GDPR | Sayy AI

GDPR Compliance

Effective Date: 24 November, 2025

Sayy AI is designed to meet GDPR requirements end to end, including clear lawful bases for processing, strict data minimisation, strong encryption in transit and at rest, granular access controls, defined retention policies, and documented procedures for data subject rights, data processing agreements, and international data transfers.

1. Who We Are

We are an online platform that helps people embed conversational agents, sell products & services,
accept payments, and manage leads, all in one place.

For most of the information we collect, we act as the “data controller.”

2. Scope of this Notice

This notice explains:

The personal data we collect,
Why we collect it,
How we store, secure, transfer, and share it, and
The rights you have over that data.

It applies to:

Visitors to our public website
Account holders (workspace owners, team members, collaborators)
End-users who interact with an embedded agent (for instance, asking a question or making a purchase)

3. Personal Data We Collect

CATEGORY	EXAMPLES	COLLECTED FROM	PURPOSE/LAWFUL BASIS*
Identity	Name, username, profile picture	You	Contract – to create and manage your account
Contact	Email, phone, social links	You	Contract, Legitimate interest – onboarding & support
Billing	Country, tax ID, card last 4 digits	You / payment processor	Contract, Legal obligation (tax records)
Usage & Logs	App actions, chat transcripts, IP address, browser details, cookies	Your browser / our servers	Legitimate interest – service analytics & fraud prevention; Contract – provide chat logs & insights
Content you upload	Knowledge-base files, product images, form responses	You	Contract – operate the platform
Marketing preferences	Newsletter opt-in status	You	Consent

*See Section 4 for legal bases.

We do not intentionally collect special-category data (race, religion, health, etc.). If you upload such data,
you’re responsible for having a lawful basis to do so.

4. How and Why we use your Data

PURPOSE	Legal basis (Art. 6 GDPR)
Provide and secure the service; personalise dashboards; store chat history	Contract
Process payments and issue invoices	Contract & Legal obligation
Send product updates, security alerts, and transactional emails	Legitimate interest
Run analytics to improve features and performance	Legitimate interest
Send marketing newsletters or beta invitations	Consent – withdraw any time
Detect, investigate, and prevent fraud or abuse	Legitimate interest & Legal obligation

Whenever we rely on legitimate interest, we do a balancing test to be sure your privacy isn’t overridden.

5. Cookies & similar tech

We use first-party cookies for login sessions and security, plus cookieless analytics tools. Detailed cookie list → [placeholder link].

6. Sharing your data

RECIPIENT TYPE	ROLE	SAFEGUARDS
Cloud-hosting provider	Hosting & storage	EU data centres, ISO 27001
Payment processors	PCI-DSS card processing	Standard Contractual Clauses (SCCs) where required
Email & messaging tools	Transactional email, notifications	Data Processing Agreements + SCCs
AI-model providers	Generate natural-language responses	Requests are pseudonymised; SCCs if processed outside EU/UK
Analytics platform	Product-usage insight	IP anonymisation; EU hosting

We never sell personal data.

7. International transfers

When data leaves the EU/UK we rely on adequacy decisions, SCCs, and additional technical safeguards (encryption in transit & at rest).

8. Security Measures

TLS 1.3 with HSTS
Encryption at rest (AES-256)
2-factor authentication for staff & production systems
Annual penetration tests and continuous bug-bounty programme
Least-privilege IAM roles & automated log monitoring

9. Data Retention

DATA TYPE	RETENTION PERIOD
Account data	Life of the account + 30 days
Billing records	7 years (tax law)
Chat logs & user content	Until deleted by the workspace owner or as configured
Support tickets	2 years after closure

Back-ups roll off after 30 days.

10. Your rights under GDPR

You can: access, rectify, erase, restrict, port, or object to processing of your data, and withdraw consent at any time. Use in-app settings or the
contact method in Section 15. We reply within 30 days. You may also lodge a complaint with your local supervisory authority.

11. Automated decision-making

We don’t make decisions with legal or similarly significant effects solely by automated means.

12. Children’s data

The platform isn’t directed at children under 16. Let us know if a child’s data was submitted and we’ll delete it promptly.

13. Data breaches

We follow documented procedures to detect, report, and investigate personal-data breaches. If a breach poses a high risk to you, we’ll let you know and notify authorities, within 72 hours.

14. Changes to this notice

We sometimes update this page for legal or operational reasons. Major changes are announced in advance via email or in-app notice. Check the “Last updated” date to see the current version.

15. Contact us

For privacy questions or to exercise your rights, please use privacy@sayy.ai

Need a Data Processing Addendum (DPA)?

Workspace owners can request and e-sign our standard DPA in Settings → Compliance. It incorporates the EU SCCs 2021/914 and the UK IDTA by reference.

Quick-read summary

We collect only what’s needed to run the service, process payments, and improve features.
Your data is encrypted, never sold, and shared only with carefully vetted providers.
You control your data - edit, export, or delete it anytime.

GDPR Compliance

Effective Date: 24 November, 2025

1. Who We Are

We are an online platform that helps people embed conversational agents, sell products & services,
accept payments, and manage leads, all in one place.

For most of the information we collect, we act as the “data controller.”

2. Scope of this Notice

This notice explains:

The personal data we collect,
Why we collect it,
How we store, secure, transfer, and share it, and
The rights you have over that data.

