SkrivSikkert ApS implements privacy-by-design principles by collecting minimal personal information.
No Data Storage
No personally identifiable information, session data, or user profiles stored permanently
Local Browser Processing
All user data remains in local browser memory without server-side storage
Anonymization
Encrypted anonymous identifiers with no reverse-engineering possible
EU Jurisdiction
All data processing within EU borders (Denmark + Sweden)
Interactive Data Processing Flow
User Input (Local Browser)
AES-256 Encryption & Anonymization
Azure OpenAI (Sweden)
TLS 1.3 Return
Automatic Deletion
User Input (Local Browser)
Users enter text directly in the browser. Data is stored only in local browser memory without server transmission. The data controller has no access at this stage.
Legal Basis
GDPR Article 6(1)(b) - processing necessary for contract performance
Data Minimization
GDPR Article 5(1)(c) - only necessary data processed
EU Jurisdiction
All data processing remains within EU borders
Automatic Deletion
Instant data deletion at session end
Built-in Data Protection (Privacy by Design)
The system is designed with data protection as a core principle in line with GDPR Article 25. Data processing is activated only after the user's explicit request. No permanent storage, profiling, or tracking of personal data occurs.
Data Processing Agreements and Responsibility
Data Controller: SkrivSikkert ApS (CVR: 45455238) - No access to user data
Sub-processor 1: Simply.com A/S - WordPress hosting (Article 28 agreement)
Sub-processor 2: Microsoft Corporation - AI processing (Azure DPA)
Data Subject Control: Complete control via local browser storage
Technical and Organizational Measures (TOMs)
Security measures implemented in line with GDPR Article 32 and international security standards.
Hosting Infrastructure
Simply.com (CVR: 29412006) - GDPR-certified web hosting, Danish servers
AI Processing
Microsoft Azure OpenAI (CVR: 13612870) - Sweden data center, EU DPA
Cryptographic hashing with no reverse-engineering possibility
Access Control
Multi-factor authentication and strict access policies for sensitive systems
Staff Training
Ongoing training in data protection and security procedures
Continuous Monitoring
Real-time abuse monitoring, content filters, and ongoing security oversight
Regular Updates
Quarterly security updates, assessments, and audits
Incident Response
Rapid system recovery and data breach procedures with 72-hour notification
Risk Assessments
Regular security risk assessments and preventive measures
Privacy Technologies
Do Not Track respect, Cookiebot management, and user-controlled data storage
Compliance Audit
GDPR Article 32 compliance and international security standards
GDPR Legal Basis and Compliance
Data processing is based on GDPR Article 6(1)(b) - processing is necessary to fulfill a contract or to take steps at the data subject's request before entering into a contract.
Privacy by Design
GDPR Article 25 - built-in data protection from system design
Data Minimization
GDPR Article 5(1)(c) - ultimate implementation of the principle
Non-Automated Decisions
GDPR Article 22 - AI generates suggestions only, user makes final decisions
DPIA Assessment
Data protection impact assessment completed - no full DPIA required
EU-Limited Processing
No third-country transfers - all processing stays within EU
Data Subject Rights (GDPR Chapter III)
Article 15 - Right of Access: No personal data to provide
Article 17 - Right to Erasure: Automatically implemented at session end
Article 20 - Right to Data Portability: No personal data to transfer
Article 21 - Right to Object: Contact DPO: gdpr@spellbright.ai
Article 22 - Automated Decisions: Not used - AI systems provide suggestions only
Complaint Access and Data Breach Procedures
Supervisory Authority: Danish Data Protection Agency, Carl Jacobsens Vej 35, 2500 Valby
Contact Authority: +45 33 19 32 00, dt@datatilsynet.dk
Data Breach Procedures: 72-hour authority notification implemented
Data Subject Notification: Direct communication for high-risk breaches
Business Agreements and Professional Use
Data Processing Agreements (Article 28): Available for all professional clients
Business Solutions Contact: hello@spellbright.ai
DPO Contact: Stefan Huhne, gdpr@spellbright.ai
Legal Status: GDPR-compliant hosting and AI processing within EU
Frequently Asked Questions
No, our AI models are not trained on your data. This is documented in our privacy policy under "Transparency in AI Use": "Prompts or other text generated through the platform are not used to train or improve the models."
This means when you use our tools to translate, summarize, or proofread copyrighted material, the text is:
Only used to deliver the immediate service
Not part of the model's training data
Not accessible to other users
Automatically deleted after processing
You can safely use all our tools with copyrighted material without concern for copyright infringement.
All your data stays within EU borders:
Web Hosting: Denmark (with Simply.com)
AI Processing: Sweden (Microsoft Azure OpenAI data center)
No data transfers to countries outside the EU
Yes, SkrivSikkert is fully GDPR-compliant. We:
Operate under Danish and EU data protection law
Have a dedicated Data Protection Officer (DPO)
Use only GDPR-certified partners (Simply.com and Microsoft Azure OpenAI)
Have completed a data protection impact assessment
Implement privacy-by-design principles
Comply with all GDPR requirements for data minimization, pseudonymization, and user rights
We're recommended for Danish educational institutions, which highlights our focus on safe use in the education sector.
SkrivSikkert ApS: Does NOT have access to your prompts or AI-generated outputs
Microsoft Azure OpenAI: Processes data only to deliver the service - no access during normal operation
Other Users: Have NO access to your data
We have comprehensive data breach procedures:
Immediate assessment of breach scope
Notification to the Data Protection Agency within 72 hours
Direct communication to affected users
Implementation of measures to limit consequences
Thorough investigation and preventive action
However: Due to our data minimization practices (no permanent storage of prompts/outputs), the risk of a meaningful data breach is extremely low, as we simply don't have data to lose.
