Twenty questions, real answers.

It indexes every photo across the systems you connect — drives, websites, SharePoint, S3 — and lets you find every appearance of a given person in under a second. The output is a regulator-ready PDF with source URLs, crawl dates and confidence scores.

It is built for one job: answering Article 15 and Article 17 of the GDPR when photos are involved.

Where it always lived. We don't make copies. The connector pulls each image, generates a 512-dimensional vector representing each detected face, and stores only the vector. The image is then released.

This is Article 5(1)(c) — data minimisation — written into the architecture, not a paragraph in the privacy policy.

On a typical organisational archive, auto-confirm at ≥ 0.92 confidence yields ~99.6% precision in our internal evaluations. Anything between 0.78 and 0.91 goes to a human reviewer; anything below 0.62 is dropped before storage.

The model is one of several you can choose; we don't claim "best in the world." We claim transparent thresholds and a review queue you control.

Each face becomes its own appearance. A class photo with 24 children is indexed as 24 appearances tied to one image. When a single parent withdraws consent, the URL Proxy blurs only that face — the rest of the photo is unaffected.

The first connector takes 5–10 minutes. Initial crawl of a 100,000-image archive completes in roughly 6–10 hours; subsequent crawls are incremental and finish in minutes. You can run searches against partial coverage immediately.

Yes. Biometric data used to uniquely identify a person falls under Article 9. Processing it requires a lawful basis under Article 9(2) — typically explicit consent, or substantial public interest established in law.

Ansikt is the tool. The lawful basis is yours to establish. We provide the DPIA template, the sub-processor list and the audit log. We won't tell you whether your basis is sound — that's your DPO's job, and we won't pretend otherwise.

Yes. There's an optional subject portal: the data subject logs in, uploads a reference selfie, and sees every appearance with source URL and confidence. They can request erasure from the same screen.

The portal is part of how Ansikt makes Article 15 transparent in spirit, not just in letter.

The next crawl notices and removes the appearance. We retain a tombstone record (URL, hash, removal timestamp) for the audit log; the vector itself is deleted with verifiable receipt.

Datatilsynet (the Danish DPA) and your equivalent supervisory authority can request the hash-chained audit log directly. We'll cooperate without requiring you to coordinate the request through us — though we'd appreciate the heads-up.

No. The models are trained on licensed and public-domain datasets only, before any customer touches the product. Your vectors and your archive are never used to retrain or fine-tune the model — yours or anyone else's.

This is contractual, not just principled. The DPA forbids it.

Hetzner in Frankfurt and Falkenstein for compute and primary storage; Scaleway in Paris for object storage and backups. Both are EU companies operating in EU regions. No US sub-processors of any kind.

AES-256 at rest, with per-tenant keys. TLS 1.3 in flight, with mTLS on connector traffic. On Organisation and Sovereign tiers, customers manage their own keys; on Sovereign, optionally backed by an HSM.

Audit underway, completion expected Q2 2026. We won't claim certification we don't yet hold. Until then, we publish our control mapping and a current self-assessment under Article 32 on request.

Email security@ansikt.dk with reproduction steps. We acknowledge inside 24 hours, fix critical issues in 72, and credit reporters by name unless asked otherwise. PGP key on request.

Because a DSAR doesn't get harder when more people work it. Per-seat pricing punishes you for involving the right team — legal, HR, marketing, the DPO. The size of your archive is the cost driver, so that's what we meter.

Yes. A 30-day evaluation, scoped to one connector, capped at 50,000 images. We require a signed DPA before any indexing begins; we'll send the template the same day.

SKI 02.19 (software as a service) is in process for Danish public-sector customers. Targeted listing date is mid-2026. Talk to trust@ansikt.dk if you need a different framework — we've onboarded under one-off direct procurement before.

Not for live or investigative use. Police and security services have asked, and the answer has been no. Ansikt only searches systems the customer owns and has lawful basis to process; we don't index the open internet, and we don't enable real-time surveillance.

We do work with public-sector compliance teams in the same role they'd hire any other GDPR tooling for: answering DSARs against their own employees and applicants. That distinction matters.

Customer DPAs include a control-change clause: if Ansikt is acquired by an entity outside the EU, or by an entity that fails our internal sub-processor review, every customer can terminate without penalty and receive verifiable deletion of their vectors and logs.

We'd rather lose customers cleanly than retain them under conditions they didn't agree to.

Yes. +45 32 40 00 00, Mondays through Thursdays, 9–17 Copenhagen time. Friday afternoons are reserved for shipping. The phone is answered by an actual founder.