It applies to:

Visitors to our public website
Account holders (workspace owners, team members, collaborators)
End-users who interact with an embedded agent (for instance, asking a question or making a purchase)

3. Personal Data We Collect

CATEGORY	EXAMPLES	COLLECTED FROM	PURPOSE/LAWFUL BASIS*
Identity	Name, username, profile picture	You	Contract – to create and manage your account
Contact	Email, phone, social links	You	Contract, Legitimate interest – onboarding & support
Billing	Country, tax ID, card last 4 digits	You / payment processor	Contract, Legal obligation (tax records)
Usage & Logs	App actions, chat transcripts, IP address, browser details, cookies	Your browser / our servers	Legitimate interest – service analytics & fraud prevention; Contract – provide chat logs & insights
Content you upload	Knowledge-base files, product images, form responses	You	Contract – operate the platform
Marketing preferences	Newsletter opt-in status	You	Consent

*See Section 4 for legal bases.

We do not intentionally collect special-category data (race, religion, health, etc.). If you upload such data,
you’re responsible for having a lawful basis to do so.

4. How and Why we use your Data

PURPOSE	Legal basis (Art. 6 GDPR)
Provide and secure the service; personalise dashboards; store chat history	Contract
Process payments and issue invoices	Contract & Legal obligation
Send product updates, security alerts, and transactional emails	Legitimate interest
Run analytics to improve features and performance	Legitimate interest
Send marketing newsletters or beta invitations	Consent – withdraw any time
Detect, investigate, and prevent fraud or abuse	Legitimate interest & Legal obligation

Whenever we rely on legitimate interest, we do a balancing test to be sure your privacy isn’t overridden.

5. Cookies & similar tech

We use first-party cookies for login sessions and security, plus cookieless analytics tools. Detailed cookie list → [placeholder link].

6. Sharing your data

RECIPIENT TYPE	ROLE	SAFEGUARDS
Cloud-hosting provider	Hosting & storage	EU data centres, ISO 27001
Payment processors	PCI-DSS card processing	Standard Contractual Clauses (SCCs) where required
Email & messaging tools	Transactional email, notifications	Data Processing Agreements + SCCs
AI-model providers	Generate natural-language responses	Requests are pseudonymised; SCCs if processed outside EU/UK
Analytics platform	Product-usage insight	IP anonymisation; EU hosting

We never sell personal data.

7. International transfers

When data leaves the EU/UK we rely on adequacy decisions, SCCs, and additional technical safeguards (encryption in transit & at rest).

8. Security Measures

TLS 1.3 with HSTS
Encryption at rest (AES-256)
2-factor authentication for staff & production systems
Annual penetration tests and continuous bug-bounty programme
Least-privilege IAM roles & automated log monitoring

9. Data Retention

DATA TYPE	RETENTION PERIOD
Account data	Life of the account + 30 days
Billing records	7 years (tax law)
Chat logs & user content	Until deleted by the workspace owner or as configured
Support tickets	2 years after closure

Back-ups roll off after 30 days.

10. Your rights under GDPR

11. Automated decision-making

We don’t make decisions with legal or similarly significant effects solely by automated means.

12. Children’s data

The platform isn’t directed at children under 16. Let us know if a child’s data was submitted and we’ll delete it promptly.

13. Data breaches

We follow documented procedures to detect, report, and investigate personal-data breaches. If a breach poses a high risk to you, we’ll let you know and notify authorities, within 72 hours.

14. Changes to this notice

We sometimes update this page for legal or operational reasons. Major changes are announced in advance via email or in-app notice. Check the “Last updated” date to see the current version.

15. Contact us

For privacy questions or to exercise your rights, please use privacy@sayy.ai

Need a Data Processing Addendum (DPA)?

Workspace owners can request and e-sign our standard DPA in Settings → Compliance. It incorporates the EU SCCs 2021/914 and the UK IDTA by reference.

Quick-read summary

We collect only what’s needed to run the service, process payments, and improve features.
Your data is encrypted, never sold, and shared only with carefully vetted providers.
You control your data - edit, export, or delete it anytime.

GDPR Compliance

1. Who We Are

We are an online platform that helps people embed conversational agents, sell products & services, accept payments, and manage leads, all in one place.

For most of the information we collect, we act as the “data controller.”

2. Scope of this Notice

This notice explains:

It applies to:

3. Personal Data We Collect

4. How and Why we use your Data

5. Cookies & similar tech

6. Sharing your data

7. International transfers

8. Security Measures

9. Data Retention

10. Your rights under GDPR

11. Automated decision-making

12. Children’s data

13. Data breaches

14. Changes to this notice

15. Contact us

Need a Data Processing Addendum (DPA)?

Quick-read summary

GDPR Compliance

1. Who We Are

We are an online platform that helps people embed conversational agents, sell products & services, accept payments, and manage leads, all in one place.

For most of the information we collect, we act as the “data controller.”

2. Scope of this Notice

This notice explains:

It applies to:

3. Personal Data We Collect

4. How and Why we use your Data

5. Cookies & similar tech

6. Sharing your data

7. International transfers

8. Security Measures

9. Data Retention

10. Your rights under GDPR

11. Automated decision-making

12. Children’s data

13. Data breaches

14. Changes to this notice

15. Contact us

Need a Data Processing Addendum (DPA)?

Quick-read summary

We are an online platform that helps people embed conversational agents, sell products & services,
accept payments, and manage leads, all in one place.

We are an online platform that helps people embed conversational agents, sell products & services,
accept payments, and manage leads, all in one place.