How do we comply with GDPR?

We are committed to compliance with the EU General Data Protection Regulation (GDPR) and applicable European data protection laws. This page summarises our approach and how you can exercise your rights.

1. Our Commitment

We process personal data lawfully, fairly, and transparently. We collect only what is necessary, keep it accurate, and retain it only as long as needed. We implement appropriate security measures and respect your rights as a data subject.

2. Lawful Basis

We process data on the lawful bases set out in GDPR Article 6: performance of a contract (subscription, support), legitimate interests (security, improvement of services), and consent where we explicitly ask for it. We document our processing activities and can provide this information on request.

3. Data Minimisation

We collect only the data necessary to provide our services. We do not store your passwords; integrations use OAuth. Your business data (emails, messages, etc.) remains under your control in your connected accounts. We process only what is needed to configure and operate the agents.

4. Your Rights

Under GDPR, you have the right to:

  • Access: Request a copy of your personal data
  • Rectification: Correct inaccurate or incomplete data
  • Erasure: Request deletion of your data ("right to be forgotten")
  • Restriction: Limit how we process your data in certain circumstances
  • Portability: Receive your data in a structured, machine-readable format
  • Object: Object to processing based on legitimate interests
  • Withdraw consent: Withdraw your consent where processing is based on consent
  • Complain: Lodge a complaint with your supervisory authority

To exercise any of these rights, contact us via the contact page. We will respond within 30 days as required by GDPR.

5. Data Processing Agreements

For business customers who need a Data Processing Agreement (DPA), we provide standard GDPR-compliant DPAs on request. Our sub-processors (e.g. Stripe, Vercel) and any additional providers used for your engagement are bound by appropriate contractual safeguards.

6. International Transfers

Where we transfer data outside the European Economic Area (EEA), we use Standard Contractual Clauses (SCCs) or other approved mechanisms. European hosting is available for customers who require data to remain within the EU.

7. Security and Breach Notification

We implement technical and organisational measures to protect your data, including encryption, access controls, and regular reviews. In the event of a personal data breach that poses a risk to your rights, we will notify the relevant supervisory authority within 72 hours and inform affected individuals without undue delay where required.

8. Data Protection Officer

For organisations that require a designated contact, we provide a privacy contact point. If your organisation mandates a formal Data Protection Officer (DPO) contact, please reach out and we will accommodate where feasible.

9. Further Information

For full details of our data processing practices, see our Privacy Policy (linked in the site footer). For questions about GDPR compliance, contact us via the contact page.

Last updated: March 2025