We have comprehensive security measures in place:
Technical Measures:
Encryption of data during transmission and storage
Anonymization through encrypted identifiers
Multi-factor authentication for sensitive system access
Regular security updates
Automatic content filters and abuse monitoring
Organizational Measures:
Strict access controls
Ongoing staff training in data protection
Regular security assessments and audits
Dedicated Data Protection Officer (DPO)
We designed our platform specifically with the education sector and protection of minors' data in mind:
No Personal Identification:
No user logins on the main platform
No collection of personally identifiable information
Complete anonymity for all users
Local Data Processing:
All user activity processed only in browser's local memory
Data doesn't leave the user's device (except encrypted AI communication)
Automatic deletion at session end
Special Considerations for Minors:
No profiling or tracking of user behavior
No risk of students' work becoming visible to others
Teachers and students can use the tool without GDPR concerns
This ensures the platform can be used safely in all educational contexts, from elementary school through higher education.
Introduction and Principles
Introduction
This privacy policy describes how SkrivSikkert ApS ("Skrivsikkert.dk," "us," "our," "we") protects and processes your personal data when you use our services through our website for grammar correction, translations, and general interactions with the AI models we offer. We handle your personal data in line with this privacy policy and applicable law, including the EU's General Data Protection Regulation (GDPR) and the Danish Data Protection Act. Skrivsikkert.dk is the data controller for your personal data, and questions about personal data can be directed to us using the contact information provided later in this document.
At SkrivSikkert.dk, we designed our platform in line with GDPR (Regulation No. 2016/679 of April 27, 2016) and the Data Protection Act. This commitment is an ongoing process where we dedicate ourselves to developing our services with a focus on data protection and user privacy.
Our primary goal is to respect and protect our users' privacy. For this reason, we've made the decision not to require user logins or identify users in any way. This means we don't collect, log, or store any data that can be linked to users' personal identity or their activity on SkrivSikkert.dk. Our approach ensures your interactions with our platform remain private and secure. We made this decision in part because we're used by schools and other public institutions in educational settings.
The application you interact with is built in WordPress and hosted on a web server with the Danish-owned company Simply. The web server is located in Denmark and is GDPR-certified. Our language model is developed by Microsoft (Azure OpenAI), and our data center is located in Sweden. Therefore, no data transfer occurs to countries outside Europe.
When you submit a request through our service, your information is processed in a way that protects your privacy. Your requests are converted into an "anonymous identifier," which is an encrypted code that ensures we cannot track or store information about what you asked. This secure process means we don't store or monitor the session where your request is processed. Everything you do on our platform is stored locally on your device in your web browser and is accessible only to you. This ensures your data stays private and is automatically deleted when you leave our site. We guarantee your data security and protect your privacy this way.
Agreements with Schools
We offer business agreements for schools that want to integrate SkrivSikkert into their teaching. If you're interested in exploring how SkrivSikkert can support learning in your classroom or help students with dyslexia, don't hesitate to contact us at hello@spellbright.ai for more information. Our focus on making SkrivSikkert safe to use in education can be seen in how we're recommended by the Center for IT in Education (CIU) to all directors at vocational schools and high schools across the country.
Learn more about our prices for business subscriptions for schools on our business order page. For orders of over 100 subscriptions, we offer special pricing. Contact us at hello@spellbright.ai or +45 36 20 97 37 for a customized quote.
Data Processing and Security
Anonymity
All your interactions with our AI models, including entered text (prompts) and generated responses, are processed anonymously and stored only temporarily in your browser's local memory. This data is automatically deleted when you close your browser session, ensuring no personally identifiable data is stored on our servers.
Security Measures
We have implemented comprehensive security measures, including:
Encryption of data during transmission and storage.
Various access controls and security protocols to protect against unauthorized access.
Regular security assessments and audits to ensure our systems and procedures comply with the latest GDPR requirements and the upcoming AI regulation.
Procedures for rapid system and data recovery in case of a technical or physical incident.
Regular security updates to our systems.
Multi-factor authentication for access to sensitive systems.
Ongoing training for our staff in data protection and security.
Data Centers
Our language model is located in Sweden, ensuring all data remains within EU jurisdiction and is subject to GDPR's strict protection requirements. We guarantee your data is not transferred to countries outside the EU. All data processing occurs exclusively within EU borders, specifically in Denmark (hosting) and Sweden (AI processing).
Sub-Processors
We work only with carefully selected and GDPR-compliant sub-processors, including Microsoft (Azure OpenAI) for our AI services. All our sub-processors are required to maintain the same high standards for data protection as we do.
Data Confidentiality and Security
Your data when using the AI tools is processed with strict confidentiality and security protocols. This data:
Is not accessible to other customers.
Is not accessible to OpenAI.
Is not accessible to SkrivSikkert employees.
Is not used to improve OpenAI models.
Is not used to improve Microsoft's or third parties' products or services.
Is not automatically used to improve Azure OpenAI models.
No data transfer occurs to jurisdictions outside the EU.
Data Storage and Deletion
To comply with abuse monitoring, Azure OpenAI (Microsoft) may store prompts and generated content securely and encrypted for up to thirty (30) days. SkrivSikkert.dk has no access to read your data during this monitoring period. The stored data can only be made accessible to a Microsoft employee who has undergone a comprehensive security clearance process and is employed within the EU.
A review of this data can only occur if either a prompt or generated output is automatically identified as potentially harmful by Microsoft's automatic content filters. Only then can the flagged data be reviewed. All data is permanently deleted after the monitoring period. This data is also not linked to the sender's IP address or anything else that is personally identifiable.
Data Minimization
We take the principle of data minimization very seriously. This means we only collect and process the personal data absolutely necessary to deliver our services. Our approach to data minimization includes:
Limited Data Collection: We collect no personally identifiable data.
Anonymization: Where possible, we anonymize data to remove personally identifiable information.
