I decided to finally clean up an old account on CivitAI (https://civitai.com/). Nothing unusual - I just wanted to exercise my right to be forgotten, the one I heard about so much on Reddit before, being a regular lurker.
I sent them a polite email citing Article 17 GDPR. Gave them enough info to find me (email, username, first login date, payment history). Didn’t use my real name, didn’t log in - partly because I didn’t want to trigger Cloudflare’s fingerprinting again.
Their reply?
“When users delete their account, this action is permanent, since we delete any and all data associated with that account.”
Maybe? There’s no way to verify their claim without re-engaging. No public deletion policy (https://civitai.com/content/privacy). No confirmation. No alternative. Only if you log in to do it. Which means triggering Cloudflare’s tracking system again.
I shouldn’t have to expose myself to surveillance just to ask to be forgotten.
Honestly, I was taken aback a little. But fair enough, I thought. I still have a shield for myself - let’s escalate.
I filed with the Irish Data Protection Commission (DPC) - mostly because they accept anonymous, English requests.
They closed my case within days with this:
You’re from Ukraine. Not our problem.
No discussion of whether CivitAI targets EU users (they do!). No interest in the fact they process personal data globally. Didn’t even ask if I was in the EU at that time. Just a flat rejection based on my location.
Fine. Maybe NGOs can help?
I contacted:
- Access Now
- EDRi
- Digitalcourage
- epicenter.works
- Even tried the UK ICO (turns out, CivitAI blocks UK users now, so no luck there)
Out of all of them, only epicenter.works replied - twice - telling me to contact noyb.
Which is silly, because I already did. Over a month ago. Still no reply.
So here I am.
I did everything I could - correctly, thoroughly, and in good faith. But all I got in return is silence, deflection, bureaucracy.
Don’t get me wrong - I still believe in the idea of GDPR. I want to believe in it. But the enforcement? It’s a paper tiger. All bark, no bite. And worst of all, it doesn’t even have self-respect - happy to roll over the moment someone shows up without an EU passport.
This wasn’t about being petty or creating drama. I just wanted to get in control of my data, as was promised by the GDPR declaration.
But apparently, even that is too much to ask.
Anyway, vent over. Just wanted to share this so others don’t waste months chasing rainbows like I did.
And maybe - just maybe - someone at noyb, DPC, or CivitAI will finally read it and feel ashamed enough to act.
P.S. Why I’m posting it here:
- I think it fits this community topic
- This post was removed from r/gdpr by moderators
- Some subreddits ignored my request to approve this post on their subreddits
- r/privacy requires karma to post
- I was shadowbanned by Reddit for no apparent reason
- A similar post saw zero reaction on a Mastodon instance
- Twitter & Bluesky require solving a captcha that I’m incapable of solving
In addition, since the initial post on Reddit and Mastodon weeks ago, I’ve sent emails to various privacy-oriented news outlets and public organizations, but I was ignored by all but EFF, which replied “we can’t help you”.
EDIT: To clarify a recurring point: GDPR does not require you to be an EU citizen or resident to be protected.
Under Article 3(2), it applies to any company that offers goods/services to people in the EU - even if the user is from Ukraine, the US, or elsewhere. If anyone thinks I’m in the wrong, please provide a source. I don’t see what I’m doing wrong here.
Proof (screenshots)
Let me kindly ask you this. If you’re an EU citizen yourself, how do you feel about the EU not doing anything about a foreign company that is doing business with EU citizens yet does not respect GDPR (despite saying so on their website in a pop-up text)?
While this is about my own data - I agree, it is also about the EU’s own authority and self-respect as well.
I’m not an EU citizen, but this doesn’t change the fact that CivitAI is breaking the law on EU territory. What guarantees do you have they won’t reject your, or anyone else’s, GDPR request next time?
How does your story show that they don’t respect GDPR though? I’m not saying they do, but I don’t see it in what you wrote. You told them to delete your data and they replied that they already do when you delete your account.
Where is the problem?
Apparently they did not delete their account because they don’t want to log in to do that.
Still, they can’t know if the service in question would have treated an EU resident differently.
I don’t see how they were treated wrongly, EU citizen or not. They offer a way to delete their data, I don’t think that having to log in is an obstacle.
I happen to think it is, and indeed the GDPR sees it the same way. For EU residents. They have to delete your data if you ask them to, no special form requirements.
I may have forgotten my password, they may require additional personal data to let me log in again (which is why my PayPal account is still not deleted), their shitty page might not be loading in my browser of choice, or they recently decided I may not visit it with an ad blocker. It’s just a hoop to jump through to try and make people sigh and just not bother. In OP’s case they want to avoid additional third party tracking on the site, and that’s 100% valid.
That’s fair, but did they refuse? They offered a way that probably works fine for most people. OP did not send a reply saying they are unable to use it or indicating any problem with their response whatever, so from their point of view they successfully helped OP with their enquiry and OP did not ask for anything further.
For all we know if OP replied they can’t log in they would delete it for them no problem. Or they wouldn’t, but we don’t know that.
Maybe I misunderstood, but it seems like in your screenshots that they provided a simple guide for you to delete all of your data?
And about the Irish authorities, I can’t really see how you expected them to help you, when you’re not from there. And not even at least from the EU.
I think they did actually answer you nicely, even suggesting what you should do instead.
Yes, they did send a guide: “Go to Account Settings and click ‘Delete account’.”
But here’s what’s missing:
And while I’m not from the EU: CivitAI targets EU users (EUR pricing, no geo-blocking, GDPR banner). So GDPR does apply - and the Irish DPC is the lead authority (like for Meta or TikTok). Their reply wasn’t unkind - it was procedural. And that’s the problem - when enforcement only happens for people with the right address or right passport, the law becomes optional for the powerful.
This isn’t just about my own data alone.