GDPR Compliance Statement

Last updated: November 2025

This GDPR Compliance Statement outlines how Hello Ada ensures compliance with the General Data Protection Regulation (GDPR), the Danish Data Protection Act, and requirements typically applied by Danish municipalities and schools.

It applies to both:

  • helloada.ai
  • edu.helloada.ai

1Commitment to Data Protection

Hello Ada is committed to protecting personal data and ensuring that our platform is safe for children, schools, and families.

We follow the principles of:

• Lawfulness
• Fairness
• Transparency
• Purpose limitation
• Data minimisation
• Accuracy
• Storage limitation
• Integrity
• Accountability

These principles guide the design and operation of the Hello Ada platform.

2Data Processor Role for Schools

When used in schools (edu.helloada.ai):

  • The school or municipality acts as Data Controller.
  • Hello Ada acts as Data Processor under GDPR Article 28.
  • We process data only according to the instructions provided by the school.
  • A Data Processing Agreement (DPA) is entered into with each school or municipality.

The platform is designed to minimise processing of personal data for school use, including removing student logins and avoiding the need for identifying information.

3Data Controller Role for Families

For parent and educator accounts on helloada.ai, Hello Ada acts as the Data Controller and adheres to GDPR Articles 13 and 14 regarding transparency.

4Lawful Basis for Processing

In Schools

  • Public interest in providing education (GDPR Article 6(1)(e))
  • Data processor agreement with the controller (Article 28)

For Families

  • Contract: Managing user accounts
  • Consent: Optional newsletter
  • Legitimate interest: Security, fraud prevention, error logs

5Data Minimisation

Hello Ada has implemented a "minimum necessary" data strategy.

In the school environment (edu.helloada.ai):

  • No student accounts
  • No names, emails, or student identifiers
  • No behavioural profiling
  • Server-side analytics only
  • No non-essential cookies

Only project text, prompts, and necessary technical logs are processed.

6Hosting and Data Location

All data is stored and processed within the European Union using:

  • Google Cloud Platform (EU region)
  • Amazon Web Services (EU region)

No data is transferred outside the EU unless explicitly permitted under GDPR-compliant safeguards.

7AI Model Compliance

Hello Ada uses Claude, Gemini, and SkoleGPT under strict conditions:

  • No-training and no-retention modes
  • Data processed only to generate outputs
  • No intentional transmission of personal data
  • Students instructed not to enter identifying information
  • Teachers supervise use in classroom settings
  • AI processing occurs within approved regions where supported

All providers operate under GDPR-compliant agreements.

8Subprocessors

We use a limited set of vetted subprocessors essential for delivering the service.

All subprocessors:

  • Operate under GDPR-compliant agreements
  • Are listed in the Privacy Policy
  • Are located in EU regions or covered by approved safeguards
  • Are monitored through ongoing reviews

No advertising or behavioural tracking subprocessors are used.

9Security Measures

Hello Ada uses industry-standard security controls including:

  • Encryption in transit (TLS) and at rest
  • Network segmentation
  • Firewalling and intrusion detection
  • Role-based access control
  • Security logging and audit trails
  • Least-privilege access
  • Regular vulnerability and dependency scanning
  • Secure development practices

Only authorised engineering staff have access to system data.

10Data Retention

Retention periods follow strict minimisation guidelines:

  • Student project data: 90 days
  • AI logs: 30–90 days
  • Backups: 30 days
  • Parent/teacher accounts: 18–24 months of inactivity
  • Support communications: Up to 12 months

Schools may request earlier deletion at any time.

11Data Subject Rights

Data subjects (or their guardians/schools) may exercise their rights to:

• Access
• Rectification
• Erasure
• Restriction
• Objection
• Portability

Requests can be made via: privacy@helloada.ai

For students, requests must be coordinated through the school as the Data Controller.

12DPIA (Data Protection Impact Assessment) Support

Hello Ada provides all necessary documentation required for schools and municipalities to perform a DPIA.

This includes:

  • Data flow descriptions
  • Subprocessor list
  • Technical and organisational measures (TOMs)
  • Retention schedules
  • Security architecture information
  • Export controls
  • AI processing characteristics

We support municipal IT and legal teams during their assessment.

13Incident Response

Hello Ada maintains procedures for:

• Detection
• Reporting
• Containment
• Resolution

Any incident affecting personal data is reported promptly to the Data Controller in accordance with GDPR Articles 33 and 34.

14Updates

This compliance statement will be updated if regulations, technology, or subprocessors change.

The most recent version will always be available on our website.