GDPR compliance
All the necessary information you need to understand our GDPR compliance, for businesses wishing to use My AskAI within the European Union (EU).
The purpose of the General Data Protection Regulation (GDPR) is to provide data protection to citizens in EU countries (and through the UK GDPR, the UK) and to provide them with more control over their personal data.
At My AskAI, it means we must register and monitor all data processing activities related to you (known as the Data Subject) and have a complete understanding of how data is processed within and outside of our organization.
(We'll try to keep this as simple as possible.)
If you have further questions about GDPR compliance, please contact Mike via chat, he is our Data Protection Officer (DPO).
To request a copy of our Data Protection Impact Assessment (DPIA) for review, you must be on an Enterprise plan; please get in touch with us via chat.
My AskAI is a Data Controller
As a business, we make decisions about and are responsible for where and how the data you provide to us is processed. Given this responsibility and control, we are therefore designated as a Data Controller under GDPR.
A Data Controller is distinct from a Data Processor in that a Data Processor works on behalf of a Data Controller and is directed by them (us).
Data Processors perform processes on personal data; this could be (but is not limited to) collecting, structuring, or storing data.
When you use My AskAI we operate as a Data Controller. However, when another business uses us as part of their services, e.g. if someone uses us as a platform via the API, then we could become a Data Processor (still with us?).
Like almost all businesses, we rely on Data Processors (hereinafter referred to as Sub Processors) to operate.
For full details of the Sub Processors we rely upon, refer here.
Personal Information We Collect
As outlined in our Privacy Policy we only collect and process Personal Information (information about you) that is relevant, adequate, and necessary for us to provide you with the My AskAI service.
At a high level, and depending on your My AskAI usage, we may collect the following information about you:
Contact Data: Specifically, your email address only (All users)
Internet Data: This may include cookies, audience metrics, tracers, and navigation data
Identification Data: Very occasionally, we (or our Sub Processors) may collect your first and last name, however, this will only ever be when you have explicitly provided it to us
Connection Data: This may include your IP address, logs, timestamps of usage and interactions
In addition, depending on how you use My AskAI, we may collect (but do not request or require) additional Personal Information as a result of:
Content Uploads: As a user of My AskAI, you may choose to upload Personal Information of any type. While we do not recommend this (as good practice, we recommend sharing as little Personal Information as possible), we cannot prevent you from doing so, and as a result we may unintentionally collect various types of Personal Information, including:
Identification Data
Professional Data
Sensitive Data
Contact Data
Personal Data
Economic and Financial Data
National Identification Number
Conversations with My AskAI 'bots': As a user or an end user of My AskAI, you or your end users may choose to share Personal Information of any type through conversation with the AI. While we do not recommend this (as good practice, we recommend sharing as little Personal Information as possible), we cannot prevent this from happening, and as a result we may unintentionally collect various types of Personal Information, including:
Identification Data
Professional Data
Sensitive Data
Contact Data
Personal Data
Economic and Financial Data
National Identification Number
While in both these instances the Personal Information has not been requested, it is likely necessary for the execution of our services (i.e. for the bot to answer questions) and so it is stored.
How We Use Your Personal Information
We use your Personal Information for specific Processing Activities - these are the ways we take the information you give us and use it for something in our product to give you a better experience.
With each Processing Activity, we have defined the legal basis for the activity, in our case it will either be:
Legitimate Interest (LI): The data is necessary for the pursuit of our legitimate interests or of a third party's (e.g. we believe that the collection of said data will improve your experience)
Contractual Duties (CD): The data is necessary for the preparation of or execution of a contract with individuals (e.g. payment details for a subscription)
Consent (C): The data is used for a specific purpose upon clear consent collected from individuals (e.g. you have explicitly said you agree to something).
Note that the Processing Activities marked (*) are not core, necessary, or required parts of the My AskAI product and service; they are entirely optional.
