• 1 Post
  • 9 Comments
Joined 3 days ago
Cake day: November 11th, 2025

  • Maybe I’m just bad with words, so let me try to explain my point better: GDPR isn’t triggered by location - it’s triggered by CivitAI’s targeting of the EU (EUR pricing, no geo-blocking, Cloudflare EU infrastructure, etc). Article 3(2) + EDPB Guidelines §21 make this clear - and the Irish DPC skipped that analysis entirely.

    I’ve already covered this in other comments (and added a clarification to the post itself), so if you’d like to continue the discussion (or anyone else who might be reading this reply), I’d appreciate it if you could ground your points in primary sources - e.g., the GDPR text, EDPB guidance, or official DPC precedent, rather than common misunderstandings.

    I’m not trying to win an argument, nor am I asking for more than is written in the law itself.



  • Yes, they did send a guide: “Go to Account Settings and click ‘Delete account’.”

    But here’s what’s missing:

    • No confirmation that data is erased (beyond their claim)
    • No transparency about what gets deleted (e.g. public uploads, logs, backups)
    • No way to verify it without logging back in - which triggers Cloudflare’s fingerprinting CAPTCHA

    According to GDPR Article 12(1) and Recital 64, I shouldn’t need to re-authenticate - and re-expose myself to surveillance just to invoke my right to erasure under Article 17. GDPR requires controllers to facilitate the exercise of rights (Art. 12(2)). Forcing me to log in - and re-trigger Cloudflare’s tracking - to delete my data is the opposite of facilitation. I offered multiple verification points (email, payment history, username). They didn’t even ask for more - they just refused.

    And while I’m not from the EU: CivitAI targets EU users (EUR pricing, no geo-blocking, GDPR banner). So GDPR does apply - and the Irish DPC is the lead authority (like for Meta or TikTok). Their reply wasn’t unkind - it was procedural. And that’s the problem - when enforcement only happens for people with the right address or right passport, the law becomes optional for the powerful.

    This isn’t just about my own data alone.






  • Fair point, and I get why it might look that way.

    But here’s the thing. CivitAI doesn’t block EU users. It used EUR pricing, English (the EU’s lingua franca), and infrastructure that logs EU traffic (Cloudflare EU nodes), and their current pop-up says they’re privacy and GDPR compliant (somehow). The Irish DPC is their de facto lead authority - that’s why Meta, Google, and TikTok all get fined by them.

    So when they dismiss my complaint with “you’re from Ukraine” - without even asking if I was in the EU when I used the site, or whether CivitAI targets EU users - it’s not legal analysis. It’s triage. And in that triage, non-EU users get deprioritized - no matter what the law says.

    I’m not arguing theory. I’m reporting what happened:

    • I made a lawful request
    • They refused to engage
    • DPC closed it in several days
    • NGOs went silent

    If GDPR only protects people inside the EU’s borders - not people targeted by companies operating in the EU - then it’s not universal rights. It’s a walled garden. Maybe there are no data police. But someone still has to file the missing persons report.

  • Thanks for your reply. However, GDPR applies to U.S. companies like CivitAI if they target EU users - which they do (EUR pricing, no geo-blocking, Cloudflare tracking in EU).

    The Irish DPC’s rejection wasn’t based on law - it was a de facto policy choice to ignore non-EU complainants.

    My point wasn’t “I want my data deleted” - it was:

    • Article 17 exists
    • I followed it
    • They refused
    • Regulators looked away

    If GDPR only protects people with EU passports, then it’s not universal rights - it’s privilege with a privacy logo.

    This is why all users, all people online who care about privacy, must maintain proactive defense of their data. There are no data police to lock up the bad guys. Once your data is gone, it’s gone for good. It must be protected before it’s lost, not after.

    I agree, proactive defense is a must. But we also need to name when the shields we’re told exist… don’t. I often read about GDPR’s power on Reddit and the fediverse, so I was expecting it would protect me, if not in a lawful shape, at least by its mere existence as a deterrent. If I had known how it would turn out, I would have been more cautious.