My AskAI is a Data Controller
As a business, we make decisions about and are responsible for where and how the data you provide to us is processed. Given this responsibility and control, we are designated as a Data Controller under GDPR. A Data Controller is distinct from a Data Processor in that a Data Processor works on behalf of a Data Controller and is directed by them (us). Data Processors perform processes on personal data; this could be (but is not limited to) collecting, structuring, or storing data. When you use My AskAI we operate as a Data Controller; however, when another business uses us as part of their services, e.g. if someone used us as a platform via API, then we could become a Data Processor (still with us?). Like almost all businesses, we rely on Data Processors (hereinafter referred to as Sub Processors) to operate. For full details of the Sub Processors we rely upon, refer here.
Personal Information We Collect
As outlined in our Privacy Policy, we only collect and process Personal Information (information about you) that is relevant, adequate, and necessary for us to provide you with the My AskAI service. At a high level, and depending on your My AskAI usage, we may collect the following information about you:
- Contact Data: Specifically, your email address only (All users)
- Internet Data: This may include cookies, audience metrics, tracers, and navigation data
- Identification Data: Very occasionally, we (or our Sub Processors) may collect your first and last name, however, this will only ever be when you have explicitly provided it to us
- Connection Data: This may include your IP address, logs, timestamps of usage and interactions
- Content Uploads: As a user of My AskAI, you may choose to upload Personal Information of any type. While we do not recommend this (as good practice, we recommend sharing as little Personal Information as possible), we cannot prevent you from doing so, and as a result we may unintentionally collect various types of Personal Information, including:
  - Identification Data
  - Professional Data
  - Sensitive Data
  - Contact Data
  - Personal Data
  - Economic and Financial Data
  - National Identification Number
- Conversations with My AskAI ‘bots’: As a user or an end user of My AskAI, you or your end users may choose to upload Personal Information of any type through conversation with the AI. While we do not recommend this (as good practice, we recommend sharing as little Personal Information as possible), we cannot prevent this from happening, and as a result we may unintentionally collect various types of Personal Information, including:
  - Identification Data
  - Professional Data
  - Sensitive Data
  - Contact Data
  - Personal Data
  - Economic and Financial Data
  - National Identification Number
How We Use Your Personal Information
We use your Personal Information for specific Processing Activities - these are the ways we take the information you give us and use it for something in our product to give you a better experience. For each Processing Activity, we have defined the legal basis for the activity; in our case it will either be:
- Legitimate Interest (LI): The data is necessary for the pursuit of our legitimate interests or of a third party’s (e.g. we believe that the collection of said data will improve your experience)
- Contractual Duties (CD): The data is necessary for the preparation of or execution of a contract with individuals (e.g. payment details for a subscription)
- Consent (C): The data is used for a specific purpose upon clear consent collected from individuals (e.g. you have explicitly said you agree to something).
| Processing Activity | Purpose | Legal Basis |
|---|---|---|
| Creating, accessing, managing and using your account | To grant you access to My AskAI, administer and manage your account, and allow you to use our service | LI, CD, C |
| Payment & billing management | To process payments and subscriptions transactions | CD, C |
| Adding content to a My AskAI (AI training) | To allow you to add content to your My AskAI (bot) to enable it to answer questions | LI, CD, C |
| Conversational interaction with a My AskAI ‘bot’ | To allow the user to interact and ‘chat’ with their My AskAI and get responses to their questions | LI, CD, C |
| Customer support | To provide customer support | LI |
| Bug and security monitoring | To prevent and investigate system abuse | LI |
| Website audience measurement | To gather analytics on our website traffic | LI, C |
| Service improvement | To maintain and optimize the performance of My AskAI and understand how individuals use it | LI |
| Newsletter subscription management | To send a regular newsletter and gather statistics | LI, C |
| Marketing communication | To send marketing communications about updates and promotions about My AskAI | LI, C |
| Marketing communication (Customers’ end users) | For customers to collect email addresses of end users via chat forms. | LI, C |
| B2B Lead management * | To interact with prospective individuals about My AskAI by email and follow lead management | LI |
| Testimonial collection * | To gather and display testimonials on our website | C |
| Virtual demo session * | To organize a demo session that you sign up for | C |
| Feedback collection * | To gather and display feedback on our Public Roadmap | C |
| Affiliate and referral programs management * | To offer a reward program to people promoting My AskAI | LI, CD |
Our Sub Processors
The Sub Processors we use to provide the above Processing Activities are as follows:
| Processing Activity | Categories of Personal Information Processed | Sub Processors | Security Measures | DPA or Safeguard |
|---|---|---|---|---|
| Creating, accessing, managing and using your account | Contact data | Twilio (SendGrid), Render | User access control, Data encryption, Data backup measures, System & network protection, Data retention and erasure, Control of processors, Traceability measures | Twilio DPA (SendGrid) |
| Payment & billing management | Economic and financial data, Identification data, Connection data, Internet data, Contact data | Stripe | Traceability measures, Data backup measures, Data encryption, Control of processors, User access control, Data retention and erasure | |
