1. Overview
SakhiChat is operated by [LEGAL_ENTITY_NAME], a US company that serves customers worldwide, including the European Union and United Kingdom. This page explains how we comply with the EU General Data Protection Regulation (GDPR) and the UK GDPR.
This page is a companion to our Privacy Policy. The Privacy Policy is the primary document — this page provides additional detail relevant to EU/UK users and business customers who require a Data Processing Addendum (DPA).
2. Our Commitment
We commit to handling personal data in line with GDPR principles:
- Lawfulness, fairness, transparency — processing is lawful and clearly explained.
- Purpose limitation — data is collected for specific, explicit purposes.
- Data minimisation — only what we need.
- Accuracy — kept up to date; we correct or erase inaccurate data.
- Storage limitation — kept only as long as needed.
- Integrity and confidentiality — protected with appropriate security.
- Accountability — we can demonstrate compliance.
3. Controller / Processor Roles
Under GDPR, the role we play depends on whose data is involved:
3.1 We are the Data Controller for:
- Account information of our customers (the people who sign up for SakhiChat).
- Billing data and support communications.
- Marketing communications (with consent).
- Website visitor analytics.
3.2 We are a Data Processor for:
- Personal data submitted to chatbots by end users (people chatting with bots on our customers' websites).
- Knowledge-base content uploaded by our customers.
- Conversation logs from connected channels (WhatsApp, web).
For data where we act as processor, our customer is the data controller. They decide what data is collected, why, and how long it is kept.
4. Your Rights
If you are an EU or UK resident, GDPR gives you the following rights:
- Right of access — get a copy of your personal data.
- Right to rectification — correct inaccurate or incomplete data.
- Right to erasure ("right to be forgotten") — request deletion of your data.
- Right to restrict processing — temporarily limit how we use your data.
- Right to data portability — receive your data in a machine-readable format.
- Right to object — object to processing based on legitimate interests, including direct marketing.
- Right to withdraw consent — at any time, where processing is based on consent.
- Right not to be subject to automated decisions producing legal or similarly significant effects without meaningful human review.
- Right to lodge a complaint with your supervisory authority.
5. Exercising Your Rights
To exercise any of these rights, email support@sakhichat.com from the email address associated with your account. Please include:
- Your full name and email address used with our Services.
- The right you wish to exercise.
- Any details that will help us respond accurately.
We will respond within 30 days. In complex cases we may extend this by up to two further months and will notify you. There is no fee for these requests, unless they are manifestly unfounded or excessive.
We may need to verify your identity before processing the request.
6. Subprocessors
We use the subprocessors listed in our Privacy Policy, Section 6. Each subprocessor is bound by contractual privacy commitments.
We will give reasonable advance notice of any new subprocessor or material change through this page or by email. If you object on reasonable data-protection grounds, contact us and we will work in good faith to find a solution.
7. International Transfers
SakhiChat is a US-based company. Personal data of EU/UK users may be transferred to the US and other third countries where our subprocessors operate.
For these transfers we rely on the following safeguards:
- Standard Contractual Clauses (SCCs) — for transfers from the EU to third countries, we use the European Commission's approved 2021 SCCs.
- UK International Data Transfer Agreement (IDTA) / Addendum — for transfers from the UK.
- EU–US Data Privacy Framework — where the receiving party is certified.
- Adequacy decisions — where applicable.
Copies of the SCCs / IDTA are available on request from support@sakhichat.com.
8. Security Measures
We implement technical and organisational measures appropriate to the risk, including:
- Encryption in transit (TLS 1.2+) and at rest.
- Strict access controls and least-privilege principles.
- Password hashing using industry-standard algorithms.
- Regular dependency updates and security reviews.
- Logging and monitoring of access to production systems.
- Incident response procedures.
- Confidentiality obligations on employees and contractors with access to personal data.
9. Data Breach Notification
If we become aware of a personal data breach affecting EU/UK users, we will:
- Notify the relevant supervisory authority within 72 hours where the breach is likely to result in a risk to the rights and freedoms of natural persons.
- Notify affected users without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
- Notify business customers (where we act as processor) without undue delay so they can fulfil their own notification obligations.
10. Data Processing Addendum (DPA)
Business customers (controllers) who require a Data Processing Addendum to comply with their own GDPR obligations can request one by emailing support@sakhichat.com.
Our standard DPA includes:
- Subject matter and duration of processing.
- Nature and purpose of processing.
- Type of personal data and categories of data subjects.
- Obligations and rights of the controller.
- Confidentiality, security, and breach-notification commitments.
- Subprocessor terms.
- Data subject rights assistance.
- Data return / deletion at end of processing.
- Standard Contractual Clauses where applicable.
Larger customers with specific contractual requirements should reach out so we can review their template against ours.
11. EU/UK Representative
Under GDPR Article 27, non-EU controllers and processors offering services to EU residents may be required to appoint a representative in the Union.
[LEGAL_ENTITY_NAME] is in the process of appointing an EU Representative and a UK Representative. Once appointed, their contact details will be published on this page. In the interim, EU/UK users can reach us directly at support@sakhichat.com.
Note for the operator: Before launching to EU/UK customers, appoint a representative through a service such as EDPO, Prighter, or similar (typically $200–500/year). Update this page with the representative's contact details. This is a legal requirement under Article 27 once you are actively offering services to EU residents.
12. Supervisory Authorities
If you believe your data has been mishandled, you have the right to lodge a complaint with your local data protection authority:
- UK: Information Commissioner's Office (ICO)
- EU: Find your authority via the European Data Protection Board
- Ireland (lead authority for many US companies): Data Protection Commission
We encourage you to contact us first so we can try to resolve the issue directly.
13. Contact Us
- Email: support@sakhichat.com
- Mailing address: [LEGAL_ENTITY_NAME], [REGISTERED_ADDRESS]