Automatic Data Deletion: We've implemented automatic processes to delete data that is no longer necessary.
Regular Data Review: We regularly review our data stores to identify and remove unnecessary data.
Privacy by Design: Our systems are designed from the ground up with data minimization in mind, ensuring we only process data absolutely necessary for each specific function.
Data Retention Periods
We have clear policies for data retention to ensure we only keep data as long as necessary. Our data retention periods are as follows:
AI Interactions (Prompts and Outputs)
Not stored by SkrivSikkert.
Automatically deleted from our systems at the end of each browser session.
May potentially be stored by Microsoft Azure OpenAI for up to 30 days as part of their security procedures, but this data is not accessible to us and is reviewed only in extremely rare cases.
This data is not linked to personal identifiers such as IP addresses.
We regularly review our data retention practices to ensure we comply with GDPR's storage limitation principle. If you have specific questions about storage of your data, you're welcome to contact our DPO.
Rights and Legislation
Your Rights
As a user, you have rights under GDPR, including:
Right of access to your personal data
Right to rectification of inaccurate personal data
Right to erasure ("right to be forgotten")
Right to restriction of processing
Right to data portability
Right to object to processing of your personal data
To exercise your rights or if you have questions about our data protection practices, you can contact our Data Protection Officer (DPO) at gdpr@spellbright.ai.
Please note that due to our limited data retention, we cannot provide access to historical prompts or AI-generated content. We can only give you access to data you've shared directly with us through, for example, our contact form. You can withdraw your consent at any time by contacting our DPO.
Note that withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
Additional Details on Consent Processes
We only obtain consent through active actions, never through pre-checked boxes.
We keep documentation of given consent, including time and content.
You can withdraw your consent at any time through your account profile or by contacting our DPO.
We renew consent if our data processing purposes change significantly.
Data Portability
To exercise your right to data portability, you can request a copy of your personal data in a structured, commonly used, and machine-readable format. We will fulfill your request within 30 days.
GDPR and Legal Compliance
Our use of Azure OpenAI Service and our general data processing practices ensure full compliance with GDPR and other relevant data protection legislation. This is achieved through the following measures:
Data is processed in accordance with Microsoft's Products and Services Data Protection Addendum, which is fully GDPR-compliant.
All data storage and processing occurs exclusively in a European data center in Sweden, guaranteeing compliance with European, including Danish, data protection requirements.
Users have full control over their data, including the right of access, rectification, erasure ("right to be forgotten"), restriction of processing, data portability, and the right to object.
We implement various security measures, including encryption of data during transmission and storage, as well as strict access controls.
All user interactions with our AI models are processed anonymously, and data is stored only temporarily in the user's browser's local memory, ensuring maximum protection of personal data.
We do not transfer personal data to countries outside the EU.
We conduct regular security assessments and audits to ensure continued compliance with GDPR and other relevant data protection rules.
In case of a data breach, we have implemented procedures for rapid notification to both the data controller and affected data subjects.
We work only with carefully selected and GDPR-compliant sub-processors who are required to maintain the same high standards for data protection.
Platform and Technical Details
To ensure data remains within the EU, we use the following:
Use of data centers located exclusively within the EU
Implementation of technical restrictions that prevent data transfer outside the EU
Regular auditing of data flows to ensure compliance
Risk Assessment and Decision-Making
Initial Data Protection Impact Assessment
As part of our commitment to ensuring the highest standard of data protection, we have conducted an initial data protection impact assessment for our AI-based service. This analysis helped us evaluate potential risks associated with our data processing activities.
The result of our initial analysis showed that our current data processing activities do not require a full Data Protection Impact Assessment (DPIA) according to GDPR criteria. This is primarily due to:
Our limited retention of personal data
The absence of automated decisions with significant impact on users
Our implemented security measures and data minimization practices
We have specifically assessed that our service does not fall under the categories that typically require a full DPIA, as we:
Do not conduct systematic and extensive evaluation of personal aspects based on automatic processing, including profiling.
Do not process special categories of data (sensitive data) on a large scale.
Do not conduct systematic monitoring of a publicly accessible area on a large scale.
Nevertheless, based on our analysis, we have implemented and improved a range of measures to minimize potential risks:
Strengthened encryption methods for data in transit and at rest
Strict access control policies
Regular staff training in data protection
Continuous monitoring and updating of our security measures
We commit to regularly reviewing and updating our risk assessment to ensure it remains relevant as our services evolve and the data threat landscape changes. Should our data processing activities change significantly in the future, we are prepared to conduct a full DPIA if it becomes necessary.
We conduct regular risk assessments of our data processing activities. These assessments include:
Assessment of the likelihood and consequences of these risks
Implementation of measures to mitigate identified risks
Ongoing monitoring and evaluation of these measures
Automated Decision-Making
It's important to emphasize that our system does not make automated decisions with legal or similarly significant consequences for our users. Our system performs the following actions:
Generates suggestions and recommendations based on user input
Offers language and stylistic improvements
All outputs from our AI system are meant as suggestions, and the final decision to implement these suggestions always lies with the user. We encourage our users to review and evaluate all AI-generated suggestions critically before use.
In line with GDPR Article 22, we ensure that:
Users are always informed that they're interacting with an AI system
No significant decisions are made solely based on automated processing
The website is built in WordPress and hosted on a GDPR-certified web server with the Danish-owned company Simply, located in Denmark. Interaction with our AI services occurs through this platform.
Key Points About the Application
Hosting: The web server is located in Denmark and is GDPR-certified.
AI Model: Our language model is developed by Microsoft (Azure OpenAI), and the data center is geographically located in Sweden.
Data Transfer: No data transfer occurs to countries outside the EU.
User Creation: To access our services, you must create a user profile. Your login credentials and profile are stored securely on our servers.
