AfiniTwin

Legal compliance explained

Almost no one in the AI personalization space has this page. Doing it well is pure differential value. This is NOT decoration: it's what separates AfiniTwin from competitors who haven't done their homework.

Product position in the AI Act

EU Regulation 2024/1689 (AI Act) classifies AI systems into four risk categories. AfiniTwin Portable is positioned at limited risk (Art 50, transparency obligations), not as a high-risk system or a prohibited practice.

  • NOT a high-risk system (Annex III): not used for decisions about employment, education, credit, justice, migration, or essential services.
  • Does NOT make automated decisions (GDPR Art 22): the profile informs the behavior of the AI in a conversation; it does not make decisions that significantly affect the subject.
  • Does NOT perform social scoring or employability/risk assessment (AI Act Art 5).
  • Does NOT infer special-category data under GDPR Art 9 without legal basis.
  • Meets transparency (Art 50): the meta-prompt declares that the content is AI-generated with a personalized profile.

Internal red lines (what we do NOT do)

  1. Do NOT offer "Therapy" mode or mention therapeutic functions. Sensitive modes (CRITIC, MIRROR) carry disclaimers about not replacing qualified professionals.
  2. Do NOT offer legal, medical, financial, or psychological advice. If the user asks, the LLM declines and refers.
  3. Do NOT offer voice imitation of third parties (only the user themselves in VOICE mode).
  4. Do NOT infer third-party profiles (TRANSLATOR mode does not psychoanalyze the sender).
  5. Do NOT use the profile to infer special-category data under GDPR Art 9.
  6. Do NOT market to employers / educational institutions to evaluate third parties.
  7. Mandatory transparency in every output.

Materialized GDPR rights

  • Access (Art 15): the ANALYST mode and the full JSON download materialize this right.
  • Portability (Art 20): structured JSON in machine-readable format.
  • Rectification (Art 16): you recompile layers in Mi IA; subsequent Twins reflect the changes.
  • Erasure (Art 17): on user request, within 30 days.
  • Objection (Art 21): you stop buying Twins. Already-issued ones are not retroactively generated.
  • Not being subject to automated decisions (Art 22): does NOT fully apply because the product doesn't make automated decisions. Still declared explicitly.

Product DPIA

Annex to Afini's general DPIA. Covers data flow, identified risks (downloaded-file leakage, indirect inference by third parties, VOICE mode used for fraud, MIRROR mode in vulnerable profiles, obsolete immutable snapshot, employer misuse), and mitigation measures.

General DPIA. (legal/dpia-twin-portable-2026.md)

DPA for integrators

For B2B clients who want to integrate AfiniTwin into corporate flows, a specific Data Processing Agreement is signed. Contact: legal@afini.ai.

External audit

For now, this is a statement of intent. When an external audit takes place, the results will be published here.

Acceptable use policy

Five user commitments at purchase: do not resell, do not impersonate third parties with VOICE mode, do not use the Twin for decisions about third parties, do not substitute it for a qualified professional, and do not hold Afini responsible for the consequences of injecting the file into third-party platforms.

The full text is at legal/twin-aup-2026.md in the repo.

AfiniTwin — AI Act + GDPR compliance