The GDPR outlines various requirements based on how organizations manage the personal data of data subjects:
Data Controllers are entities that collect personal data and determine the purposes, means, and methods of processing that data.
Data Processors are entities that process data on behalf of a Data Controller.
ReachOut.AI functions as both a Data Controller and a Data Processor. As a Data Controller, we handle the personal data of our users for our own purposes, such as analytics and service enhancement. However, for most of the data processed through the ReachOut.AI platform, we act as a Data Processor, assisting users in processing their data to fulfill their objectives using our platform.
Our users maintain complete control over their data, deciding what information to upload and when to delete it from our platform. ReachOut.AI processes user data solely at the user’s direction, whether through our interface or via verbal or written instructions. We do not utilize your data for any purposes other than providing you with the highest quality and most suitable service. For more detailed information about our data processing practices, please refer to our Privacy Policy.
In accordance with GDPR requirements, we have developed, reviewed, updated, and modified numerous internal practices and policies to ensure compliance as both a Data Controller and a Data Processor. Below is an overview of several key measures we have implemented and continue to maintain to uphold this compliance.
We actively monitor guidance from privacy-related regulatory bodies regarding GDPR compliance and adjust our product features and contractual commitments as needed. We will provide you with regular updates to keep you informed and up to date.
Given that ReachOut.AI’s core business revolves around data processing, it is essential for our entire team to understand their responsibilities regarding personal data protection and compliance. As a result, all members of our development team and engineers have completed appropriate GDPR training. This commitment reflects our dedication to fostering a culture of GDPR compliance at ReachOut.AI.
We provide a Data Processing Agreement (DPA) for our enterprise users who collect data from data subjects within the EU. Our DPA includes contractual terms that align with GDPR requirements.
The DPA is available upon request exclusively for our Enterprise Users (also referred to as Partners). Enterprise users who need a DPA with ReachOut.AI in our capacity as a Data Processor can request a copy of our DPA here.
To ensure that no additional terms are imposed on ReachOut.AI beyond what is outlined in our DPA and Terms of Service, we generally cannot agree to sign user-provided DPAs. If you find that you cannot comply with our standard DPA, please reach out to us at [email protected]. We are more than happy to discuss your concerns and explore available options.
We maintain an internal data map and other relevant documentation identifying all categories of data subjects with which ReachOut.AI interacts and the categories of data collected about each category of these data subjects. This documentation was drafted and built in response to the GDPR requirements and is updated whenever changes to ReachOut.AI’s product, infrastructure, marketing functions or any other data processing occur.
These documents enable us to ascertain and validate the legal basis and legitimate purposes for collecting and processing personal data. We also constantly evaluate potential risks personal data processing may pose to fundamental rights and ensure that we have in place the appropriate and proportional security and privacy safeguards across our infrastructure and software ecosystem. We only store and process data for as long as necessary to achieve relevant purposes.
Refer to our Privacy Policy for further information regarding the collection, storage and management of personal data provided to us.
If you’d like to learn more about ReachOut.AI’s Data Security, please see our security page. It provides detailed information on how we approach security, including our technical and organizational measures as well as our encryption standards.
We maintain a list of third-party vendors on our website. Our subprocessors include:
We engage subprocessors that meet high privacy protection and security standards, appropriate and proportional to the type of data processing.
We maintain an internal Security Incident Response Plan that outlines the process our team follows in the event of a suspected data breach. We updated this document in response to the GDPR and other relevant data privacy regulations.
Under the GDPR you must have a legal basis for all data processing. As a Data Controller using ReachOut.AI, it is likely that consent will be one of the legal bases used to ensure compliance for the data you upload to our platform.
In order to be valid, consent must be verifiable. As the Data Controller, it is your obligation to ensure you have researched and reviewed your consent-gathering processes. Given that you may process special categories or sensitive data when using ReachOut.AI, obtaining explicit consent for such processing is very important. The following does not constitute legal or compliance advice but provides suggestions as to how other Data Controllers manage consent:
As a customer of ReachOut.AI based in the EU, you are able to access, update, retrieve and remove, or request to remove, your own or other personal data you uploaded.
You may edit the data you have provided to ReachOut.AI by managing your ReachOut.AI account. If you would like an export of such data, you can request it at any time. For other related requests, contact us at [email protected]
You control the data uploaded to ReachOut.AI, and it is therefore stored for as long as you have your account. When you cancel your account, we will dispose of the data you provided in accordance with our Terms of Service and Privacy Policy.
At this moment we do not offer data storage in the EU and all data you process (video/audio/images/text) using ReachOut.AI is transferred to the United States and processed with the use of our cloud providers’ servers located therein.
We do our best to incorporate the newest relevant Standard Contractual Clauses approved by the European Commission into our DPA. You can request a DPA at [email protected]. If you have any questions, you can reach us at the same email address.
In order to safeguard the highest possible standard of data protection, we are in the process of hiring a dedicated Privacy Counsel and GDPR representative to internally oversee our compliance. If you have specific privacy and data protection questions that you can’t find answers to here or in the Privacy Policy, you can contact him in advance through [email protected]
Other useful resources: