Your privacy rights (GDPR)

Under the EU General Data Protection Regulation (GDPR) and UK GDPR, you have specific rights over the personal data we hold about you. This page explains each right and how to exercise it.

Who's the data controller?

JARAI Studio is the data controller for the personal data processed when you use the Client Portal. Our Privacy Notice (see Legal) lists the legal bases we rely on, the data categories we process, and the processors (Azure, OpenAI, Anthropic, etc.) we use.

Your eight rights

Right	What it means	How to exercise
Access (Art. 15)	Get a copy of all personal data we hold about you, in a portable format.	Settings → Privacy → Download my data. Returns a ZIP within 30 days.
Rectification (Art. 16)	Correct inaccurate or incomplete personal data.	Settings → Profile → edit directly, or Request correction for fields you can’t edit.
Erasure / “Right to be forgotten” (Art. 17)	Delete your personal data. Subject to legal-retention exceptions (e.g., tax records).	Settings → Privacy → Delete my account. 30-day grace period, then full cascade.
Restriction (Art. 18)	Pause processing of your data without deleting it.	Settings → Privacy → Restrict processing. We’ll stop using your data for productions but keep it on file.
Portability (Art. 20)	Get your data in a machine-readable format (JSON / CSV).	Settings → Privacy → Download my data — same export as Access right.
Object (Art. 21)	Object to processing based on legitimate interest (e.g., marketing emails, profiling).	Settings → Privacy → Object to marketing / Object to profiling.
Automated decision-making (Art. 22)	Right not to be subject to a decision based solely on automated processing.	Productions are operator-triggered and customer-approved — no fully-automated decisions about you. If you believe otherwise, contact support.
Withdraw consent (Art. 7)	Withdraw any consent you previously gave (e.g., marketing opt-in).	Settings → Privacy → toggle the consent.

Response times

• Acknowledgement: within 72 hours of your request
• Resolution: within 30 days (extendable to 90 days for complex requests, with notice)
• Erasure cascade: 30-day grace period (you can cancel during this window), then full deletion across all production data + AI provider records

What about the productions JARAI created using my data?

When you request erasure, we delete:

• Your account profile + auth records
• Your subscription + billing history (subject to 7-year tax-law retention obligation, anonymised after the grace period)
• Productions where you are the customer + their derivative deliverables
• Operator audit log entries that reference you

We do NOT delete:

• Already-published content on third-party platforms (TikTok, LinkedIn, etc.) — you control those platforms directly; we can’t reach in and pull
• Data we anonymised before storage (aggregated usage statistics that don’t identify you)

Complaints

If you believe we’ve handled your data wrong, you can:

1. Email us at privacy@jarai.studio — we’ll respond within 72 hours
2. Lodge a complaint with your supervisory authority:
   • UK: ICO (Information Commissioner’s Office)
   • Spain: AEPD (Agencia Española de Protección de Datos)
   • Other EU: your national supervisory authority

See also

• Privacy Notice — full text of our privacy policy
• Submit a takedown notice — different right; for IP/likeness infringement
• Contact support — for privacy-related questions