GDPR Compliance
How Tractatus approaches data protection through architectural constraints
Last updated: October 28, 2025
Architectural Enforcement: The Tractatus Framework enforces GDPR compliance through structural constraints, not policy documents. Privacy boundaries are built into our architecture, not aspirational guidelines.
1. Our GDPR Commitment
The General Data Protection Regulation (GDPR) protects the privacy rights of individuals in the European Union and European Economic Area. While Tractatus is based in Aotearoa New Zealand, we extend GDPR protections to all users globally—not as compliance theatre, but because these protections align with our core values of human agency and data sovereignty.
One architectural approach: We recognize GDPR as one important framework among many for data protection. Organizations may face different regulatory requirements (CCPA, Privacy Act 2020, etc.). Our approach is to build structural constraints that can adapt to plural regulatory contexts, not impose a single compliance model.
Core Principles
- Privacy by Design: Data protection built into system architecture from the start
- Minimal Data Collection: We collect only what's necessary for specific, stated purposes
- Transparent Processing: Clear information about what data we collect and why
- User Control: Mechanisms for access, correction, deletion, and portability
- Accountability: Documented decisions, auditable processes, measurable compliance
2. How the Framework Enforces GDPR
The Tractatus Framework doesn't rely on hoping developers "remember GDPR." Instead, we use architectural constraints that make non-compliant data handling difficult or impossible.
2.1 Boundary Enforcement Service
Our BoundaryEnforcer service blocks operations that would violate privacy boundaries:
- Hard Boundaries: Prevents writing user data to public files, logging sensitive information, or exposing credentials
- Pre-Action Checks: All data operations validated before execution, not after
- Audit Logging: Every boundary decision recorded for compliance auditing
- Framework Instructions: inst_009 (User Data Protection) and inst_010 (PII Confidentiality) enforce GDPR Article 5 principles architecturally
2.2 Cross-Reference Validation
When data operations conflict with privacy rules:
- CrossReferenceValidator flags conflicts between data collection and privacy instructions
- Operations that violate GDPR principles (data minimization, purpose limitation) are blocked
- System provides alternative approaches that satisfy both functional and privacy requirements
2.3 Pluralistic Deliberation for Values Conflicts
When legitimate interests conflict (e.g., fraud prevention vs. privacy):
- PluralisticDeliberationOrchestrator surfaces the conflict for human judgment
- System doesn't flatten "privacy vs security" to a metric—preserves incommensurability
- Decisions are documented with justification, creating an auditable compliance trail
- No amoral AI making privacy trade-offs autonomously—human values guide decisions
3. Your GDPR Rights
Under GDPR Articles 15-22, you have the following rights. We honor these rights for all users, regardless of location.
Right to Access (Article 15)
Request a copy of all personal data we hold about you, including processing purposes and data recipients.
How to exercise: Email privacy@agenticgovernance.digital with subject "GDPR Access Request"
Response time: Within 30 days (extendable to 90 days for complex requests)
Right to Rectification (Article 16)
Request correction of inaccurate or incomplete personal data.
How to exercise: Email privacy@agenticgovernance.digital with corrected information
Right to Erasure / "Right to be Forgotten" (Article 17)
Request deletion of your personal data when no legitimate grounds exist for processing.
How to exercise: Email privacy@agenticgovernance.digital with subject "GDPR Erasure Request"
Limitations: We may retain data if required for legal obligations, public interest, or legitimate claims
Right to Restriction of Processing (Article 18)
Request temporary suspension of data processing in specific circumstances (e.g., accuracy disputes).
How to exercise: Email privacy@agenticgovernance.digital with justification
Right to Data Portability (Article 20)
Receive your personal data in a structured, machine-readable format (JSON, CSV).
How to exercise: Email privacy@agenticgovernance.digital with subject "GDPR Portability Request"
Format: We provide data in JSON format by default
Right to Object (Article 21)
Object to processing based on legitimate interests or for direct marketing purposes.
