I decided to finally clean up an old account on CivitAI (https://civitai.com/). Nothing unusual - I just wanted to exercise my right to be forgotten, the one I heard about so much on Reddit before, being a regular lurker.
I sent them a polite email citing Article 17 GDPR. Gave them enough info to find me (email, username, first login date, payment history). Didn’t use my real name, didn’t log in - partly because I didn’t want to trigger Cloudflare’s fingerprinting again.
Their reply?
“When users delete their account, this action is permanent, since we delete any and all data associated with that account.”
Maybe? There’s no way to verify their claim without re-engaging. No public deletion policy (https://civitai.com/content/privacy). No confirmation. No alternative. Only if you log in to do it. Which means triggering Cloudflare’s tracking system again.
I shouldn’t have to expose myself to surveillance just to ask to be forgotten.
Honestly, I was taken aback a little. But fair enough, I thought. I still have a shield for myself - let’s escalate.
I filed with the Irish Data Protection Commission (DPC) - mostly because they accept anonymous, English requests.
They closed my case within days with this:
You’re from Ukraine. Not our problem.
No discussion of whether CivitAI targets EU users (they do!). No interest in the fact they process personal data globally. Didn’t even ask if I was in the EU at that time. Just a flat rejection based on my location.
Fine. Maybe NGOs can help?
I contacted:
- Access Now
- EDRi
- Digitalcourage
- epicenter.works
- Even tried the UK ICO (turns out, CivitAI blocks UK users now, so no luck there)
Out of all of them, only epicenter.works replied - twice - telling me to contact noyb.
Which is silly, because I already did. Over a month ago. Still no reply.
So here I am.
I did everything I could - correctly, thoroughly, and in good faith. But all I got in return is silence, deflection, bureaucracy.
Don’t get me wrong - I still believe in the idea of GDPR. I want to believe in it. But the enforcement? It’s a paper tiger. All bark, no bite. And worst of all, it doesn’t even have self-respect - happy to roll over the moment someone shows up without an EU passport.
This wasn’t about being petty or creating drama. I just wanted to get in control of my data, as was promised by the GDPR declaration.
But apparently, even that is too much to ask.
Anyway, vent over. Just wanted to share this so others don’t waste months chasing rainbows like I did.
And maybe - just maybe - someone at noyb, DPC, or CivitAI will finally read it and feel ashamed enough to act.
P.S. Why I’m posting it here:
- I think it fits this community topic
- This post was removed from r/gdpr by moderators
- Some subreddits ignored my request to approve this post on their subreddits
- r/privacy requires karma to post
- I was shadowbanned by Reddit for no apparent reason
- A similar post saw zero reaction on a Mastodon instance
- Twitter & Bluesky require solving a captcha that I’m incapable of solving
In addition, since the initial post on Reddit and Mastodon weeks ago, I’ve sent emails to various privacy-oriented news outlets and public organizations, but I was ignored by all but EFF, which replied “we can’t help you”.
EDIT: To clarify a recurring point: GDPR does not require you to be an EU citizen or resident to be protected.
Under Article 3(2), it applies to any company that offers goods/services to people in the EU - even if the user is from Ukraine, the US, or elsewhere. If anyone thinks I’m in the wrong, please provide a source. I don’t see what I’m doing wrong here.
Proof (screenshots)
Seriously, just log in, delete account, move on with your life.
- There’s no verified ‘delete’ button - only a claim, which isn’t supported by their own privacy policy.
- Logging in means re-triggering Cloudflare tracking. I shouldn’t need to be surveilled to be forgotten.
See my other comments for details.
P.S. it’s a shame I’m being constantly attacked in a privacy dedicated community, for simply reporting my own, sad experience with GDPR.
Dude nobody is attacking you. We’ve all given you the solution, the solution is there. I personally believe that you’re making an unnecessary storm in a glass of water, and not even for us, but for yourself.
Privacy is super important, but not at the expense of your mental health. The sooner you get rid of that account, and never touch that site again, and move on, the better off you’ll be, that’s all it is.
