GDPR Compliance Statement

Last updated: May 2026

This GDPR Compliance Statement outlines how Hello Ada ensures compliance with the General Data Protection Regulation (GDPR), the Danish Data Protection Act, and requirements typically applied by Danish municipalities and schools.

It applies to both:

  • helloada.ai
  • edu.helloada.ai

1. Commitment to Data Protection

Hello Ada is committed to protecting personal data and ensuring that our platform is safe for children, schools, and families.

We follow the principles of:

• Lawfulness
• Fairness
• Transparency
• Purpose limitation
• Data minimisation
• Accuracy
• Storage limitation
• Integrity
• Accountability

These principles guide the design and operation of the Hello Ada platform.

2. Data Processor Role for Schools

When used in schools (edu.helloada.ai):

  • The school or municipality acts as Data Controller.
  • Hello Ada acts as Data Processor under GDPR Article 28.
  • We process data only according to the instructions provided by the school.
  • A Data Processing Agreement (DPA) is entered into with each school or municipality.

The platform is designed to minimise processing of personal data for school use, including removing student logins and avoiding the need for identifying information.

3. Data Controller Role for Families

For parent and educator accounts on helloada.ai, Hello Ada acts as the Data Controller and adheres to GDPR Articles 13 and 14 regarding transparency.

4. Lawful Basis for Processing

In Schools

  • Public interest in providing education (GDPR Article 6(1)(e))
  • Data processor agreement with the controller (Article 28)

For Families

  • Contract: Managing user accounts
  • Consent: Optional newsletter
  • Legitimate interest: Security, fraud prevention, error logs

5. Data Minimisation

Hello Ada has implemented a "minimum necessary" data strategy.

In the school environment (edu.helloada.ai):

  • No student accounts
  • No names, emails, or student identifiers
  • No behavioural profiling
  • Server-side analytics only
  • No non-essential cookies

Only project text, prompts, and necessary technical logs are processed.

6. Hosting and Data Location

Core application hosting, database storage, and backups are operated in European regions using:

  • Google Cloud Platform (EU region)
  • Amazon Web Services (EU region)

AI model processing follows the provider and region characteristics of the selected model tier described below. Any processing outside the EU is handled only under GDPR-compliant safeguards.

7. AI Model Compliance

Hello Ada uses the AI providers implemented in the application: Ordbogen/Odin for the Danish provider tier, Mistral for the European provider tier, and Google Vertex AI/Gemini plus Anthropic Claude through AWS Bedrock for the Europe-hosted tier.

  • No-training, no-retention, or equivalent provider processing controls
  • Data processed only to generate outputs, guardrail decisions, or task suggestions requested by the user
  • No intentional transmission of personal data
  • Students instructed not to enter identifying information
  • Teachers supervise use in classroom settings
  • Provider and region choices are based on the selected model tier and deployment configuration

All providers operate under GDPR-compliant agreements.

8. Subprocessors

We use a limited set of vetted subprocessors essential for delivering the service.

All subprocessors:

  • Operate under GDPR-compliant agreements
  • Are listed in the Privacy Policy
  • Are located in EU regions or covered by approved safeguards
  • Are monitored through ongoing reviews

No advertising or behavioural tracking subprocessors are used.

9. Security Measures

Hello Ada uses industry-standard security controls including:

  • Encryption in transit (TLS) and at rest
  • Network segmentation
  • Firewalling and intrusion detection
  • Role-based access control
  • Security logging and audit trails
  • Least-privilege access
  • Regular vulnerability and dependency scanning
  • Secure development practices

Only authorised engineering staff have access to system data.

10. Data Retention

Retention periods follow strict minimisation guidelines:

  • Student project data: 90 days
  • AI logs: 30–90 days
  • Backups: 30 days
  • Parent/teacher accounts: 18–24 months of inactivity
  • Support communications: Up to 12 months

Schools may request earlier deletion at any time.

11. Data Subject Rights

Data subjects (or their guardians/schools) may exercise their rights to:

• Access
• Rectification
• Erasure
• Restriction
• Objection
• Portability

Requests can be made via: privacy@helloada.ai

For students, requests must be coordinated through the school as the Data Controller.

12. DPIA (Data Protection Impact Assessment) Support

Hello Ada provides all necessary documentation required for schools and municipalities to perform a DPIA.

This includes:

  • Data flow descriptions
  • Subprocessor list
  • Technical and organisational measures (TOMs)
  • Retention schedules
  • Security architecture information
  • Export controls
  • AI processing characteristics

We support municipal IT and legal teams during their assessment.

13. Incident Response

Hello Ada maintains procedures for:

• Detection
• Reporting
• Containment
• Resolution

Any incident affecting personal data is reported promptly to the Data Controller in accordance with GDPR Articles 33 and 34.

14. Updates

This compliance statement will be updated if regulations, technology, or subprocessors change.

The most recent version will always be available on our website.