Data Security: We implement various security measures, including content filters and real-time abuse monitoring, to protect your data and ensure a safe user experience.
Limited Data Access: We only have access to your login information. We do not have access to or the ability to store your prompts or generated content from AI interactions.
Microsoft as Sub-Processor: Microsoft (Azure OpenAI) is fully GDPR-compliant. They operate under strict data protection obligations as defined in Microsoft's Products and Services Data Protection Addendum.
Data Processing
When you use our AI tools, your entered text (prompts) is sent to Microsoft Azure OpenAI for processing.
This process occurs with strict data confidentiality and security protocols.
Microsoft Azure OpenAI functions as our sub-processor and is fully GDPR-compliant.
They process your prompts and generate content (outputs) without storing or using the data for purposes other than delivering the immediate service.
All data transmission between our platform and Microsoft Azure OpenAI is encrypted.
Microsoft Azure OpenAI's data center is located in Sweden, ensuring data remains within the EU.
Neither we nor Microsoft permanently store your prompts or outputs. They are kept only temporarily (up to 30 days) by Microsoft exclusively for abuse monitoring and system improvement purposes, after which they are automatically deleted.
We do not have access to your individual prompts or outputs either before or after processing.
Technical Infrastructure
Technical and Organizational Measures
When you submit a request through our service, your information is processed in a way that protects your privacy. Your requests are converted into an "anonymous identifier," which is an encrypted code that ensures we cannot track or store information about what you asked. This secure process means we don't store or monitor the session where your request is processed. Everything you do on our platform is stored locally on your device in your web browser and is accessible only to you. This ensures your data stays private and is automatically deleted when you leave our site.
Transparency in AI Use
Azure OpenAI Service generates responses or material by processing user prompts (input) and generating content (output) through completion, chat completion, image, and embedding operations. The models are stateless and don't store prompts or other text. By being "stateless," the models don't store information between interactions. This reduces the risk of bias from previous inputs affecting future outputs. It ensures the model's response is based solely on the current input, without bias from previous user data.
Prompts or other text generated through the platform are not used to train or improve the models. While Microsoft Azure OpenAI potentially stores data for a short period for security reasons, this data is not used to train or improve the models. Data is reviewed only in extremely rare cases of potentially serious abuse and is not accessible to the platform.
Azure OpenAI Service also implements ongoing advanced methods for bias correction, ensuring the models' outputs remain fair and unbiased. This ensures all users receive fair and objective responses regardless of their background or the topics they ask about.
To promote fairness, Azure OpenAI Service also works to diversify the training data used to develop AI models. By including a broad range of perspectives and experiences, it ensures AI models can understand and generate content that is relevant and inclusive for a global audience.
In line with GDPR's principles of transparency and fairness, we offer the following additional insight into our AI use:
Scope of Data Processing: Our AI models process only the text users actively enter. No additional contextual data or user behavior is collected or analyzed.
Processing Duration: All processing occurs in real-time. After generating output, input data is immediately deleted from active memory.
Third-Party Integrations
We use carefully selected third-party integrations and sub-processors to improve functionality and user experience on our platform. We're committed to ensuring these integrations and sub-processors comply with the same high standards for data protection as the rest of our platform, in full accordance with GDPR and our own privacy policy.
Our approach to third-party integrations and sub-processors includes:
Thorough due diligence
Strict data minimization
Regular review and evaluation
Full transparency
Geographic restriction
Current third-party integrations and sub-processors include:
Microsoft Azure OpenAI (CVR: 13612870, Kanalvej 7, 2800 Kgs. Lyngby)
Purpose: Hosting of language model for AI-based text generation and analysis.
Data Processing: Occurs in data center located in Sweden.
Security Measures: Full GDPR compliance, encryption of data in transit and at rest, strict access controls.
Purpose: Advanced page builder and design tool for our WordPress platform.
Data Processing: Local processing on our hosted servers.
Security Measures: Regular security updates.
Security Procedures
Control and Responsibility
If a sub-processor fails to fulfill their obligations, we remain fully responsible to the data controller. We commit to informing the data controller of any planned changes regarding the addition or replacement of sub-processors with at least 30 days' notice.
Data Breach Procedures
In case of a data breach, we have implemented the following procedures:
Immediate assessment of the breach's scope and potential consequences
Notification to relevant authorities within 72 hours of discovering the breach
Direct communication to affected users via email and/or our website
Implementation of measures to limit and remedy any negative consequences
Thorough investigation of the breach's cause and implementation of preventive measures
We commit to being transparent and acting quickly to protect our users' data and rights.
Cookies and Tracking Technologies
You can manage your cookie preferences in the following ways:
Through our cookie banner, which appears when you first visit our website
By clicking 'Cookie Settings' at the bottom of our website
By changing the settings in your browser
We respect 'Do Not Track' signals from web browsers. You can also choose to block or delete cookies through your browser settings. Note that blocking certain cookies may affect the functionality of our website.
Contact and Updates
Right to Complain
As a user, you have the right to file a complaint with a data protection authority if you believe your personal data has been processed in violation of data protection law. In Denmark, the Danish Data Protection Agency serves as the national data protection authority.
Danish Data Protection Agency
Address: Carl Jacobsens Vej 35, 2500 Valby, Denmark
Phone: +45 33 19 32 00
Email: dt@datatilsynet.dk
Website: www.datatilsynet.dk
Privacy Policy Updates
We review and update our privacy policy regularly, at least once a year or more often if there are significant changes to our data processing practices or relevant legislation. For significant changes, we will:
Post the updated policy on our website with a clear indication of the change date
In special cases, we may request renewed consent from users
We encourage our users to regularly review our privacy policy to stay informed about how we protect their personal data.
Update Notifications
For significant changes, we will inform our users via email and/or a prominent notice on our website before the changes take effect.
