GDPR Compliance

1. Introduction

ControlShift AI ("ControlShift AI," "we," "our," or "us") is committed to supporting compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and UK GDPR where applicable. This page summarizes how we address key GDPR requirements for customers in the European Economic Area (EEA), United Kingdom, and other regions with similar laws.

2. Our Role Under GDPR

Depending on the processing activity, ControlShift AI may act as:

• Controller for account, billing, marketing, and website data we collect directly from customers and visitors
• Processor for personal data submitted by customers through the platform, such as end-user chat or voice interaction data

Processor obligations are set out in our Data Processing Agreement (DPA).

3. Lawful Bases for Processing

When acting as Controller, we rely on lawful bases including:

• Contract: To provide the Service and fulfill our agreement with you
• Legitimate interests: To improve, secure, and market our services where balanced against your rights
• Consent: For non-essential cookies and certain marketing communications (see our Cookie Policy)
• Legal obligation: Where required to comply with applicable law

4. Data Subject Rights

Under GDPR, individuals may have the following rights, subject to conditions and exceptions:

• Right of access
• Right to rectification
• Right to erasure ("right to be forgotten")
• Right to restrict processing
• Right to data portability
• Right to object to processing
• Rights related to automated decision-making

To exercise rights relating to data we control directly, contact support@controlshiftai.com. For data processed on behalf of a customer, contact the customer (Controller) first; we will assist them as required. See also our Data Deletion Instructions.

5. International Data Transfers

Personal data may be processed in Australia, the United States, and other countries where our subprocessors operate. Where GDPR applies, we implement appropriate safeguards for transfers, including Standard Contractual Clauses (SCCs) and supplementary measures where required. See our Subprocessor List for details on providers and locations.

6. Security Measures

We implement technical and organizational measures to protect personal data as described in our Security Policy, including access controls, encryption, and incident response procedures.

7. Data Protection by Design

We incorporate privacy considerations into product development, data minimization practices, configurable retention options, and customer controls over integrations and agent behavior. Our Responsible AI Policy addresses transparency and accountability for AI features.

8. Data Breach Notification

In the event of a personal data breach affecting customer data, we will notify affected customers without undue delay where required by GDPR and our DPA, and cooperate with Controllers in meeting regulatory notification obligations.

9. Data Protection Officer and EU Representative

For GDPR-related inquiries, contact us at support@controlshiftai.com. If an EU or UK representative is appointed, details will be published on this page.

10. Supervisory Authority

If you are located in the EEA or UK, you have the right to lodge a complaint with your local data protection supervisory authority. We encourage you to contact us first so we can address your concerns.

11. Related Documents

• Privacy Policy
• Data Processing Agreement (DPA)
• Cookie Policy
• Subprocessor List

12. Contact Us

• Email: support@controlshiftai.com
• Address: Sydney, NSW, Australia