| Adding content to a My AskAI (AI training) | Identification Data, Professional Data, Sensitive Data, Contact Data, Personal Data, Economic and Financial Data, National Identification Number | Bubble, OpenAI, CarbonAI, Papertrail (Solarwinds), Qdrant, Amazon AWS | User access control, Software protection measures, Data encryption, Data retention and erasure, Control of processors, Traceability measures | |
| Interaction with a My AskAI ‘bot’ (chat or summarize) | Identification Data, Professional Data, Sensitive Data, Contact Data, Personal Data, Economic and Financial Data, National Identification Number | Bubble**, OpenAI **, CarbonAI **, Portkey **, Papertrail (Solarwinds) **, Qdrant*, CloudFlare **, Anthropic, Slack, Microsoft Teams | User access control, Software protection measures, Data encryption, Data retention and erasure, Control of processors, Traceability measures | |
| Customer support | Identification data, Connection data, Contact data | Crisp | Data encryption, Control of processors | Crisp DPA |
| Bug and security monitoring | Connection data, Location data, Internet data | Hotjar, Papertrail (Solarwinds) | Software protection measures, Data encryption, User access control, Control of processors | |
| Website audience measurement | Connection data, Internet data | Amplitude, Google Analytics | User access control, Data encryption, Control of processors | |
| Service improvement | Connection data, Internet data | Amplitude | Software protection measures, Data encryption, Control of processors, User access control | |
| Newsletter subscription management | Internet data, Contact data | CustomerIO | Data encryption, Control of processors, User access control, Data retention and erasure | CustomerIO DPA |
| Marketing communication | Internet data, Contact data | CustomerIO | Data encryption, Control of processors, User access control, Data retention and erasure | CustomerIO DPA |
| Marketing communication (Customers’ end users) | Identification data, Contact data | Bubble** | Data encryption, Control of processors | Bubble DPA |
| B2B Lead management * | Identification data, Professional data, Internet data, Contact data | Apollo | Data encryption, Control of processors, User access control | Apollo DPA |
| Testimonial collection * | Identification data, Professional data, Images & video data | Senja | Data encryption, Control of processors | Senja Privacy Policy |
| Virtual demo session * | Contact data | Zoom, SavvyCal | User access control, Software protection measures, Data encryption, Data backup measures, Control of processors | |
| Feedback collection * | Identification data, Contact data | Crisp | Data encryption, Control of processors | |
| Affiliate and referral programs management * | Identification data, Professional data, Internet data, Contact data | Reditus | Data encryption, Control of processors | Reditus DPA |
Data Processing Agreement
As we may act as a Data Processor on behalf of others, we must also produce our own Data Processing Agreement. You can find ours here. If you are a paid user and require a signed copy, chat with us from your associated account and we will share a copy for signing.
Our Policies
You can find our policies here:
Accessing Or Deleting Your Data
In accordance with Articles 12 to 23 of GDPR, you have rights over your personal information:
- You can request access to your personal information and a copy of it.
- You can ask us to modify your personal information if you consider it obsolete, inaccurate, or incomplete.
- You can object to the processing of your personal information if based on our legitimate interest in certain circumstances.
- You can request to restrict the processing during a limited period of time, in certain circumstances.
- You can opt out from a consent already given, without this withdrawal affecting the lawfulness of the processing operations already carried out.
- When technically feasible, you can ask us to send you the Personal Information you provided to us, or to communicate it to a third party.
- You can ask us to delete your Personal Information at any time if the request meets the applicable legal grounds.
International Data Transfers
Where we can, we try to process your Personal Information in the EU; however, some of our service providers are located in the US. Fortunately, as a result of the EU’s Adequacy Decision and the EU-US Data Privacy Framework, this doesn’t mean you have to look elsewhere. Essentially, as long as the Sub Processors in the US agree to process and protect data following the standards of GDPR, data can be safely and legally transferred to them from the EEA (or UK) via contractual clauses such as the Standard Contractual Clauses (SCCs) that have been approved by the European Commission. For more information on this, please refer to the European Commission’s website, including an FAQ describing the validity of the SCCs for exporting personal data from the EEA to the US. For example, this FAQ explains:
“SCCs as a tool for data transfers, i.e. to comply with the requirements of the GDPR for transferring personal data to countries outside of the EEA. They contain specific data protection safeguards to ensure that personal data continues to benefit from a high level of protection when transferred outside the EEA. They can be used by data exporters, without the need to obtain a prior authorisation (for the data transfer or the clauses used) from a data protection authority.”
Therefore, where there are sufficient Data Processing Agreements in place with US Sub Processors (and the GDPR framework is being followed), GDPR compliance can still be maintained; this includes Google Analytics 4 (GA4). The following are Sub Processors we use where your Personal Information may be transferred outside of the EU:
| Sub Processor | Location | DPA |
|---|---|---|
| Twilio (SendGrid) | US | Data Processing Agreement* |
| Bubble | US | Data Processing Agreement* |
| Stripe | US | Data Processing Agreement* |
| Paypal | US | Data Processing Agreement* |
| Hotjar | US | Data Processing Agreement* |
| Google Analytics | US | Data Processing Agreement* |
| Amplitude | US | Data Processing Agreement* |
| CloudFlare | US | Data Processing Agreement* |
| Amazon AWS | US | Data Processing Agreement* |
| Render | US | Data Processing Agreement** |
| OpenAI | US | Data Processing Agreement* |
| CarbonAI | US | Data Processing Agreement** |
| Papertrail (Solarwinds) | US | Data Processing Agreement* |
| Qdrant | US | Data Processing Agreement* |
| | US | Data Processing Agreement* Part 1 Part 2 Part 3 |
| Slack | US | Data Processing Agreement** |
| Microsoft Teams | US | Data Processing Agreement* |

