GDPR is your friend, craft ai is there to make sure of it!


Clodéric Mars
Apr 28, 2018 Column

GDPR is your friend, craft ai is there to make sure of it!

These days, in the European AI ecosystem, the proportion of conversations revolving around GDPR tends quickly towards 100%. As a matter of fact on the 25th of May the General Data Protection Regulation will become enforceable in the European Union. As an AI technology provider it is important that our product is fully compatible with the regulation and that it enables our customers to simply & fully follow it. So what is this regulation about and how craft ai makes it easy to enforce?

Personal data

Let’s start by stating the, maybe, obvious: craft ai is not in the business of monetizing data. craft ai processes the data that is sent through its API to produce predictive models. Only the data needed to compute those models is kept and craft ai does not claim ownership over it.

By design, craft ai is about learning predictive models at the individual level, be it a person, a household, a building or, ..., a trash bin. This means data that transit through craft ai is identified as being related to a single unit, which can be a risk if such data can be used to directly or indirectly identify the person. However, because craft ai algorithms are designed to learn individual behaviors, they do not need demographic data to work.

For example, to continuously learn a predictive model of a given building water consumption there is no need to know its number of bathrooms, its address, the socio professional categories of its occupants or even their ages, names or social security numbers; only data relevant to the water consumption behavior matters: metering, weather and maybe occupation schedule. This data can be sensitive and should be treated with care but can’t be used to identify said building, it can be argued these are not indeed personal data. The only technical requirement is an identifier that can only be correlated by the API user to what it identifies. In other words, data sent to craft ai are pseudonymised.

Right to data

The most important philosophy behind GDPR is that anyone should be able to manage their personal data. This translates into three principles: right to access, right to be forgotten and data portability.

As an API, craft ai was designed to be symmetrical, everything that can be sent, can be retrieved and deleted. Which means every piece of data you send can be consulted and deleted if you so desire. Furthermore all the exchanged data are structured in familiar and simple to understand json (yes even the learned predictive models, explainable ai for the win!). These properties means any API customer can easily offer full control over their data to their end users.

Some other aspects of the regulation are still debated. What are the effects of the right to be forgotten on machine learning techniques: do you need to retrain a model without the data of the individual who’d like it to be erased? Does the regulation enforces a right of explanation of automated decision making? In either cases craft ai is ready for it, our individual level machine learning means that the data of one user can be destroyed without affecting the others and the key characteristic of our algorithms is to be explainable.

Using data, but for what?

The last major aspect of GDPR is letting the user opt-in to the usage of its data. We can’t help on this front at craft ai, however this is much aligned with our core belief: obtaining the user opt-in is about providing value to them. It is much easier to ask for, let’s say, the data generated by a Smart Home if it’s about improving the security, the energy consumption or the comfort of the occupants. In short, it’s not about the data, it’s about the service! A production-ready AI solution such as craft ai is key to design and deliver such service quickly.


GDPR does not have to be a source of anxiety for businesses, at craft ai we’ve designed our product to help our customers easily enforce it.

Full access to your data & data pseudonymization

  1. The craft ai API gives complete and direct access to the end-user data, it can be consulted and deleted without any impact on other end-users. Furthermore the data that is collected by craft ai is non-demographic.
  2. Any end-user data sent to craft ai is pseudonymized, only the API customer that sent it can correlate it to the actual end-user.

Now that this is settled, let’s continue our journey towards the cognitive automation of all processes!