cloak.business

GDPR Compliance

Last Updated: 2026-02-09

Overview#

cloak.business is fully compliant with the General Data Protection Regulation (EU) 2016/679 (GDPR). As a platform purpose-built for PII detection and anonymization, data protection is at the core of everything we build. This document describes how cloak.business supports GDPR compliance for both our own operations and for the organizations that use our service.

Data Processing#

In-Memory Architecture#

cloak.business processes all submitted content -- text, images, and documents -- entirely in memory. No submitted content is written to disk, stored in a database, or retained after the response is returned to the user.

PrincipleImplementation
No storage of submitted contentText and images are processed in server memory (RAM) only
No training on user dataSubmitted content is never used to train or improve models
No third-party data sharingAll processing occurs on our own servers; no data is sent to external providers
Immediate disposalContent is discarded from memory as soon as the API response is sent

EU Data Residency#

All data processing takes place exclusively in Germany, European Union:

  • Infrastructure hosted in an ISO 27001:2022 certified data center in Germany
  • No data transfers outside the European Economic Area (EEA)
  • Full compliance with EU data residency requirements
  • German federal data protection law (BDSG) applies in addition to GDPR

Data Subject Rights#

cloak.business fully supports all data subject rights under GDPR Chapter III:

Right of Access (Article 15)#

Users can request a complete export of all personal data we hold about them. Data exports are available in standard JSON format through the account settings or upon request.

Right to Rectification (Article 16)#

Users can update their personal information (name, email, account details) at any time through the account settings interface.

Right to Erasure -- Right to be Forgotten (Article 17)#

Users can delete their account at any time. Account deletion permanently removes:

  • All account information (name, email, hashed password)
  • All session data and login history
  • All operation history (if the optional feature was enabled)
  • All API keys and tokens
  • All subscription and billing references

Deletion is irreversible and executed promptly upon request.

Right to Data Portability (Article 20)#

Users can export their data in standard, machine-readable formats (JSON). This includes account information, operation history, and any stored settings or preferences.

Right to Object (Article 21)#

Users can object to processing and opt out of optional features at any time, including:

  • Operation history recording
  • Analytics and usage tracking
  • Marketing communications

Right to Restriction of Processing (Article 18)#

Users can request restriction of processing in applicable circumstances as defined by Article 18. Restricted accounts retain data but suspend active processing.

Data Processing Agreement (DPA)#

A Data Processing Agreement under GDPR Article 28 is available for enterprise and business customers. The DPA covers:

  • Scope and purpose of data processing
  • Obligations of the processor (cloak.business)
  • Sub-processor management and notification
  • Technical and organizational security measures
  • Data subject rights assistance
  • Data breach notification obligations
  • Data return and deletion upon contract termination
  • Audit rights

To request a DPA, contact us through the contact form at cloak.business and select "Privacy Inquiries."

Privacy by Design (Article 25)#

cloak.business implements data protection by design and by default as required by GDPR Article 25:

PrincipleHow We Implement It
Data minimizationOnly email and name required for accounts; no unnecessary data collected
Purpose limitationData processed solely for PII detection and anonymization
Storage limitationSubmitted content never stored; account data retained only while needed
Integrity and confidentialityAES-256-GCM encryption, TLS in transit, role-based access control
Default privacyOptional features (history, analytics) disabled by default

Right to be Forgotten#

Account deletion is designed to be thorough and permanent:

  1. User initiates deletion through account settings or by contacting support
  2. All personal data is removed from the database, including account details, session records, operation history, and API keys
  3. Payment processor references are cleared (actual payment data is held by the payment processor under their own retention policies)
  4. Deletion is irreversible -- no recovery is possible after deletion is confirmed

Since submitted text and images are never stored, there is no content to delete -- it was already discarded at the time of processing.

Data Portability#

Users can export their data at any time in standard formats:

  • Account information -- JSON export of profile data
  • Operation history -- JSON export of analysis records (if history was enabled)
  • Settings and preferences -- JSON export of configured presets and preferences

Exports are generated on demand and delivered directly to the user.

Breach Notification (Articles 33 and 34)#

cloak.business maintains documented breach response procedures in compliance with GDPR:

Supervisory Authority Notification (Article 33)#

  • Data breaches affecting personal data are reported to the relevant supervisory authority within 72 hours of becoming aware of the breach
  • Notification includes the nature of the breach, categories of data affected, approximate number of data subjects, and measures taken

Data Subject Notification (Article 34)#

  • Where a breach is likely to result in a high risk to the rights and freedoms of data subjects, affected individuals are notified without undue delay
  • Notification includes a description of the breach, potential consequences, and measures taken to address and mitigate the impact

Sub-Processors#

cloak.business maintains a directory of sub-processors involved in service delivery. The current sub-processor list is available upon request. We notify customers of any changes to sub-processors in advance, allowing them to object if necessary.

Contact for GDPR Requests#

For any GDPR-related inquiries, data subject requests, or to request compliance documentation:

  1. Visit cloak.business
  2. Open the Contact form
  3. Select "Privacy Inquiries" as the topic
  4. Describe your request

We respond to all data subject requests within the GDPR-mandated timeframe of one month.

Document maintained by cloak.business Contact: support@cloak.business