kind_neighborhood
- 1 Post
- 9 Comments
- There’s no verified ‘delete’ button - only a claim, which isn’t supported by their own privacy policy.
- Logging in means re-triggering Cloudflare tracking. I shouldn’t need to be surveilled to be forgotten.
See my other comments for details.
P.S. it’s a shame I’m being constantly attacked in a privacy dedicated community, for simply reporting my own, sad experience with GDPR.
Yes, they did send a guide: “Go to Account Settings and click ‘Delete account’.”
But here’s what’s missing:
- No confirmation that data is erased (beyond their claim)
- No transparency about what gets deleted (e.g. public uploads, logs, backups)
- No way to verify it without logging back in - which triggers Cloudflare’s fingerprinting CAPTCHA
- According to GDPR Article 12(1) and Recital 64, I shouldn’t need to re-authenticate - and re-expose myself to surveillance just to invoke my right to erasure under Article 17. GDPR requires controllers to facilitate the exercise of rights (Art. 12(2)). Forcing me to log in - and re-trigger Cloudflare’s tracking - to delete my data is the opposite of facilitation. I offered multiple verification points (email, payment history, username). They didn’t even ask for more - they just refused.
And while I’m not from the EU: CivitAI targets EU users (EUR pricing, no geo-blocking, GDPR banner). So GDPR does apply - and the Irish DPC is the lead authority (like for Meta or TikTok). Their reply wasn’t unkind - it was procedural. And that’s the problem - when enforcement only happens for people with the right address or right passport, the law becomes optional for the powerful.
This isn’t just about my own data alone.
You’re describing how it works in practice - not how it’s written in law. GDPR protects data subjects in the EU, and applies to companies targeting the EU - not just EU passport holders. The real issue isn’t my location - it’s that CivitAI ignores the law, and regulators let them - until an EU citizen complains.
This creates a geographic lottery: if you’re physically in the EU when you complain, you get enforcement. If you’re not - even as an EU citizen abroad - you get dismissed. This is essentially a VIP lane despite claiming otherwise.
Let me kindly ask you this. If you’re an EU citizen yourself, how do you feel about EU not doing anything about foreign company that is doing business with EU citizens, yet, does not respect GDPR (despite saying so on their website in a pop-up text)?
While this is about my own data - I agree, it is also about EU own authority and self-respect as well.
I’m not EU citizen, but this doesn’t change the fact that civitai breaking the law on EU territory. What guarantees do you have they won’t reject your, or anyone else GDPR request next time?
Hopefully soon you’ll be counted among us, but until then there isn’t much a GDPR officer could help you with.
Thank you.
But I’m not sure why you would expect the GDPR to cover you as a non-EU citizen?
Because GDPR itself says I can:
https://gdpr-info.eu/art-3-gdpr/
Fair point, and I get why it might look that way.
But here’s the thing. CivitAI doesn’t block EU users. It used EUR pricing, English (the EU’s lingua franca), their current pop-up says they’re privacy and GDPR compliant (somehow), and infrastructure that logs EU traffic (Cloudflare EU nodes). The Irish DPC is their de facto lead authority - that’s why Meta, Google, and TikTok all get fined by them.
So when they dismiss my complaint with “you’re from Ukraine” - without even asking if I was in the EU when I used the site, or whether CivitAI targets EU users - it’s not legal analysis. It’s triage. And in that triage, non-EU users get deprioritized - no matter what the law says.
I’m not arguing theory. I’m reporting what happened:
- I made a lawful request
- They refused to engage
- DPC closed it in several days
- NGOs went silent
- If GDPR only protects people inside the EU’s borders - not people targeted by companies operating in the EU, then it’s not universal rights. It’s a walled garden. Maybe there are no data police. But someone still has to file the missing persons report.
Thanks for your reply. However, GDPR applies to U.S. companies like CivitAI if they target EU users - which they do (EUR pricing, no geo-blocking, Cloudflare tracking in EU).
The Irish DPC’s rejection wasn’t based on law - it was a de facto policy choice to ignore non-EU complainants.
My point wasn’t “I want my data deleted” - it was:
- Article 17 exists
- I followed it
- They refused
- Regulators looked away
If GDPR only protects people with EU passports, then it’s not universal rights - it’s privilege with a privacy logo.
This is why all users, all people online who care about privacy, must maintain proactive defense of their data. There are no data police to lock up the bad guys. Once your data is gone its gone for good. It must be protected before it’s lost, not after.
I agree, proactive defense is a must. But we also need to name when the shields we’re told exist… don’t. I often read about GDPR power on reddit and fediverse, so I was expecting it will protect me if not in a lawful shape, at least by its mere existence by being a deterrent. If I knew how it will turn out, I would be more cautious.
Maybe I’m just bad with words, so let me try to explain my point better: GDPR isn’t triggered by location - it’s triggered by CivitAI’s targeting of the EU (EUR pricing, no geo-blocking, Cloudflare EU infrastructure, etc). Article 3(2) + EDPB Guidelines §21 make this clear - and the Irish DPC skipped that analysis entirely.
I’ve already covered this in other comments (and added a clarification to the post itself), so if you’d like to continue the discussion (or anyone else who might be reading this reply), I’d appreciate it if you could ground your points in primary sources - e.g., the GDPR text, EDPB guidance, or official DPC precedent, rather than common misunderstanding.
I’m not trying to win an argument nor asking for more than it’s written in the law itself.