Tags

What goes into the model: scraped corpora, customer data, fine-tuning sets, and the rights that follow.

• A customer asks 'what does your AI know about me?' How to answer an Article 15 request when you ship LLM features
• Right to erasure when your AI used the data: what's actually deletable in 2026
• Do you need a DPIA for your AI feature? A practical check

AI tools your team is already using without telling you — the procurement gap, the privacy gap, and how to surface them.

• Otter, Fireflies, Zoom AI Companion: when meeting transcription becomes a confidentiality breach
• How to write an AI acceptable use policy for your team
• Your employee pasted client data into ChatGPT. Now what

Patterns where personal data leaves your trust boundary through an AI feature, and what to do in the first 72 hours.

• Your AI feature just leaked customer data. The first 72 hours, hour by hour
• Prompt injection in production: how to defend what you've shipped
• Your employee pasted client data into ChatGPT. Now what

Privacy and compliance issues specific to ChatGPT and the OpenAI consumer surface — including the moments employees paste things they should not.

• Sending data to OpenAI, Anthropic, or Google? The 2026 state of EU-US AI transfers
• Your employee pasted client data into ChatGPT. Now what

When customer data flows into an AI feature: the consent question, the contractual question, and the breach-notification question.

• Otter, Fireflies, Zoom AI Companion: when meeting transcription becomes a confidentiality breach
• Your employee pasted client data into ChatGPT. Now what

Data processing agreements with AI vendors: what to look for, what to push back on, and the clauses most teams miss.

• When you call OpenAI, who actually processes your data? The AI sub-processor cascade
• Sending data to OpenAI, Anthropic, or Google? The 2026 state of EU-US AI transfers

Internal AI acceptable-use policies — the rules you write so your team knows what they can paste and where.

• How to write an AI acceptable use policy for your team
• Your employee pasted client data into ChatGPT. Now what

The cascade of vendors sitting under your AI provider, and the disclosure obligations that follow them down the stack.

• When you call OpenAI, who actually processes your data? The AI sub-processor cascade
• A customer asks 'what does your AI know about me?' How to answer an Article 15 request when you ship LLM features

Due diligence checklists for picking an AI provider — what to ask, what to compare, and what to refuse to sign.

• When you call OpenAI, who actually processes your data? The AI sub-processor cascade
• Otter, Fireflies, Zoom AI Companion: when meeting transcription becomes a confidentiality breach

Logging, observability, and audit trails for AI systems — without turning your monitoring into the next privacy incident.

• Your AI feature just leaked customer data. The first 72 hours, hour by hour
• Prompt injection in production: how to defend what you've shipped

Cross-border data flows after Schrems II and the 2023 Adequacy Decision — TIAs, SCCs, and where the AI providers actually sit.

• When you call OpenAI, who actually processes your data? The AI sub-processor cascade
• Sending data to OpenAI, Anthropic, or Google? The 2026 state of EU-US AI transfers

Vector embeddings and the GDPR question of whether they qualify as personal data once you can re-identify someone from them.

• Right to erasure when your AI used the data: what's actually deletable in 2026

Autonomous AI agents that read, write, and act on production data — and the access-control problems they create.

• Prompt injection in production: how to defend what you've shipped

AI in HR, recruitment, monitoring, and performance — where employee data meets automated decision-making.

• How to write an AI acceptable use policy for your team

Data subject access requests against AI stacks — what you have to find, how to explain it, and how to meet the one-month clock.

• A customer asks 'what does your AI know about me?' How to answer an Article 15 request when you ship LLM features

GDPR Article 17 against trained models: vector stores, fine-tuned weights, and what 'erasure' actually means in an AI context.

• Right to erasure when your AI used the data: what's actually deletable in 2026

When an AI feature triggers a Data Protection Impact Assessment, and what a defensible DPIA looks like in practice.

• Do you need a DPIA for your AI feature? A practical check

The 72-hour clock under GDPR Article 33 and how it interacts with breaches that happen at your AI provider, not at you.

• Your AI feature just leaked customer data. The first 72 hours, hour by hour

Adversarial inputs that turn a helpful LLM into a confused deputy — and the data exfiltration paths they open.

• Prompt injection in production: how to defend what you've shipped

Where your AI provider actually stores and processes data, and how that interacts with sovereignty and adequacy regimes.

• Sending data to OpenAI, Anthropic, or Google? The 2026 state of EU-US AI transfers