GDPR Compliance
The GDPR outlines various requirements based on how organizations manage the personal data of data subjects:
Data Controllers are entities that collect personal data and determine the purposes, means, and methods of processing that data.
Data Processors are entities that process data on behalf of a Data Controller.
ReachOut.AI functions as both a Data Controller and a Data Processor. As a Data Controller, we handle the personal data of our users for our own purposes, such as analytics and service enhancement. However, for most of the data processed through the ReachOut.AI platform, we act as a Data Processor, assisting users in processing their data to fulfill their objectives using our platform.
Our users maintain complete control over their data, deciding what information to upload and when to delete it from our platform. ReachOut.AI processes user data solely at the user’s direction, whether through our interface or via verbal or written instructions. We do not utilize your data for any purposes other than providing you with the highest quality and most suitable service. For more detailed information about our data processing practices, please refer to our Privacy Policy.
ReachOut.AI’s GDPR compliance
In accordance with GDPR requirements, we have developed, reviewed, updated, and modified numerous internal practices and policies to ensure compliance as both a Data Controller and a Data Processor. Below is an overview of several key measures we have implemented and continue to maintain to uphold this compliance.
We actively monitor guidance from privacy-related regulatory bodies regarding GDPR compliance and adjust our product features and contractual commitments as needed. We will provide you with regular updates to keep you informed and up to date.
GDPR awareness
Given that ReachOut.AI’s core business revolves around data processing, it is essential for our entire team to understand their responsibilities regarding personal data protection and compliance. As a result, all members of our development team and engineers have completed appropriate GDPR training. This commitment reflects our dedication to fostering a culture of GDPR compliance at ReachOut.AI.
Data Processing Agreement for Enterprise Users
We provide a Data Processing Agreement (DPA) for our enterprise users who collect data from data subjects within the EU. Our DPA includes contractual terms that align with GDPR requirements.
The DPA is available upon request exclusively for our Enterprise Users (also referred to as Partners). Enterprise users who need a DPA with ReachOut.AI in our capacity as a Data Processor can request a copy of our DPA here.
To ensure that no additional terms are imposed on ReachOut.AI beyond what is outlined in our DPA and Terms of Service, we generally cannot agree to sign user-provided DPAs. If you find that you cannot comply with our standard DPA, please reach out to us at support@reachout.ai. We are more than happy to discuss your concerns and explore available options.
Data Inventory and Data Protection Principles
We maintain an internal data map and other relevant documentation identifying all categories of data subjects with which ReachOut.AI interacts and the categories of data collected about each category of these data subjects. This documentation was drafted and built in response to the GDPR requirements and is updated whenever changes to ReachOut.AI’s product, infrastructure, marketing functions or any other data processing occur.
These documents enable us to ascertain and validate the legal basis and legitimate purposes for collecting and processing personal data. We also constantly evaluate potential risks personal data processing may pose to fundamental rights and ensure that we have in place the appropriate and proportional security and privacy safeguards across our infrastructure and software ecosystem. We only store and process data for as long as necessary to achieve relevant purposes.
Refer to our Privacy Policy for further information regarding the collection, storage and management of personal data provided to us.
If you’d like to learn more about ReachOut.AI’s Data Security, please see our security page. It provides detailed information on how we approach security, including our technical and organizational measures as well as our encryption standards.
