Data Protection Impact Assessment (DPIA)
Public executive summary. The full document is kept in Bilbao AI S.L.'s Security File and is available to the Supervisory Authority (Spanish AEPD) upon request.
1. Scope and legal obligation
Article 35 GDPR mandates a DPIA whenever processing — by its nature, scope or purposes — is likely to result in a high risk to the rights and freedoms of natural persons. Afini.ai processes special categories of data (Art. 9 GDPR: psychological traits, values, attachment, humour, time orientation, life context) and applies automated algorithms to them. This DPIA is therefore a living document: it is reviewed at least annually and whenever a new layer, a new model or a substantive change in the legal basis is introduced.
2. Data map
Identification (email, language), payment data (handled by Stripe; Bilbao AI never stores PAN or banking data), psychometric questionnaire responses, conversations with the AI, declared layers (vital, rhythms, trajectory, hobbies, etc.), LLM proxy usage metrics and audit events. Processors: Stripe (payments), Anthropic (LLM provider under a DPA: processes content only and never trains on it), Resend (transactional email), Holded (Spanish e-invoicing under TicketBAI), Railway (European hosting), Cloudflare (CDN/WAF), Sentry (European error monitoring).
3. Identified risks
- Sensitive inference risk: combining layers may reveal psychological states the user did not explicitly declare.
- Re-identification risk: pseudonymised data could be linked back to the subject if cross-referenced with external sources.
- Secondary use risk: third parties might use the AfiniTwin or narratives for purposes other than those consented to.
- Algorithmic bias risk: LLM models could reproduce biases when interpreting the profile.
- International transfer risk: although the main processing is European, Anthropic's API processes content under a DPA with EU Standard Contractual Clauses (SCCs).
4. Mitigations
- Encryption in transit (TLS 1.2+) and at rest (AES-256) across all layers; database segregation in European infrastructure (Railway eu-west).
- Granular and revocable consent per layer with an audit trail for each change (see the Consents tab in your dashboard).
- Minimisation: each AI conversation only receives the strictly necessary subset of the profile; content is never used to train models.
- Bias audits on proxy prompts and periodic human review of generated narratives.
- Aggressive anonymisation in logs and metrics: salted IP hashes, no conversation content, limited retention (90 days in Sentry, 30 days in application logs).
- Documented breach notification procedure (Art. 33 GDPR) within 72 hours with full chain of custody.
5. Review and governance
The DPIA is reviewed at least once a year and mandatorily whenever a new layer, a new model or a high-impact feature (e.g. third-party export) is introduced. The Data Controller approves each review and the date is logged in the Security File. Professional users and companies may request access to the extended summary upon signing a confidentiality agreement.
Are you a professional or a company? Request the DPA.
If you intend to process your clients' data through Afini.ai, Art. 28 GDPR requires you to sign a Data Processing Agreement (DPA). We send you the template within 48 hours.
Template prepared for counter-signing: download it, fill in your details in the signature section, sign it and send it to privacidad@afini.ai. We will counter-sign it and return the sealed PDF within 48 hours.
Last updated: 6 May 2026