GDPR Compliance
Effective Date: 24 November, 2025
Sayy AI is designed to meet GDPR requirements end to end, including clear lawful bases for processing, strict data minimisation, strong encryption in transit and at rest, granular access controls, defined retention policies, and documented procedures for data subject rights, data processing agreements, and international data transfers.
1. Who We Are
We are an online platform that helps people embed conversational agents, sell products & services, accept payments, and manage leads, all in one place.
For most of the information we collect, we act as the “data controller.”
2. Scope of this Notice
This notice explains:
- The personal data we collect,
- Why we collect it,
- How we store, secure, transfer, and share it, and
- The rights you have over that data.
It applies to:
- Visitors to our public website
- Account holders (workspace owners, team members, collaborators)
- End-users who interact with an embedded agent (for instance, asking a question or making a purchase)
3. Personal Data We Collect
*See Section 4 for legal bases.
We do not intentionally collect special-category data (race, religion, health, etc.). If you upload such data, you’re responsible for having a lawful basis to do so.
4. How and Why we use your Data
Whenever we rely on legitimate interest, we do a balancing test to be sure your privacy isn’t overridden.
5. Cookies & similar tech
We use first-party cookies for login sessions and security, plus cookieless analytics tools. Detailed cookie list → [placeholder link].
6. Sharing your data
We never sell personal data.
7. International transfers
When data leaves the EU/UK we rely on adequacy decisions, SCCs, and additional technical safeguards (encryption in transit & at rest).
8. Security Measures
- TLS 1.3 with HSTS
- Encryption at rest (AES-256)
- 2-factor authentication for staff & production systems
- Annual penetration tests and continuous bug-bounty programme
- Least-privilege IAM roles & automated log monitoring
9. Data Retention
Back-ups roll off after 30 days.
10. Your rights under GDPR
You can: access, rectify, erase, restrict, port, or object to processing of your data, and withdraw consent at any time. Use in-app settings or the contact method in Section 15. We reply within 30 days. You may also lodge a complaint with your local supervisory authority.
11. Automated decision-making
We don’t make decisions with legal or similarly significant effects solely by automated means.
12. Children’s data
The platform isn’t directed at children under 16. Let us know if a child’s data was submitted and we’ll delete it promptly.
13. Data breaches
We follow documented procedures to detect, report, and investigate personal-data breaches. If a breach poses a high risk to you, we’ll let you know and notify authorities, within 72 hours.
14. Changes to this notice
We sometimes update this page for legal or operational reasons. Major changes are announced in advance via email or in-app notice. Check the “Last updated” date to see the current version.
15. Contact us
For privacy questions or to exercise your rights, please use privacy@sayy.ai
Need a Data Processing Addendum (DPA)?
Workspace owners can request and e-sign our standard DPA in Settings → Compliance. It incorporates the EU SCCs 2021/914 and the UK IDTA by reference.
Quick-read summary
- We collect only what’s needed to run the service, process payments, and improve features.
- Your data is encrypted, never sold, and shared only with carefully vetted providers.
- You control your data - edit, export, or delete it anytime.