Compliance & Legal Framework
Our commitment to legal compliance and regulatory standards
1. Data Protection Compliance
GDPR (General Data Protection Regulation)
For users in the European Union, we ensure:
- Lawful basis for data processing (legitimate interest and consent)
- Data minimization - we collect only necessary information
- Right to access, rectify, and delete personal data
- Data portability and right to object to processing
- Privacy by design and by default
- Data Protection Impact Assessments (DPIAs) where required
CCPA (California Consumer Privacy Act)
For California residents, we provide:
- Right to know what personal information is collected
- Right to delete personal information
- Right to opt-out of sale of personal information (we don't sell data)
- Right to non-discrimination for exercising privacy rights
- Transparent privacy practices and disclosures
Other Regional Compliance
- PIPEDA (Canada): Personal Information Protection compliance
- LGPD (Brazil): Lei Geral de Proteção de Dados compliance
- Privacy Act (Australia): Australian Privacy Principles compliance
2. AI and Content Compliance
AI Ethics and Responsible Use
- Transparent disclosure of AI-generated content
- Bias detection and mitigation in AI outputs
- Human oversight of automated content moderation
- Regular audits of AI model performance and fairness
- Compliance with emerging AI regulations (EU AI Act preparation)
Content Moderation Standards
- Proactive filtering of harmful and illegal content
- Compliance with platform content policies
- Age-appropriate content controls
- Intellectual property protection measures
- Hate speech and harassment prevention
Deepfake and Synthetic Media
- Clear labeling of AI-generated and face-swapped content
- Consent requirements for face swap functionality
- Prohibition of non-consensual intimate imagery
- Compliance with deepfake disclosure laws
3. Industry Standards & Certifications
Security Standards
SOC 2 Type II
Security, availability, and confidentiality controls
ISO 27001
Information security management systems
PCI DSS
Payment card data protection (via Creem)
OWASP
Web application security guidelines
Third-Party Audits
- Annual security audits by certified third parties
- Penetration testing and vulnerability assessments
- Privacy impact assessments for new features
- Regular compliance reviews and updates
4. Legal Framework & Jurisdiction
Governing Law
ThumbFlow AI operates under the laws of Delaware, United States, as a sole proprietorship. Our legal framework includes:
- Terms of Service governing user relationships
- Privacy Policy outlining data handling practices
- Acceptable Use Policy defining prohibited activities
- Data Processing Agreements with third-party providers
International Operations
- Cross-border data transfer safeguards
- Local law compliance in operating jurisdictions
- Standard Contractual Clauses for EU data transfers
- Adequacy decisions and certification mechanisms
5. Third-Party Provider Compliance
AI Service Providers
Primary AI Platform Providers
- SOC 2 Type II certified
- GDPR and CCPA compliant
- Data Processing Agreements in place
- Regular security audits and assessments
Natural Language Processing Provider
- SOC 2 compliant
- Data Processing Agreement executed
- API data retention policies aligned
- Privacy and security certifications
Database and Infrastructure Provider
- ISO 27001 certified
- GDPR compliant infrastructure
- Row-level security implementation
- Regular compliance audits
We maintain comprehensive due diligence processes for all AI service providers, ensuring they meet our standards for security, privacy, and regulatory compliance.
Payment Processing
- Creem payment processor is PCI DSS Level 1 certified
- End-to-end encryption for payment data
- Fraud detection and prevention systems
- Regular security assessments and audits
6. Compliance Monitoring & Reporting
Continuous Monitoring
- Automated compliance monitoring systems
- Regular policy reviews and updates
- Staff training on compliance requirements
- Incident tracking and response procedures
Transparency Reports
- Annual transparency reports on data requests
- Content moderation statistics and trends
- Security incident summaries (anonymized)
- Compliance certification status updates
7. User Rights & Requests
Data Subject Rights
You can exercise the following rights regarding your personal data:
Access
Request a copy of your personal data
Rectification
Correct inaccurate information
Erasure
Request deletion of your data
Portability
Export your data in a standard format
Restriction
Limit how we process your data
Objection
Object to certain processing activities
How to Exercise Your Rights
Email: contact@thumbflow.io
Subject: Data Subject Rights Request
Response Time: Within 30 days
Verification: We may request identity verification for security
8. Regulatory Updates & Changes
Staying Current
We actively monitor and adapt to regulatory changes:
- Regular review of emerging privacy and AI regulations
- Participation in industry working groups and standards bodies
- Legal counsel consultation on regulatory compliance
- Proactive implementation of best practices
Upcoming Regulations
- EU AI Act: Preparing for AI system compliance requirements
- UK Data Protection Act: Monitoring post-Brexit developments
- US Federal Privacy Laws: Tracking proposed federal legislation
- Sector-Specific Rules: Adapting to content platform regulations
Communication of Changes
- Email notifications of material policy changes
- In-app notifications for compliance updates
- Website announcements of regulatory changes
- Regular compliance newsletter for interested users
9. Compliance Contact Information
Legal and Compliance Team
General Contact
Email: contact@thumbflow.io
Response: 2 business days
Note: All inquiries (compliance, privacy, legal, security) are handled through this email
Regulatory Authority Contacts
If you have concerns about our compliance practices, you may also contact relevant regulatory authorities:
- EU: Your local Data Protection Authority
- US: Federal Trade Commission (FTC)
- UK: Information Commissioner's Office (ICO)
- Canada: Office of the Privacy Commissioner