Data Privacy Compliance - Your Rights Under Applicable Data Protection Law
1. Our Role Under Applicable Privacy Law
1.1 Data Controller
KnowDesk Inc., a Delaware corporation, acts as a data controller for personal data collected from visitors to knowdesk.io and from registered account holders. As controller, we determine the purposes and means of processing your personal data. While KnowDesk Inc. is a US company and primarily governed by US privacy law, we acknowledge the rights of EU/EEA users under GDPR as a matter of good practice.
1.2 Data Processor
KnowDesk also acts as a data processor on behalf of our customers (companies using the KnowDesk platform). When end-users interact with a KnowDesk-powered widget on a customer's website, the customer is the data controller and KnowDesk processes that data according to their instructions.
2. Legal Bases for Processing
We process personal data only where we have a valid legal basis. For EU/EEA users, we reference the equivalent Article 6 GDPR bases below. For all users, our processing is grounded in the following lawful purposes:
| LEGAL BASIS | WHEN WE USE IT | EXAMPLES |
|---|---|---|
| Contract (Art. 6(1)(b) GDPR) | Processing necessary to perform our contract with you | Account management, service delivery, billing |
| Legitimate Interest (Art. 6(1)(f) GDPR) | Processing necessary for our legitimate business interests | Security monitoring, fraud prevention, product improvement |
| Consent (Art. 6(1)(a) GDPR) | Where you have given clear, specific consent | Marketing emails, optional analytics cookies |
| Legal Obligation (Art. 6(1)(c) GDPR) | Where processing is required by applicable law | Tax records, responding to lawful authorities |
3. Your Privacy Rights
We extend the following rights to all users of our platform regardless of location. EU/EEA users may also exercise these as formal GDPR rights under Articles 15–22. To exercise any of these rights, contact us at hello@knowdesk.io. We will respond within 45 days as permitted under US law, with a possible 45-day extension where reasonably necessary.
| RIGHT | ARTICLE | WHAT IT MEANS |
|---|---|---|
| Access | Art. 15 | Receive a copy of all personal data we hold about you, and information about how we process it |
| Rectification | Art. 16 | Have inaccurate or incomplete personal data corrected |
| Erasure | Art. 17 | Have your personal data deleted ('right to be forgotten'), subject to legal retention obligations |
| Restriction | Art. 18 | Ask us to pause processing while a dispute is resolved |
| Portability | Art. 20 | Receive your data in a structured, machine-readable format (JSON or CSV) |
| Objection | Art. 21 | Object to processing based on legitimate interest, including for direct marketing |
| Withdraw Consent | Art. 7(3) | Withdraw any previously given consent at any time, without affecting past processing |
| Automated Decisions | Art. 22 | Not be subject to solely automated decisions that significantly affect you |
4. How to Submit a Data Request
To submit any privacy or data request:
- Email: hello@knowdesk.io with the subject line 'Privacy Request — [Your Name]'
- Call / Message: +1 (307) 316-8676
- Post: KnowDesk Inc. · 1908 Thomes Avenue, Cheyenne, WY 82001, United States
We may ask you to verify your identity before processing sensitive requests such as data deletion or export. We will not charge a fee for requests unless they are manifestly unfounded or excessive.
5. Data Retention Periods
| DATA TYPE | RETENTION PERIOD | REASON |
|---|---|---|
| Account & profile data | Duration of account + 30 days after deletion | Service delivery |
| Conversation logs | 12 months from creation | Analytics and dispute resolution |
| Knowledge source content | Deleted immediately on source removal | User control |
| Billing and invoice records | 7 years | US federal and state tax law requirements |
| Technical and security logs | 90 days | Security monitoring |
| Cookie consent records | 3 years | GDPR accountability |
6. Sub-Processors and International Transfers
KnowDesk Inc. is a US-based company. Data is primarily stored and processed in the United States. We use the following sub-processors, each subject to a Data Processing Agreement (DPA) and appropriate data protection standards:
| SUB-PROCESSOR | COUNTRY | TRANSFER MECHANISM | PURPOSE |
|---|---|---|---|
| Supabase | Germany (EU - Central) | Data stored in EU | Database, auth, storage |
| Stripe | USA | Standard Contractual Clauses (for EU users) | Payment processing |
| Cloudflare | Global | Standard Contractual Clauses (for EU users) | CDN, security, edge computing |
| Cloud Server | Global | Standard Contractual Clauses (for EU users) | Application hosting |
For EU/EEA users, where data is transferred outside the EU, we rely on the Standard Contractual Clauses approved by the European Commission in Decision 2021/914 where applicable.
7. Data Breach Notification
In the event of a personal data breach, we will assess the breach promptly and notify affected users directly without undue delay where the breach is likely to result in a high risk to their rights and freedoms. For EU/EEA users, we will use reasonable efforts to notify the relevant supervisory authority within 72 hours of becoming aware of the breach where required.
8. Privacy Contact
As a US-incorporated company, KnowDesk Inc. is not required to appoint a formal Data Protection Officer under GDPR. However, we take privacy seriously and have a designated privacy contact for all data-related queries:
- Email: hello@knowdesk.io
- Post: KnowDesk Inc. · 1908 Thomes Avenue, Cheyenne, WY 82001, United States
9. Supervisory Authority
As a US-incorporated company, KnowDesk Inc. does not have a lead EU supervisory authority. However, if you are an EU/EEA resident and believe we have not handled your data appropriately, you have the right to lodge a complaint with the supervisory authority in your EU member state. You may also contact the US Federal Trade Commission (FTC) at ftc.gov regarding US privacy concerns.
10. Data Processing Agreement (DPA)
If you use KnowDesk to process personal data of your own customers or employees (for example, through conversation logs), you may need a Data Processing Agreement with us under Article 28 GDPR. To request a DPA, contact hello@knowdesk.io. We will provide a standard DPA within 5 business days.