Pickaxe is now GDPR Compliant! - GDPR Compliance Deep Dive

Today Pickaxe announced that our product is officially GDPR compliant.

Here I’d like to do a deep dive on the various different aspects of compliance, and answer any questions users have.

What Pickaxe was already doing

Pickaxe actually already had most of the ingredients for compliance. We have a transparent and comprehensive privacy policy, which outlines the data we collect and the reasons we need that data. Pickaxe already used industry best practices for encryption, as outlined in our terms.

Pickaxe stores all data in secure facilities based in the United States, but luckily as of this writing data localization is not required for GDPR compliance.

What has been added

Pickaxe has taken a few steps to close the loop on GDPR compliance.

  1. We have removed Google Analytics altogether from pages accessed by logged-in users (in the new system, available at pickaxe.co)
  2. We have added a cookie consent banner to our home page, for logged-out users to give consent for analytics cookies.
  3. We retain a single internal analytics cookie provider on logged-in pages, and outline in our updated Privacy Policy exactly why that cookie is essential for site functioning.
  4. We have removed all analytics cookies from end user studios.
  5. We now allow users of Pickaxe to delete their own accounts without contacting us via email.
  6. We now allow users within the Studios to delete their own accounts without contacting us or the studio owner via email.
  7. We have updated our data processing disclosures, and added a compliance commitment to our privacy policy.
  8. We have added a section in our terms on tool builder’s responsibilities with regard to the use of our product.

What you can do

To our knowledge, Pickaxe is now compliant. You can help us by bringing any issues with that compliance to our attention, which we would be grateful for.

Your studios are not necessarily compliant by default. The main thing you have to do is provide a terms of service and privacy policy to your users. You can provide your own language, or simply link to our terms and privacy policy if you’d like. We have removed our analytics cookies from the studios, so the only ones remaining there are essential for the functioning of the product. You may still need to add a cookie choice popup, especially if you use analytics cookies of your own.

In Conclusion

This new version of Pickaxe (available at pickaxe.co) is just the next step in our journey towards building the best place to build, provision, and monetize AI on the internet. Many more updates are coming soon in service of that goal. In the meantime we’re excited to be on this journey together!


That's awesome and much appreciated!! Thank you for the great work and progress.


This is great! It will help me address a lot of client concerns.

This is great news. Congrats on addressing this need for listening to user feedback.

@nathaniel does this apply to the Pro Plan or to everyone in general? What is meant by “Advanced Data Privacy & Security Options” mentioned under the Pro Plan features?

Great question! Pickaxe still reserves the right to train on chat data generated by non-Pro customers, as outlined in the terms. This hasn’t changed, and is allowed under GDPR as long as it’s disclosed and agreed to.

So “Advanced Data Privacy & Security Options” currently translates to: we won't train AIs on your data. As well as that, we do occasionally sign addendum data processing agreements with Pro customers.

@nathaniel it's good to know that you don't train on Pro users' data. I'm trying to win a project and they are pretty sensitive on these things. Does Pickaxe have any certifications such as SOC 2 or ISO 27001? I couldn't find any.

Are the knowledge bases similarly protected?

Hey! Good steps, but for EU people to be able to sell Pickaxe assistants in the EU, we would probably need EU servers and data retention controls for the conversations. Like end users being able to delete conversations, or studio makers being able to say “hey, delete conversations after 1 year”, for example. Otherwise we can't be fully GDPR compliant. Thanks though!


We don't have SOC 2 or ISO 27001. The knowledge bases are stored on Amazon S3; they are similarly protected, and we never train on the data in them regardless of tier.


Hi,

This isn’t completely accurate. See above: “Pickaxe stores all data in secure facilities based in the United States, but luckily as of this writing data localization is not required for GDPR compliance.”

As far as deletion, we allow end users to delete their accounts, and retain data only as long as is required for the legitimate purposes outlined in our terms/privacy policy. So while we don’t have individual message deletion, this isn’t required, as long as users have a way to remove their data.

We may eventually add control over individual messages, but it isn’t needed for compliance!


Thanks @nathaniel. So Pickaxe will train on data “GENERATED” by AI in the Gold tier, but not on the knowledge bases. Got it!