visibilityRASADAI

GDPR Compliance

Last updated: April 23, 2026

This page explains how RasadAI complies with the EU General Data Protection Regulation (GDPR) and the UK GDPR. It complements our Privacy Policy, which applies globally.

Our Role

For data you provide directly (account information, brand configuration, integration tokens), RasadAI is the data controller.

For mention data we collect from public sources on your behalf, RasadAI acts as a data processor on your instructions.

Lawful Bases for Processing

We rely on the following lawful bases (Article 6):

  • Contract — to deliver the Service you've subscribed to.
  • Legitimate interest — to secure, monitor, and improve the Service, prevent abuse, and respond to support inquiries. We balance this against your rights and freedoms.
  • Legal obligation — to comply with applicable laws.
  • Consent — for any optional marketing emails (you can withdraw at any time).

Your Rights Under GDPR

If you are in the EU, UK, or EEA, you have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — correct inaccurate or incomplete data.
  • Erasure ("right to be forgotten") — request deletion of your data, subject to legal retention requirements.
  • Restriction — limit how we process your data.
  • Portability — receive your data in a structured, machine-readable format.
  • Objection — object to processing based on legitimate interests.
  • Withdraw consent — where processing is based on consent.
  • Lodge a complaint — with your local data-protection authority.

To exercise any of these rights, email privacy@rasadai.com. We respond to GDPR requests within 30 days.

Data Processing Agreement (DPA)

For customers using RasadAI in a B2B context where we process data on your behalf, we offer a Data Processing Agreement that satisfies Article 28 GDPR requirements. To request a DPA, email legal@rasadai.com.

International Data Transfers

Some of our infrastructure providers are located outside the EU/EEA (primarily in the United States). Where data is transferred outside the EU/EEA, we rely on:

  • The European Commission's Standard Contractual Clauses (SCCs) for transfers to processors in third countries.
  • Adequacy decisions where applicable.
  • Supplementary technical measures (encryption in transit and at rest, per-tenant isolation, access controls).

Sub-Processors

We use the following sub-processors to deliver the Service:

  • Vercel (USA) — web hosting and serverless compute.
  • Supabase (EU/USA) — database and storage.
  • Railway (USA) — agent service hosting.
  • Anthropic via OpenRouter (USA) — AI inference.
  • Public-data APIs for monitoring (third-party providers across regions).
  • Workspace integrations you choose to enable (Slack, Discord, Telegram, Microsoft Teams).

We notify customers of material sub-processor changes at least 30 days in advance via email.

Data Retention

Personal data is retained only as long as necessary for the purposes described in our Privacy Policy and for legal compliance. On account closure, personal data is deleted within 30 days.

Data Breach Notification

In the event of a personal-data breach likely to result in risk to individuals' rights and freedoms, we will notify affected customers and the relevant supervisory authority within 72 hours of becoming aware, in accordance with Articles 33 and 34 GDPR.

Contact Our Data Protection Lead

For any GDPR-related inquiry: privacy@rasadai.com