Compliance

Our approach to AI regulation, provenance, and data protection.

EU AI Act

GENERAITR is operated by TOMLIN STUDIO AB, a Swedish company subject to EU law. We monitor the EU AI Act implementation closely and have taken the following positions as the regulation comes into force in 2026.

GENERAITR is built on the ComfyUI engine and provides two modes of AI generation: Online plans access closed-source models via API, routed through ComfyUI Partner nodes; Local plans allow organisations to run open-source AI models on their own GPU hardware, on-premise or in a private cloud. In both cases the underlying models are third-party General-Purpose AI (GPAI) systems, governed by the obligations placed on the model providers who built them. Our own transparency duties under the Act are set out in the next section.

We do not train models. We do not use customer-uploaded images to train or fine-tune any AI system. Generated outputs are owned by the customer organisation that produced them.

Compliance checklist: Article 50 checklist for your team → (Save as PDF from the page header.)

Provider and deployer: how the roles divide

The EU AI Act assigns transparency duties by role. GENERAITR is exclusively the Provider: we build and operate the generative AI platform. As the provider, we embed C2PA manifests, invisible watermarks, and verification tooling into every export and carry the technical transparency duties set out in Section 1 of the Code of Practice. GENERAITR does not publish or distribute content on behalf of users and is therefore not a Deployer.

The studios, creators, and organisations that use GENERAITR to generate and publish content are the Deployers under Article 50. A deployer is any natural or legal person who puts an AI system into use. When a Studios+ creator delivers AI-generated work to a client, or when an organisation publishes imagery produced on the platform, they are acting as deployers and hold the disclosure duty at the point of publication. This applies to both Studios+ partners (independent creators and studios) and to any organisation using GENERAITR as a tool in their own content workflow.

GENERAITR makes it straightforward for every deployer to meet their obligations: the EU compliance labels, C2PA manifest, and audit trail are built into the standard export workflow. The platform handles the Provider’s share of the obligation so that Deployers can focus on the publication step.

Aligned with the EU's official Code of Practice

In June 2026 the European Commission published its Code of Practice on marking and labelling AI-generated content: the official guidance for meeting Article 50, with a free set of EU icons (AI generated, AI modified, and a basic interactive AI mark).

GENERAITR applies these official EU icons as the default label on every export, alongside a machine-readable C2PA manifest. The company behind GENERAITR, TOMLIN STUDIO AB, adheres to the Code of Practice as a provider of generative AI, supporting the studios, creators, and organisations using the platform in meeting their own deployer obligations. Compliance is built into the standard workflow, not bolted on afterwards.

What happens if you don't comply

Article 99 of Regulation (EU) 2024/1689 sets out fines by infringement category. For Article 50 transparency and labelling violations, the fine reaches up to €15 million or 3% of global annual turnover, whichever is higher. Supplying incorrect or misleading information to authorities carries a separate tier of up to €7.5 million or 1%. The upper bound of the Act, reserved for prohibited AI systems, is €35 million or 7%.

Enforcement is handled by national authorities in each EU member state, not a single central body. Each country designates its own supervisory authority to investigate complaints, conduct market surveillance, and levy fines. In Sweden, PTS (Post and Telecom Authority) is the proposed coordinating authority.

Monitoring is not an automated scanner. In practice, enforcement is triggered by complaints from competitors, consumers, journalists, or advocacy groups, and by proactive reviews from national regulators. The risk is real even if it isn’t immediate. Once a complaint is filed, you either have an audit trail or you don’t.

GENERAITR gives you that audit trail on every export, as part of the standard workflow.

C2PA provenance watermarking

Every file exported from GENERAITR carries two layers of AI labelling applied automatically at generation time.

Invisible steganographic watermark: a DWT-DCT-SVD watermark is embedded in every image, encoding the generation timestamp, pipeline, and organisation. It survives JPEG re-saves and common image transformations. Video outputs are watermarked on every 30th frame.

C2PA Content Credentials manifest: every export is signed with a cryptographic manifest (ES256, ECDSA P-256) following the C2PA standard — the open specification backed by Adobe, Microsoft, Google, the BBC, and others. The manifest records the AI model used, marks the content as trainedAlgorithmicMedia, embeds a DigiCert timestamp, and chains back to any source media. It meets the machine-readable marking requirement of EU AI Act Article 50(2).

Signing certificate — current status: during Early Access, GENERAITR signs manifests with a self-issued certificate (CN=GENERAITR, O=TOMLIN STUDIO, C=SE). The manifest is valid C2PA and EU AI Act compliant. You can verify exported files at verify.contentauthenticity.org — during Early Access, files will show as Content Credentials found — not verified by trusted authority. Full external verification transitions to a CA-issued certificate with the Beta release (August 2026).

Visible watermark at export: the Export panel provides a configurable text overlay (font, position, opacity) and a GENERAITR-branded image overlay. Both are optional and persist per organisation as preferences. Turning them off does not affect the embedded C2PA manifest or steganographic watermark.

Provenance metadata download: the Export panel provides a Metadata button that downloads a machine-readable .meta.json file for each generated asset. This file records the pipeline, template, AI model, parameters, assembled prompt, and generation timestamp — providing a portable disclosure record you can attach to deliverables or share with clients.

Provenance: Generation Verification

In addition to outbound provenance (C2PA manifests on exports), GENERAITR provides inbound verification — the ability to check whether an image was AI-generated.

The Generation Verification tool is available in the Admin panel. Upload any image and GENERAITR will analyse it for steganographic AI markers and return a confidence score. This enables your team to verify content received from external sources before use in deliverables.

This feature is currently in development and available during Early Access for evaluation.

GDPR and data privacy

GENERAITR collects the minimum data necessary to operate the platform. We do not sell or share personal data with third parties for marketing purposes.

User accounts and organisation data are stored in the EU. Images generated or uploaded are stored on servers in Germany (Hetzner Cloud, FSK-compliant data centres).

You can request deletion of your account and all associated data by emailing hello@generaitr.com. See our Privacy Policy for full details.

AI model types and deployment

GENERAITR is built on the ComfyUI engine, which supports both closed-source and open-source AI models. You can choose between two deployment modes depending on your needs:

Online plans (API-based, closed-source models):GENERAITR Online routes your generation requests through ComfyUI Partner nodes to access closed-source models. Providers include Stability AI, Kling, and others. Generation runs on GENERAITR’s partner infrastructure via API. Each provider operates under their own terms of service and acceptable use policies. By using these models you agree to comply with the applicable provider policies.

Local plan (open-source models, on-premise): GENERAITR Local gives organisations the ability to run open-source AI models on their own GPU hardware, on-premise or in a private cloud. The ComfyUI engine runs entirely within your infrastructure; generation does not leave your systems. Model weights are downloaded from their respective open-source repositories. You are responsible for compliance with the licence terms of each open-source model you run.

A full list of active models is available in the AI Model Library inside the app. See also: generaitr.com/models-short.

Questions

For compliance-related enquiries, contact hello@generaitr.com.