GDPR compliance

All the necessary information you need to understand our GDPR compliance, for businesses wishing to use My AskAI within the European Union (EU).

The purpose of the General Data Protection Regulation (GDPR) is to provide data protection to citizens in EU countries (and through the UK GDPR, the UK) and to provide them with more control over their personal data.

At My AskAI, it means we must register and monitor all data processing activities related to you (known as the Data Subject) and have a complete understanding of how data is processed within and outside of our organization.

(We'll try and keep this as simple as possible).

If you have further questions about GDPR compliance, please contact Mike, our Data Protection Officer (DPO), via chat.

To request a copy of our Data Protection Impact Assessment (DPIA) to review, you must be on an Enterprise plan. Please get in touch with us via chat.

My AskAI is a Data Controller

As a business, we make decisions about and are responsible for where and how the data you provide to us is processed. Given this responsibility and control, we are therefore designated as a Data Controller under GDPR.

A Data Controller is distinct from a Data Processor in that a Data Processor works on behalf of a Data Controller and is directed by them (us).

Data Processors perform processes on personal data. This could be (but is not limited to) collecting, structuring, or storing data.

When you use My AskAI, we operate as a Data Controller. However, when another business uses us as part of their services (e.g. if someone used us as a platform via API), we could become a Data Processor (still with us?).

Like almost all businesses, we rely on Data Processors (hereinafter referred to as Sub Processors) to operate.

For full details of the Sub Processors we rely upon, refer here.

Personal Information We Collect

As outlined in our Privacy Policy, we only collect and process Personal Information (information about you) that is relevant, adequate, and necessary for us to provide you with the My AskAI service.

At a high level, and depending on your My AskAI usage, we may collect the following information about you:

  • Contact Data: Specifically, your email address only (All users)

  • Internet Data: This may include cookies, audience metrics, tracers, and navigation data

  • Identification Data: Very occasionally, we (or our Sub Processors) may collect your first and last name, however, this will only ever be when you have explicitly provided it to us

  • Connection Data: This may include your IP address, logs, timestamps of usage and interactions

In addition to this, and depending on how you utilize My AskAI, we may collect (but do not request or require) additional Personal Information as a result of:

  • Content Uploads: As a user of My AskAI, you may choose to upload Personal Information of any type. While we do not recommend this (as good practice, we recommend sharing as little Personal Information as possible), we cannot prevent you from doing so, and as a result we may unintentionally collect various types of Personal Information, including:

    • Identification Data

    • Professional Data

    • Sensitive Data

    • Contact Data

    • Personal Data

    • Economic and Financial Data

    • National Identification Number

  • Conversations with My AskAI 'bots': As a user or an end user of My AskAI, you or your end users may choose to upload Personal Information of any type through conversation with the AI. While we do not recommend this (as good practice, we recommend sharing as little Personal Information as possible), we cannot prevent this from happening, and as a result we may unintentionally collect various types of Personal Information, including:

    • Identification Data

    • Professional Data

    • Sensitive Data

    • Contact Data

    • Personal Data

    • Economic and Financial Data

    • National Identification Number

While in both these instances the Personal Information has not been requested, it is likely necessary for the execution of our services (i.e. for the bot to answer questions), and so is stored.

How We Use Your Personal Information

We use your Personal Information for specific Processing Activities. These are the ways we take the information you give us and use it for something in our product to give you a better experience.

For each Processing Activity, we have defined the legal basis for the activity. In our case it will be one of:

  • Legitimate Interest (LI): The data is necessary for the pursuit of our legitimate interests or of a third party's (e.g. we believe that the collection of said data will improve your experience)

  • Contractual Duties (CD): The data is necessary for the preparation of or execution of a contract with individuals (e.g. payment details for a subscription)

  • Consent (C): The data is used for a specific purpose upon clear consent collected from individuals (e.g. you have explicitly said you agree to something).

Note that the Processing Activities marked (*) are not core, necessary, or required parts of the My AskAI product and service; they are entirely optional.

| Processing Activity | Purpose | Legal Basis |
| --- | --- | --- |
| Creating, accessing, managing and using your account | To grant you access to My AskAI, administer and manage your account, and allow you to use our service | LI, CD, C |
| Payment & billing management | To process payments and subscription transactions | CD, C |
| Adding content to an AskAI (AI training) | To allow you to add content to your AskAI (bot) to enable it to answer questions | LI, CD, C |
| Conversational interaction with an AskAI 'bot' | To allow the user to interact and 'chat' with their AskAI and get responses to their questions | LI, CD, C |
| Customer support | To provide customer support | LI |
| Bug and security monitoring | To prevent and investigate system abuse | LI |
| Website audience measurement | To gather analytics on our website traffic | LI, C |
| Service improvement | To maintain and optimize the performance of My AskAI and understand how individuals use it | LI |
| Newsletter subscription management | To send a regular newsletter and gather statistics | LI, C |
| Marketing communication | To send marketing communications about updates and promotions about My AskAI | LI, C |
| Marketing communication (Customers' end users) | For customers to collect email addresses of end users via chat forms. | LI, C |
| B2B Lead management * | To interact with prospective individuals about My AskAI by email and follow lead management | LI |
| Testimonial collection * | To gather and display testimonials on our website | C |
| Virtual demo session * | To organize a demo session that you sign up for | C |
| Feedback collection * | To gather and display feedback on our Public Roadmap | C |
| Affiliate and referral programs management * | To offer a reward program to people promoting My AskAI | LI, CD |

In all cases, we only store your Personal Information for as long as is necessary to provide you with the My AskAI service that you sign up for or are subscribed to.

When these purposes are fulfilled or you ask us to, we will archive, erase, or anonymize your information, as per your request.

We may retain your Personal Information for a longer period than usual in the event of a complaint or if we reasonably believe there is a prospect of litigation with respect to our relationship with you.

Our Sub Processors

The Sub Processors we use to provide the above Processing Activities are as follows:

Note that the Sub Processors marked (**) are relevant for end users, i.e. if you collect emails from your own users on a Pro subscription, or if you share your AskAI as a widget on your website.

| Processing Activity | Categories of Personal Information Processed | Sub Processors | Security Measures | DPA or Safeguard |
| --- | --- | --- | --- | --- |
| Creating, accessing, managing and using your account | Contact data | Twilio (SendGrid), Bubble, CloudFlare, Render | User access control, Data encryption, Data backup measures, System & network protection, Data retention and erasure, Control of processors, Traceability measures | |
| Payment & billing management | Economic and financial data, Identification data, Connection data, Internet data, Contact data | Stripe, PayPal | Traceability measures, Data backup measures, Data encryption, Control of processors, User access control, Data retention and erasure | |
| Adding content to an AskAI (AI training) | Identification Data, Professional Data, Sensitive Data, Contact Data, Personal Data, Economic and Financial Data, National Identification Number | Bubble, OpenAI, CarbonAI, Papertrail (Solarwinds), Qdrant, Amazon AWS, Anthropic | User access control, Software protection measures, Data encryption, Data retention and erasure, Control of processors, Traceability measures | |
| Interaction with an AskAI 'bot' (chat or summarize) | Identification Data, Professional Data, Sensitive Data, Contact Data, Personal Data, Economic and Financial Data, National Identification Number | Bubble **, OpenAI **, CarbonAI **, Portkey **, Papertrail (Solarwinds) **, Qdrant *, CloudFlare **, Anthropic, WhatsApp, Slack, Microsoft Teams | User access control, Software protection measures, Data encryption, Data retention and erasure, Control of processors, Traceability measures | |
| Customer support | Identification data, Connection data, Contact data | Crisp | Data encryption, Control of processors | |
| Bug and security monitoring | Connection data, Location data, Internet data | Hotjar, Papertrail (Solarwinds) | Software protection measures, Data encryption, User access control, Control of processors | |
| Website audience measurement | Connection data, Internet data | Amplitude, Google Analytics | User access control, Data encryption, Control of processors | |
| Service improvement | Connection data, Internet data | Amplitude, Hotjar, Bubble | Software protection measures, Data encryption, Control of processors, User access control | |
| Newsletter subscription management | Internet data, Contact data | CustomerIO | Data encryption, Control of processors, User access control, Data retention and erasure | |
| Marketing communication | Internet data, Contact data | CustomerIO | Data encryption, Control of processors, User access control, Data retention and erasure | |
| Marketing communication (Customers' end users) | Identification data, Contact data | Bubble ** | Data encryption, Control of processors | |
| B2B Lead management * | Identification data, Professional data, Internet data, Contact data | Apollo | Data encryption, Control of processors, User access control | |
| Testimonial collection * | Identification data, Professional data, Images & video data | Senja | Data encryption, Control of processors | |
| Virtual demo session * | Contact data | Zoom, Google Meet, Scribbl, SavvyCal | User access control, Software protection measures, Data encryption, Data backup measures, Control of processors | |
| Feedback collection * | Identification data, Contact data | Crisp, Featurebase | Data encryption, Control of processors | |
| Affiliate and referral programs management * | Identification data, Professional data, Internet data, Contact data | Reditus | Data encryption, Control of processors | |

Data Processing Agreement

As we may act as a Data Processor on behalf of others, we must also produce our own Data Processing Agreement.

You can find ours here.

If you are a paid user and require a signed copy, chat with us from your associated account and we will share a copy for signing.

Our Policies

You can find our policies here:

Accessing Or Deleting Your Data

In accordance with Articles 12 to 23 of GDPR, you have rights over your personal information:

  • You can request access to your personal information and a copy of it

  • You can ask us to modify your personal information if you consider it obsolete, inaccurate, or incomplete.

  • You can object to the processing of your personal information if based on our legitimate interest in certain circumstances.

  • You can request to restrict the processing during a limited period of time, in certain circumstances.

  • You can opt-out from a consent already given, without this withdrawal affecting the lawfulness of the processing operations already carried out.

  • When technically feasible, you can ask us to send you the Personal Information you provided to us, or to communicate it to a third party.

  • You can ask us to delete your Personal Information at any time, where the applicable legal grounds are met.

These rights can be exercised directly and at any time by sending an email to team@myaskai.com. Requests will be completed within 30 days.

If you are our customer's end user, please note that this request will be forwarded to them and must be answered directly by them.

International Data Transfers

Where we can, we try to process your Personal Information in the EU. However, some of our service providers are located in the US.

Fortunately, as a result of the EU's Adequacy Decision and the EU-US Data Privacy Framework, this doesn't mean you have to look elsewhere.

Essentially, as long as the Sub Processors in the US agree to process and protect data following the standards of GDPR, data can be safely and legally transferred to them from the EEA (or UK) via contractual clauses such as the Standard Contractual Clauses (SCCs) that have been approved by the European Commission.

For more information on this, please refer to the European Commission’s website, including an FAQ describing the validity of the SCCs for exporting personal data from the EEA to the US.

For example, this FAQ explains:

“SCCs as a tool for data transfers, i.e. to comply with the requirements of the GDPR for transferring personal data to countries outside of the EEA. They contain specific data protection safeguards to ensure that personal data continues to benefit from a high level of protection when transferred outside the EEA. They can be used by data exporters, without the need to obtain a prior authorisation (for the data transfer or the clauses used) from a data protection authority.”

Therefore, where there are sufficient Data Processing Agreements in place with US Sub Processors (and the GDPR framework is being followed), GDPR compliance can still be maintained. This includes Google Analytics 4 (GA4).

The following are Sub Processors we use where your Personal Information may be transferred outside of the EU:

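| Sub Processor | Location | DPA |
| --- | --- | --- |
| Twilio (SendGrid) | US | |
| Bubble | US | |
| Stripe | US | |
| PayPal | US | |
| Hotjar | US | |
| Google Analytics | US | |
| Amplitude | US | |
| CloudFlare | US | |
| Amazon AWS | US | |
| Render | US | |
| OpenAI | US | |
| CarbonAI | US | |
| Papertrail (Solarwinds) | US | |
| Qdrant | US | |
| WhatsApp | US | |
| Slack | US | |
| Microsoft Teams | US | |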

Data Processing Agreements marked (*) are executed as part of the signing of the Terms of Service or Customer Agreement. Those marked (*) are executed by the signing of an additional agreement, copies of which are available upon request if not linked.

Privacy and Encryption of Personal Information

All Personal Information (and any other information and data we store) is encrypted at rest using AES 256 and encrypted in transit using TLS 1.2+.

Registration with the Information Commissioner's Office

You can find our Registration with the Information Commissioner's Office (ICO) here.

Reporting a security vulnerability or breach

If you believe you have found a security vulnerability or a data breach in My AskAI, please share your findings via our chat as soon as possible.
