GDPR compliance
All the necessary information you need to understand our GDPR compliance, for businesses wishing to use My AskAI within the European Union (EU).
The purpose of the General Data Protection Regulation (GDPR) is to protect the personal data of individuals in the EU (and, through the UK GDPR, the UK) and to give them more control over how that data is used.
At My AskAI, this means we must record and monitor all data processing activities that relate to you (the Data Subject, in GDPR terms) and have a complete understanding of how data is processed both within and outside our organization.
(We'll try and keep this as simple as possible).
If you have further questions about GDPR compliance, please contact Mike via chat, he is our Data Protection Officer (DPO).
Copies of our Data Protection Impact Assessment (DPIA) are available for review to customers on an Enterprise plan; to request one, please get in touch with us via chat.
My AskAI is a Data Controller
As a business, we make decisions about, and are responsible for, where and how the data you provide to us is processed. Given this responsibility and control, we are designated a Data Controller under GDPR.
A Data Controller is distinct from a Data Processor: a Data Processor works on behalf of a Data Controller and acts only on its instructions (in this case, ours).
Data Processors carry out processing on personal data, which can include (but is not limited to) collecting, structuring, or storing it.
When you use My AskAI directly, we operate as a Data Controller. When another business uses us as part of its own service (for example, as a platform via our API), we act as a Data Processor on that business's behalf (still with us?).
Like almost all businesses, we rely on Data Processors (hereinafter referred to as Sub Processors) to operate.
For full details of the Sub Processors we rely upon, refer here.
Personal Information We Collect
As outlined in our Privacy Policy we only collect and process Personal Information (information about you) that is relevant, adequate, and necessary for us to provide you with the My AskAI service.
At a high level, and depending on your My AskAI usage, we may collect the following information about you:
Contact Data: Specifically, your email address only (All users)
Internet Data: This may include cookies, audience metrics, tracers, and navigation data
Identification Data: Very occasionally, we (or our Sub Processors) may collect your first and last name; however, this will only ever happen when you have explicitly provided it to us
Connection Data: This may include your IP address, logs, timestamps of usage and interactions
In addition to this, and, depending on how you utilize My AskAI, we may collect (but do not request or require) additional Personal Information as a result of:
Content Uploads: As a user of My AskAI, you may choose to upload Personal Information of any type. While we do not recommend this (as good practice, we recommend sharing as little Personal Information as possible), we cannot prevent you from doing so, and as a result we may unintentionally collect various types of Personal Information, including:
Identification Data
Professional Data
Sensitive Data
Contact Data
Personal Data
Economic and Financial Data
National Identification Number
Conversations with My AskAI 'bots': As a user or an end-user of My AskAI, you or your end users may choose to share Personal Information of any type in conversation with the AI. While we do not recommend this (as good practice, we recommend sharing as little Personal Information as possible), we cannot prevent it from happening, and as a result we may unintentionally collect various types of Personal Information, including:
Identification Data
Professional Data
Sensitive Data
Contact Data
Personal Data
Economic and Financial Data
National Identification Number
In both of these cases the Personal Information was not requested by us, but it is generally necessary for the execution of our services (i.e. for the bot to answer questions), and so it is stored.
How We Use Your Personal Information
We use your Personal Information for specific Processing Activities - these are the ways we take the information you give us and use it for something in our product to give you a better experience.
With each Processing Activity, we have defined the legal basis for the activity, in our case it will either be:
Legitimate Interest (LI): The data is necessary for the pursuit of our legitimate interests or of a third party's (e.g. we believe that the collection of said data will improve your experience)
Contractual Duties (CD): The data is necessary for the preparation of or execution of a contract with individuals (e.g. payment details for a subscription)
Consent (C): The data is used for a specific purpose upon clear consent collected from individuals (e.g. you have explicitly said you agree to something).
Note that the Processing Activities marked (*) are not core, necessary, or required parts of the My AskAI product and service; they are entirely optional.
In all cases, we only store your Personal Information for as long as is necessary to provide you with the My AskAI service that you sign up for or are subscribed to.
When these purposes are fulfilled or you ask us to, we will archive, erase, or anonymize your information, as per your request.
