GDPR Compliance — OutreachAgent

Overview

The GDPR (Regulation (EU) 2016/679) is the world's most comprehensive data privacy law. It applies to any organisation that processes the personal data of EU residents, regardless of where the organisation is based.

OutreachAgent is operated by Emacron AI Technologies Ltd, a company registered in England and Wales. We process EU personal data and are therefore subject to the GDPR in full.

Our data roles

Data Controller: Emacron AI Technologies Ltd acts as a data controller for the personal data of our customers (e.g. your name, email, and billing information) which we process to provide and improve the OutreachAgent platform.

Data Processor: When you upload contact lists or other personal data of your own customers or prospects into OutreachAgent, we act as a data processor on your behalf. You are the data controller for that data and we process it only on your documented instructions.

Lawful bases for processing

We rely on the following lawful bases under Article 6 GDPR:

Contract (6(1)(b))Processing necessary to provide the service you have contracted with us for.
Legitimate interests (6(1)(f))Improving our platform, fraud prevention, and security monitoring.
Legal obligation (6(1)(c))Retaining financial records for tax and accounting purposes.
Consent (6(1)(a))Marketing communications via email (you can withdraw consent at any time).

Your rights as a data subject

Under the GDPR, EU residents have the following rights in relation to their personal data:

Right of access (Art. 15)

Request a copy of all personal data we hold about you.

Right to rectification (Art. 16)

Ask us to correct inaccurate or incomplete data.

Right to erasure (Art. 17)

Request deletion of your personal data ("right to be forgotten").

Right to restriction (Art. 18)

Ask us to restrict processing in certain circumstances.

Right to data portability (Art. 20)

Receive your data in a structured, machine-readable format.

Right to object (Art. 21)

Object to processing based on legitimate interests or for direct marketing.

Rights in automated decision-making (Art. 22)

Not to be subject to purely automated decisions with significant legal effects.

To exercise any of these rights, email [email protected]. We will respond within 30 days.

International data transfers

Where personal data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place:

→ Standard Contractual Clauses (SCCs) approved by the European Commission
→ Transfer to countries with an EU adequacy decision
→ UK IDTA (International Data Transfer Agreement) for transfers from the UK

Data Processing Agreement (DPA)

A GDPR-compliant Data Processing Agreement is available to all OutreachAgent customers at no charge. If you are an existing customer, the DPA is incorporated by reference into the Terms of Service. If you require a signed DPA for compliance purposes, please email [email protected].

Sub-processors

We use the following sub-processors to deliver the OutreachAgent service:

Sub-processor	Purpose	Location
Supabase	Database & authentication	EU (Frankfurt)
Cloudflare	CDN, DDoS protection, DNS	EU/US
AWS	Infrastructure & storage	EU (Frankfurt)
Twilio	SMS delivery	US (SCCs in place)
Stripe	Payment processing	US (SCCs in place)
PostHog	Product analytics (anonymised)	EU

We notify customers at least 30 days in advance of any material change to our sub-processor list.

Contact our Data Protection Officer

For any GDPR-related queries, requests, or complaints, contact our DPO:

Data Protection Officer

Emacron AI Technologies

Fourth Floor, City Vista, Kharadi, Pune 411014, India

[email protected]

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.