GDPR Compliance

1. Data Controller

For the purposes of the GDPR, HootGPT acts as the Data Controller of your personal data. This means we determine how and why your personal data is processed.

2. Lawful Basis for Processing

Under the GDPR, we process your personal data based on the following lawful grounds:

• Contractual Necessity (Art. 6(1)(b)): Processing is necessary for the performance of a contract with you, such as creating your account, processing subscriptions, and generating AI content you request.
• Legitimate Interest (Art. 6(1)(f)): Processing is necessary for our legitimate business interests, such as improving our platform, ensuring security, and preventing fraud.
• Consent (Art. 6(1)(a)): Where you have given explicit consent, such as subscribing to marketing communications. You may withdraw consent at any time.
• Legal Obligation (Art. 6(1)(c)): Processing is necessary to comply with applicable laws, such as tax and accounting regulations.

3. Your Rights Under GDPR

As a data subject in the European Economic Area (EEA) or the UK, you have the following rights:

• Right of Access (Art. 15): You can request a copy of all personal data we hold about you.
• Right to Rectification (Art. 16): You can request that we correct any inaccurate or incomplete data.
• Right to Erasure (Art. 17): You can request that we delete your personal data and all uploaded files (“Right to be Forgotten”).
• Right to Restrict Processing (Art. 18): You can request that we limit the way we use your data.
• Right to Data Portability (Art. 20): You can request your data in a structured, commonly used, machine-readable format.
• Right to Object (Art. 21): You can object to our processing of your personal data for direct marketing or profiling purposes.
• Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

4. How to Exercise Your Rights

To exercise any of the rights listed above, please contact us at [email protected] with the subject line “GDPR Data Request.” We will respond to your request within 30 days, as required by the GDPR.

You may also delete your generated assets (images, voice clones, documents) or your entire account at any time from your account dashboard, which will permanently remove your data from our active servers.

5. International Data Transfers

HootGPT is based in the UAE. If you are located in the EEA or UK, your personal data may be transferred to and processed in countries outside the EEA/UK. When this occurs, we ensure appropriate safeguards are in place, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission.
• Processing only through enterprise API endpoints from third-party AI providers whose terms prohibit the use of your data for model training.

6. Third-Party AI Data Processing

To deliver our AI features, your prompts, uploaded text, images, and audio are transmitted securely to third-party AI providers (including OpenAI, Anthropic, Google Gemini, and DeepSeek). These providers act as Data Processors under the GDPR:

• Data is processed solely for generating your requested output.
• We use enterprise API endpoints where your data is not used to train third-party foundational AI models.
• Data is transmitted over encrypted connections (TLS/SSL).

7. Data Retention

We retain your personal data and generated assets only for as long as your account is active or as needed to provide you with our services. When you delete your account, all associated personal data and generated content are permanently removed from our active servers within 30 days. For further details, see our Privacy Policy.

8. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by Art. 33 of the GDPR. If the breach is likely to result in a high risk to you, we will also notify you directly without undue delay.

9. Right to Lodge a Complaint

If you believe that your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority in the EU/EEA member state of your habitual residence, place of work, or place of the alleged infringement. You may also contact us first at [email protected] so we can address your concerns.

10. Contact Us

For any GDPR-related questions, requests, or concerns, please contact us at: