GDPR Policy
Last updated: March 2026
This policy explains how Trio — AI 2 Design, a product of ai2.design, operated by BEY AGENCY LTD ("Trio," "we," "us") complies with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the UK GDPR for users in the European Economic Area (EEA), European Union (EU), and United Kingdom (UK). This policy supplements our Privacy Policy with additional information specific to your rights under European data protection law.
1. Our Commitment to GDPR
This policy explains how Trio — AI 2 Design ("Trio," "we," "us") complies with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the UK GDPR for users in the European Economic Area (EEA), European Union (EU), and United Kingdom (UK).
This policy supplements our Privacy Policy with additional information specific to your rights under European data protection law.
2. Data Controller
Data Controller:
BEY AGENCY LTD (trading as ai2.design)
Address: Suite 90415 Brayford Square, London, United Kingdom, E1 0SG
Company Number: 16435596
Email: hello@ai2.design
If you have questions about how your data is processed, contact us at the address above.
3. Legal Basis for Processing
We process your personal data based on the following legal grounds under GDPR Article 6:
| Purpose | Legal Basis | GDPR Article |
|---|---|---|
| Account creation & authentication | Performance of a contract — necessary to provide the Service you requested | Art. 6(1)(b) |
| Subscription billing via Stripe | Performance of a contract — necessary to process your payment | Art. 6(1)(b) |
| Usage tracking (daily counters) | Legitimate interest — enforce plan limits and prevent abuse | Art. 6(1)(f) |
| Session management (device info, IP) | Legitimate interest — security and unauthorized access prevention | Art. 6(1)(f) |
| Transactional emails (password reset, billing) | Performance of a contract — necessary for account operation | Art. 6(1)(b) |
| Marketing emails (weekly digest) | Consent — opt-in only, withdrawable at any time | Art. 6(1)(a) |
| Usage limit warning emails | Legitimate interest — inform you about approaching limits | Art. 6(1)(f) |
| Audit logs | Legitimate interest — security monitoring and abuse prevention | Art. 6(1)(f) |
| Cookie usage (website) | Consent — via cookie consent banner | Art. 6(1)(a) |
Legitimate Interest Assessment
Where we rely on legitimate interest, we have conducted balancing tests to ensure our interests do not override your fundamental rights:
- Usage tracking: We count prompts per day, not their content. This minimal data collection is necessary to enforce plan limits and is proportionate to the purpose.
- Session management: Device type and IP address are standard security measures. We retain only what's needed for active session management and remove data when sessions end.
- Audit logs: Limited to action types and timestamps. No prompt content or design data is logged.
4. Data We Process
4a. Personal Data Categories
| Category | Examples | Retention |
|---|---|---|
| Identity data | Display name, email, avatar URL | Until account deletion |
| Account data | Tier, subscription status, billing interval | Until account deletion |
| Usage data | Daily prompt counts, tool call counts | 12 months (then aggregated) |
| Session data | Device type, IP address, last active time | Until session ends + 30 days |
| Financial data | Stripe customer ID, invoice records | As required by tax law (typically 7 years) |
| Communication data | Notification preferences | Until account deletion |
| Team data | Team membership, role, invite status | Until team removal or account deletion |
4b. Special Category Data
We do not process any special category data (Article 9) such as: racial or ethnic origin, political opinions, religious or philosophical beliefs, biometric or genetic data, health data, or sexual orientation.
4c. Data We Never Process
- Your prompt text
- Your Figma design content
- Reference images you attach
- Generated code output
- Any content from your Figma files
5. Your Rights Under GDPR
As an EU/EEA/UK resident, you have the following rights:
5a. Right of Access (Article 15)
You can request a copy of all personal data we hold about you. We will provide this within 30 days of your request in a commonly used electronic format.
How to exercise: Use the "Download My Data" button in your dashboard, or email hello@ai2.design.
5b. Right to Rectification (Article 16)
You can correct inaccurate personal data at any time through your profile settings. For data you cannot edit directly, contact us and we will update it within 30 days.
5c. Right to Erasure / "Right to be Forgotten" (Article 17)
You can request deletion of your account and all associated personal data. Upon request:
- We will delete your account, profile, usage data, session data, and audit logs
- We will instruct Stripe to delete your customer record (subject to Stripe's legal retention requirements)
- We will remove your team memberships
- Data required by law (e.g., invoice records for tax compliance) will be retained only as long as legally required, then deleted
How to exercise: Use the "Delete Account" button in your dashboard, or email hello@ai2.design.
Timeframe: Account deletion will be processed within 30 days. Some data may persist in encrypted backups for up to 90 days before being permanently purged.
5d. Right to Data Portability (Article 20)
You can request your data in a structured, commonly used, machine-readable format (JSON). This includes:
- Profile information
- Usage history
- Subscription data
- Team membership data
- Notification preferences
How to exercise: Use "Download My Data" in your dashboard or email hello@ai2.design.
5e. Right to Restrict Processing (Article 18)
You can request that we restrict processing of your data while:
- We verify the accuracy of contested data
- We assess whether our legitimate interests override your rights
- You need the data for legal claims but don't want it deleted
During restriction, we will store but not process your data (except for storage and legal claims).
5f. Right to Object (Article 21)
You can object to processing based on legitimate interest at any time. We will stop processing unless we demonstrate compelling legitimate grounds.
You can object to:
- Usage tracking beyond what's necessary for plan limits
- Marketing or promotional communications
- Usage analytics for product improvement
How to exercise: Email hello@ai2.design with the specific processing you object to.
5g. Right to Withdraw Consent (Article 7)
Where processing is based on consent (marketing emails, cookies), you can withdraw consent at any time:
- Marketing emails: Unsubscribe link in every email, or toggle off in Settings
- Weekly digest: Toggle off in Settings → Notification Preferences
- Cookies: Adjust cookie preferences via the cookie banner
Withdrawing consent does not affect the lawfulness of processing before withdrawal.
5h. Right to Lodge a Complaint
If you believe your data protection rights have been violated, you have the right to lodge a complaint with your local Data Protection Authority (DPA).
6. International Data Transfers
Your data may be transferred to and processed in countries outside the EEA/UK. We ensure adequate protection through:
| Transfer | Mechanism | Destination |
|---|---|---|
| Supabase (database) | Standard Contractual Clauses (SCCs) | Cloud infrastructure |
| Stripe (payments) | Stripe's GDPR compliance program, SCCs | US (Privacy Shield successor) |
| Anthropic (AI processing) | SCCs, Anthropic's data processing terms | US |
We only transfer data to third parties that provide adequate protection as defined by GDPR Chapter V. Where no adequacy decision exists, we rely on SCCs approved by the European Commission.
7. Data Protection Impact Assessment (DPIA)
We have conducted a DPIA for the following processing activities:
| Activity | Risk Level | Mitigations |
|---|---|---|
| AI prompt processing (via Anthropic) | Medium | Prompts not stored by us; Anthropic's no-training policy; local server processing |
| Usage tracking | Low | Counters only (no content); RLS protects cross-user access |
| Session management | Low | Standard security measure; automatic cleanup; IP anonymization option |
| Payment processing | Low | Delegated entirely to Stripe (PCI DSS compliant) |
8. Data Processing Agreements (DPAs)
We maintain Data Processing Agreements with all sub-processors:
| Sub-Processor | Service | DPA Status |
|---|---|---|
| Supabase | Database, authentication | Active |
| Stripe | Payment processing | Active |
| Anthropic | AI model processing | Active |
Enterprise customers can request copies of our DPAs or execute custom DPAs. Contact hello@ai2.design.
9. Data Breach Notification
In the event of a personal data breach:
- We will notify the relevant Data Protection Authority within 72 hours of becoming aware of the breach (GDPR Article 33)
- If the breach is likely to result in a high risk to your rights and freedoms, we will notify affected users without undue delay (GDPR Article 34)
- Our notification will include: the nature of the breach, categories and approximate number of affected users, likely consequences, and measures taken or proposed to address the breach
10. Cookies and Tracking
Our website uses cookies as described in our Cookie Policy. Under GDPR, we:
- Obtain consent before placing non-essential cookies
- Provide a clear cookie banner with accept/reject options
- Allow granular cookie preferences
- Do not use cookie data for advertising or third-party tracking
11. Automated Decision-Making
Trio uses AI to generate designs based on your prompts. This processing:
- Is not automated decision-making with legal or similarly significant effects (Article 22)
- Does not make decisions about your access, pricing, or service level based on profiling
- Does not evaluate personal aspects of you as an individual
Plan limit enforcement is rule-based (counter-based), not AI-driven.
12. Children
We do not knowingly process personal data of children under 16 (or under 13 in the UK). If we become aware that we have collected data from a child, we will delete it promptly.
13. Contact for GDPR Inquiries
- Company: BEY AGENCY LTD (trading as ai2.design)
- Address: Suite 90415 Brayford Square, London, United Kingdom, E1 0SG
- Company Number: 16435596
- Email: hello@ai2.design
- Subject line: "GDPR Request — [Your Right]"
- Response time: Within 30 days (extendable by 60 days for complex requests, with notification)
Questions about GDPR?
Contact our privacy team at hello@ai2.design