EU AI Act Compliance
Standalone compliance map. Sits alongside the AI Disclosure for readers who need the regulatory cross-reference.
Table of contents
- · I · In one paragraph
- · II · Risk classification
- · III · Article 50 — transparency
- · IV · Article 52 — synthetic content
- · V · Annex III — high-risk check
- · VI · General-purpose AI (GPAI) models we use
- · VII · Our role: deployer & provider
- · VIII · Logging & records retention
- · IX · How to file a complaint
Regulation (EU) 2024/1689, commonly the EU AI Act, entered into force on 1 August 2024 with staggered application dates between February 2025 and August 2027. PagePrinted Studio is built and operated from Norway (EEA-applicable via the EEA Agreement) and is in scope. This page is the regulator-facing companion to /legal/ai-disclosure: the latter explains what we do in plain language; this one cross-references each obligation to the article that creates it.
· I · In one paragraph
PagePrinted is a deployer of general-purpose AI models (Article 3(4)) and, for the rendered book artefacts we publish, a provider of an AI-generated content service. We do not build or fine-tune foundation models. The systems we deploy fall outside the prohibited-practice list (Article 5) and outside the high-risk list (Annex III). We apply Article 50 transparency throughout the product: in checkout, on every reader-facing page that ships AI-rendered work, and on the copyright page of the printed book where the buyer opts in.
· II · Risk classification
We classify the studio as limited-risk under the Act's four-tier scheme:
- Unacceptable risk (Art. 5): none. We do not use subliminal techniques, exploit vulnerabilities, perform social scoring, or carry out untargeted facial-image scraping.
- High-risk (Annex III): none. See §V for the row-by-row check.
- Limited-risk (Art. 50, 52): yes. We generate synthetic text and image content interacting with a natural person, which triggers transparency duties.
- Minimal-risk: the deterministic typesetter and PDF generator. No AI Act obligations attach.
· III · Article 50 — transparency to the user
Article 50(1) requires that any person interacting with an AI system be clearly informed unless it is obvious from context. We disclose at four seams: (a) the home page tagline names the studio as AI-assisted; (b) every theme card on /discover carries an "AI-generated draft" badge; (c) checkout displays a final consent block before payment is taken; (d) the AI Disclosure page at /legal/ai-disclosure is one click from every page footer.
· IV · Article 52 — synthetic content marking
Article 52 requires providers of generative AI systems to mark synthetic outputs in a machine-readable way. Every PDF the studio renders carries a /CreationDate XMP packet with an xmpRights:Marked entry that names "PagePrinted Studio AI-generated v3 renderer" and a SHA-256 fingerprint of the prompt bundle that produced it. The marking is not user-removable; if a reader needs an export without the watermark for accessibility reasons, the route is a written request to [email protected] and we reply within one business day.
· V · Annex III — high-risk row-by-row check
Annex III lists eight categories of high-risk use. We have walked each row to confirm non-applicability:
- 1. Biometrics: not used.
- 2. Critical infrastructure: not used.
- 3. Education & vocational training: the studio produces creative books; it does not score, admit, or evaluate students. A book bought by a teacher to read to a class is consumer use, not an educational-assessment system.
- 4. Employment, workers' management: not used.
- 5. Essential private & public services: not used (no credit scoring, no benefits triage).
- 6. Law enforcement: not used.
- 7. Migration, asylum, border: not used.
- 8. Administration of justice & democratic processes: not used.
· VI · General-purpose AI (GPAI) models we deploy
Per Article 53/55, providers of GPAI models bear the bulk of the compliance burden (training-data summary, copyright policy, technical documentation). We are a downstream deployer, not a GPAI provider, and we use only models whose providers publish the GPAI transparency dossier required by Article 53(1)(a)–(d). The exact models in production rotate as the market moves; the live list is on /legal/ai-disclosure §II and is updated within seven days of any swap.
· VII · Our role: deployer (and limited provider)
For the LLM that drafts the manuscript and the diffusion model that renders the illustrations, we are a deployer under Article 3(4): we use them under our authority for our service. For the bound book we ship to the buyer, we are a provider of an AI-generated content service under Article 3(3) — we put the output on the market. Both roles attach Article 50 transparency duties; we have not voluntarily opted into the AI Office's GPAI code of practice because we do not develop GPAI models.
· VIII · Logging & records retention
Article 12 record-keeping for high-risk systems does not apply. We still log, for our own quality and incident-response purposes: every AI call (model id, parameter hash, prompt hash, output hash, timestamp, cost) in the ai_calls Postgres table for 18 months; every consent decision in the audit_log table for the legal retention period under Norwegian Bokføringsloven (see /legal/bokforingsloven); and the rendered PDF + manuscript JSON in MinIO for as long as the buyer keeps the order live, plus the statutory accounting period.
· IX · How to file a complaint
Two routes. The fast path is an email to [email protected] describing the concern; we acknowledge within one business day and answer in full within five. The regulator path is the national market-surveillance authority. In Norway that is the Datatilsynet for the data-protection overlap and the Digitaliseringsdirektoratet (or the AI-Act-designated authority once finalised) for the AI Act itself; you can also file with the European AI Office for GPAI-tier concerns. None of those routes is gated by a prior complaint to us — you can go straight to the regulator at any time.