Versioning and Updates
We encourage you to review this policy regularly. Our privacy policy will always be updated on our website.
Last Updated: September 10, 2025
Contact Our DPO
To exercise your rights or if you have questions about our privacy policy, you're welcome to contact us. Here's our contact information to make it as easy as possible for you:
SkrivSikkert ApS collects only necessary login information (name and email).
Minimal Profile Data
Only name and email stored to support account functions
AI Anonymity Preserved
Prompts and outputs never linked to your profile and not permanently stored
30-Day Deletion
Profile data automatically deleted 30 days after account cancellation
EU Jurisdiction
All data processing in Denmark (hosting) and Sweden (AI)
Interactive Data Processing Flow
Secure Login & Profile
Anonymous AI Interaction
Azure OpenAI (Sweden)
TLS 1.3 Return
Optional History & Deletion
Secure Login & Profile
User logs in with email and password. Passwords are hashed with bcrypt and never stored in plain text. Profile data (name and email) is encrypted and stored securely on Danish servers.
Legal Basis
GDPR Article 6(1)(a) – explicit consent at account creation
Data Minimization
Only essential login information – AI data not stored
Email Consent
Optional marketing consent with clear unsubscribe option
Full Transparency
Clear information about data processing and user rights
Separate Data Processing (Profile vs. AI)
Profile Data: Name and email stored encrypted on Danish servers as long as account exists
AI Interactions: Prompts and outputs anonymized and deleted at session end
Abuse Monitoring: Microsoft may store anonymized AI data for max 30 days
User Rights: Full control over profile data including export and deletion
Technical and Organizational Measures (TOMs)
Security measures implemented in line with GDPR Article 32 – extended to handle user accounts and login.
Hosting Infrastructure
Simply.com – GDPR-certified web hosting on Danish servers
AI Processing
Microsoft Azure OpenAI (Sweden) – EU DPA and SLA
Cryptography
AES-256, TLS 1.3, and encrypted storage of profile data
Password Security
Passwords hashed with bcrypt and can never be read in plain text
Pseudonymization
AI data not linked to user profiles and deleted after session
Access Control
Multi-factor authentication and role-based access to internal systems
Staff Training
Ongoing training in data protection and security procedures
Continuous Monitoring
Abuse monitoring and real-time filters protect the platform
Regular Updates
Quarterly security updates, assessments, and audits
Incident Response
Rapid system recovery and 72-hour data breach procedures
Risk Assessments
Regular security risk assessments and preventive measures
Login Logging
Secure logging of login activity without monitoring AI interactions
Compliance Audit
Documented compliance with GDPR Article 32
GDPR Legal Basis and Compliance
Data processing is based on GDPR Article 6(1)(a) – consent at account creation. Marketing requires separate consent and has a clear unsubscribe option. AI interactions are processed under legitimate interests with full transparency.
Consent-Based
Active consent at registration – can be withdrawn at any time
Data Minimization
Only necessary information for login and billing
Non-Automated Decisions
AI delivers suggestions – user makes the decision
DPIA Assessment
Data protection impact assessment completed – no full DPIA required
EU-Limited Processing
No third-country transfers – hosting in DK and AI in SE
Data Subject Rights (Chapter III)
Article 15 – Right of Access: Full access to your profile information
Article 16 – Right to Rectification: Update your information directly in the account
Article 17 – Right to Erasure: Data deleted within 30 days after cancellation
Article 20 – Data Portability: Export your data in structured format
Article 21 – Right to Object: Unsubscribe from marketing at any time
Article 7 – Withdrawal of Consent: Can be done without reason through account settings
Data Retention and Deletion
User Accounts: Stored as long as account is active
After Cancellation: Profile data deleted within 30 days
AI Interactions: Automatically deleted from browser after session
Microsoft Monitoring: Up to 30 days anonymous storage for security purposes
Login Logs: Stored for maximum 90 days for system integrity
Marketing Preferences: Updated immediately upon unsubscribe
Frequently Asked Questions
No, our AI models are not trained on your data. This is documented in our privacy policy under "Transparency in AI Use": "Prompts or other text generated through the platform are not used to train or improve the models."
This means when you use our tools to translate, summarize, or proofread copyrighted material, the text is:
Only used to deliver the immediate service
Not part of the model's training data
Not accessible to other users
Automatically deleted after processing
You can safely use all our tools with copyrighted material without concern for copyright infringement.
All your data stays within EU borders:
Web Hosting: Denmark (with Simply.com)
AI Processing: Sweden (Microsoft Azure OpenAI data center)
No data transfers to countries outside the EU
Yes, SkrivSikkert is fully GDPR-compliant. We:
Operate under Danish and EU data protection law
Have a dedicated Data Protection Officer (DPO)
Use only GDPR-certified partners (Simply.com and Microsoft Azure OpenAI)
Have completed a data protection impact assessment
Implement privacy-by-design principles
Comply with all GDPR requirements for data minimization, pseudonymization, and user rights
We're recommended for Danish educational institutions, which highlights our focus on safe use in the education sector.
SkrivSikkert ApS: Does NOT have access to your prompts or AI-generated outputs
Microsoft Azure OpenAI: Processes data only to deliver the service - no access during normal operation
Other Users: Have NO access to your data
We have comprehensive data breach procedures:
Immediate assessment of breach scope
Notification to the Data Protection Agency within 72 hours
Direct communication to affected users
Implementation of measures to limit consequences
Thorough investigation and preventive action
However: Due to our data minimization practices (no permanent storage of prompts/outputs), the risk of a meaningful data breach is extremely low, as we simply don't have data to lose.