I mean… let’s set aside that you are not even covered by GDPR.
Didn’t use my real name, didn’t log in - partly because I didn’t want to trigger Cloudflare’s fingerprinting again.
“When users delete their account, this action is permanent, since we delete any and all data associated with that account.”
I feel like you’re making a mountain out of a molehill.
Practically, if you want to delete your account, you just log in and delete your account. If you are worried about cloudflare fingerprinting, well, use the same tools you’d use to resist it anywhere else on the web.
CivitAI doesn’t make it difficult like a lot of services do, which is what GDPR is aiming to cover here. Technically it’d be a violation if you were even covered, but it doesn’t really feel like the purpose of the law? And it says absolutely nothing about protecting you from Cloudflare fingerprinting.
This thread is a dumpster fire, engage at your peril
But… You are from a country out of the EU?
Our rights didn’t come for free.
I also can’t execute rights from Norway when I’m not from there. I can’t demand to use their public systems if I’m not a citizen and pay taxes to them.
I 100% agree that everyone SHOULD have this right. But your country didn’t vote for them for many years (not counting the years after 2022 ofc. That’s a whole other awful topic for you guys, and I feel for you guys)
Let me kindly ask you this. If you’re an EU citizen yourself, how do you feel about the EU not doing anything about a foreign company that is doing business with EU citizens, yet does not respect GDPR (despite saying so on their website in a pop-up text)?
While this is about my own data - I agree, it is also about the EU’s own authority and self-respect as well.
I’m not an EU citizen, but this doesn’t change the fact that civitai is breaking the law on EU territory. What guarantees do you have they won’t reject your, or anyone else’s, GDPR request next time?
How does your story show that they don’t respect GDPR though? I’m not saying they do, but I don’t see it in what you wrote. You told them to delete your data and they replied that they already do when you delete your account.
Where is the problem?
Apparently they did not delete their account because they don’t want to log in to do that.
Still, they can’t know if the service in question would have treated an EU resident differently.
I don’t see how they were treated wrongly, EU citizen or not. They offer a way to delete their data, I don’t think that having to log in is an obstacle.
I happen to think it is, and indeed the GDPR sees it the same way. For EU residents. They have to delete your data if you ask them to, no special form requirements.
I may have forgotten my password, they may require additional personal data to let me log in again (which is why my PayPal account is still not deleted), their shitty page might not be loading in my browser of choice, or they recently decided I may not visit it with an ad blocker. It’s just a hoop to jump through to try and make people sigh and just not bother. In OP’s case they want to avoid additional third party tracking on the site, and that’s 100% valid.
That’s fair, but did they refuse? They offered a way that probably works fine for most people. OP did not send a reply saying they are unable to use it or indicating any problem with their response whatever, so from their point of view they successfully helped OP with their enquiry and OP did not ask for anything further.
For all we know if OP replied they can’t log in they would delete it for them no problem. Or they wouldn’t, but we don’t know that.
Maybe I misunderstood, but it seems like in your screenshots that they provided a simple guide for you to delete all of your data?
And about the Irish authorities, I can’t really see how you expected them to help you, when you’re not from there. And not even at least from the EU.
I think they did actually answer you nicely, even suggesting what you should do instead.
Yes, they did send a guide: “Go to Account Settings and click ‘Delete account’.”
But here’s what’s missing:
- No confirmation that data is erased (beyond their claim)
- No transparency about what gets deleted (e.g. public uploads, logs, backups)
- No way to verify it without logging back in - which triggers Cloudflare’s fingerprinting CAPTCHA
According to GDPR Article 12(1) and Recital 64, I shouldn’t need to re-authenticate - and re-expose myself to surveillance just to invoke my right to erasure under Article 17. GDPR requires controllers to facilitate the exercise of rights (Art. 12(2)). Forcing me to log in - and re-trigger Cloudflare’s tracking - to delete my data is the opposite of facilitation. I offered multiple verification points (email, payment history, username). They didn’t even ask for more - they just refused.
