GDPR Compliance
Last updated: January 15, 2025
Our Commitment to GDPR
Protecting your data rights across the European Union
Deelo.ai is committed to compliance with the General Data Protection Regulation (GDPR). We take data protection seriously and have implemented comprehensive measures to protect the personal data of our users in the European Economic Area (EEA) and the United Kingdom.
What is GDPR?
The General Data Protection Regulation (GDPR) is a comprehensive data protection law that came into effect on May 25, 2018. It gives individuals in the EU/EEA greater control over their personal data and establishes strict requirements for organizations that process this data.
Our Role Under GDPR
As a Data Controller
When you create a Deelo account, we act as a data controller for your account information, billing data, and other personal information you provide directly to us. We determine the purposes and means of processing this data.
As a Data Processor
When you use Deelo to store and process your customer data (e.g., CRM contacts, project information, invoices), we act as a data processor on your behalf. You are the data controller for this data and responsible for ensuring lawful processing.
Your Rights Under GDPR
If you are located in the EEA or UK, you have the following rights regarding your personal data:
Right of Access
Request a copy of the personal data we hold about you, together with information about how we process it. We'll provide this within one month of receiving your request.
Right to Rectification
Request correction of inaccurate personal data or completion of incomplete data.
Right to Erasure
Request deletion of your personal data ("right to be forgotten") in certain circumstances.
Right to Restriction
Request that we limit the processing of your personal data in certain situations.
Right to Data Portability
Receive your data in a structured, commonly used, machine-readable format (JSON/CSV).
Right to Object
Object to processing based on legitimate interests, including profiling and direct marketing.
Additional Rights
- Right to Withdraw Consent: Where processing is based on consent, you can withdraw consent at any time.
- Right to Lodge a Complaint: You have the right to lodge a complaint with your local supervisory authority.
- Right Not to Be Subject to Automated Decision-Making: You can request human review of a decision based solely on automated processing (including profiling) that produces legal or similarly significant effects on you.
How to Exercise Your Rights
You can exercise your GDPR rights by:
- Account Settings: Access, export, or delete your data directly from your Deelo account settings.
- Email: Contact our Data Protection team at privacy@deelo.ai.
- In-App Request: Use the "Data Request" feature in Settings > Privacy.
We will respond to your request within one month. In complex cases, or where we receive several requests from you, we may extend this by up to two further months; if so, we will tell you within the first month why the extension is needed.
Legal Bases for Processing
Under GDPR, we must have a legal basis for processing your personal data. We rely on the following bases:
| Legal Basis | Processing Activities |
|---|---|
| Contract Performance | Account management, service delivery, billing, customer support |
| Legitimate Interests | Fraud prevention, security, service improvement, analytics |
| Consent | Marketing communications, non-essential cookies, optional features |
| Legal Obligation | Tax records, regulatory compliance, legal requests |
Data Processing Agreement (DPA)
For business customers who need a Data Processing Agreement to comply with GDPR requirements, we offer a standard DPA that covers:
- Nature, purpose, and duration of processing
- Types of personal data and data subject categories
- Obligations and rights of the controller
- Sub-processor management
- Security measures
- Data breach notification procedures
- International data transfers
- Data deletion upon termination
International Data Transfers
Deelo is operated by Klutch SH, LLC, based in the United States. When we transfer personal data from the EEA/UK to the US or other countries, we implement appropriate safeguards:
- Standard Contractual Clauses (SCCs): We use the European Commission's SCCs for transfers to countries without an adequacy decision, with the UK Addendum for data transferred from the United Kingdom.
- Supplementary Measures: Additional technical and organizational measures to protect transferred data.
- Transfer Impact Assessments: We evaluate the laws of destination countries and implement necessary safeguards.
Sub-Processors
We use carefully selected sub-processors to help deliver our services. Key sub-processors include:
| Sub-Processor | Purpose | Location |
|---|---|---|
| Google Cloud Platform | Infrastructure hosting | US/EU |
| Amazon Web Services | Infrastructure hosting | US/EU |
| Stripe | Payment processing | US |
| SendGrid | Email delivery | US |
| Twilio | SMS and voice services | US |
| OpenAI/Anthropic | AI processing | US |
We maintain contracts with all sub-processors requiring GDPR-compliant data protection. Customers will be notified of new sub-processors with the opportunity to object.
Data Retention
We retain personal data only as long as necessary:
- Account Data: Retained while your account is active plus 30 days after deletion.
- Customer Data: Retained per your instructions; deleted within 30 days of account termination.
- Billing Data: Retained for 7 years for tax and accounting purposes.
- Support Data: Retained for 3 years after ticket closure.
- Backups: Retained for up to 90 days after deletion.
Security Measures
We implement comprehensive technical and organizational measures to protect personal data:
- Encryption at rest (AES-256) and in transit (TLS 1.3)
- Multi-factor authentication
- Regular security audits and penetration testing
- Employee background checks and training
- Incident response procedures
- Physical data center security
For more details, see our Security page.
Data Breach Notification
In the event of a personal data breach affecting your data:
- Where we act as your data processor, we will notify you without undue delay, and in any case within 72 hours of becoming aware of the breach, so that you can meet your own 72-hour deadline for notifying your supervisory authority under GDPR Article 33 (that deadline applies to breaches likely to result in a risk to individuals' rights and freedoms).
- Notification will include the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address it.
- We will assist you in meeting your obligations to notify supervisory authorities and, where the risk is high, affected individuals.
Data Protection Officer
For GDPR-related inquiries, you can contact our Data Protection team at privacy@deelo.ai.
EU Representative
Where GDPR Article 27 (or the equivalent UK GDPR provision) requires it, we will appoint a representative in the European Union and the United Kingdom. Details will be provided upon request.
Supervisory Authorities
You have the right to lodge a complaint with your local data protection authority. A list of EU supervisory authorities can be found on the European Data Protection Board website.
Additional Resources
- Privacy Policy - Full details on data collection and use
- Security - Our security practices and certifications
- Cookie Policy - How we use cookies and tracking technologies
- Terms of Service - Our service agreement
This page provides general information about our GDPR compliance. It does not constitute legal advice. For specific questions about GDPR compliance, please consult with a qualified legal professional.