GDPR Compliance

Our Commitment

FAQai.app is fully committed to complying with the General Data Protection Regulation (GDPR). We believe in transparency, data minimisation, and giving you full control over your personal information. This page outlines how we meet our obligations under GDPR and how you can exercise your rights.

Data Controller

The data controller for FAQai.app is FAQai Ltd, registered in London, United Kingdom. For data protection enquiries, you can reach our Data Protection Officer at dpo@faqai.app.

Legal Basis for Processing

We process personal data under the following legal bases:

Contract Performance

Processing necessary to deliver our service to you, including processing your uploaded documents, generating RAG datasets, and managing your account.

Legitimate Interest

Processing for purposes where we have a legitimate business interest, including service improvement, security monitoring, and fraud prevention. We balance these interests against your rights and freedoms.

Consent

Where required, we obtain your explicit consent before processing. This applies to marketing communications and optional analytics cookies. You can withdraw consent at any time.

Your Rights Under GDPR

As a data subject, you have the following rights:

• Right of Access (Art. 15) - request a copy of the personal data we hold about you.
• Right to Rectification (Art. 16) - request correction of inaccurate or incomplete personal data.
• Right to Erasure (Art. 17) - request deletion of your personal data where there is no compelling reason for continued processing.
• Right to Restrict Processing (Art. 18) - request that we limit processing of your personal data in certain circumstances.
• Right to Data Portability (Art. 20) - receive your personal data in a structured, commonly used, machine-readable format.
• Right to Object (Art. 21) - object to processing based on legitimate interests or for direct marketing purposes.
• Rights Related to Automated Decision-Making (Art. 22) - the right not to be subject to decisions based solely on automated processing that significantly affect you.

To exercise any of these rights, visit Settings > Privacy in your account or email dpo@faqai.app. We will respond to your request within 30 days.

Data Processing

• Document processing - your documents are processed on EU/UK servers to ensure data residency compliance.
• AI processing - document content is sent to AI providers (OpenRouter, OpenAI) solely for RAG dataset generation. Your data is not used for model training purposes.
• Supabase - our database is hosted in the EU region, ensuring your data remains within compliant jurisdictions.

International Data Transfers

Where personal data is transferred outside the EU/EEA, we ensure appropriate safeguards are in place. We rely on Standard Contractual Clauses (SCCs) approved by the European Commission for any transfers to non-EU countries, ensuring your data receives the same level of protection regardless of where it is processed.

Data Retention

We retain your data only for as long as necessary:

• Documents - retained until you choose to delete them. You have full control over your uploaded content.
• Account data - deleted within 30 days of account closure, except where retention is required by law.

Data Breach Notification

In the event of a personal data breach, we will notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach, as required by Articles 33–34 of the GDPR. If the breach is likely to result in a high risk to your rights and freedoms, we will also notify affected users without undue delay.

Sub-processors

We use the following sub-processors to deliver our service:

• OpenRouter / OpenAI - AI processing for RAG dataset generation.
• Supabase - database hosting and authentication.
• Stripe - payment processing.
• Vercel - application hosting and content delivery.
• Google - OAuth authentication provider.

Supervisory Authority

You have the right to lodge a complaint with a supervisory authority. Our lead supervisory authority is the Information Commissioner's Office (ICO) in the United Kingdom. You can contact the ICO at ico.org.uk.

International Compliance

In addition to GDPR, FAQai.app is committed to complying with data protection laws in all regions where our users are located. We have aligned our data practices with the following frameworks:

• CCPA/CPRA (California, USA) - consumer privacy rights including access, deletion, and opt-out of data sharing.
• LGPD (Brazil) - Lei Geral de Proteção de Dados, providing rights to access, correction, deletion, and portability.
• PIPEDA (Canada) - Personal Information Protection and Electronic Documents Act, governing consent-based data processing.
• POPIA (South Africa) - Protection of Personal Information Act, setting conditions for lawful data processing.
• PDPA (Singapore) - Personal Data Protection Act, including consent, access, and correction rights.
• APPI (Japan) - Act on the Protection of Personal Information, with purpose specification and cross-border transfer safeguards.
• APPs (Australia) - Australian Privacy Principles under the Privacy Act 1988, covering collection, use, and disclosure of personal information.

For detailed information about your specific rights under each framework, please refer to the regional sections in our Privacy Policy.

Contact

For any GDPR-related or international data protection enquiries, contact our Data Protection Officer at dpo@faqai.app or call +44 7778 208203.

Last updated: February 2026