Processing Activity | Purpose | Legal Basis |
---|---|---|
Creating, accessing, managing and using your account | To grant you access to My AskAI, administer and manage your account, and allow you to use our service | LI, CD, C |
Payment & billing management | To process payments and subscriptions transactions | CD, C |
Adding content to an AskAI (AI training) | To allow you to add content to your AskAI (bot) to enable it to answer questions | LI, CD, C |
Conversational interaction with an AskAI 'bot' | To allow the user to interact and 'chat' with their AskAI and get responses to their questions | LI, CD, C |
Customer support | To provide customer support | LI |
Bug and security monitoring | To prevent and investigate system abuse | LI |
Website audience measurement | To gather analytics on our website traffic | LI, C |
Service improvement | To maintain and optimize the performance of My AskAI and understand how individuals use it | LI |
Newsletter subscription management | To send a regular newsletter and gather statistics | LI, C |
Marketing communication | To send marketing communications about updates and promotions about My AskAI | LI, C |
Marketing communication (Customers' end users) | For customers to collect email addresses of end users via chat forms. | LI, C |
B2B Lead management * | To interact with prospective individuals about My AskAI by email and follow lead management | LI |
Testimonial collection * | To gather and display testimonials on our website | C |
Virtual demo session * | To organize a demo session that you sign up for | C |
Feedback collection * | To gather and display feedback on our Public Roadmap | C |
Affiliate and referral programs management * | To offer a reward program to people promoting My AskAI | LI, CD |
In all cases, we only store your Personal Information for as long as is necessary to provide you with the My AskAI service that you sign up for or are subscribed to.
When these purposes are fulfilled or you ask us to, we will archive, erase, or anonymize your information, as per your request.
We may retain your Personal Information for a longer period than usual in the event of a complaint or if we reasonably believe there is a prospect of litigation with respect to our relationship with you.
Our Sub Processors
The Sub Processors we use to provide the above Processing Activities are as follows:
Note that the Sub Processors marked (**) are relevant for end users, i.e. if you collect emails from your own users on a Pro subscription, or where you share your AskAI as a widget on your website.
Processing Activity | Categories of Personal Information Processed | Sub Processors | Security Measures | DPA or Safeguard |
---|---|---|---|---|
Creating, accessing, managing and using your account | Contact data | Twilio (SendGrid), Bubble, CloudFlare, Render | User access control, Data encryption, Data backup measures, System & network protection, Data retention and erasure, Control of processors, Traceability measures | Twilio DPA (SendGrid), Bubble DPA, CloudFlare DPA |
Payment & billing management | Economic and financial data, Identification data, Connection data, Internet data, Contact data | Stripe, PayPal | Traceability measures, Data backup measures, Data encryption, Control of processors, User access control, Data retention and erasure | |
Adding content to an AskAI (AI training) | Identification data, Professional data, Sensitive data, Contact data, Personal data, Economic and financial data, National identification number | Bubble, OpenAI, CarbonAI, Papertrail (Solarwinds), Qdrant, Amazon AWS, Anthropic | User access control, Software protection measures, Data encryption, Data retention and erasure, Control of processors, Traceability measures | |
Interaction with an AskAI 'bot' (chat or summarize) | Identification data, Professional data, Sensitive data, Contact data, Personal data, Economic and financial data, National identification number | Bubble **, OpenAI **, CarbonAI **, Portkey **, Papertrail (Solarwinds) **, Qdrant*, CloudFlare **, Anthropic, Slack, Microsoft Teams | User access control, Software protection measures, Data encryption, Data retention and erasure, Control of processors, Traceability measures | |
Customer support | Identification data, Connection data, Contact data | Crisp | Data encryption, Control of processors | |
Bug and security monitoring | Connection data, Location data, Internet data | Hotjar, Papertrail (Solarwinds) | Software protection measures, Data encryption, User access control, Control of processors | |
Website audience measurement | Connection data, Internet data | Amplitude, Google Analytics | User access control, Data encryption, Control of processors | |
Service improvement | Connection data, Internet data | Amplitude, Hotjar, Bubble | Software protection measures, Data encryption, Control of processors, User access control | |
Newsletter subscription management | Internet data, Contact data | CustomerIO | Data encryption, Control of processors, User access control, Data retention and erasure | |
Marketing communication | Internet data, Contact data | CustomerIO | Data encryption, Control of processors, User access control, Data retention and erasure | |
Marketing communication (Customers' end users) | Identification data, Contact data | Bubble ** | Data encryption, Control of processors | |
B2B Lead management * | Identification data, Professional data, Internet data, Contact data | Apollo | Data encryption, Control of processors, User access control | |
Testimonial collection * | Identification data, Professional data, Images & video data | Senja | Data encryption, Control of processors | |
Virtual demo session * | Contact data | Zoom, Google Meet, Scribbl, SavvyCal | User access control, Software protection measures, Data encryption, Data backup measures, Control of processors | |
Feedback collection * | Identification data, Contact data | Crisp, Featurebase | Data encryption, Control of processors | |
Affiliate and referral programs management * | Identification data, Professional data, Internet data, Contact data | Reditus | Data encryption, Control of processors | |
Data Processing Agreement
As we may act as a Data Processor on behalf of others, we must also produce our own Data Processing Agreement.
