GDPR & Privacy

Data protection and privacy compliance

Privacy-First Growth Hacking: How to Personalise Without Being Creepy

Third-party cookies are dead, browser tracking is gutted, and regulators are fining companies hundreds of millions for getting consent wrong. But personalisation still works - it just needs a different foundation. This post covers consent-based personalisation, server-side tracking architecture, first-party and zero-party data strategies that actually perform, and the practical Rails code to make it all work across the DACH market. Real examples from four products serving Austrian, German, and Swiss users, with jurisdiction-aware consent handling built in.

AI Compliance for the DACH Market

If you're building AI-powered SaaS for the DACH market, you're not dealing with one regulatory framework. You're dealing with at least five: the EU AI Act (directly applicable in Austria and Germany), GDPR (enforced differently by each country's DPA), Austria's Digital Austria Act 2.0 and KI-Servicestelle, Germany's KI-MIG implementation law and Bundesnetzagentur oversight, and Switzerland's entirely separate FADP with its own rules on AI, profiling, and personal liability. This post maps the specific nuances for Austrian, German, and Swiss businesses, shows where the regulations overlap and where they diverge, and provides the practical architecture decisions that let you ship AI features across all three markets from a single Rails codebase.

Building GDPR-Compliant AI Features in Your SaaS

A developer's practical walkthrough of Data Processing Agreements, Privacy by Design, and Data Protection Impact Assessments for AI features. Not the legal theory, but the actual Rails code and architecture decisions you need to make before shipping AI features to production. With real examples from four production Ruby on Rails applications: GrowCentric.ai (marketing optimisation), Stint.co (marketing dashboard), Regios.at (regional platform), and Auto-Prammer.at (automotive marketplace on Solidus).

GDPR and AI: The "Right to Be Forgotten" Now Means "Unlearning"

When GDPR's Article 17 was written, 'erasure' meant deleting a row from a database. In 2026, it means something far more complicated. If a user's data was used to train an AI model, deleting the database record isn't enough. The data has been absorbed into model weights, influencing predictions for every subsequent user. The EDPB has made the right to erasure its coordinated enforcement priority for 2025-2026, with 30 data protection authorities investigating how organisations handle deletion requests. And the Italian DPA already fined OpenAI 15 million euros for, among other things, failing to handle training data properly under GDPR. This post explains what machine unlearning is, why it's a nightmare for developers, and what practical architectural decisions you can make right now to avoid the problem in the first place.

The EU AI Act Kicks In August 2026: What SaaS Builders Need to Know

The EU AI Act's biggest enforcement date is August 2, 2026. That's less than five months away. High-risk AI system obligations, transparency rules, and the full enforcement framework all go live on that date. If you build SaaS products that use AI and serve European customers, this directly affects you. This post explains the four risk tiers, how to figure out which one your product falls into, what the obligations actually mean in practice, and what you should be doing right now. No legal jargon. Practical guidance from someone building AI-powered SaaS for the European market.

The NIS2 Directive Explained: What SaaS and eCommerce Businesses Actually Need to Do

The NIS2 Directive is now active across the EU, covering SaaS providers, cloud platforms, online marketplaces, and digital service providers. Fines reach up to 10 million euros. If you run a SaaS platform or ecommerce business serving EU customers, here is what you need to know and what you need to do.

The EU Cyber Resilience Act Is Coming: What It Means, Who Needs to Prepare, and How I Can Help

The EU Cyber Resilience Act entered into force in December 2024, with reporting obligations kicking in September 2026 and full enforcement by December 2027. If you build, sell, or distribute software or connected products in the EU, this affects you. Here is what you need to know, what you need to do, and how a Growth Hacker and SaaS developer with cybersecurity experience can help you get compliant.