PagePrinted
Last updated · 22 May 2026sha256 · fe7c33944680

Your GDPR Rights

A short map. Every right has a one-click route or a one-email path.

Table of contents
  1. · I · Overview
  2. · II · Article 15 — access
  3. · III · Article 16 — rectification
  4. · IV · Article 17 — erasure
  5. · V · Article 18 — restriction
  6. · VI · Article 20 — portability
  7. · VII · Article 21 — object
  8. · VIII · Article 22 — automated decisions
  9. · IX · Datatilsynet

The GDPR (Regulation (EU) 2016/679) gives every person whose data is processed in the EEA a set of named, enforceable rights. We treat each one as a feature, not a chore. This page is the index; the full privacy notice at /legal/privacy is the long-form source of truth.

· I ·Overview

Most rights are self-service inside your account. Where a right requires a human (because, for example, you want to restrict processing during a dispute), we accept the request by email at [p…@p…] and acknowledge within one business day. We have one month to fully comply, as required by GDPR Article 12(3); we usually finish in a week.

· II ·Article 15 — right of access

You can ask what data we hold on you. We make this self-service at /account/export. The export is a signed ZIP containing a JSON record of every field we hold, every manuscript and image you generated, the audit log of consent decisions, and a copy of the relevant Article 30 processing-activity entries.

· III ·Article 16 — right of rectification

If something we hold is wrong — your name is misspelled, your address is out of date — you can fix it directly at /account/profile. For things the profile page cannot reach (a corrupted manuscript record, a wrong country code on an old invoice), email us and we'll correct it manually.

· IV ·Article 17 — right to erasure

Delete your account at /account/delete. The deletion runs immediately: the account is suspended and cannot be signed back into; within thirty days, the underlying data is purged from primary systems and from backups as they rotate. The only data we are required to retain longer is the invoice record (Norwegian Bookkeeping Act, five years) — and that record is reduced to the legal minimum: name, address, line items, amount, date.

· V ·Article 18 — right to restrict processing

Useful when there is a dispute open — for example, you are contesting the accuracy of data we hold, and you want us to stop using it while we sort it out. Email [p…@p…] with the subject line "Restrict processing" and we mark the account accordingly within one business day.

· VI ·Article 20 — right to data portability

The export at /account/export is already a machine-readable JSON archive — that's the portability right exercised by default. You can take that file to another service that accepts our schema (we publish the schema at /dev/schemas/export.json) and import it there.

· VII ·Article 21 — right to object

You can object to any processing we do under the legitimate-interest basis (mostly telemetry and fraud-prevention). We will stop unless we can show an overriding legitimate ground; we will tell you which, and the reasoning.

· VIII ·Article 22 — automated decisions

The studio's safety classifier is an automated decision system, but it does not produce solely automated decisions: a classifier block is reviewed by a human within 24 hours, and you can ask for human review immediately by clicking "Ask a human". You always have the right to express your point of view and contest the outcome.

· IX ·Datatilsynet — the Norwegian supervisor

If you think we have not honoured one of these rights, please write to us first at [p…@p…]. If we don't fix it, you have the right under GDPR Article 77 to complain to a supervisory authority. The Norwegian Data Protection Authority is Datatilsynet:

  • Postboks 458 Sentrum, 0105 Oslo, Norway
  • Phone: +47 22 39 69 00
  • Email: [p…@d…]
  • Web: datatilsynet.no

EU residents may, alternatively, complain to their own national supervisory authority — the GDPR lets you pick.