We have comprehensive security measures in place:
Technical Measures:
Encryption of data during transmission and storage
Anonymization through encrypted identifiers
Multi-factor authentication for sensitive system access
Regular security updates
Automatic content filters and abuse monitoring
Organizational Measures:
Strict access controls
Ongoing staff training in data protection
Regular security assessments and audits
Dedicated Data Protection Officer (DPO)
We designed our platform specifically with the education sector and protection of minors' data in mind:
No Personal Identification:
No user logins on the main platform
No collection of personally identifiable information
Complete anonymity for all users
Local Data Processing:
All user activity processed only in browser's local memory
Data doesn't leave the user's device (except encrypted AI communication)
Automatic deletion at session end
Special Considerations for Minors:
No profiling or tracking of user behavior
No risk of students' work becoming visible to others
Teachers and students can use the tool without GDPR concerns
This ensures the platform can be used safely in all educational contexts, from elementary school through higher education.
Introduction and Commitments
Introduction
This privacy policy describes how SkrivSikkert ApS ("Skrivsikkert.dk," "us," "our," "we") protects and processes your personal data when you use our services through our website for grammar correction, translations, and general interactions with the AI models we offer. We handle your personal data in line with this privacy policy and applicable law, including the EU's General Data Protection Regulation (GDPR) and the Danish Data Protection Act. Skrivsikkert.dk is the data controller for your personal data, and questions about personal data can be directed to us using the contact information provided later in this document.
At SkrivSikkert.dk, we designed our platform in line with GDPR (Regulation No. 2016/679 of April 27, 2016) and the Data Protection Act. This commitment is an ongoing process where we dedicate ourselves to developing our services with a focus on data protection and user privacy.
Our primary goal is to respect and protect our users' privacy. With our login feature, you can access extended functions such as user history while we maintain the highest standards for data protection. We collect only the information strictly necessary to deliver the service, and all AI interactions remain anonymous. Our approach ensures your data is processed securely and in line with GDPR.
The application you interact with is built in WordPress and hosted on a web server with the Danish-owned company Simply. The web server is located in Denmark and is GDPR-certified. Our language model is developed by Microsoft (Azure OpenAI), and our data center is located in Sweden. Therefore, no data transfer occurs to countries outside Europe.
When you submit a request through our service, your information is processed in a way that protects your privacy. Your requests are converted into an "anonymous identifier," which is an encrypted code that ensures we cannot track or store information about what you asked. This secure process means we don't store or monitor the session where your request is processed. Everything you do on our platform is stored locally on your device in your web browser and is accessible only to you. This ensures your data stays private and is automatically deleted when you leave our site. We guarantee your data security and protect your privacy this way.
Agreements with Schools
We offer business agreements for schools that want to integrate SkrivSikkert into their teaching. If you're interested in exploring how SkrivSikkert can support learning in your classroom or help students with dyslexia, don't hesitate to contact us at hello@spellbright.ai for more information. Our focus on making SkrivSikkert safe to use in education can be seen in how we're recommended by the Center for IT in Education (CIU) to all directors at vocational schools and high schools across the country.
Learn more about our prices for business subscriptions for schools on our business order page. For orders of over 100 subscriptions, we offer special pricing. Contact us at hello@spellbright.ai or +45 36 20 97 37 for a customized quote.
Data Processing and Legal Basis
We process your personal data in line with GDPR based on the following legal grounds:
Legal Basis for Data Processing
Consent (Art. 6.1.a) – For optional features like history
Contract (Art. 6.1.b) – To deliver our services
Legal Obligation (Art. 6.1.c) – Bookkeeping and legal requirements
Legitimate Interests (Art. 6.1.f) – System security and improvements
Protecting Your Data
We only process the text you enter and don't collect personally identifiable information unless you specifically provide it to us.
All interactions with our AI models are processed anonymously.
We use pseudonymization to prevent tracking and permanent storage of your personal data.
User History and Control
History Feature: You have the option to view your usage history on the platform, showing your previous interactions with our AI tools.
Full Control: This history feature can be turned off at any time in your account settings if you prefer your interactions not be saved.
Instant Deletion: You can delete your entire history with a single click, permanently removing all saved interactions from our systems.
We ensure all data processing is necessary and proportional. If certain information is required to use a service, we clearly inform you.
Marketing and Communication
We may send you communications about our services based on the following legal grounds:
Necessary Service Communication (Contract Basis)
Security updates
Important changes to the service
Account-related notifications
Marketing (Consent or Legitimate Interests)
Product news and features
Tips for optimal service use
Relevant offers
You can unsubscribe from marketing communications at any time.
Legitimate Interest
We may process your contact information for direct marketing based on our legitimate interest in informing about service updates. This includes only:
Email address and name
Your service preferences
We don't combine this information with data from third parties.
Unsubscribing from Marketing
You can unsubscribe from marketing at any time by:
Clicking "unsubscribe" at the bottom of our emails
Contacting us at gdpr@spellbright.ai
You'll still receive important service notifications about your account and security updates.
Marketing Data Retention
Your communication preferences are stored as long as your account is active. Upon unsubscription or account deletion, this data is removed within 30 days.
Security and Data Protection
Anonymity: All AI interactions are processed anonymously.
Security Measures
End-to-end encryption
Strict access controls
Regular security audits
24/7 monitoring
Automatic system recovery
Ongoing staff training
Data Centers: All data is processed within the EU. We never transfer personal data outside EU jurisdiction.
Security Standards and Certifications
We maintain the highest security standards through:
Encryption Standards:
Data in transit: TLS 1.3
Data at rest: AES-256-GCM encryption
Key management: Hardware Security Modules for secure storage
Certificates: SSL certificates with minimum 2,048-bit RSA
Network Security:
Web Application Firewall with real-time protection
DDoS protection through Cloudflare
Intrusion detection and prevention
Geographic filtering and rate limiting
System Security:
Continuous vulnerability scanning
Centralized security monitoring
Compliance and Audit:
Regular internal security audits
Documented information security system
Sub-Processors
We work only with carefully selected sub-processors who comply with GDPR. All sub-processors are contractually required to maintain the same high security standards as we do.
