Chapter V
AfiniTwin: documented AI Act + GDPR compliance
Compliance is not a legal paragraph: it is a defensible technical-legal argument that must hold up before a data protection authority or an auditor. Here we declare where AfiniTwin sits under the AI Act and the GDPR, what it does not do, and how that is demonstrated. The DPIA and the DPA are accessible to B2B customers.
Regulatory position: limited risk
AfiniTwin sits in the limited-risk tier of the EU AI Act (Regulation 2024/1689). It is not a high-risk system under Annex III: it is not used for credit scoring, employment, critical infrastructure, or regulated education. The main obligation for a limited-risk system is transparency (Art. 50): the user must know they are interacting with AI. AfiniTwin meets it by construction, since the whole system is public.
The detailed argument, article by article, is in the public DPIA. We update it whenever functional scope changes.
Red lines (what it does NOT do)
As important as what AfiniTwin does is what it does not do. Five declared red lines:
- No automated decisions with legal or similarly significant effects (GDPR Art. 22). AfiniTwin produces context a human consumes and decides upon.
- No inference of special category data (GDPR Art. 9): racial or ethnic origin, political opinions, religious beliefs, biometric data, health data. If the user voluntarily declares such data, it is not automatically processed.
- No advertising profiling. AfiniTwin is not monetised via ads, not sold to third parties. The only transaction is purchasing the package.
- No stigmatising classification. The profile describes validated psychometric traits, not DSM labels or reductive "types".
- No data persistence on the external LLM side beyond the conversation. The user controls which LLM is used and under what policy; AfiniTwin has no visibility into that.
Your rights as data subject
The GDPR grants rights that are operationalised here, not merely listed in a PDF:
- Access: a full copy of your profile is always accessible in your panel.
- Rectification: you can recalibrate any dimension whenever you want (free forever).
- Erasure: deleting your account removes the profile on Afini’s side. Historical snapshots are kept only if explicitly requested and erased with your account.
- Portability: the structured JSON format is expressly designed to port your data to another system.
- Objection and restriction: you can pause processing without cancelling your account.
Public DPIA
We ran a Data Protection Impact Assessment (DPIA) and published it in full before launch. The AfiniTwin Portable DPIA declares:
- Legal basis for processing (GDPR Art. 6(1)(b), contract performance).
- Categories of data processed and minimisation applied.
- Identified risks and mitigation measures.
- Proportionality and necessity analysis.
- Stakeholder consultation and informed consent.
DPA available for B2B
If your organisation integrates AfiniTwin via the B2B API or deploys it for employees, we offer a signed Data Processing Agreement (DPA, GDPR Art. 28) in six languages, with no opaque clauses. The public template is available for legal review.
The DPA covers subprocessors, international transfers (the current Standard Contractual Clauses, SCCs), breach notification and audit terms. If your compliance team asks for reasonable modifications, we negotiate them at no extra fee.
Compliance your compliance team will approve
If your organisation runs a serious AI vendor assessment process, AfiniTwin passes it with documentation that is already public.