And while I’m not from the EU: CivitAI targets EU users (EUR pricing, no geo-blocking, GDPR banner). So GDPR does apply - and the Irish DPC is the lead authority (like for Meta or TikTok). Their reply wasn’t unkind - it was procedural. And that’s the problem - when enforcement only happens for people with the right address or right passport, the law becomes optional for the powerful.
This isn’t just about my own data alone.
You’re from Ukraine. Not our problem.
This is the only point that matters. Your location is currently not in the EU, so GDPR does not apply to you.
It is nice that many companies accept GDPR being waved in their face and react as if you were in the EU, but they are not required to.
NGOs maybe do not care because of limited resources; they cannot help all.
Will read proof later and maybe suggest other action.
You’re correct that no one cares about 1) users, 2) the GDPR, 3) the prospect of €5 million fines 10 years from now under the GDPR. If there’s any way around that, such as you not being physically in the EU when sending this email, or the company not being based in the EU, then it’s an excuse for everyone not to care. Truthfully, the Irish DPC is correct - you and this company are not subject to EU laws any more than had the President of Mexico sent this email. GDPR will not help you until you cross the border into Poland to send the email.
In case it helps, I went through the list of US data brokers, one by one removing my spouse and me from their lists. A lot of the time it came down to the same thing, blast emailing support@whatever.com and making the request. 2-6 weeks later, I might get a response. Many required going back over and over to jump through hoops. I still have no guarantee the data is deleted, and in many cases it’s not deleted but just “not published.”
This is why all users, all people online who care about privacy, must maintain proactive defense of their data. There are no data police to lock up the bad guys. Once your data is gone, it’s gone for good. It must be protected before it’s lost, not after.
Thanks for your reply. However, GDPR applies to U.S. companies like CivitAI if they target EU users - which they do (EUR pricing, no geo-blocking, Cloudflare tracking in EU).
The Irish DPC’s rejection wasn’t based on law - it was a de facto policy choice to ignore non-EU complainants.
My point wasn’t “I want my data deleted” - it was:
- Article 17 exists
- I followed it
- They refused
- Regulators looked away
If GDPR only protects people with EU passports, then it’s not universal rights - it’s privilege with a privacy logo.
This is why all users, all people online who care about privacy, must maintain proactive defense of their data. There are no data police to lock up the bad guys. Once your data is gone, it’s gone for good. It must be protected before it’s lost, not after.
I agree, proactive defense is a must. But we also need to name when the shields we’re told exist… don’t. I often read about GDPR power on reddit and fediverse, so I was expecting it will protect me if not in a lawful shape, at least by its mere existence by being a deterrent. If I knew how it will turn out, I would be more cautious.
The GDPR isn’t universal. It applies to EU and EEA residents only, it’s an EU regulation. Ukraine isn’t in either. Don’t take it personally, doesn’t apply to me either. Wish it did.
The EU isn’t the world police. Expecting them to enforce their laws in a case where none of the involved parties are in the EU is odd.
And the GDPR isn’t a universal right, it’s a right of EU citizens. Similarly, the US’ First Amendment right to free speech won’t save you from hate speech charges in Germany. Heck, it won’t do that even if you’re a US citizen, so long as the offense is on German soil.
Fair point, and I get why it might look that way.
But here’s the thing. CivitAI doesn’t block EU users. It used EUR pricing, English (the EU’s lingua franca), their current pop-up says they’re privacy and GDPR compliant (somehow), and infrastructure that logs EU traffic (Cloudflare EU nodes). The Irish DPC is their de facto lead authority - that’s why Meta, Google, and TikTok all get fined by them.
So when they dismiss my complaint with “you’re from Ukraine” - without even asking if I was in the EU when I used the site, or whether CivitAI targets EU users - it’s not legal analysis. It’s triage. And in that triage, non-EU users get deprioritized - no matter what the law says.
