address, organization or workspace context, and enough detail to identify the relevant data. Do not include passwords, private keys, or unnecessary sensitive information in a request.
For the broader privacy notice, see the Privacy Policy.