Grok (xAI)
xAI
Status badges are conditional: validate the exact plan, DPA, subprocessors, retention, residency, and feature settings before using the tool with personal or confidential data.
Pricing / Contract Route: USD pricing; verify current business/API terms
Enterprise Features: Business/API documentation exists, but EU procurement posture remains high risk
Last Updated: June 23, 2026
Grok (xAI) - GDPR & Data Privacy Overview (EU)
Version: June 2026 - prepared by WAIMAKERS B.V.
🚨 Executive Summary: NOT RECOMMENDED for EU Customers
Grok is an AI chatbot and API developed by xAI (X.AI LLC), a US company founded by Elon Musk. Grok is available through multiple channels: X platform (formerly Twitter), standalone web/mobile apps (grok.com), and an API for developers.
🚨 CRITICAL: Grok is currently under ACTIVE GDPR investigation by the Irish Data Protection Commission (DPC) and has severe compliance issues for European customers:
- 🚨 5+ ACTIVE INVESTIGATIONS as of June 2026: (1) Irish DPC training inquiry (commenced Apr 2025), (2) Irish DPC deepfake probe (opened Feb 16–17, 2026), (3) European Commission DSA proceedings (January 2026), (4) UK ICO formal investigation (announced Feb 3, 2026) - potential fine GBP 17.5M or 4% annual turnover, (5) UK Ofcom investigation (launched Jan 12, 2026) - potential platform ban or multimillion-pound fine[1][2][3]
- 🚨 Additional national investigations: Spain, France, India, Indonesia, Malaysia, Canada, Brazil, and California also investigating xAI/Grok practices
- 🚨 EC opened a new Grok DSA investigation (announced 26 January 2026); a separate EC retention order (17 January 2025) requires X to preserve internal documents on its recommender algorithms through 31 December 2025; French authorities searched X's Paris premises on 3 February 2026 in a criminal investigation opened in January 2025
- 🚨 September 2024: Irish DPC sued X in High Court; X agreed to permanently stop processing EU/EEA public posts from X platform for Grok training[4][5]
- 🚨 Deepfake image scandal (Dec 2025–Feb 2026): Grok's image-editing feature (Grok Imagine) launched Aug 2025, and mass misuse to "undress" real photos surfaced in late Dec 2025; the Centre for Countering Digital Hate documented ~3 million sexualized images generated in 11 days; triggered India notice (Jan 3), French criminal probe expanded to Grok (early Jan), EC document preservation order (Jan 8), Indonesia temporary block (Jan 10), X restricted real-person image editing (Jan 14), UK ICO investigation (Feb 3), Irish DPC large-scale GDPR inquiry (Feb 16–17)
- 🚨 xAI merged with X Corp (March 2025, ~$110B valuation): All X user data is now under xAI's data regime
- ❌ US-only infrastructure: All data processed in Memphis, Tennessee (no EU data residency)[6][7]
- ❌ US company: X.AI LLC based in Nevada, USA (not subject to EU jurisdiction)[8]
- ⚠️ Training ENABLED by default: Users must actively opt out to prevent training (the opposite of a GDPR-compliant opt-in approach)[9]
- ⚠️ Memory feature NOT available in EU/UK: Grok's new memory feature (April 2025) explicitly blocked in Europe[10][11]
- ⚠️ Enterprise Vault launched: Isolated data plane with customer-controlled encryption - but US-hosted only, does not resolve EU jurisdiction issues
- ⚠️ Oracle Cloud partnership (June 2025) for enterprise, but no EU-specific deployment confirmed[12]
Recommendation: DO NOT USE GROK for processing EU personal data or GDPR-regulated information. The active investigation, US-only infrastructure, and history of non-compliance make it unsuitable for European business use.
Comparison of Grok Offerings (EU focus)
| Tier | Training on data? | EU data residency | Investigation status | Compliance | Price (USD) |
|---|---|---|---|---|---|
| Free (X platform) | ❌ No (banned): X permanently stopped training on EU posts (Sept 2024 court order) | ❌ US only (Memphis) | 🚨 Under investigation | GDPR: Non-compliant | $0 |
| X Premium/Premium+ | ❌ No (banned): X permanently stopped training on EU posts | ❌ US only | 🚨 Under investigation | GDPR: Non-compliant | $8-40/month |
| SuperGrok (consumer) | ⚠️ Yes (unless opt-out) | ❌ US only | 🚨 5+ active investigations | GDPR: Non-compliant | $30/month |
| SuperGrok Heavy | ⚠️ Yes (unless opt-out) | ❌ US only | 🚨 5+ active investigations | GDPR: Non-compliant | $300/month |
| X Premium | ⚠️ Banned for EU posts (court order) | ❌ US only | 🚨 5+ active investigations | GDPR: Non-compliant | $8/month |
| X Premium+ | ⚠️ Banned for EU posts (court order) | ❌ US only | 🚨 5+ active investigations | GDPR: Non-compliant | $40/month |
| Grok Business | ⚠️ Claims "no training" - UNVERIFIED during active investigations | ❌ US only | 🚨 5+ active investigations | SOC 2 Type II; GDPR: Non-compliant | $30/seat/month (Dec 2025) |
| API (Enterprise) | ⚠️ Claims "no training on customer data" - UNVERIFIED | ❌ US only | 🚨 5+ active investigations | DPA available, SOC 2 Type II; GDPR: Non-compliant | Pay-per-token (~$3/M) |
Notes for Europe
🚨 5+ Active Investigations (as of June 2026):
- Irish DPC - Grok training inquiry (commenced Apr 2025): Investigating lawfulness and transparency of Grok's processing of EU/EEA personal data for AI training. Status: Ongoing.[2][13]
- Irish DPC - Deepfake probe (opened Feb 16–17, 2026): Large-scale GDPR inquiry into Grok's deepfake generation capabilities and compliance with applicable rules, triggered by the Dec 2025 image scandal.
- European Commission - DSA proceedings (announced 26 January 2026): EC opened a new Digital Services Act investigation into how Grok's functionalities were deployed into X in the EU (press release IP/26/203). Separately, the EC's earlier DSA retention order (17 January 2025) requires X to preserve internal documents on changes to the design and functioning of its recommender algorithms for the period 17 January 2025 to 31 December 2025.
- UK ICO investigation (announced Feb 3, 2026): Formal investigation into XIUC and X.AI LLC over Grok deepfake image generation; potential fine of GBP 17.5M or 4% of annual global turnover.
- UK Ofcom investigation (launched Jan 12, 2026): Regulatory probe into Grok on X platform; potential sanctions include a platform ban or multimillion-pound fine.
Additional national investigations: Spain, France, India, Indonesia, Malaysia, Canada, Brazil, and California are also investigating xAI/Grok practices. The French criminal investigation was opened in January 2025 by the Paris cybercrime unit (following two reports received 12 January 2025) and later expanded to Grok deepfakes/negationist content; French authorities searched X's French premises on 3 February 2026.
xAI merger with X Corp (March 2025):
- xAI and X Corp formally merged at approximately $110 billion combined valuation
- All X user data is now under xAI's data regime, significantly expanding xAI's training data pool
- This merger is directly relevant to the scope of ongoing GDPR investigations
September 2024 Court Order:
- Irish DPC obtained High Court injunction (August 8, 2024) to stop X processing EU data[4]
- X agreed permanently to stop using EU/EEA public posts from X platform for Grok training[4][14]
- This ban applies ONLY to X platform posts, NOT to other Grok services (grok.com, API)[5]
Infrastructure: 100% US-based:
- Colossus data center in Memphis, Tennessee (initially ~200,000 NVIDIA GPUs for Grok 3; since expanded to roughly 555,000 mixed NVIDIA GPUs as of early 2026)[6][15]
- Oracle Cloud partnership announced June 2025, but no EU-specific deployment[12][16]
- NO EU data residency on xAI's own first-party services (grok.com, X, xAI API). Note: Grok models are separately available with EU data residency via Microsoft Azure AI Foundry (EU regions / Azure EU Data Zone), which is a Microsoft-hosted and Microsoft-governed deployment path, not xAI first-party infrastructure
Training Policy:
- Consumer (grok.com, X Premium): Default = training ENABLED; users must opt-out manually[9]
- X platform EU users: Training BANNED (permanent court order)[4]
- Enterprise API: xAI claims "no training on customer data"[8]
- Reality: Opt-out burden on users = GDPR non-compliant
Memory Feature Blocked in EU: Grok's new memory feature (launched April 2025) is NOT available in EU or UK[10][11] - likely due to GDPR concerns
Enterprise Vault:
- Isolated data plane with customer-controlled encryption
- Marketed as enhanced data security for Enterprise customers
- Critical limitation: Still US-hosted; does not resolve EU jurisdiction issues, active investigations, or lack of EU data residency
Pricing: All prices in USD (no EUR pricing):[17][18]
- Free: $0 (10 queries per 2 hours)
- SuperGrok: $30/month
- SuperGrok Heavy: $300/month
- X Premium: $8/month (limited Grok access)
- X Premium+: $40/month (higher Grok limits)
- Grok Business: $30/seat/month (launched December 2025)
- Grok Enterprise: Custom pricing
- API: ~$3-5 per million tokens depending on model
Is Grok GDPR-Compliant?
Short answer: NO. Grok is NOT GDPR-compliant and is currently under active regulatory investigation by the Irish Data Protection Commission.
Why Grok Fails GDPR Compliance
1. Multiple Active Regulatory Investigations
- Irish DPC: 2 active inquiries (training, commenced Apr 2025; deepfakes, opened Feb 16–17, 2026)[2][1]
- European Commission: new DSA investigation into Grok's deployment in X opened January 2026 (IP/26/203); separate earlier retention order (17 Jan 2025) on recommender-system records
- UK ICO: Formal investigation (Feb 3, 2026) into XIUC and X.AI LLC; potential fine GBP 17.5M or 4% annual turnover
- UK Ofcom: Investigation launched Jan 12, 2026; potential platform ban or multimillion-pound fine
- Spain, France, India, Indonesia, Malaysia, Canada, Brazil, California: Additional national investigations ongoing; French criminal investigation (opened Jan 2025, expanded to Grok deepfakes early 2026); French authorities searched X Paris premises (Feb 3, 2026)
- Previous court order (Sept 2024) required permanent ban on training with EU X posts[4]
2. No EU Data Residency
- All data processed in USA (Memphis, Tennessee)[6]
- No option to restrict processing to EU
- Oracle Cloud partnership does NOT offer EU-specific deployment[12]
3. Training Opt-In by Default
- Consumer services default to training ENABLED[9]
- Violates GDPR requirement for opt-IN consent for non-essential processing
- Burden on users to discover and disable training setting
4. US Company, US Jurisdiction
- X.AI LLC based in Nevada, USA[8]
- Subject to US laws (CLOUD Act, FISA 702)
- No practical enforcement mechanism for EU data subjects
5. Limited Transparency
- Retention periods not clearly documented
- Subprocessors are publicly listed (https://x.ai/legal/subprocessor-list) and are predominantly US-based
- Public security/privacy portal exists (x.ai/security, x.ai/privacy-portal), but the full SOC 2 report and detailed compliance documentation remain behind a sales contact
What Grok Does Have (Insufficient for GDPR)
- ✅ DPA available for Enterprise customers (current version effective June 9, 2025)[19]
- ✅ Europe Privacy Policy Addendum (April 2025)[20]
- ✅ SOC 2 Type II stated for Grok Business/Enterprise (full report not publicly downloadable)[21]
- ⚠️ Opt-out mechanism exists (but inadequate under GDPR)
- ⚠️ No ISO 27001 certification mentioned
Consumer Grok (grok.com, X Premium)
What it is: ChatGPT-style conversational AI accessible via:
- Grok.com website
- Grok mobile apps (iOS/Android)
- X platform (Premium/Premium+ subscribers)
Training policy: By default, xAI uses your inputs, outputs, and usage data to improve Grok models. You can opt-out in settings.[9]
⚠️ X platform EU exception: Due to Sept 2024 court order, X permanently stopped processing EU/EEA public posts for Grok training.[4] This applies ONLY to X platform, not grok.com or mobile apps.
Memory feature: Launched April 2025, Grok can remember past conversations to personalise responses. NOT available in EU or UK.[10][11]
Data location: Memphis, Tennessee, USA (Colossus data center)[6]
Retention: Account data is kept while the account is active; deleted conversations and Private Chat conversations are removed from xAI systems within 30 days (subject to safety/security/legal exceptions), but xAI gives no fixed retention term for retained active-account data.[9]
Opt-out process:
- Grok.com/mobile apps: Settings → Data & Privacy → Disable training
- X platform: Settings → Privacy & Safety → Grok → Uncheck "Allow training"
Pricing:[17]
- Free: $0 (10 queries per 2 hours)
- SuperGrok: $30/month
- SuperGrok Heavy: $300/month
- X Premium: $8/month (limited Grok access)
- X Premium+: $40/month (higher Grok limits)
When to use: Personal experimentation with non-sensitive, non-EU data only.
When NOT to use: Any EU personal data, client data, GDPR-regulated information, business use.
Grok Business & Enterprise
What it is: Commercial offerings for teams and organisations:
- Grok Business: $30/seat/month, designed for small-to-medium teams[21]
- Grok Enterprise: Custom pricing, enterprise-grade controls[21]
- API: Developer access for custom integrations[8]
Training policy: xAI claims "no training on your data" for Business/Enterprise.[21][8]
⚠️ Verification issue: This claim is difficult to verify given:
- Active GDPR investigation into training practices
- History of non-compliance (Sept 2024 court order)
- Lack of public audit reports or third-party verification
Data location: US-only (Memphis + Oracle Cloud)[6][12]
Compliance:[21]
- SOC 2 Type II (report not publicly available)
- GDPR & CCPA compliance (claimed, under investigation)
- Data encryption at rest and in transit
- No ISO 27001 certification mentioned
DPA: Available for Enterprise customers (last updated June 9, 2025)[19]
- Includes Standard Contractual Clauses for EU data transfers
- Defines xAI as "processor" for customer data
- However: DPA does NOT resolve US jurisdiction or infrastructure issues
Connectors: Google Drive, SharePoint, GitHub, Dropbox integration claimed[21]
When to use: ❌ NOT recommended for EU customers due to active investigation and US-only infrastructure.
When NOT to use: Any GDPR-regulated use case, EU personal data, highly regulated industries (financial services, healthcare, government).
API Access
What it is: Developer API for integrating Grok models into applications.[8]
Models available (as of Oct 2025):[22]
- Grok 4, Grok 4 Fast
- Grok 3, Grok 3 Fast
- Pricing: per-token, split input/output, varies by model (e.g., Grok 4 ~$3 input / $15 output per million tokens)
Training policy: xAI states that customer data submitted via API "is not used to train or improve models."[8]
Retention: xAI's developer docs state API requests and responses are temporarily stored for 30 days for potential abuse/misuse auditing and then automatically deleted; an enterprise Zero Data Retention (ZDR) option stores no API request/response data at all.[8]
Data location: US (Memphis, Tennessee + Oracle Cloud)[6][12]
Terms: Enterprise Terms of Service + DPA[23][19]
When to use: ❌ NOT recommended for EU customers due to US-only infrastructure and active GDPR investigation.
Data Processing Flow
Consumer Grok (grok.com, mobile apps)
User submits prompt
  ↓
xAI servers (Memphis, Tennessee, USA)
  ├─ Processed by Grok model (Grok 3/4)
  ├─ Response generated
  └─ Data stored:
       ├─ Conversation history (indefinite, until user deletes)
       ├─ Memory (if enabled; NOT available in EU/UK)
       └─ Training data (default ENABLED; user can opt-out)
Data never leaves USA
No EU data residency option
X Platform (EU users)
EU user posts on X
  ↓
X servers
  ├─ Public posts stored on X platform
  └─ 🚨 BANNED from Grok training (Sept 2024 court order)
  ↓
Data NOT shared with xAI for Grok training
(Permanent injunction)
Note: Ban applies ONLY to X platform posts,
NOT to direct grok.com/API usage
Enterprise API
API request from customer application
  ↓
xAI servers (Memphis + Oracle Cloud, USA only)
  ├─ Processed by selected Grok model
  ├─ Response returned to customer
  └─ Data handling:
       ├─ Claims: "Not used for training"
       ├─ Retention: 30 days then auto-deleted (0 with enterprise ZDR)
       └─ Location: US only (no EU option)
⚠️ Despite DPA and no-training claim,
data still subject to:
- US jurisdiction (CLOUD Act)
- Active GDPR investigation
- US-only infrastructure
Recommendations (GDPR-first)
❌ Do NOT use for EU customers
- Any Grok offering (consumer, business, enterprise, API) for EU personal data
- Any GDPR-regulated use case (HR data, customer data, patient data, financial data)
- Government or highly regulated industries in EU
🚨 Active risks
- Regulatory risk: Active GDPR investigation; potential fines for customers using Grok
- Legal risk: DPA and SCCs insufficient given US jurisdiction and investigation
- Reputational risk: Association with platform under regulatory scrutiny
- Data sovereignty risk: No EU infrastructure or data residency
✅ Alternative solutions for EU customers
- EU-based providers: Mistral AI (French), Aleph Alpha (German)
- EU data residency options: OpenAI (Azure EU), Anthropic Claude (GCP EU regions), Google Gemini (EU regions)
- Self-hosted: Llama 3, Mistral open models on EU infrastructure
EU Rollout Checklist (Practical)
⚠️ RECOMMENDATION: DO NOT proceed with Grok deployment for EU use cases.
If your organisation is considering Grok despite warnings:
1. Legal Review (MANDATORY)
- Consult with EU data protection counsel
- Complete Data Protection Impact Assessment (DPIA)
- Document legal basis for US data transfers
- Assess risk of regulatory action given active investigation
- Prepare for potential DPC inquiries
2. Due Diligence
- Request and review SOC 2 report (not publicly available)
- Review DPA and Enterprise Terms thoroughly
- Verify "no training" claim with xAI (request contractual guarantees)
- Request retention policy documentation (not in public FAQs)
- Understand limitations of Standard Contractual Clauses given US location
3. Data Minimisation
- Strip all EU personal data before submission to Grok
- Use pseudonymisation/anonymisation techniques
- Implement data filtering layer to block PII
- Maintain audit logs of all data sent to Grok
4. User Rights Management
- Document how to handle GDPR subject access requests
- Establish process for data deletion requests
- Clarify data controller vs processor responsibilities
- Prepare for right-to-object requests
5. Monitoring
- Track GDPR investigation developments
- Monitor for new court orders or regulatory actions
- Review xAI privacy policy updates (frequent changes)
- Assess quarterly whether continued use is justified
6. Transparency
- Disclose Grok use in privacy notices
- Inform data subjects of US data transfers
- Provide opt-out mechanism for Grok processing
- Document in records of processing activities (Article 30)
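A minimal pre-submission gateway for step 3 (Data Minimisation), added here as an example and not xAI's or WAIMAKERS' code: it pseudonymises personal data before a prompt leaves the organisation, blocks categories that must never be sent at all, keeps the re-identification map locally, and writes an audit entry for every request. The regex detection rules, the block policy (IBANs) and the `xai-api` destination label are constructed assumptions for illustration.

```python
"""Pre-submission gateway for checklist step 3 (Data Minimisation).
Added example, not xAI's code: pseudonymise personal data before a prompt
leaves the organisation, block categories that must not be sent at all,
keep the re-identification map locally, and write an audit record.
Detection rules are regex-based and constructed for this example; a
production gateway would add NER and organisation-specific policy."""
import hashlib
import re
from datetime import datetime, timezone

# Illustrative detection rules (constructed): category -> regex.
PII_PATTERNS = {
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "IBAN": re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){3,7}(?: ?[A-Z0-9]{1,3})?\b"),
    "PHONE": re.compile(r"(?<!\w)\+?\d[\d .-]{7,}\d(?!\w)"),
}
# Policy assumption: financial identifiers are never sent, even pseudonymised.
BLOCK_CATEGORIES = frozenset({"IBAN"})


class PseudonymVault:
    """Original value <-> placeholder map. Stays on-premises; only the
    placeholders are ever sent to the external model."""

    def __init__(self):
        self._tokens = {}      # (category, value) -> placeholder
        self._values = {}      # placeholder -> original value
        self._counters = {}    # category -> last index used

    def token_for(self, category, value):
        key = (category, value)
        if key not in self._tokens:
            n = self._counters.get(category, 0) + 1
            self._counters[category] = n
            token = f"<{category}_{n}>"
            self._tokens[key] = token
            self._values[token] = value
        return self._tokens[key]

    def rehydrate(self, text):
        """Re-identify a model response locally after it comes back."""
        for token, value in self._values.items():
            text = text.replace(token, value)
        return text


def pseudonymise(text, vault):
    """Replace each detected value with a stable placeholder; return the
    filtered text and the number of replacements per category."""
    counts = {}
    for category, pattern in PII_PATTERNS.items():
        def _sub(match, category=category):
            counts[category] = counts.get(category, 0) + 1
            return vault.token_for(category, match.group(0))
        text = pattern.sub(_sub, text)
    return text, counts


def prepare_request(prompt, vault, destination="xai-api"):
    """Gateway step: pseudonymise, apply the block policy, and produce an
    audit entry. Returns (outbound_text or None, audit_record); the audit
    entry stores a hash of what left, never the personal data itself."""
    filtered, counts = pseudonymise(prompt, vault)
    blocked = sorted(BLOCK_CATEGORIES.intersection(counts))
    record = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "destination": destination,
        "decision": "blocked" if blocked else "sent",
        "blocked_categories": blocked,
        "redactions": counts,
        "sha256_outbound": hashlib.sha256(filtered.encode()).hexdigest(),
    }
    return (None if blocked else filtered), record


if __name__ == "__main__":
    # Constructed sample prompts containing EU personal data.
    vault = PseudonymVault()
    out, rec = prepare_request(
        "Reply to anna.k@example.eu (tel +31 20 123 4567) about her order.", vault)
    print(out, rec, sep="\n")
    # The model answers with placeholders; re-identification happens locally.
    print(vault.rehydrate("Dear <EMAIL_1>, we will call <PHONE_1>."))
    out, rec = prepare_request("Refund to NL91ABNA0417164300 please.", vault)
    print(out, rec["decision"], sep="\n")
```

The audit record holds only a hash of the outbound text and per-category counts, so the log itself does not become a second copy of the personal data.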
Procurement Q&A
Q: Is xAI a US or EU company?
A: US company. X.AI LLC is incorporated in Nevada, USA.[8] The company is not subject to EU jurisdiction and is headquartered in the United States.
Q: Where is Grok data stored and processed?
A: 100% USA. Primary infrastructure is the Colossus data center in Memphis, Tennessee (200,000 NVIDIA H100 GPUs).[6][7] Oracle Cloud partnership announced June 2025, but no EU-specific deployment confirmed.[12] There is NO EU data residency option.
Q: What is the status of the GDPR investigations?
A: Rapidly escalating - 5+ active investigations as of March 2026:
- Irish DPC training inquiry (commenced Apr 2025) - examining lawfulness of EU data training practices[2]
- Irish DPC deepfake probe (opened Feb 16–17, 2026) - large-scale GDPR inquiry into Grok's deepfake image generation
- European Commission DSA proceedings (new Grok investigation announced 26 January 2026, IP/26/203) - a separate EC retention order (17 January 2025) requires X to preserve internal documents on its recommender algorithms through 31 December 2025; French authorities searched X's Paris premises on 3 February 2026
- UK ICO formal investigation (announced Feb 3, 2026) - covering XIUC and X.AI LLC; potential fine GBP 17.5M or 4% of annual global turnover
- UK Ofcom investigation (launched Jan 12, 2026) - potential platform ban or multimillion-pound fine
Additional investigations by Spain, France (including a criminal investigation opened Jan 2025 and expanded to Grok in early 2026), India, Indonesia, Malaysia, Canada, Brazil, and California are also ongoing. No resolutions have been announced as of March 2026.
Q: What was the September 2024 court order about?
A: In August 2024, the Irish DPC obtained a High Court injunction requiring X (the platform) to stop processing EU/EEA public posts for Grok training.[4] X agreed to permanently stop this processing.[5] However, this ban applies ONLY to X platform posts, NOT to grok.com, mobile apps, or API usage.
Q: Does xAI train on my data?
A: Depends on product:
- Consumer Grok (grok.com, mobile): YES, by default. You can opt-out in settings.[9]
- X platform (EU users): NO. Permanently banned by court order.[4]
- Business/Enterprise/API: xAI claims "no training on customer data."[8][21] However, this is difficult to verify given the active GDPR investigation and history of non-compliance.
Q: Is there a Data Processing Agreement (DPA)?
A: Yes, for Enterprise customers (last updated June 9, 2025).[19] The DPA includes Standard Contractual Clauses for EU data transfers. However, the DPA does NOT resolve:
- US-only infrastructure
- US jurisdiction (CLOUD Act, FISA 702)
- Active GDPR investigation
- Lack of EU data residency
Q: What compliance certifications does xAI have?
A:
- ✅ SOC 2: Claimed for Business/Enterprise (report not publicly available)[21]
- ❌ ISO 27001: Not mentioned
- 🚨 GDPR: Under active investigation; non-compliant[1]
- ⚠️ CCPA: Claimed but not verified
Q: How long does xAI retain data?
A: Partly specified, partly open-ended. Deleted and Private Chat conversations are removed within 30 days; API requests/responses are stored 30 days then auto-deleted (0 with enterprise ZDR). xAI gives no fixed retention term for retained active-account data, which it keeps "as long as necessary to provide services."[9][8] The open-ended active-account retention remains a GDPR transparency concern.
Q: Can I restrict data processing to the EU?
A: Not on xAI's own services. xAI's first-party grok.com, X and xAI API process data in the USA (Memphis, Tennessee + Oracle Cloud) with no EU residency. Grok models can, however, be consumed with EU data residency via Microsoft Azure AI Foundry (EU regions / Azure EU Data Zone), which is governed by Microsoft's Azure terms rather than xAI's.[6][12]
Q: Why is the memory feature blocked in the EU?
A: Grok's new memory feature (launched April 2025) is explicitly not available in the European Union or UK.[10][11] While xAI has not provided an official reason, this is likely due to GDPR concerns about indefinite data retention and lack of clear legal basis.
Q: What is xAI's relationship with X (Twitter)?
A: xAI acquired X Corp in March 2025 (combined valuation ~$113 billion). In February 2026, SpaceX acquired xAI, making xAI a wholly owned subsidiary of SpaceX (combined valuation ~$1.25 trillion). This means:
- All X user data is now under xAI's data regime, expanding xAI's training data access
- The merger is directly relevant to ongoing GDPR investigations into Grok training data sources
- Grok is integrated into X platform (X Premium/Premium+ subscribers)
- All entities are ultimately controlled by Elon Musk
Notes & Caveats
🚨 Rapidly Escalating Global Regulatory Enforcement: As of March 2026, xAI/Grok faces 5+ active investigations across the UK and EU (Irish DPC training inquiry, Irish DPC deepfake probe, EC DSA proceedings, UK ICO investigation with potential GBP 17.5M fine, UK Ofcom investigation with potential platform ban), plus national investigations in Spain, France, India, Indonesia, Malaysia, Canada, Brazil, and California. The Dec 2025 deepfake image scandal - ~3 million sexualized images documented by the Centre for Countering Digital Hate in just 11 days - directly triggered multiple of these probes. This represents a dramatic escalation from the single investigation noted in October 2025.[2][1]
🚨 xAI-X Corp Merger Impact: The March 2025 merger (~$110B valuation) means all X user data is now under xAI's data regime, expanding the scope of data xAI can access for Grok training. This is directly relevant to the ongoing DPC and EC investigations.
🚨 History of Non-Compliance: xAI/X has a documented history of GDPR violations:
- Required court order to stop training on EU posts (Sept 2024)[4]
- Multiple privacy complaints filed by advocacy groups[1]
- Swiss Federal Data Protection Commissioner (FDPIC) ran a preliminary investigation, concluded March 20, 2025, finding X compliant with the Swiss FADP via the training opt-out[24]
❌ No EU Data Residency: Unlike competitors (OpenAI Azure, Anthropic GCP, Google, Mistral), xAI offers no EU data residency option. All data processed in USA.[6]
❌ Training Opt-In by Default: Consumer services default to training ENABLED, requiring users to opt-out.[9] This violates GDPR's requirement for opt-IN consent for non-essential processing.
❌ Memory Blocked in EU: The explicit blocking of Grok's memory feature in EU/UK[10] suggests xAI recognises GDPR compliance challenges but has not resolved them.
⚠️ Unverified Claims: xAI's claims about "no training" on Enterprise data and SOC 2 compliance are difficult to verify:
- SOC 2 report not publicly available
- No independent audits or third-party verification
- Active regulatory investigation undermines trust
⚠️ Limited Transparency: Compared to competitors, xAI provides minimal public documentation:
- Public security/trust page and privacy portal exist (x.ai/security, x.ai/privacy-portal)
- Retention specified as a 30-day deletion window for deleted/Private Chat data; active-account data has no fixed term
- Subprocessor list is published (x.ai/legal/subprocessor-list)
- Full SOC 2 report and detailed audit documentation still behind a sales contact
⚠️ US Jurisdiction: As a US company with US-only infrastructure, xAI is subject to:
- CLOUD Act (foreign data access)
- FISA 702 surveillance
- US government data requests
- Limited practical enforcement of EU data subject rights
⚠️ Rapid Changes: xAI frequently updates terms and privacy policies:
- Europe Privacy Policy Addendum added April 2025[20]
- DPA last updated June 2025[19]
- Terms of Service updated multiple times 2024-2025
- Monitor for changes if considering deployment
Disclaimer
🚨 STRONG WARNING: This overview documents Grok's current status as of March 2026, including 5+ active investigations across the UK and EU (Irish DPC training inquiry, Irish DPC deepfake probe, EC DSA proceedings, UK ICO investigation, UK Ofcom investigation), a global deepfake image scandal that generated approximately 3 million sexualized images in 11 days, and a documented history of non-compliance. The situation has dramatically escalated since October 2025. We STRONGLY ADVISE AGAINST using Grok for any EU personal data or GDPR-regulated use cases.
This overview is intended solely as an informative tool. We strongly advise customers to:
- Consult with EU data protection counsel before considering Grok
- Complete a Data Protection Impact Assessment (DPIA) for any EU use case
- Monitor the active GDPR investigation for developments
- Review alternative AI providers with EU data residency and compliance
- Thoroughly review all legal documentation (DPA, Terms, Privacy Policy)
WAIMAKERS applies this same principle internally; all tools we use have been thoroughly assessed and included in our own privacy and security documentation. We do not use Grok internally due to GDPR compliance concerns.
Customers should always carefully evaluate the official documentation, terms, and DPAs of each AI provider they use. WAIMAKERS cannot be held legally liable for any mistakes, errors, inaccuracies, or for the accuracy, currency, or completeness of the information in this document; the ultimate responsibility for GDPR compliance rests with the customer.
Given the active regulatory investigation and documented compliance issues, we cannot recommend Grok for EU customers at this time.
Prepared and issued by WAIMAKERS B.V. - June 2026.
References
- https://x.ai/legal/privacy-policy - xAI Privacy Policy (Effective April 4, 2026)
- https://x.ai/legal/data-processing-addendum - xAI Data Processing Addendum (Effective: June 9, 2025)
- https://x.ai/legal/faq-enterprise - xAI Enterprise FAQs
- https://x.ai/legal/terms-of-service-enterprise - xAI Enterprise Terms of Service
- https://www.dataprotection.ie/en/news-media/press-releases/data-protection-commission-welcomes-conclusion-proceedings-relating-xs-ai-tool-grok - Irish DPC Court Proceedings on X/Grok (September 2024)
- https://www.euractiv.com/section/tech/news/exclusive-irish-data-privacy-watchdog-opens-investigation-into-musks-grok-ai-model/ - Irish DPC Opens GDPR Investigation into Grok AI (April 2025)
- https://www.freevacy.com/news/data-protection-commission/dpi-opens-gdpr-investigation-into-xais-grok-ai-data-training/6312 - DPC Opens GDPR Investigation into xAI's Grok AI Data Training