How to exercise: Email privacy@agenticgovernance.digital with objection reason
Note: We never send marketing emails without explicit opt-in
4. Data Processing Details
4.1 Legal Basis for Processing
We process personal data under these GDPR-compliant legal bases:
- Consent (Article 6(1)(a)): Newsletter subscriptions, optional donation publicity
- Contract (Article 6(1)(b)): Processing donations, delivering services
- Legal Obligation (Article 6(1)(c)): Tax reporting, anti-money laundering compliance
- Legitimate Interests (Article 6(1)(f)): Security, fraud prevention, service improvement
4.2 Data Retention
We retain personal data only as long as necessary:
- Server Logs: 90 days (security monitoring)
- Donation Records: 7 years (tax/legal requirements)
- Contact Form Submissions: 2 years or until resolved
- Account Data: Until account deletion is requested, plus 30 days
- Analytics: 26 months (aggregated, non-identifiable after 14 months)
4.3 International Transfers
Our infrastructure is hosted with OVH (France, EU) to keep data within GDPR jurisdiction. For third-party services:
- Stripe (Payment Processing): Uses Standard Contractual Clauses for EU-US transfers
- MongoDB Atlas (Database): Hosted in EU-West region (Frankfurt, Germany)
- We do not transfer data to countries without adequate protection unless required by law and with your explicit consent
4.4 Automated Decision-Making
We do not use automated decision-making or profiling that produces legal effects or similarly significant impacts (GDPR Article 22). All consequential decisions involve human judgment.
5. Security Measures (Article 32)
We implement appropriate technical and organizational measures to ensure data security:
Technical Measures
- Encryption: TLS 1.3 in transit, AES-256 at rest for sensitive data
- Access Controls: Role-based access, principle of least privilege
- Credential Management: Defense-in-depth architecture (5 protection layers, inst_072)
- Security Monitoring: Intrusion detection, log analysis, vulnerability scanning
- Regular Audits: Monthly security reviews, quarterly penetration testing
Organizational Measures
- Data Protection by Design: Privacy requirements integrated from system conception
- Staff Training: Regular privacy and security awareness training
- Incident Response: Documented procedures for breach notification (within 72 hours per Article 33)
- Vendor Management: Data Processing Agreements with all third-party processors
6. Framework Benefits for GDPR Compliance
The Tractatus Framework's architectural approach provides structural support for GDPR compliance that goes beyond policy documentation:
6.1 Built-in Privacy by Design (Article 25)
- Privacy boundaries enforced architecturally—can't accidentally log PII or write user data to public files
- Pre-action checks validate GDPR compliance before operations execute
- Default configuration is privacy-protective (data minimization, purpose limitation)
6.2 Accountability and Demonstrable Compliance (Article 5(2))
- Audit Logs: Every data operation logged with justification, creating Records of Processing Activities (ROPA)
- Decision Trail: PluralisticDeliberationOrchestrator documents values conflicts and resolutions
- Framework Statistics: Real-time compliance metrics via analytics dashboard
- Audit logs show why decisions were made, not just what happened—critical for demonstrating compliance to supervisory authorities
6.3 Handling Conflicts Between Legitimate Interests
GDPR recognizes that legitimate interests can conflict (security vs. privacy, fraud prevention vs. data minimization). The framework handles these conflicts architecturally:
- When a conflict arises, PluralisticDeliberationOrchestrator surfaces it for human judgment
- System doesn't flatten incommensurable values to optimization metrics
- Documented deliberation satisfies GDPR Article 6(1)(f) Legitimate Interests Assessment requirements
- Creates auditable evidence of balancing test between interests and fundamental rights
Example: When analytics suggests collecting additional user data for fraud detection, the framework doesn't auto-approve. It triggers deliberation: "Fraud prevention (legitimate interest) vs. Data minimization (Article 5(1)(c))." Human judgment determines if collection is proportionate, documented in audit logs for supervisory authority review.
7. Contact & Data Protection Officer
For privacy concerns, GDPR requests, or data protection questions:
Privacy Contact:
Email: privacy@agenticgovernance.digital
Response time: Within 5 business days for initial response, 30 days for full resolution
Right to Lodge a Complaint
If you believe we've violated GDPR, you have the right to lodge a complaint with a supervisory authority:
- EU Residents: Contact your national Data Protection Authority
- NZ Residents: Contact the Office of the Privacy Commissioner (privacy.org.nz)
We encourage you to contact us first—we're committed to resolving concerns directly and transparently.
8. Updates to This Policy
We may update this GDPR compliance page to reflect changes in:
- Our data processing activities
- Legal or regulatory requirements
- Framework capabilities that enhance GDPR compliance
Change Notification: Material changes will be communicated via email (if you've provided one) and prominently displayed on our website for 30 days. Continued use after notification constitutes acceptance of changes.
Version History: Previous versions of this policy are available upon request to privacy@agenticgovernance.digital
Related Resources
- Privacy Policy: Comprehensive privacy practices and data handling
- Core Values: Our commitment to human agency and transparency
- Framework Architecture: Technical details on boundary enforcement and audit logging
- Official GDPR Text: Full text of the General Data Protection Regulation