Data Confidentiality and Security
Your data when using the AI tools, including entered text (prompts) and generated content (outputs) from the AI models we offer, is processed with strict confidentiality and security protocols. This data:
Is not accessible to other customers
Is not accessible to OpenAI
Is not accessible to SkrivSikkert employees
Is not used to improve OpenAI models
Is not used to improve Microsoft's or third parties' products or services
Is not automatically used to improve Azure OpenAI models
No data transfer occurs to jurisdictions outside the EU
Storage and Deletion
Microsoft may store encrypted prompts and outputs for up to 30 days for security and abuse monitoring. We don't have access to this data, which is reviewed by Microsoft only in rare cases when automatically flagged as potentially harmful content. Data is not linked to personal identifiers such as IP addresses.
Data Minimization
We take the principle of data minimization very seriously. This means we only collect and process the personal data absolutely necessary to deliver our services. Our approach to data minimization includes:
Limited Data Collection: We collect only information directly related to using our AI tools
Anonymization: Where possible, we anonymize data to remove personally identifiable information
Automatic Data Deletion: We've implemented automatic processes to delete data no longer necessary
Regular Data Review: We regularly review our data stores to identify and remove unnecessary data
Privacy by Design: Our systems are designed from the ground up with data minimization in mind
Built-in Data Protection
We've implemented data protection as a core principle throughout our platform:
Technical Security Measures:
AES-256 encryption for data at rest, TLS 1.3 for data in transit
Rate limiting and DDoS protection on all endpoints
Data Protection Technologies:
Differential privacy: Statistical noise to protect individual data in analyses
Pseudonymization: Systematic replacement of identifiable data
Data masking: Concealing sensitive data in test and development environments
Encrypted data processing: Processing data without decryption where possible
Default Privacy Settings:
Minimal data collection
Marketing requires active opt-in
Maximum privacy protection as default
Data Retention Periods
We have clear policies for data retention to ensure we only keep personal data as long as necessary:
User Accounts and Profile Information:
Stored as long as the account is active
Deleted within 30 days after request for account cancellation
AI Interactions (Prompts and Outputs):
If history feature is enabled: Stored as long as the user wants and can be deleted at any time with a single click
If history feature is disabled: Not permanently stored by SkrivSikkert
Automatically deleted from our systems at the end of each browser session (if history is disabled)
May potentially be stored by Microsoft Azure OpenAI for up to 30 days as part of their security procedures, but this data is not accessible to us and is reviewed only in extremely rare cases
Login Information:
Stored securely as long as the account is active
Encrypted and anonymized after 12 months of inactivity
Technical Log Files:
Stored for up to 90 days to ensure system integrity and security
Do not contain personally identifiable information
Payment Data:
Transaction history: Stored for 5 years in line with bookkeeping law
Card information: Never stored on our servers (handled directly by Stripe)
Subscription information: Stored as long as subscription is active plus 5 years
Support Requests:
Email correspondence: Stored for up to 1 year after resolution
Used for quality assurance and customer service improvement
We regularly review our data retention practices to ensure we comply with GDPR's storage limitation principle. If you have specific questions about storage of your data, you're welcome to contact our DPO.
User Rights and GDPR
User Rights Under GDPR
You have the following rights:
Access: See what personal data we process
Rectification: Correct errors in your information
Erasure: Have your data deleted ("right to be forgotten")
Restriction: Limit our processing of your data
Data Portability: Receive your data in a machine-readable format
Object: Object to processing
History Control: View, turn off, or delete your history with one click
To exercise your rights, contact us at gdpr@spellbright.ai.
Note: Due to our limited data retention, we cannot recover deleted prompts or AI-generated content.
Consent
We only obtain consent through active actions - never pre-checked boxes. Your consent is documented with time and content, and you can withdraw it at any time through your account or by contacting us.
Data Portability
You can request a copy of your personal data in a structured, machine-readable format. We fulfill requests within 30 days.
GDPR Compliance
We ensure full GDPR compliance through:
Data processing agreements with all vendors
All data remains within the EU
Full user control over personal data
Strong encryption and security controls
Anonymous processing of AI interactions
Regular security audits
Rapid notification in case of data breach
Technical restrictions preventing data transfer outside the EU
International Data Transfers
We don't transfer personal data outside the EU/EEA. Should future transfers become necessary, we will:
Obtain your explicit consent
Use EU standard contractual clauses
Ensure adequate level of protection
Inform you 30 days before the change
Risk Assessment and AI Transparency
Impact Assessment
We've conducted an initial analysis of our data processing. The analysis shows our current practices don't require a full DPIA, as we:
Have limited retention of personal data
Don't make automated decisions with significant impact
Have implemented strong security measures
We've still implemented extra protection:
Strengthened encryption
Strict access controls
Ongoing staff training
Continuous security monitoring
We regularly review our risk assessment and conduct a full DPIA if our data processing changes significantly.
Automated Decision-Making
Our AI system doesn't make automated decisions with legal or significant consequences.
The system:
Only generates suggestions and recommendations
Leaves all decisions to you
Clearly informs you that you're interacting with AI
We fully comply with GDPR Article 22 on automated decisions.
Platform and Technical Architecture
Hosting: GDPR-certified data center in Denmark (Simply.com)
AI Processor: Microsoft Azure OpenAI with servers in Sweden
Data Transfer: No transfer outside the EU
How It Works
Account Creation: Your login credentials are stored securely on our servers
AI Processing: Your text is sent encrypted to Microsoft Azure OpenAI
Data Security: End-to-end encryption and real-time monitoring
Data Limitation: We only have access to login information, not your AI interactions
Technical Security Measures
Your data is processed with maximum security:
Anonymous identifiers replace personal data
Local browser storage automatically deleted at session end
We cannot track or store your requests
All data remains private and under your control
AI Transparency
How Our AI Works:
Our AI models are "stateless" - they don't store information between conversations. Each interaction is completely new and independent, ensuring previous inputs don't influence future responses.
