GDPR Compliance

We have implemented technical and organisational measures designed to meet our obligations under the GDPR and to help our customers meet theirs. We process personal data lawfully, fairly, and transparently, limit processing to specified purposes, minimise the data we collect, keep it accurate, retain it only as long as necessary, and protect it with appropriate security.

Under the GDPR, responsibilities depend on the role each party plays:

• Konversation as processor.When our customers use the Services to process the personal data of their own contacts and end users, the customer is the controller and Konversation acts as a processor, processing that data on the customer's documented instructions under our Data Processing Agreement.
• Konversation as controller. For data we determine the purposes of, such as account, billing, and website data, Konversation is the controller, as described in our Privacy Policy.

Where we act as a controller, we rely on one or more of the following lawful bases: performance of a contract, legitimate interests, consent, and compliance with a legal obligation. Where we act as a processor, the customer is responsible for establishing the lawful basis for processing their end users' data. Full detail is set out in our Privacy Policy.

The GDPR grants individuals the following rights, which we support:

• the right to be informed about how their data is used;
• the right of access to their personal data;
• the right to rectification of inaccurate or incomplete data;
• the right to erasure (the “right to be forgotten”);
• the right to restrict processing;
• the right to data portability;
• the right to object to processing; and
• rights in relation to automated decision-making and profiling.

Where Konversation is the controller, individuals can exercise these rights by contacting team@konversation.io. Where Konversation is a processor, requests should be directed to the relevant customer (the controller), and we will assist them in responding as required by Article 28.

We are based in the United Kingdom and may process personal data in the UK, the EEA, the United States, and other countries where we or our subprocessors operate. Where personal data is transferred outside the UK or EEA to a country without an adequacy decision, we rely on appropriate safeguards, including the EU Standard Contractual Clauses, the UK International Data Transfer Agreement, and the UK Addendum, together with supplementary measures where necessary.

We engage subprocessors to help deliver the Services and impose data-protection obligations on them that are no less protective than those we accept. We maintain a current list and provide advance notice of changes, as described on our Subprocessors page and in our Data Processing Agreement.

We apply appropriate technical and organisational measures to protect personal data, including encryption in transit and at rest, access controls, monitoring, backups, and a documented incident-response process. Further detail is set out in our Security Policy and in Annex II of our Data Processing Agreement.

We maintain procedures to detect, assess, and respond to personal data breaches. Where we act as a processor, we will notify affected customers without undue delay after becoming aware of a breach affecting their data, so they can meet their own notification obligations to supervisory authorities and data subjects under Articles 33 and 34.

Our Data Processing Agreement reflects the requirements of Article 28 and is available to all customers. It includes annexes covering the details of processing, technical and organisational measures, and our subprocessors. To request a countersigned copy, contact team@konversation.io.

For GDPR questions, data subject requests, or compliance documentation, contact our team. This page was last updated on June 15, 2026.