Third party Subprocessors
We maintain a list of third-party vendors on our website. Our subprocessors include:
- Amazon Web Services: Web hosting for backend processes, data storage, video processing. User profile and identity data are stored and transmitted for video processing and app functionalities. Video/image/audio data are stored and transmitted for video processing. Server location: US
- Cloudways: Web hosting for the application front-end processes. User profile and identity data are stored and transmitted for account setup. Text/Video/image/audio data are transmitted for video processing. Server location: US
- Cloudflare: DNS – Location: US
- Stripe / Thrivecart / PayPal for payment data processing
- Sentry: Application monitoring and alerting logs and collecting errors (US)
- OpenAI: Script rewriting when users create videos, script content moderation, text to speech, speech to text (US)
- Microsoft Azure: Text to Speech, data warehouse, script data are transmitted for generating audio
- Google Cloud: Text to Speech, data warehouse, script data are transmitted for generating audio
- Crisp.chat: Customer support, help center (set to be discontinued in February 2025)
- ElevenLabs / Resemble / Api.audio by AudioStack / Play HT / Fliki / Lovo: text to speech integrations
- Assembly AI: Speech to text (US)
- GoHighLevel / Sendfox / Acumbamail: For email marketing and notifications (US)
- Zapier / Pabbly Connect / Make.com – Connected with our APIs if and when the user uses them to create an action like adding leads, campaigns, etc. (optional)
- BugPilot for tracking and monitoring bugs and improving performance based on user experience (Italy) – Set to be discontinued in February 2025
- RunPod.io for Secure Cloud GPU infrastructure.
- Gcore.com – for wp-cdn service for WordPress (to be discontinued in February 2025)
- Google Analytics for web analytics service that provides numerous analytical tools useful for insights on website performance and marketing campaigns.
- Meta Pixel – collects data that helps us measure, optimise and build audiences for our ad campaigns.
- TruConversion – for analyzing user behavior anonymously in the app through features like heatmaps, session recordings, and surveys to help us understand visitor interactions and enhance user experience.
We engage subprocessors that meet high privacy protection and security standards appropriate and proportional to the type of data processing.
Incident response and breach management
We maintain an internal Security Incident Response Plan that outlines the process our team follows in the event of a suspected data breach. We updated this document in response to the GDPR and other relevant data privacy regulations.
Here's our public incident response plan.
A note on consent
Under the GDPR you must have a legal basis for all data processing. As a Data Controller using ReachOut.AI, it is likely that consent will be one of the legal bases used to ensure compliance for the data you upload to our platform.
In order to be valid, consent must be verifiable. As the Data Controller, it is your obligation to ensure you have researched and reviewed your consent-gathering processes. Given that using ReachOut.AI you may process special categories or sensitive data, obtaining explicit consent for such processing is very important. The following does not constitute legal or compliance advice but provides suggestions as to how other Data Controllers manage consent:
- Verifiable consent necessitates a recorded log of how and when a customer permitted the processing of their data.
- Explicit consent requires that individuals actively agree to their data being processed, such as by ticking a box during signup or subscription. This opt-in process must include a clear message, in plain language, detailing how their personal data will be used.
- If you rely on consent for processing personal data, ensure that where and why you collected the data aligns with the GDPR’s consent standards.
Data Subject Rights in our role as Processor and Controller
As a customer of ReachOut.AI based in the EU, you are able to access, update, retrieve and remove or request to remove your own or other personal data you uploaded.
You may edit the data you have provided to ReachOut.AI by managing your ReachOut.AI account. If you would like an export of such data, you can request it at any time. For other related requests, contact us at support@reachout.ai.
You control the data uploaded to ReachOut.AI, and therefore it is stored for as long as you have your account. When you cancel your account, we will dispose of the provided data in accordance with our Terms of Service and Privacy Policy.
International Data Transfers
At this moment we do not offer data storage in the EU, and all data you process (video/audio/images/text) using ReachOut.AI is transferred to the United States and processed using our cloud providers’ servers located there.
We do our best to incorporate the newest relevant Standard Contractual Clauses approved by the European Commission into our DPA. You can request a DPA at support@reachout.ai. If you have any questions, you can reach us at the same email address.
Privacy Counsel and Further Assistance
In order to safeguard the highest possible standard of data protection, we are in the process of hiring a dedicated Privacy Counsel and GDPR representative to internally oversee our compliance. If you have specific privacy or data protection questions that are not answered here or in the Privacy Policy, you can contact him in advance through privacy@reachout.ai.
Other useful resources: