Regulatory Compliance · Effective 1 April 2026

GDPR & UK GDPR Compliance

How AskBiz complies with EU GDPR and UK GDPR — lawful bases, data subject rights, international transfers, sub-processors, and our Data Processing Agreement.

Last updated: 1 April 2026 · Questions? legal@askbiz.co

Scope and Applicability

EU GDPR applies to AskBiz because we offer services to individuals and businesses in the EU. UK GDPR applies because we are a UK-registered business and process personal data in the UK. Both frameworks impose substantially similar obligations.

AskBiz operates in two distinct capacities under GDPR:

  • Data Controller — for personal data of our own users (your name, email, billing information)
  • Data Processor — for personal data you upload or sync from connected platforms (your customers' hashed identifiers, order histories, etc.)

Lawful Bases We Rely On

For your account data (as controller):

  • Contract (Article 6(1)(b)) — processing your email, billing details, and account information is necessary to provide the service you have contracted for
  • Legal obligation (Article 6(1)(c)) — retention of billing records for tax compliance
  • Legitimate interests (Article 6(1)(f)) — product analytics (anonymised), security monitoring, and fraud prevention
  • Consent (Article 6(1)(a)) — marketing communications (opt-in only)

For data you upload (as processor):

You determine the lawful basis. AskBiz processes this data on your documented instructions. Our DPA sets out our processor obligations.

International Data Transfers

AskBiz's infrastructure is hosted in the EU (AWS Dublin). However, we use Anthropic's Claude API, which involves a transfer of data to the United States.

This transfer is governed by:

  • Standard Contractual Clauses (SCCs) — we have SCCs in place with Anthropic covering the transfer of personal data
  • Anthropic's sub-processor obligations — Anthropic processes data transiently (not retained beyond the API call duration)
  • Transfer Impact Assessment — we have conducted a TIA and determined that the SCCs provide adequate protection given the transient nature of the transfer and Anthropic's security measures

Data processed by Stripe (billing) is subject to Stripe's own GDPR compliance measures and the Privacy Shield successor framework.

Sub-Processors

AskBiz uses the following sub-processors to deliver the service:

  • Vercel Inc. (US) — application hosting. EU users' requests are served from Vercel's EU edge network. Data subject to Vercel's DPA and SCCs.
  • Supabase Inc. (US) — database hosting, deployed on AWS EU-West-1 (Dublin). Data stored in the EU.
  • Anthropic PBC (US) — Claude AI API. Personal data transmitted transiently for AI processing. SCCs in place.
  • Stripe Inc. (US) — payment processing. Processes billing data only. Stripe's own GDPR compliance applies.
  • PostHog Inc. (US) — product analytics. Anonymised usage data only. PostHog EU deployment used. Consent-based.

We maintain a full sub-processor list and notify customers of material sub-processor changes with 30 days' notice.

Your Rights as a Data Subject

Under EU and UK GDPR, you have the following rights regarding personal data AskBiz holds about you:

  • Access (Article 15) — request a copy of your personal data
  • Rectification (Article 16) — correct inaccurate data
  • Erasure (Article 17) — 'right to be forgotten'
  • Restriction (Article 18) — restrict processing while a dispute is resolved
  • Portability (Article 20) — receive your data in a machine-readable format
  • Object (Article 21) — object to processing based on legitimate interests
  • Not to be subject to automated decisions (Article 22) — AskBiz is designed as a decision-support tool and does not make automated decisions with significant legal effects

Exercise any right by emailing privacy@askbiz.co. We respond within 30 days (extendable by 2 months for complex requests with notice).

You also have the right to lodge a complaint with the ICO (UK): ico.org.uk | 0303 123 1113, or your national supervisory authority (EU).