AI Model Information and Limitations
Model Type: We use advanced language models through Microsoft Azure OpenAI, among the most secure and GDPR-compatible solutions on the market.
Known Limitations:
AI models can produce inaccurate or outdated information
Outputs should always be verified for critical applications
Models don't have real-time internet access or knowledge of current events
Cultural and linguistic nuances can sometimes be misinterpreted
Complex professional topics require human expert verification
Human Oversight and Quality Assurance
No Automated Decisions: Our AI doesn't make decisions with legal or significant consequences
Quality Control: Regular spot checks of AI outputs to ensure quality
User Reporting: Option to report problematic outputs directly in the interface
Ongoing Improvements: Systematic collection of anonymized feedback to improve the service
Bias Handling and Fairness
We actively work to ensure fair and unbiased AI through:
Ongoing monitoring for potential biases
Inclusive and respectful responses to all users
Clear ethical guidelines for AI use
Transparent communication about AI limitations
Your prompts and outputs are never used to train or improve AI models. Microsoft may review data in rare cases of suspected serious abuse but has no access to your data during normal operation.
Data Processing Principles
Scope: We only process text you actively enter
Duration: Real-time processing with instant deletion from active memory
Improvement: Continuous development focused on data protection and ethics
Third Parties and Vendors
Third-Party Integrations and Sub-Processors
We use the following carefully selected vendors to deliver our services.
Microsoft Azure OpenAI
Purpose: AI text generation and language models
Data Processing: Data center in Sweden
Security: Full GDPR compliance, end-to-end encryption
Simply.com
Purpose: Web hosting
Data Processing: Servers in Denmark
Security: GDPR-certified data center
WordPress & Elementor Pro
Purpose: Website platform and design
Data Processing: Local on our servers
Security: Regular updates
Stripe
Purpose: Payment processing
Data Processing: We never have access to full card information
If a sub-processor fails to fulfill their obligations, we remain fully responsible to the data controller. We commit to informing the data controller of any planned changes regarding the addition or replacement of sub-processors with at least 30 days' notice.
Data Breach Procedures and Security
Data Breach Procedures
In case of a data breach, we have implemented the following detailed procedures:
Immediate Response (0-24 hours)
Detection and Containment: Immediate identification and limitation of the breach
Initial Assessment: Determining the breach's scope, affected data systems, and potentially affected users
Crisis Team Activation: Convening data protection team and relevant technical experts
Authority Notification (24-72 hours)
Data Protection Agency: Notification within 72 hours of becoming aware of the breach
Documentation: Detailed documentation of the breach's nature, scope, and preliminary remediation measures
User Notification (Without Undue Delay)
Risk Assessment: If the breach likely poses high risk to users' rights and freedoms
Direct Communication: We contact affected users via email, prominent website notice, and potentially SMS for critical security breaches
Information We'll Give You
In case of a data breach, we'll inform you about:
Time of the breach
Categories of affected personal data
Likely consequences of the data breach
Measures we've taken or plan to take
Contact information for our Data Protection Officer (DPO)
Recommended actions you can take (e.g., changing password)
Follow-Up Actions
Thorough Investigation: Complete technical and procedural review
Implementation of Improvements: Security measure updates based on learnings
Follow-Up: Ongoing communication with affected users about progress
Our Commitments
We commit to full transparency throughout the process
All data breaches are documented internally, regardless of whether they must be reported
We conduct annual data breach simulations to test our readiness
We maintain a data breach management plan updated quarterly
User Responsibility and Security
As a user of our service, you also have a responsibility to protect your personal data:
Keep your login credentials confidential and never share them with others
Use strong and unique passwords
Log out of your account when finished, especially on shared or public devices
Regularly update your personal information
Be mindful of what information you share through our platform
Report suspicious activity or unauthorized access immediately
Recommended Security Practices
Strong Passwords:
Minimum 12 characters
Combination of uppercase and lowercase letters, numbers, and special characters
Unique password not used elsewhere
Consider using a password manager
Phishing Protection:
We never send emails asking for your password
Always verify sender address (must end with @skrivsikkert.dk)
Be skeptical of unexpected links or attachments
Contact us directly if you're unsure whether a communication is genuine
By following these guidelines, you help us maintain the security and integrity of our service.
Complaint Access and Contact
Right to Complain
As a user, you have the right to file a complaint with a data protection authority if you believe your personal data has been processed in violation of data protection law. In Denmark, the Danish Data Protection Agency serves as the national data protection authority.
If you want to complain about our processing of your personal data, you can direct your inquiry to:
Danish Data Protection Agency
Address: Carl Jacobsens Vej 35, 2500 Valby, Denmark
Phone: +45 33 19 32 00
Email: dt@datatilsynet.dk
Website: www.datatilsynet.dk
Privacy Policy Updates
We review and update our privacy policy regularly, at least once a year or more often if there are significant changes to our data processing practices or relevant legislation. For significant changes, we will:
Post the updated policy on our website with a clear indication of the change date
Send an email notification to registered users about the changes
In special cases, we may request renewed consent from users
We encourage our users to regularly review our privacy policy to stay informed about how we protect their personal data.
Update Notifications
For significant changes, we'll inform our users via email and/or a prominent notice on our website before the changes take effect.
Versioning and Updates
We encourage you to review this policy regularly. Our privacy policy will always be updated on our website.
Last Updated: November 24, 2025
Contact
For questions about data protection or exercising your rights: