GDPR
Data processing, retention, subject rights, and the Crowdee data processing agreement.
Crowdee processes personal data on behalf of its customers under the General Data Protection Regulation (GDPR, Regulation 2016/679). This page describes the legal relationship between Crowdee and its customers under GDPR, what categories of data Crowdee processes and for how long, how Crowdee handles data subject rights requests, and the policies governing the transfer of data outside the European Union.
Data Controller and Processor
In the GDPR framework, Crowdee acts as a data processor on behalf of its customers. Customers are the data controllers: they determine the purposes and means of processing the content they upload to Crowdee, and they retain responsibility for ensuring that there is a lawful basis under GDPR Article 6 for that processing.
This means that when you upload files to Crowdee for verification, you are responsible for ensuring that you have the legal right to submit that content to a third-party processor. If the content contains personal data about individuals — their images, voices, or identifying information — you must have a lawful basis for processing that data, and you must ensure that your data processing obligations to those individuals are met, including any obligations under the GDPR regarding automated decision-making.
A Data Processing Agreement (DPA) is available for all paid plans. The DPA sets out the obligations of both parties in accordance with GDPR Article 28, including the subject matter and duration of processing, the nature and purpose of processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller. To request a DPA, contact privacy@crowdee.ai.
What Data Crowdee Processes
| Category | Data | Retention |
|---|---|---|
| Account data | Name, email address, organisational role | Until account deletion |
| File content | Uploaded files (images, audio, video, documents, text) | Until the file is deleted by the controller |
| Enrichment metadata | Technical metadata extracted from files by the enrichment worker (EXIF, codec info, loudness levels, etc.) | Until the associated file is deleted |
| Verification results | Stage outputs, verdicts, crowd worker responses, confidence scores, audit records | Until project deletion or 5 years, whichever comes first |
| Audit logs | Timestamped records of API actions, authentication events, and admin operations | 5 years (regulatory compliance requirement) |
| Billing data | Invoices, transaction records, payment method metadata | 10 years (German commercial law, § 257 HGB) |
File content and enrichment metadata are deleted when the controller deletes the file via the API or the Platform. Deletion is permanent and is not subject to a recovery window after confirmation. Verification results associated with a project are deleted when the project is deleted.
Audit logs and billing data are subject to mandatory retention periods and cannot be deleted on request before those periods expire. These retention obligations arise from German commercial and regulatory law and are not waivable by contract.
Special Category Data
If the content you upload to Crowdee contains personal data that falls within the special categories defined in GDPR Article 9 — including biometric data used for identification purposes, health information, data revealing racial or ethnic origin, political opinions, religious beliefs, or data concerning sexual orientation — that content is subject to heightened obligations under GDPR.
You are responsible for ensuring you have an explicit consent or another valid GDPR Article 9 basis before uploading special category data to Crowdee. Crowdee does not independently verify whether uploaded content contains special category data, and does not apply any additional processing restrictions based on content type alone. If you are uncertain whether your content constitutes special category data, consult your data protection officer before uploading.
See the Identity Claim pipeline for specific GDPR considerations that apply when running identity verification workloads through Crowdee.
Data Subject Rights
Crowdee supports the exercise of data subject rights through two channels: direct requests to Crowdee, and controller-side deletion via the API.
Deletion requests: Data subjects can request deletion of personal data held by Crowdee by contacting privacy@crowdee.ai. Crowdee will coordinate with the relevant controller to action the request within the 30-day GDPR response window. Controllers can also delete individual files and their associated metadata directly via the API:
DELETE https://api.crowdee.ai/v2/files/{fileId}
X-API-Key: crw_YOUR_API_KEYNote that audit logs cannot be deleted before the 5-year retention period has expired, as these records are required to satisfy Crowdee's own regulatory obligations. If a data subject's personal data appears in an audit log, Crowdee will provide a legal basis memo explaining why the retention period precludes deletion.
Access requests: Data subjects who believe their personal data is held within a Crowdee customer's project can make a Subject Access Request to privacy@crowdee.ai. Crowdee will coordinate with the controller to facilitate the export. Controllers can also initiate a full organisation data export via the Platform under Settings → Data Export.
Rectification and portability: Corrections to account data can be made directly through the Platform. Full data portability exports are available in JSON format on request.
Transfers Outside the EU
Crowdee does not transfer customer data outside the European Union. All production infrastructure is operated from netcup GmbH data centres in Germany. No cross-border data transfers occur during file storage, enrichment processing, AI stage execution, or crowd task distribution.
The AI model used by Crowdee's verification pipelines runs locally on Crowdee-operated infrastructure in Germany. No content is sent to third-party AI APIs or cloud-hosted model providers.
No Standard Contractual Clauses (SCCs) or adequacy decisions are required in connection with Crowdee's data processing. All data flows are EU-to-EU and fall under GDPR directly. For a full list of Crowdee's sub-processors, see crowdee.ai/subprocessors.
How is this guide?
EU AI Act
AI system documentation, human oversight mechanisms, and transparency obligations.
Infrastructure & Security
Hosting, data residency, encryption, and NIS2 security posture.