
Grok (xAI)

xAI

Not Compliant | EU: Not Available | Opt-out Available | Undefined | US Only

Business Plan Price

$30/seat (Business) - billed in USD

Enterprise Features

SOC 2, DPA available, Enterprise Vault, no training claim (unverified)

Last Updated

March 23, 2026

Grok (xAI) - GDPR & Data Privacy Overview (EU)

Version: March 2026 - prepared by WAIMAKERS B.V.

🚨 Executive Summary: NOT RECOMMENDED for EU Customers

Grok is an AI chatbot and API developed by xAI (X.AI LLC), a US company founded by Elon Musk. Grok is available through multiple channels: X platform (formerly Twitter), standalone web/mobile apps (grok.com), and an API for developers.

🚨 CRITICAL: Grok is currently under ACTIVE GDPR investigation by the Irish Data Protection Commission (DPC) and has severe compliance issues for European customers:

  • 🚨 5+ ACTIVE INVESTIGATIONS as of March 2026: (1) Irish DPC training inquiry (ongoing since Aug 2024), (2) Irish DPC deepfake probe (opened Feb 16–17, 2026), (3) European Commission DSA proceedings (January 2026), (4) UK ICO formal investigation (announced Feb 3, 2026) - potential fine GBP 17.5M or 4% annual turnover, (5) UK Ofcom investigation (launched Jan 12, 2026) - potential platform ban or multimillion-pound fine[1][2][3]
  • 🚨 Additional national investigations: Spain, France, India, Indonesia, Malaysia, Canada, Brazil, and California also investigating xAI/Grok practices
  • 🚨 EC ordered preservation of all Grok AI records through 2026; French authorities raided X Paris offices; France opened criminal investigation (Jan 5, 2026)
  • 🚨 September 2024: Irish DPC sued X in High Court; X agreed to permanently stop processing EU/EEA public posts from X platform for Grok training[4][5]
  • 🚨 Deepfake image scandal (Dec 2025–Feb 2026): Grok's "edit image" feature launched late Dec 2025; the Centre for Countering Digital Hate documented ~3 million sexualized images generated in 11 days; triggered India notice (Jan 3), French criminal investigation (Jan 5), EC document preservation order (Jan 8), Indonesia temporary block (Jan 10), X restricted real-person image editing (Jan 14), UK ICO investigation (Feb 3), Irish DPC large-scale GDPR inquiry (Feb 16–17)
  • 🚨 xAI merged with X Corp (March 2025, ~$110B valuation): All X user data is now under xAI's data regime
  • ❌ US-only infrastructure: All data processed in Memphis, Tennessee (no EU data residency)[6][7]
  • ❌ US company: X.AI LLC based in Nevada, USA (not subject to EU jurisdiction)[8]
  • ⚠️ Training enabled by default: Users are opted in and must actively opt out to prevent training (the opposite of a GDPR-compliant approach)[9]
  • ⚠️ Memory feature NOT available in EU/UK: Grok's new memory feature (April 2025) explicitly blocked in Europe[10][11]
  • ⚠️ Enterprise Vault launched: Isolated data plane with customer-controlled encryption - but US-hosted only, does not resolve EU jurisdiction issues
  • ⚠️ Oracle Cloud partnership (June 2025) for enterprise, but no EU-specific deployment confirmed[12]

Recommendation: DO NOT USE GROK for processing EU personal data or GDPR-regulated information. The active investigation, US-only infrastructure, and history of non-compliance make it unsuitable for European business use.


Comparison of Grok Offerings (EU focus)

| Tier | Training on data? | EU data residency | Investigation status | Compliance | Price (USD) |
|---|---|---|---|---|---|
| Free (X platform) | ❌ Banned: X permanently stopped training on EU posts (Sept 2024 court order) | ❌ US only (Memphis) | 🚨 Under investigation | GDPR: Non-compliant | $0 |
| X Premium/Premium+ | ❌ Banned: X permanently stopped training on EU posts | ❌ US only | 🚨 Under investigation | GDPR: Non-compliant | $8-16/month |
| SuperGrok (consumer) | ⚠️ Yes (unless opt-out) | ❌ US only | 🚨 5+ active investigations | GDPR: Non-compliant | $30/month |
| SuperGrok Heavy | ⚠️ Yes (unless opt-out) | ❌ US only | 🚨 5+ active investigations | GDPR: Non-compliant | $300/month |
| X Premium | ⚠️ Banned for EU posts (court order) | ❌ US only | 🚨 5+ active investigations | GDPR: Non-compliant | $8/month |
| X Premium+ | ⚠️ Banned for EU posts (court order) | ❌ US only | 🚨 5+ active investigations | GDPR: Non-compliant | $40/month |
| Grok Business | ⚠️ Claims "no training" - UNVERIFIED during active investigations | ❌ US only | 🚨 5+ active investigations | SOC 2 claimed; GDPR: Non-compliant | $30/seat/month (Dec 2025) |
| API (Enterprise) | ⚠️ Claims "no training on customer data" - UNVERIFIED | ❌ US only | 🚨 5+ active investigations | DPA available, SOC 2 claimed; GDPR: Non-compliant | Pay-per-token (~$3/M) |

Notes for Europe

🚨 5+ Active Investigations (as of March 2026):

  1. Irish DPC - Grok training inquiry (ongoing since Aug 2024): Investigating lawfulness and transparency of Grok's processing of EU/EEA personal data for AI training. Status: Ongoing.[2][13]
  2. Irish DPC - Deepfake probe (opened Feb 16–17, 2026): Large-scale GDPR inquiry into Grok's deepfake generation capabilities and compliance with applicable rules, triggered by the Dec 2025 image scandal.
  3. European Commission - DSA proceedings (January 2026): EC opened Digital Services Act proceedings against X/xAI; EC ordered preservation of all Grok AI records through end of 2026 (order issued Jan 8, 2026).
  4. UK ICO investigation (announced Feb 3, 2026): Formal investigation into XIUC and X.AI LLC over Grok deepfake image generation; potential fine of GBP 17.5M or 4% of annual global turnover.
  5. UK Ofcom investigation (launched Jan 12, 2026): Regulatory probe into Grok on X platform; potential sanctions include a platform ban or multimillion-pound fine.

Additional national investigations: Spain, France, India (notice Jan 3, 2026), Indonesia (temporary block Jan 10, 2026), Malaysia, Canada, Brazil, and California are also investigating xAI/Grok practices. French authorities conducted a raid on X Paris offices and opened a criminal investigation (Jan 5, 2026).

xAI merger with X Corp (March 2025):

  • xAI and X Corp formally merged at approximately $110 billion combined valuation
  • All X user data is now under xAI's data regime, significantly expanding xAI's training data pool
  • This merger is directly relevant to the scope of ongoing GDPR investigations

September 2024 Court Order:

  • Irish DPC obtained High Court injunction (August 8, 2024) to stop X processing EU data[4]
  • X agreed permanently to stop using EU/EEA public posts from X platform for Grok training[4][14]
  • This ban applies ONLY to X platform posts, NOT to other Grok services (grok.com, API)[5]

Infrastructure: 100% US-based:

  • Colossus data center in Memphis, Tennessee (200,000 NVIDIA H100 GPUs)[6][15]
  • Oracle Cloud partnership announced June 2025, but no EU-specific deployment[12][16]
  • NO EU data residency option available

Training Policy:

  • Consumer (grok.com, X Premium): Default = training ENABLED; users must opt-out manually[9]
  • X platform EU users: Training BANNED (permanent court order)[4]
  • Enterprise API: xAI claims "no training on customer data"[8]
  • Reality: Opt-out burden on users = GDPR non-compliant

Memory Feature Blocked in EU: Grok's new memory feature (launched April 2025) is NOT available in EU or UK[10][11] - likely due to GDPR concerns

Enterprise Vault:

  • Isolated data plane with customer-controlled encryption
  • Marketed as enhanced data security for Enterprise customers
  • Critical limitation: Still US-hosted; does not resolve EU jurisdiction issues, active investigations, or lack of EU data residency

Pricing: All prices in USD (no EUR pricing):[17][18]

  • Free: $0 (10 queries per 2 hours)
  • SuperGrok: $30/month
  • SuperGrok Heavy: $300/month
  • X Premium: $8/month (limited Grok access)
  • X Premium+: $40/month (higher Grok limits)
  • Grok Business: $30/seat/month (launched December 2025)
  • Grok Enterprise: Custom pricing
  • API: ~$3-5 per million tokens depending on model

Is Grok GDPR-Compliant?

Short answer: NO. Grok is NOT GDPR-compliant and is currently under active regulatory investigation by the Irish Data Protection Commission.

Why Grok Fails GDPR Compliance

1. Multiple Active Regulatory Investigations

  • Irish DPC: 2 active inquiries (training, ongoing since Aug 2024; deepfakes, opened Feb 16–17, 2026)[2][1]
  • European Commission: DSA proceedings opened January 2026; EC ordered preservation of all Grok AI records through end of 2026 (Jan 8, 2026)
  • UK ICO: Formal investigation (Feb 3, 2026) into XIUC and X.AI LLC; potential fine GBP 17.5M or 4% annual turnover
  • UK Ofcom: Investigation launched Jan 12, 2026; potential platform ban or multimillion-pound fine
  • Spain, France, India, Indonesia, Malaysia, Canada, Brazil, California: Additional national investigations ongoing; French criminal investigation opened Jan 5, 2026; French authorities raided X Paris offices
  • Previous court order (Sept 2024) required permanent ban on training with EU X posts[4]

2. No EU Data Residency

  • All data processed in USA (Memphis, Tennessee)[6]
  • No option to restrict processing to EU
  • Oracle Cloud partnership does NOT offer EU-specific deployment[12]

3. Training Opt-In by Default

  • Consumer services default to training ENABLED[9]
  • Violates GDPR requirement for opt-IN consent for non-essential processing
  • Burden on users to discover and disable training setting

4. US Company, US Jurisdiction

  • X.AI LLC based in Nevada, USA[8]
  • Subject to US laws (CLOUD Act, FISA 702)
  • No practical enforcement mechanism for EU data subjects

5. Limited Transparency

  • Retention periods not clearly documented
  • Subprocessors not publicly listed (unlike competitors)
  • No public Trust Center or compliance documentation portal

What Grok Does Have (Insufficient for GDPR)

  • ✅ DPA available for Enterprise customers (Sept 2024)[19]
  • ✅ Europe Privacy Policy Addendum (April 2025)[20]
  • ✅ SOC 2 compliance claimed for Grok Business/Enterprise[21]
  • ⚠️ Opt-out mechanism exists (but inadequate under GDPR)
  • ⚠️ No ISO 27001 certification mentioned

Consumer Grok (grok.com, X Premium)

What it is: ChatGPT-style conversational AI accessible via:

  • Grok.com website
  • Grok mobile apps (iOS/Android)
  • X platform (Premium/Premium+ subscribers)

Training policy: By default, xAI uses your inputs, outputs, and usage data to improve Grok models. You can opt-out in settings.[9]

⚠️ X platform EU exception: Due to Sept 2024 court order, X permanently stopped processing EU/EEA public posts for Grok training.[4] This applies ONLY to X platform, not grok.com or mobile apps.

Memory feature: Launched April 2025, Grok can remember past conversations to personalise responses. NOT available in EU or UK.[10][11]

Data location: Memphis, Tennessee, USA (Colossus data center)[6]

Retention: Not clearly specified in public documentation. Consumer FAQ states xAI retains information "as long as necessary" but provides no specific timeframes.[9]

Opt-out process:

  • Grok.com/mobile apps: Settings → Data & Privacy → Disable training
  • X platform: Settings → Privacy & Safety → Grok → Uncheck "Allow training"

Pricing:[17]

  • Free: $0 (10 queries per 2 hours)
  • SuperGrok: $30/month
  • SuperGrok Heavy: $300/month
  • X Premium: $8/month (limited Grok access)
  • X Premium+: $16/month (higher Grok limits)

When to use: Personal experimentation with non-sensitive, non-EU data only.

When NOT to use: Any EU personal data, client data, GDPR-regulated information, business use.


Grok Business & Enterprise

What it is: Commercial offerings for teams and organisations:

  • Grok Business: $30/seat/month, designed for small-to-medium teams[21]
  • Grok Enterprise: Custom pricing, enterprise-grade controls[21]
  • API: Developer access for custom integrations[8]

Training policy: xAI claims "no training on your data" for Business/Enterprise.[21][8]

⚠️ Verification issue: This claim is difficult to verify given:

  • Active GDPR investigation into training practices
  • History of non-compliance (Sept 2024 court order)
  • Lack of public audit reports or third-party verification

Data location: US-only (Memphis + Oracle Cloud)[6][12]

Compliance:[21]

  • SOC 2 compliance (claimed, report not publicly available)
  • GDPR & CCPA compliance (claimed, under investigation)
  • Data encryption at rest and in transit
  • No ISO 27001 certification mentioned

DPA: Available for Enterprise customers (last updated Sept 5, 2024)[19]

  • Includes Standard Contractual Clauses for EU data transfers
  • Defines xAI as "processor" for customer data
  • However: DPA does NOT resolve US jurisdiction or infrastructure issues

Connectors: Google Drive, SharePoint, GitHub, Dropbox integration claimed[21]

When to use: ❌ NOT recommended for EU customers due to active investigation and US-only infrastructure.

When NOT to use: Any GDPR-regulated use case, EU personal data, highly regulated industries (financial services, healthcare, government).


API Access

What it is: Developer API for integrating Grok models into applications.[8]

Models available (as of Oct 2025):[22]

  • Grok 4, Grok 4 Fast
  • Grok 3, Grok 3 Fast
  • Pricing: ~$3-5 per million tokens depending on model

Training policy: xAI states that customer data submitted via API "is not used to train or improve models."[8]

Retention: Not clearly specified. Enterprise FAQ states xAI retains data "as necessary to provide services" but provides no specific timeframes.[8]

Data location: US (Memphis, Tennessee + Oracle Cloud)[6][12]

Terms: Enterprise Terms of Service + DPA[23][19]

When to use: ❌ NOT recommended for EU customers due to US-only infrastructure and active GDPR investigation.


Data Processing Flow

Consumer Grok (grok.com, mobile apps)

User submits prompt
  ↓
xAI servers (Memphis, Tennessee, USA)
  ├─ Processed by Grok model (Grok 3/4)
  ├─ Response generated
  └─ Data stored:
      ├─ Conversation history (indefinite, until user deletes)
      ├─ Memory (if enabled; NOT available in EU/UK)
      └─ Training data (default ENABLED; user can opt-out)

Data never leaves USA
No EU data residency option

X Platform (EU users)

EU user posts on X
  ↓
X servers
  ├─ Public posts stored on X platform
  └─ 🚨 BANNED from Grok training (Sept 2024 court order)
      ↓
      Data NOT shared with xAI for Grok training
      (Permanent injunction)

Note: Ban applies ONLY to X platform posts,
NOT to direct Grok.com/API usage

Enterprise API

API request from customer application
  ↓
xAI servers (Memphis + Oracle Cloud, USA only)
  ├─ Processed by selected Grok model
  ├─ Response returned to customer
  └─ Data handling:
      ├─ Claims: "Not used for training"
      ├─ Retention: Undefined timeframe
      └─ Location: US only (no EU option)

⚠️ Despite DPA and no-training claim,
data still subject to:
  - US jurisdiction (CLOUD Act)
  - Active GDPR investigation
  - US-only infrastructure

Recommendations (GDPR-first)

❌ Do NOT use for EU customers

  • Any Grok offering (consumer, business, enterprise, API) for EU personal data
  • Any GDPR-regulated use case (HR data, customer data, patient data, financial data)
  • Government or highly regulated industries in EU

🚨 Active risks

  • Regulatory risk: Active GDPR investigation; potential fines for customers using Grok
  • Legal risk: DPA and SCCs insufficient given US jurisdiction and investigation
  • Reputational risk: Association with platform under regulatory scrutiny
  • Data sovereignty risk: No EU infrastructure or data residency

✅ Alternative solutions for EU customers

  • EU-based providers: Mistral AI (French), Aleph Alpha (German)
  • EU data residency options: OpenAI (Azure EU), Anthropic Claude (GCP EU regions), Google Gemini (EU regions)
  • Self-hosted: Llama 3, Mistral open models on EU infrastructure

EU Rollout Checklist (Practical)

⚠️ RECOMMENDATION: DO NOT proceed with Grok deployment for EU use cases.

If your organisation is considering Grok despite warnings:

1. Legal Review (MANDATORY)

  • ✅ Consult with EU data protection counsel
  • ✅ Complete Data Protection Impact Assessment (DPIA)
  • ✅ Document legal basis for US data transfers
  • ✅ Assess risk of regulatory action given active investigation
  • ✅ Prepare for potential DPC inquiries

2. Due Diligence

  • ✅ Request and review SOC 2 report (not publicly available)
  • ✅ Review DPA and Enterprise Terms thoroughly
  • ✅ Verify "no training" claim with xAI (request contractual guarantees)
  • ✅ Request retention policy documentation (not in public FAQs)
  • ✅ Understand limitations of Standard Contractual Clauses given US location

3. Data Minimisation

  • ✅ Strip all EU personal data before submission to Grok
  • ✅ Use pseudonymisation/anonymisation techniques
  • ✅ Implement data filtering layer to block PII
  • ✅ Maintain audit logs of all data sent to Grok
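
One way to build the filtering layer and audit log from the Data Minimisation step, shown as an added example (not WAIMAKERS or xAI code). The detector patterns, the block policy, the key and the sample prompts are constructed assumptions; regex detection alone will miss names and free-text identifiers.

```python
import hashlib
import hmac
import json
import re
from datetime import datetime, timezone

# Constructed detectors for three identifier types (assumption: a real
# deployment adds locale-specific patterns and named-entity recognition).
PATTERNS = {
    "EMAIL": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "IBAN": re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b"),
    "PHONE": re.compile(r"\+\d{1,3}[\s-]?\d(?:[\s-]?\d){6,11}"),
}
# Hypothetical policy: these categories are never forwarded, even as tokens.
BLOCKED_CATEGORIES = {"IBAN"}


def _token(kind, value, key):
    """Keyed, deterministic pseudonym: same value and key give the same token."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "<%s_%s>" % (kind, digest[:8])


def filter_prompt(prompt, key, audit_log):
    """Return (outbound_text_or_None, token_map) and append one audit record.

    token_map (token -> original value) stays on the caller's side so replies
    can be re-identified locally; it is never part of the outbound text.
    """
    hits = {kind: pat.findall(prompt) for kind, pat in PATTERNS.items()}
    blocked = sorted(k for k in BLOCKED_CATEGORIES if hits[k])
    token_map = {}
    outbound = None
    if not blocked:
        outbound = prompt
        for kind, pat in PATTERNS.items():
            def substitute(match, kind=kind):
                token = _token(kind, match.group(0), key)
                token_map[token] = match.group(0)
                return token
            outbound = pat.sub(substitute, outbound)
    # The audit record carries counts and a keyed digest, not the prompt itself.
    audit_log.append(json.dumps({
        "ts": datetime.now(timezone.utc).isoformat(),
        "decision": "blocked" if blocked else "forwarded",
        "blocked_categories": blocked,
        "counts": {kind: len(found) for kind, found in hits.items()},
        "prompt_hmac": hmac.new(key, prompt.encode("utf-8"),
                                hashlib.sha256).hexdigest(),
    }, sort_keys=True))
    return outbound, token_map


# Constructed sample inputs and key, for illustration only.
DEMO_KEY = b"constructed-demo-key"
SAMPLE_OK = ("Summarise the complaint from jan.devries@example.nl; call back on "
             "+31 6 1234 5678. Reply to jan.devries@example.nl by Friday.")
SAMPLE_BLOCKED = "Refund to NL91ABNA0417164300 for jan.devries@example.nl."

if __name__ == "__main__":
    log = []
    for sample in (SAMPLE_OK, SAMPLE_BLOCKED):
        text, _ = filter_prompt(sample, DEMO_KEY, log)
        print(text)
    print("\n".join(log))
```

Keyed tokens are pseudonymised data, not anonymised data: whoever holds the key and token map can reverse them, so both belong in the same protected environment as the audit log.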

4. User Rights Management

  • ✅ Document how to handle GDPR subject access requests
  • ✅ Establish process for data deletion requests
  • ✅ Clarify data controller vs processor responsibilities
  • ✅ Prepare for right-to-object requests

5. Monitoring

  • ✅ Track GDPR investigation developments
  • ✅ Monitor for new court orders or regulatory actions
  • ✅ Review xAI privacy policy updates (frequent changes)
  • ✅ Assess quarterly whether continued use is justified

6. Transparency

  • ✅ Disclose Grok use in privacy notices
  • ✅ Inform data subjects of US data transfers
  • ✅ Provide opt-out mechanism for Grok processing
  • ✅ Document in records of processing activities (Article 30)

Procurement Q&A

Q: Is xAI a US or EU company?

A: US company. X.AI LLC is incorporated in Nevada, USA.[8] The company is not subject to EU jurisdiction and is headquartered in the United States.

Q: Where is Grok data stored and processed?

A: 100% USA. Primary infrastructure is the Colossus data center in Memphis, Tennessee (200,000 NVIDIA H100 GPUs).[6][7] Oracle Cloud partnership announced June 2025, but no EU-specific deployment confirmed.[12] There is NO EU data residency option.

Q: What is the status of the GDPR investigations?

A: Rapidly escalating - 5+ active investigations as of March 2026:

  1. Irish DPC training inquiry (ongoing since Aug 2024) - examining lawfulness of EU data training practices[2]
  2. Irish DPC deepfake probe (opened Feb 16–17, 2026) - large-scale GDPR inquiry into Grok's deepfake image generation
  3. European Commission DSA proceedings (January 2026) - EC ordered preservation of all Grok AI records through end of 2026; French authorities raided X Paris offices
  4. UK ICO formal investigation (announced Feb 3, 2026) - covering XIUC and X.AI LLC; potential fine GBP 17.5M or 4% of annual global turnover
  5. UK Ofcom investigation (launched Jan 12, 2026) - potential platform ban or multimillion-pound fine

Additional investigations by Spain, France (including criminal investigation opened Jan 5, 2026), India, Indonesia, Malaysia, Canada, Brazil, and California are also ongoing. No resolutions have been announced as of March 2026.

Q: What was the September 2024 court order about?

A: In August 2024, the Irish DPC obtained a High Court injunction requiring X (the platform) to stop processing EU/EEA public posts for Grok training.[4] X agreed to permanently stop this processing.[5] However, this ban applies ONLY to X platform posts, NOT to grok.com, mobile apps, or API usage.

Q: Does xAI train on my data?

A: Depends on product:

  • Consumer Grok (grok.com, mobile): YES, by default. You can opt-out in settings.[9]
  • X platform (EU users): NO. Permanently banned by court order.[4]
  • Business/Enterprise/API: xAI claims "no training on customer data."[8][21] However, this is difficult to verify given the active GDPR investigation and history of non-compliance.

Q: Is there a Data Processing Agreement (DPA)?

A: Yes, for Enterprise customers (last updated Sept 5, 2024).[19] The DPA includes Standard Contractual Clauses for EU data transfers. However, the DPA does NOT resolve:

  • US-only infrastructure
  • US jurisdiction (CLOUD Act, FISA 702)
  • Active GDPR investigation
  • Lack of EU data residency

Q: What compliance certifications does xAI have?

A:

  • ✅ SOC 2: Claimed for Business/Enterprise (report not publicly available)[21]
  • ❌ ISO 27001: Not mentioned
  • 🚨 GDPR: Under active investigation; non-compliant[1]
  • ⚠️ CCPA: Claimed but not verified

Q: How long does xAI retain data?

A: Not clearly specified. Consumer FAQ states xAI retains information "as long as necessary to provide services" but provides no specific timeframes.[9] Enterprise FAQ similarly vague.[8] This lack of transparency is a GDPR compliance red flag.

Q: Can I restrict data processing to the EU?

A: NO. There is no EU data residency option. All data is processed in the USA (Memphis, Tennessee + Oracle Cloud).[6][12]

Q: Why is the memory feature blocked in the EU?

A: Grok's new memory feature (launched April 2025) is explicitly not available in the European Union or UK.[10][11] While xAI has not provided an official reason, this is likely due to GDPR concerns about indefinite data retention and lack of clear legal basis.

Q: What is xAI's relationship with X (Twitter)?

A: xAI and X Corp formally merged in March 2025 at approximately $110 billion combined valuation. This means:

  • All X user data is now under xAI's data regime, expanding xAI's training data access
  • The merger is directly relevant to ongoing GDPR investigations into Grok training data sources
  • Grok is integrated into X platform (X Premium/Premium+ subscribers)
  • Both entities are controlled by Elon Musk

Notes & Caveats

🚨 Rapidly Escalating Global Regulatory Enforcement: As of March 2026, xAI/Grok faces 5+ active investigations across the UK and EU (Irish DPC training inquiry, Irish DPC deepfake probe, EC DSA proceedings, UK ICO investigation with potential GBP 17.5M fine, UK Ofcom investigation with potential platform ban), plus national investigations in Spain, France, India, Indonesia, Malaysia, Canada, Brazil, and California. The Dec 2025 deepfake image scandal (~3 million sexualized images documented by the Centre for Countering Digital Hate in just 11 days) directly triggered multiple of these probes. This represents a dramatic escalation from the single investigation noted in October 2025.[2][1]

🚨 xAI-X Corp Merger Impact: The March 2025 merger (~$110B valuation) means all X user data is now under xAI's data regime, expanding the scope of data xAI can access for Grok training. This is directly relevant to the ongoing DPC and EC investigations.

🚨 History of Non-Compliance: xAI/X has a documented history of GDPR violations:

  • Required court order to stop training on EU posts (Sept 2024)[4]
  • Multiple privacy complaints filed by advocacy groups[1]
  • Swiss Federal Data Protection Commissioner also investigated (March 2025)[24]

❌ No EU Data Residency: Unlike competitors (OpenAI Azure, Anthropic GCP, Google, Mistral), xAI offers no EU data residency option. All data processed in USA.[6]

❌ Training Opt-In by Default: Consumer services default to training ENABLED, requiring users to opt-out.[9] This violates GDPR's requirement for opt-IN consent for non-essential processing.

❌ Memory Blocked in EU: The explicit blocking of Grok's memory feature in EU/UK[10] suggests xAI recognises GDPR compliance challenges but has not resolved them.

⚠️ Unverified Claims: xAI's claims about "no training" on Enterprise data and SOC 2 compliance are difficult to verify:

  • SOC 2 report not publicly available
  • No independent audits or third-party verification
  • Active regulatory investigation undermines trust

⚠️ Limited Transparency: Compared to competitors, xAI provides minimal public documentation:

  • No public Trust Center or security portal
  • Retention periods undefined
  • Subprocessor list not published
  • Compliance documentation behind sales contact

⚠️ US Jurisdiction: As a US company with US-only infrastructure, xAI is subject to:

  • CLOUD Act (foreign data access)
  • FISA 702 surveillance
  • US government data requests
  • Limited practical enforcement of EU data subject rights

⚠️ Rapid Changes: xAI frequently updates terms and privacy policies:

  • Europe Privacy Policy Addendum added April 2025[20]
  • DPA last updated Sept 2024[19]
  • Terms of Service updated multiple times 2024-2025
  • Monitor for changes if considering deployment

Disclaimer

🚨 STRONG WARNING: This overview documents Grok's current status as of March 2026, including 5+ active investigations across the UK and EU (Irish DPC training inquiry, Irish DPC deepfake probe, EC DSA proceedings, UK ICO investigation, UK Ofcom investigation), a global deepfake image scandal that generated approximately 3 million sexualized images in 11 days, and a documented history of non-compliance. The situation has dramatically escalated since October 2025. We STRONGLY ADVISE AGAINST using Grok for any EU personal data or GDPR-regulated use cases.

This overview is intended solely as an informative tool. We strongly advise customers to:

  1. Consult with EU data protection counsel before considering Grok
  2. Complete a Data Protection Impact Assessment (DPIA) for any EU use case
  3. Monitor the active GDPR investigation for developments
  4. Review alternative AI providers with EU data residency and compliance
  5. Thoroughly review all legal documentation (DPA, Terms, Privacy Policy)

WAIMAKERS applies this same principle internally; all tools we use have been thoroughly assessed and included in our own privacy and security documentation. We do not use Grok internally due to GDPR compliance concerns.

Customers should always carefully evaluate the official documentation, terms, and DPAs of each AI provider they use. WAIMAKERS cannot be held legally liable for any mistakes, errors, inaccuracies, or for the accuracy, currency, or completeness of the information in this document; the ultimate responsibility for GDPR compliance rests with the customer.

Given the active regulatory investigation and documented compliance issues, we cannot recommend Grok for EU customers at this time.

Prepared and issued by WAIMAKERS B.V. - March 2026.


References

  • https://x.ai/legal/privacy-policy - xAI Privacy Policy (Effective July 10, 2025)
  • https://x.ai/legal/data-processing-addendum/previous-2024-09-05 - xAI Data Processing Addendum (Last Modified: September 5, 2024)
  • https://x.ai/legal/faq-enterprise - xAI Enterprise FAQs
  • https://x.ai/legal/terms-of-service-enterprise - xAI Enterprise Terms of Service
  • https://www.dataprotection.ie/en/news-media/press-releases/data-protection-commission-welcomes-conclusion-proceedings-relating-xs-ai-tool-grok - Irish DPC Court Proceedings on X/Grok (September 2024)
  • https://www.euractiv.com/section/tech/news/exclusive-irish-data-privacy-watchdog-opens-investigation-into-musks-grok-ai-model/ - Irish DPC Opens GDPR Investigation into Grok AI (April 2025)
  • https://www.freevacy.com/news/data-protection-commission/dpi-opens-gdpr-investigation-into-xais-grok-ai-data-training/6312 - DPC Opens GDPR Investigation into xAI's Grok AI Data Training
