GDPR Compliance — Your Rights Under EU Data Protection Law
1. Our Role Under GDPR
1.1 Data Controller
KnowDesk, Lda acts as a data controller for personal data collected from visitors to knowdesk.io and from registered account holders. As controller, we determine the purposes and means of processing your personal data.
1.2 Data Processor
KnowDesk also acts as a data processor on behalf of our customers (companies using the KnowDesk platform). When end-users interact with a KnowDesk-powered widget on a customer's website, the customer is the data controller and KnowDesk processes that data according to their instructions.
2. Legal Bases for Processing
We process personal data only where we have a valid legal basis under Article 6 GDPR:
| LEGAL BASIS | WHEN WE USE IT | EXAMPLES |
|---|---|---|
| Article 6(1)(b) — Contract | Processing necessary to perform our contract with you | Account management, service delivery, billing |
| Article 6(1)(f) — Legitimate Interest | Processing necessary for our legitimate business interests | Security monitoring, fraud prevention, product improvement |
| Article 6(1)(a) — Consent | Where you have given clear, specific consent | Marketing emails, optional analytics cookies |
| Article 6(1)(c) — Legal Obligation | Where processing is required by EU or Portuguese law | Tax records, responding to lawful authorities |
3. Your Rights Under GDPR
As a data subject, you have the following rights under Articles 15–22 GDPR. To exercise any of these rights, contact us at privacy@knowdesk.io. We will respond within 30 days.
| RIGHT | ARTICLE | WHAT IT MEANS |
|---|---|---|
| Access | Art. 15 | Receive a copy of all personal data we hold about you, and information about how we process it |
| Rectification | Art. 16 | Have inaccurate or incomplete personal data corrected |
| Erasure | Art. 17 | Have your personal data deleted ('right to be forgotten'), subject to legal retention obligations |
| Restriction | Art. 18 | Ask us to pause processing while a dispute is resolved |
| Portability | Art. 20 | Receive your data in a structured, machine-readable format (JSON or CSV) |
| Objection | Art. 21 | Object to processing based on legitimate interest, including for direct marketing |
| Withdraw Consent | Art. 7(3) | Withdraw any previously given consent at any time, without affecting past processing |
| Automated Decisions | Art. 22 | Not be subject to solely automated decisions that significantly affect you |
4. How to Submit a Data Request
To submit any GDPR request:
- Email: privacy@knowdesk.io with the subject line 'GDPR Request — [Your Name]'
- WhatsApp: +351 920 629 676
- Post: KnowDesk, Lda · Rua Dom João V 37, Damaia, 2720-167, Amadora, Lisbon, Portugal
We may ask you to verify your identity before processing sensitive requests such as data deletion or export. We will not charge a fee for requests unless they are manifestly unfounded or excessive.
5. Data Retention Periods
| DATA TYPE | RETENTION PERIOD | REASON |
|---|---|---|
| Account & profile data | Duration of account + 30 days after deletion | Service delivery |
| Conversation logs | 12 months from creation | Analytics and dispute resolution |
| Knowledge source content | Deleted immediately on source removal | User control |
| Billing and invoice records | 7 years | Portuguese and EU tax law |
| Technical and security logs | 90 days | Security monitoring |
| Cookie consent records | 3 years | GDPR accountability |
6. Sub-Processors and International Transfers
We use the following sub-processors, each subject to a Data Processing Agreement (DPA) and GDPR-compliant data transfer mechanisms:
| SUB-PROCESSOR | COUNTRY | TRANSFER MECHANISM | PURPOSE |
|---|---|---|---|
| Supabase | Germany (AWS Frankfurt) | Data stored in EU | Database, auth, storage |
| Stripe | USA | EU Standard Contractual Clauses | Payment processing |
| Cloudflare | Global | EU Standard Contractual Clauses | CDN, security, edge computing |
| Anthropic | USA | EU Standard Contractual Clauses | AI completions (Claude API) |
| Vercel | Global | EU Standard Contractual Clauses | Application hosting |
For each sub-processor, we have assessed the transfer risks and implemented appropriate safeguards. The Standard Contractual Clauses we rely upon are those approved by the European Commission in Decision 2021/914.
7. Data Breach Notification
In the event of a personal data breach, we will notify the Portuguese data protection authority (CNPD) within 72 hours of becoming aware of the breach, as required by Article 33 GDPR. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay.
8. Data Protection Officer
As a small business (under 250 employees) that does not conduct large-scale systematic monitoring or process special category data, KnowDesk is not required to appoint a formal Data Protection Officer under Article 37 GDPR. However, our designated privacy contact is:
- Email: privacy@knowdesk.io
- Postal: KnowDesk, Lda · Rua Dom João V 37, Damaia, 2720-167, Amadora, Lisbon, Portugal
9. Supervisory Authority
You have the right to lodge a complaint with the supervisory authority in your EU member state. The lead supervisory authority for KnowDesk is:
- CNPD (Comissão Nacional de Proteção de Dados) — Portugal
- Website: www.cnpd.pt
- Address: Rua de São Bento 148-3º, 1200-821 Lisboa, Portugal
- Email: geral@cnpd.pt
10. Data Processing Agreement (DPA)
If you use KnowDesk to process personal data of your own customers or employees (for example, through conversation logs), you may need a Data Processing Agreement with us under Article 28 GDPR. To request a DPA, contact legal@knowdesk.io. We will provide a standard DPA within 5 business days.