LEGAL

Privacy Policy — How KnowDesk Protects Your Data

Last updated: 1 May 2026KnowDesk, Lda · Amadora, Portugal
Summary: We collect only what we need to run KnowDesk. We never sell your data. We use Supabase for storage, Stripe for payments, and Cloudflare for delivery. You can request deletion of your data at any time.

1. Who We Are

KnowDesk is operated by KnowDesk, Lda, a company registered in Portugal with its registered office at Rua Dom João V 37, Damaia, 2720-167, Amadora, Lisbon, Portugal. References to "KnowDesk", "we", "us", or "our" in this policy refer to KnowDesk, Lda.

We are the data controller for personal data collected through our website (knowdesk.io) and platform. For questions about this policy, contact us at privacy@knowdesk.io.

2. What Data We Collect

2.1 Account data

  • Email address and password (hashed, never stored in plain text)
  • Company name and website URL
  • Billing name and address (via Stripe — we never store card numbers)

2.2 Usage data

  • Conversation logs — messages sent to and received from your AI widget
  • Knowledge source metadata (file names, sync status, character count)
  • Widget configuration settings (brand name, colour, tone)
  • Dashboard activity (pages visited, features used)
  • Message counts used against your monthly plan limit

2.3 Technical data

  • IP address (collected by Cloudflare for security and rate limiting)
  • Browser type and version
  • Device type and operating system
  • Referring URL and pages visited on knowdesk.io
  • Cookie identifiers (see our Cookie Policy for details)

2.4 Data you upload

When you connect knowledge sources, the content of those documents (Google Docs, PDFs, pasted text) is stored encrypted in our database and used solely to generate responses in your AI widget. We do not read, analyse, or use this content for any other purpose.

3. How We Use Your Data

PURPOSELEGAL BASISDATA USED
Providing and operating the KnowDesk serviceContractual necessityAccount data, usage data
Processing payments and managing subscriptionsContractual necessityBilling data via Stripe
Sending service emails (invoices, alerts, password resets)Contractual necessityEmail address
Improving the platform and fixing bugsLegitimate interestUsage data, technical data
Preventing fraud and abuseLegitimate interestTechnical data, IP address
Sending product update emails (if opted in)ConsentEmail address
Complying with legal obligationsLegal obligationAll relevant data

4. Data Sharing

We do not sell, rent, or trade your personal data. We share data only with the following trusted sub-processors, each operating under GDPR-compliant data processing agreements:

SUB-PROCESSORPURPOSELOCATION
SupabaseDatabase, authentication, file storageEU (AWS Frankfurt)
StripePayment processing and billingUSA (Standard Contractual Clauses)
CloudflareCDN, DDoS protection, edge computingGlobal (SCC-protected)
AnthropicAI completions (Claude API)USA (SCC-protected)
VercelApplication hosting and deploymentGlobal (SCC-protected)

5. Data Retention

  • Account data: retained for the lifetime of your account, plus 30 days after deletion
  • Conversation logs: retained for 12 months, then automatically deleted
  • Knowledge source content: deleted immediately when you remove a source
  • Billing records: retained for 7 years (legal requirement under Portuguese/EU tax law)
  • Technical logs: retained for 90 days

6. Your Rights (GDPR)

As a resident of the EU/EEA, or as a user of our platform regardless of location, you have the following rights under GDPR:

  • Right of access — request a copy of all personal data we hold about you
  • Right to rectification — correct inaccurate or incomplete data
  • Right to erasure ('right to be forgotten') — request deletion of your account and all associated data
  • Right to restriction — ask us to limit how we process your data
  • Right to data portability — receive your data in a machine-readable format
  • Right to object — object to processing based on legitimate interest
  • Right to withdraw consent — for any processing based on consent (e.g. marketing emails)

To exercise any of these rights, email privacy@knowdesk.io or contact us via WhatsApp. We will respond within 30 days. You also have the right to lodge a complaint with the Portuguese data protection authority (CNPD) at cnpd.pt.

7. Security

We implement industry-standard security measures including: encrypted data at rest (AES-256), encrypted data in transit (TLS 1.3), API key authentication for all widget requests, row-level security policies on all database tables, and regular security reviews. No system is 100% secure — if you discover a vulnerability, please report it to security@knowdesk.io.

8. International Transfers

Some sub-processors (Stripe, Anthropic, Vercel, Cloudflare) are based in or transfer data to the USA. Where this occurs, transfers are protected by the EU Standard Contractual Clauses (SCCs) approved by the European Commission, or by the EU-US Data Privacy Framework where applicable.

9. Children

KnowDesk is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with their data, contact privacy@knowdesk.io and we will delete it promptly.

10. Changes to This Policy

We may update this policy from time to time. We'll notify registered users by email for material changes. The "Last updated" date at the top of this page always reflects the current version. Continued use of KnowDesk after changes constitutes acceptance of the updated policy.

11. Contact

For privacy-related questions or to exercise your rights:

  • Email: privacy@knowdesk.io
  • WhatsApp: +351 920 629 676
  • Post: KnowDesk, Lda · Rua Dom João V 37, Damaia, 2720-167, Amadora, Lisbon, Portugal
© 2026 KnowDesk. All rights reserved.
Privacy PolicyTerms of ServiceCookie PolicyGDPR