We may retain your Personal Information for a longer period than usual in the event of a complaint or if we reasonably believe there is a prospect of litigation with respect to our relationship with you.
Our Sub Processors
The Sub Processors we use to provide the above Processing Activities are as follows:
Note that the Sub Processors marked (**) are relevant for the end users, i.e. if you are to collect emails from your own users on a Pro subscription OR for where you are sharing your AskAI as a widget on your website.
Data Processing Agreement
As we may act as a Data Processor on behalf of others, we must also produce our own Data Processing Agreement.
You can find ours here.
If you are a paid user and require a signed copy, chat with us from the account associated with your subscription and we will share a copy for signing.
Our Policies
You can find our policies here:
Accessing Or Deleting Your Data
In accordance with Articles 12 to 23 of GDPR, you have rights over your personal information:
You can request access to your personal information and a copy of it
You can ask us to modify your personal information if you consider it obsolete, inaccurate, or incomplete.
You can object to the processing of your personal information if based on our legitimate interest in certain circumstances.
You can request to restrict the processing during a limited period of time, in certain circumstances.
You can withdraw a consent you have already given, without this withdrawal affecting the lawfulness of processing already carried out on the basis of that consent.
When technically feasible, you can ask us to send you the Personal Information you provided us or that we communicate it to a third party.
You can ask us to delete your Personal Information at any time if it meets legal grounds for which it is applicable.
These rights can be exercised directly and at any time by emailing team@myaskai.com; requests will be completed within 30 days.
In the case you are our customer’s end user, please take into consideration that this request will be forwarded and must be answered directly by them.
International Data Transfers
Where we can, we process your Personal Information in the EU; however, some of our service providers are located in the US.
This does not mean you have to look elsewhere. Two mechanisms apply: the European Commission's adequacy decision for the EU-US Data Privacy Framework (DPF) covers transfers to US organisations that are certified under the DPF, and transfers to other US Sub Processors can rely on the Standard Contractual Clauses (SCCs) approved by the European Commission.
Essentially, as long as a Sub Processor in the US is bound (by DPF certification or by SCCs) to process and protect the data to GDPR standards, data can be lawfully transferred to it from the EEA (or, under the corresponding UK transfer mechanisms, the UK).
For more information on this, please refer to the European Commission’s website, including an FAQ describing the validity of the SCCs for exporting personal data from the EEA to the US.
For example, this FAQ explains:
“SCCs as a tool for data transfers, i.e. to comply with the requirements of the GDPR for transferring personal data to countries outside of the EEA. They contain specific data protection safeguards to ensure that personal data continues to benefit from a high level of protection when transferred outside the EEA. They can be used by data exporters, without the need to obtain a prior authorisation (for the data transfer or the clauses used) from a data protection authority."
Therefore, where appropriate Data Processing Agreements (incorporating SCCs, or DPF certification) are in place with US Sub Processors and the GDPR framework is being followed, GDPR compliance can still be maintained; this includes our use of Google Analytics 4 (GA4). One caveat a practitioner should keep in mind: SCCs are not self-executing. Since the Schrems II judgment, the data exporter must also assess whether the law and practice of the destination country undermines the protections in the clauses and, where it does, put supplementary measures in place (a transfer impact assessment).
The following are Sub Processors we use where your Personal Information may be transferred outside of the EU:
Data Processing Agreements marked (*) are executed as part of the signing of the Terms of Service or Customer Agreement. Those marked (**) are executed by the signing of an additional agreement, copies of which are available upon request if not linked.
Privacy and Encryption of Personal Information
All Personal Information (and all other information and data we store) is encrypted at rest using AES-256 and in transit using TLS 1.2 or higher.
Registration with the Information Commissioner's Office
You can find our registration with the Information Commissioner's Office (ICO) here.
Reporting a security vulnerability or breach
If you believe you have found a security vulnerability in My AskAI, or evidence of a data breach, please share your findings via our chat as soon as possible. Prompt reporting matters: where a personal data breach is confirmed, GDPR requires us to notify the relevant supervisory authority within 72 hours of becoming aware of it and, where the breach is likely to result in a high risk to individuals, to inform those individuals without undue delay.
Last updated