I’m not arguing theory. I’m reporting what happened:
- I made a lawful request
- They refused to engage
- DPC closed it in several days
- NGOs went silent
If GDPR only protects people inside the EU’s borders - not people targeted by companies operating in the EU, then it’s not universal rights. It’s a walled garden.
Maybe there are no data police. But someone still has to file the missing persons report.
Correct, it is not a universal right. They are not engaging with you because your complaint is outside their jurisdiction. And the company isn’t either.
It’s like expecting Saudi Arabia to apprehend a Dutchman in Riyadh because you showed them a photograph of him drinking alcohol in Amsterdam. Sure, he’s in their country, so they could do it. And he did something that’s illegal in their country. But he didn’t do it in their country.
If GDPR only protects people with EU passports, then it’s not universal rights - it’s privilege with a privacy logo.
And what do you think would happen if EU tried to enforce their laws in an interaction between two parties that both aren’t in the EU? If we did it, why shouldn’t any other country try and do the same? Better read up on Chinese law before you next do business with a company in, idk, France. Sound good?
It’s not about passports either. Move to Vienna or Prague and you may have better luck.
This guy would probably conclude that a US company operating in the EU would also need to apply GDPR to US users. He is so confidently wrong
Are you really surprised that European laws apply to European citizens?
The irony of a GDPR-related post of not being heard being removed by moderators at r/gdpr
It’s annoying you don’t have an easy way to confirm your data is deleted or not. But I’m not sure why you would expect the GDPR to cover you as a non-EU citizen? Hopefully soon you’ll be counted among us, but until then there isn’t much a GDPR officer could help you with.
Hopefully soon you’ll be counted among us, but until then there isn’t much a GDPR officer could help you with.
Thank you.
But I’m not sure why you would expect the GDPR to cover you as a non-EU citizen?
Because GDPR itself says I can:
https://gdpr-info.eu/art-3-gdpr/
What line from article 3 makes you think that? It sounds to me like it’s only talking about data processors inside and outside the EU that handle data of people in the EU
Yet this same article in paragraph 2 literally says it only covers EU citizens.
“This Regulation applies to the processing of personal data of data subjects who are in the Union”
Why are you surprised when they point this out?
You’re describing how it works in practice - not how it’s written in law. GDPR protects data subjects in the EU, and applies to companies targeting the EU - not just EU passport holders. The real issue isn’t my location - it’s that CivitAI ignores the law, and regulators let them - until an EU citizen complains.
This creates a geographic lottery: if you’re physically in the EU when you complain, you get enforcement. If you’re not - even as an EU citizen abroad - you get dismissed. This is essentially a VIP lane despite claiming otherwise.
Can you confirm you are physically in the EU? If you are not, they do not care because as you pointed out, “it protects data subjects in the EU”. If you are not in the EU, then your location DOES matter. If you are in an EU territory (or territory where international agreements deem it applicable) even as a non-EU citizen, then that would suck. It doesn’t sound like a lottery to me - be physically in a territory where the law applies and get GDPR. Expecting laws to apply outside their jurisdiction is crazy.
Maybe I’m just bad with words, so let me try to explain my point better: GDPR isn’t triggered by location - it’s triggered by CivitAI’s targeting of the EU (EUR pricing, no geo-blocking, Cloudflare EU infrastructure, etc). Article 3(2) + EDPB Guidelines §21 make this clear - and the Irish DPC skipped that analysis entirely.
I’ve already covered this in other comments (and added a clarification to the post itself), so if you’d like to continue the discussion (or anyone else who might be reading this reply), I’d appreciate it if you could ground your points in primary sources - e.g., the GDPR text, EDPB guidance, or official DPC precedent, rather than common misunderstanding.
I’m not trying to win an argument nor asking for more than it’s written in the law itself.
Could you progressively poison your data?
Maybe I can? I’m not sure I understand the question. However, I don’t think I want to. This likely would require logging in. I haven’t logged in since I sent that GDPR request.
I guess from a data security point of view, we should all understand that if we give our data to a company in a different country, we should not assume that there is any legal mechanism for forcing them to delete it.