You can find ours here.
If you are a paid user and require a signed copy, chat with us from your associated account and we will share a copy for signing.
Our Policies
You can find our policies here:
Accessing Or Deleting Your Data
In accordance with Articles 12 to 23 of GDPR, you have rights over your personal information:
You can request access to your personal information and a copy of it.
You can ask us to modify your personal information if you consider it obsolete, inaccurate, or incomplete.
You can object to the processing of your personal information if based on our legitimate interest in certain circumstances.
You can request to restrict the processing during a limited period of time, in certain circumstances.
You can opt-out from a consent already given, without this withdrawal affecting the lawfulness of the processing operations already carried out.
When technically feasible, you can ask us to send you the Personal Information you provided to us, or to communicate it to a third party.
You can ask us to delete your Personal Information at any time if it meets legal grounds for which it is applicable.
These rights can be exercised directly and at any time by sending an email to team@myaskai.com; requests will be completed within 30 days.
In the case you are our customer’s end user, please take into consideration that this request will be forwarded and must be answered directly by them.
International Data Transfers
Where we can, we try to process your Personal Information in the EU; however, some of our service providers are located in the US.
Fortunately, as a result of the EU's Adequacy Decision and the EU-US Data Privacy Framework, this doesn't mean you have to look elsewhere.
Essentially, as long as the Sub Processors in the US agree to process and protect data following the standards of GDPR, data can be safely and legally transferred to them from the EEA (or UK) via contractual clauses such as the Standard Contractual Clauses (SCCs) that have been approved by the European Commission.
For more information on this, please refer to the European Commission’s website, including an FAQ describing the validity of the SCCs for exporting personal data from the EEA to the US.
For example, this FAQ explains:
“SCCs as a tool for data transfers, i.e. to comply with the requirements of the GDPR for transferring personal data to countries outside of the EEA. They contain specific data protection safeguards to ensure that personal data continues to benefit from a high level of protection when transferred outside the EEA. They can be used by data exporters, without the need to obtain a prior authorisation (for the data transfer or the clauses used) from a data protection authority.”
Therefore, where there are sufficient Data Processing Agreements in place with US Sub Processors (and the GDPR framework is being followed), GDPR compliance can still be maintained; this includes Google Analytics 4 (GA4).
The following are Sub Processors we use where your Personal Information may be transferred outside of the EU:
Sub Processor | Location | DPA |
---|---|---|
Twilio (SendGrid) | US | |
Bubble | US | |
Stripe | US | |
PayPal | US | |
Hotjar | US | |
Google Analytics | US | |
Amplitude | US | |
CloudFlare | US | |
Amazon AWS | US | |
Render | US | |
OpenAI | US | |
CarbonAI | US | |
Papertrail (Solarwinds) | US | |
Qdrant | US | |
 | US | |
Slack | US | |
Microsoft Teams | US | |
Data Processing Agreements marked (*) are executed as part of the signing of the Terms of Service or Customer Agreement. Those marked (*) are executed by the signing of an additional agreement, copies of which are available upon request if not linked.
Privacy and Encryption of Personal Information
All Personal Information (and any other information and data we store) is encrypted at rest using AES 256 and encrypted in transit using TLS 1.2+.
Registration with the Information Commissioner's Office
You can find our registration with the Information Commissioner's Office (ICO) here.
Reporting a security vulnerability or breach
If you believe you have found a security vulnerability or a data breach in My AskAI, please share your findings via our chat as soon as possible.
Last updated