GDPR Compliance
Last Updated: January 14, 2026
PerfectCSR.AI Inc. is committed to protecting the privacy and security of personal data in full compliance with the General Data Protection Regulation. This page explains our GDPR compliance measures, our role as a data controller and processor, and your rights as a data subject.
Throughout this document, when we refer to "we", "us", or "our", we mean PerfectCSR.AI Inc. The term "GDPR" refers to the European Union's General Data Protection Regulation. A "Data Controller" is an entity that determines how personal data is processed, while a "Data Processor" processes data on behalf of the controller.
GDPR at a glance
GDPR gives you control over your personal data. If you are in the EU or EEA, you have rights including access, correction, deletion, and portability of your data. We act as a Data Controller for your account information and as a Data Processor for data you process through our AI platform. We offer Data Processing Agreements and use Standard Contractual Clauses for international transfers.
Our Role Under GDPR
As a Data Controller
When you sign up for our Services, visit our website, or interact with us directly, PerfectCSR.AI acts as a Data Controller. This means we determine the purposes and means of processing your personal data, including:
- Account registration and management information
- Billing and payment data
- Website usage and analytics data
- Marketing and communication preferences
- Support tickets and correspondence
As a Data Processor
When you use our AI chatbot platform to process your customers' or end-users' personal data, we act as a Data Processor. In this capacity:
- You (our customer) are the Data Controller for your end-users' data
- We process personal data strictly on your behalf and per your instructions
- We are bound by our Data Processing Agreement (DPA) with you
- You are responsible for ensuring lawful collection and processing of your end-users' data
Legal Bases for Processing
Under GDPR Article 6, we process personal data based on the following legal grounds:
| Legal Basis | When We Use It |
|---|---|
| Contract Performance (Article 6(1)(b)) | Providing our Services, account management, billing, and customer support |
| Legitimate Interests (Article 6(1)(f)) | Service improvement, security, fraud prevention, analytics, and B2B marketing |
| Legal Obligation (Article 6(1)(c)) | Tax records, regulatory compliance, and responding to legal requests |
| Consent (Article 6(1)(a)) | Marketing emails, newsletters, non-essential cookies, and optional features |
Your Rights Under GDPR
As a data subject in the European Economic Area (EEA), you have the following rights:
Right of Access (Article 15)
Request a copy of all personal data we hold about you, along with information about how we process it, the purposes, recipients, and retention periods.
Right to Rectification (Article 16)
Request correction of inaccurate personal data or completion of incomplete data without undue delay.
Right to Erasure (Article 17)
Also known as the "right to be forgotten." Request deletion of your personal data when it's no longer necessary, you withdraw consent, or you object to processing.
Right to Restriction (Article 18)
Request limitation of processing while we verify accuracy of your data, assess your objection, or when processing is unlawful but you prefer restriction over erasure.
Right to Data Portability (Article 20)
Receive your personal data in a structured, commonly used, machine-readable format (JSON/CSV) and transmit it to another controller.
Right to Object (Article 21)
Object to processing based on legitimate interests or for direct marketing purposes. We will stop processing unless we have compelling legitimate grounds.
Rights Related to Automated Decisions (Article 22)
Not be subject to decisions based solely on automated processing (including profiling) that produce legal or similarly significant effects on you, and obtain human review of any such decision.
Legal stuff made easy
Your data, your control. Under GDPR, you can see what data we have, fix mistakes, delete it, take it elsewhere, or tell us to stop using it. Just email privacy@perfectcsr.ai and we'll respond within 30 days.
Exercising Your Rights
To exercise any of your GDPR rights, you can:
- Email: privacy@perfectcsr.ai
- Account Settings: Use built-in data management features
- DPO Contact: dpo@perfectcsr.ai
Response Timeline:
- We will acknowledge your request within 72 hours
- We will fulfill your request within 30 days
- For complex or numerous requests, this deadline may be extended by up to 60 additional days; we will inform you of any extension and the reasons for it
- We may request identity verification for security purposes
Data Processing Agreement (DPA)
For customers processing EU personal data through our platform, we provide a comprehensive Data Processing Agreement that meets GDPR Article 28 requirements:
Our DPA Includes:
- Subject matter, duration, nature, and purpose of processing
- Types of personal data and categories of data subjects
- Our obligations and rights as a processor
- Sub-processor management and approval process
- Technical and organizational security measures (Annex)
- Assistance with data subject requests
- Breach notification procedures (within 48 hours)
- Data return and secure deletion terms
- Audit rights and compliance cooperation
- Standard Contractual Clauses (SCCs) for international transfers
To request our DPA: Contact legal@perfectcsr.ai. Enterprise customers receive a DPA as part of their service agreement.
International Data Transfers
When transferring personal data outside the European Economic Area (EEA), we ensure GDPR-compliant protections:
Standard Contractual Clauses (SCCs)
We use the European Commission's 2021 Standard Contractual Clauses as our primary transfer mechanism. Our SCCs include the appropriate modules for controller-to-controller and controller-to-processor transfers.
Supplementary Measures (Post-Schrems II)
Following the Schrems II ruling, we implement additional safeguards:
- End-to-end encryption (AES-256) for data in transit and at rest
- Data pseudonymization and anonymization where possible
- Transfer Impact Assessments (TIAs) for recipient countries
- Additional contractual commitments on government access
- Technical measures to prevent unauthorized access
EU Data Residency
Enterprise customers can choose EU-only data processing with data stored in our EU data centers (AWS Frankfurt, Ireland).
Sub-Processors
We use carefully selected sub-processors to help deliver our Services. All sub-processors are bound by GDPR-compliant agreements.
| Sub-Processor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure & hosting | EU (Frankfurt, Ireland) & US |
| Google Cloud Platform | AI/ML processing | EU & US |
| OpenAI | AI model inference | US (with DPA) |
| Stripe | Payment processing | EU & US |
| Intercom | Customer support | US (with SCCs) |
| SendGrid | Transactional emails | US (with SCCs) |
We maintain an up-to-date list of sub-processors. You can subscribe to sub-processor change notifications by emailing privacy@perfectcsr.ai.
Data Protection Officer
We have appointed a Data Protection Officer (DPO) to oversee GDPR compliance:
Data Protection Officer
PerfectCSR.AI Inc.
Email: dpo@perfectcsr.ai
Response Time: Within 72 hours
Data Breach Notification
In the event of a personal data breach affecting EU data subjects, we follow the requirements of GDPR Articles 33 and 34:
- Supervisory Authority: Notification within 72 hours of becoming aware (if required)
- Data Subjects: Notification "without undue delay" when breach is likely to result in high risk
- Customers (as Data Controller): Notification within 48 hours per our DPA
- Documentation: All breaches documented with facts, effects, and remedial actions
Record of Processing Activities
We maintain detailed records of processing activities as required by GDPR Article 30, including:
- Categories of data subjects and personal data
- Processing purposes and legal bases
- Data recipients and international transfers
- Retention periods
- Technical and organizational security measures
Supervisory Authority
You have the right to lodge a complaint with a supervisory authority if you believe your data protection rights have been violated.
- EU DPAs: European Data Protection Board Members
- UK ICO: Information Commissioner's Office
Contact Us
For GDPR-related inquiries, data subject requests, or DPA questions:
PerfectCSR.AI Inc. - Privacy Team
Email: privacy@perfectcsr.ai
DPO: dpo@perfectcsr.ai
Legal: legal@perfectcsr.ai