Talk to us
GDPR

The obligations Ansikt actually touches.

GDPR is bigger than any one product. This page lists the obligations Ansikt addresses and points to the detail page that handles each. The legal articles live with their regulators — we say honestly where we fit.

01 · The two articles

Right to access. Right to erasure.

15 Article 15 · Right of access

"What photos do you have of me?"

Read more →
17 Article 17 · Right to erasure

"Delete every photo of me."

Read more →
02 · How Ansikt maps to the law

Each obligation, the surface that handles it.

Article
What the law asks
How Ansikt answers
Art. 5(1)(a)
Lawfulness, fairness, transparency
Process personal data lawfully and transparently. Tell the subject what you're doing.
Audit log of every search and export, with operator and reason. Subject portal shows where their face appears. In preview Detail → Consent · /consent
Art. 5(1)(c)
Data minimisation
Only the data you actually need. No more.
We store the extracted face thumbnail and a vector per face. The full original image stays at the source — we never copy it. Detail → Capabilities · /capabilities
Art. 15
Right of access
A complete copy of all personal data on a 30-day clock.
Reference photo or identity → every appearance, every source URL, exportable as a regulator-ready PDF. Detail → DSAR surfacing · /dsar
Art. 17
Right to erasure
Locate and delete every appearance. Prove it was done.
Final audit report attached to the subject's record. Per-source removal tasks routed to owners. In preview Detail → DSAR surfacing · /dsar
Art. 25
Privacy by design
Bake privacy into the system, not on top of it.
Read-only connectors. EU-only infrastructure. No third-party model providers. URL proxy with face blurring. In preview Detail → Security · /security
Art. 30
Records of processing
Maintain records of what you process, why, and for whom.
Append-only log. Operator and reason on every action. Exportable for the DPA on request.
Art. 32
Security of processing
Appropriate technical and organisational measures.
AES-256 at rest. HTTPS for connector traffic and console. SSO and SCIM. EU jurisdiction only. Working towards ISO 27001 readiness. Detail → Security · /security
03 · Honest about the edges

What Ansikt doesn't do for you.

A tool can find photos. It cannot make legal judgments for you. Here's where the work stays yours.

We do

Find every appearance across the systems you connect, with audit trail.

We don't

Decide whether your lawful basis for processing is still valid.

We do

Route removal tasks to the owners of each source, with status tracking.

We don't

Push deletes to your sources without your operator confirming.

We do

Generate a regulator-ready PDF export of every appearance and how it was found.

We don't

Replace your DPO. Legal review of each response stays with your team.

Note for DPOs

DPIA support, in progress.

A DPIA for face-recognition processing under Article 35 is its own piece of work. We're putting one together with counsel, accurate to what Ansikt actually does. Until it ships, talk to us — we can share where we are and what we know.

Part of a loop

The request is closed. The audit row is on the books. From here the loop closes — a withdrawal updates the consent record, the proxy enforces it on the next request, and most days nothing new arrives. That is the point. The system is doing the work.