GDPR & AI Act transparency

Controller / processor roles, a Records-of-Processing summary, AI Act Article 50 transparency to users, and the model card for the AI system that powers EuroLaw Hub.

Last updated · 26 February 2026

1. Controller / processor roles

Scenario
Account, billing, support, security telemetry
Our role
Controller
Notes
We determine the purposes and means. See Privacy Policy §§ 3–4.
Scenario
Documents you upload + conversations you submit
Our role
Processor (on your instructions)
Notes
We process them solely to deliver the Service to you. The Anthropic DPA prohibits training on customer content.
Scenario
Watchdog alerts and AI-generated bulletins
Our role
Controller for the editorial layer, processor for inputs you submit
Notes
Watch parameters you create are processed on your instructions; the alerts produced are stored in your account.

2. Records of Processing Activities — summary (Art. 30 GDPR)

Processing activity
User account management
Categories of data
Email, hashed password, plan, role
Legal basis
Art. 6(1)(b)
Recipients / sub-processors
Managed MongoDB hosting (EU)
Retention
Life of account + 90 days
Processing activity
AI-assisted research and uploads
Categories of data
Prompts, uploaded documents, vectors
Legal basis
Art. 6(1)(b)
Recipients / sub-processors
Anthropic (DPA + SCCs)
Retention
Until deletion or 24 months of inactivity
Processing activity
Watchdog scans + alerts
Categories of data
Watch parameters, alert payloads, citations
Legal basis
Art. 6(1)(b)
Recipients / sub-processors
Anthropic (DPA + SCCs)
Retention
Until dismissed; soft-archive after 6 months
Processing activity
Bulletins (editorial)
Categories of data
Editorial inputs and outputs
Legal basis
Art. 6(1)(b) and Art. 6(1)(f) for editorial library
Recipients / sub-processors
Anthropic (DPA + SCCs)
Retention
Indefinite while published; admin can unpublish or delete
Processing activity
Billing
Categories of data
Plan, subscription IDs, invoice metadata
Legal basis
Art. 6(1)(b), Art. 6(1)(c)
Recipients / sub-processors
Payment processor / merchant of record (DPA + SCCs)
Retention
Up to 10 years for tax law
Processing activity
Security, audit, rate limiting
Categories of data
IP, user agent, route, timestamp
Legal basis
Art. 6(1)(f)
Recipients / sub-processors
Internal infrastructure provider
Retention
12 months
Processing activity
Consent records
Categories of data
Consent decisions, version, timestamp, IP, UA
Legal basis
Art. 6(1)(c) + Art. 7(1) accountability
Recipients / sub-processors
Internal database (EU)
Retention
5 years

3. AI Act transparency to users (Art. 50)

EuroLaw Hub is an AI system within the meaning of Regulation (EU) 2024/1689. We are required to inform users that they are interacting with an AI system; we do so prominently in the landing-page widget, in the Research Assistant interface, in the support chatbot greeting, and across every AI-generated bulletin (which is labelled as such).

Where EuroLaw Hub uses live retrieval to generate content (e.g. Watchdog scans, Bulletin generation), the output is labelled and presented alongside primary-source citations. Human oversight is required for any decision with legal or similarly significant effects. EuroLaw Hub does not make solely-automated decisions about individuals (Art. 22 GDPR).

The product is decision support for qualified legal professionals. It is not intended to replace legal advice, and its outputs are not legal opinions. Users remain responsible for verifying the output against the cited sources and applying it under their own professional judgement.

4. Model card — the AI system that powers EuroLaw Hub

Field
Provider
Value
Anthropic, PBC (US). Accessed over the Anthropic API.
Field
Model family
Value
Claude (Sonnet / light + heavy variants for different module endpoints). EuroLaw Hub never sends prompts to other LLM providers without disclosing the change here.
Field
Intended use
Value
EU legal research and compliance decision-support for qualified counsel, in-house lawyers and compliance officers. Editorial bulletin drafting. Conversational support for product questions.
Field
Prohibited uses
Value
See Acceptable Use Policy in the Legal page. Specifically: no solely-automated significant decisions about individuals (Art. 22 GDPR); no Art. 5 AI Act prohibited practices; no generation of unlawful content; no extraction of system prompts.
Field
Known limitations
Value
Knowledge cut-off applies between training updates. Some answers may be incomplete, outdated or inaccurate. Citations are best-effort and may not include a stable URL. The model is not a fact-checker for the documents you upload — verify against the source.
Field
Training data on customer content
Value
Anthropic does NOT train its models on EuroLaw Hub customer content per the DPA between Anthropic and EuroLaw Hub.
Field
Risk classification under the AI Act
Value
EuroLaw Hub is not a 'high-risk' AI system within the meaning of Annex III. It is a general-purpose research and decision-support tool with mandatory human-in-the-loop and the Art. 50 transparency obligations addressed in §3.
Field
Human oversight
Value
Every output is reviewed by the qualified user before it is acted upon in a legal matter. EuroLaw Hub does not exercise legal judgement on behalf of users.

5. Contact for data protection and AI matters

Data Protection Officer and AI compliance contact: altay@eurolawhub.com. You can also reach us through the support chatbot at the bottom-right of every page (note: the chatbot does not give legal advice and escalates account or data-protection issues to the email above).