Join waitlist
GDPR compliance

The two articles that put photos on your 30-day clock.

Ansikt is built around Article 15 and Article 17. The same index that answers one also answers the other. Here's how the law lines up with the product.

01 · The two articles

Right to access. Right to erasure.

15 Article 15 · Right of access

"What photos do you have of me?"

The data subject can ask for a complete copy of personal data you hold about them. Photos containing their face count. You have 30 days to answer, and the answer must be complete.

Ansikt → complete answer in < 1 second
17 Article 17 · Right to erasure

"Delete every photo of me."

When the lawful basis falls away, the data subject can ask you to remove every appearance. You must locate every copy across every system, and prove you did.

Ansikt → find · route · prove
02 · How Ansikt maps to the law

Each obligation, the surface that handles it.

Article
What the law asks
How Ansikt answers
Art. 5(1)(a)
Lawfulness, fairness, transparency
Process personal data lawfully and transparently. Tell the subject what you're doing.
Audit log of every search and export, with operator and reason. Subject portal shows where their face appears.
Art. 5(1)(c)
Data minimisation
Only the data you actually need. No more.
We store one 512-dim vector per face. The original image stays at the source. We never make copies.
Art. 15
Right of access
A complete copy of all personal data on a 30-day clock.
Reference photo or identity → every appearance, every source URL, exportable as a signed PDF.
Art. 17
Right to erasure
Locate and delete every appearance. Prove it was done.
Per-source removal tasks routed to owners. Status tracked. Final audit report attached to the subject's record.
Art. 25
Privacy by design
Bake privacy into the system, not on top of it.
Read-only connectors. EU-only infrastructure. No third-party model providers. URL proxy with face blurring.
Art. 30
Records of processing
Maintain records of what you process, why, and for whom.
Tamper-evident, hash-chained log. SIEM-ready stream. Exportable for the DPA on request.
Art. 32
Security of processing
Appropriate technical and organisational measures.
AES-256 at rest. TLS 1.3 in flight. SCIM identity. EU jurisdiction only. ISO 27001 in progress.
03 · Honest about the edges

What Ansikt doesn't do for you.

A tool can find photos. It cannot make legal judgments for you. Here's where the work stays yours.

We do

Find every appearance across the systems you connect, with audit trail.

We don't

Decide whether your lawful basis for processing is still valid.

We do

Route removal tasks to the owners of each source, with status tracking.

We don't

Push deletes to your sources without your operator confirming.

We do

Generate a regulator-ready PDF export of every appearance and how it was found.

We don't

Replace your DPO. Legal review of each response stays with your team.

Note for DPOs

A DPIA template, ready to fill in.

Every Ansikt deployment ships with a Data Protection Impact Assessment template — eight sections, a five-row risk matrix, three signature blocks. Aligned with the Datatilsynet template and pre-populated with what Ansikt does, so you only fill in what's specific to you. Free, CC-BY licensed, no email required.