GDPR Information

For EU/EEA, UK, and Swiss residents — and for Customers serving shoppers in those regions.

The full data-handling details are in our Privacy Policy. This page is a focused summary of what GDPR requires us to disclose and how to exercise your rights.

Roles under GDPR

  • Customer (shop owner) = Data Controller — decides what data is collected from end shoppers and why.
  • Kwiro (Inteliweave) = Data Processor — processes shopper data on the Customer’s instructions, governed by the DPA you receive on subscription.
  • For Customer account data (your email, billing, etc.), Kwiro is the Controller.

Data Processing Agreement (DPA)

We provide a GDPR-compliant DPA to all paying Customers. It includes the Standard Contractual Clauses (Module 2: Controller-to-Processor, Commission Implementing Decision (EU) 2021/914) for international transfers, plus the Article 28 sub-processor and security obligations. Email [email protected] with the subject “DPA request” to receive the current version countersignature-ready.

Sub-processors

We use the following sub-processors to deliver the Service. Each is bound by SCCs or equivalent transfer mechanisms:

  • OpenRouter, Inc. — AI inference gateway. Data sent: the shopper’s message and retrieved product context. Region: US. Zero Data Retention (ZDR) is enabled on our OpenRouter account, meaning prompts and responses are not logged, stored, or retained by OpenRouter or by the upstream large language model providers it routes to.
  • Supabase Inc. — managed PostgreSQL hosting + authentication. Region: US (Oregon, AWS us-west-2). EU data-residency available on Enterprise tier under SCCs.
  • Resend — transactional email delivery. Region: US (SCCs in place).
  • Paddle.com Market Limited — billing and tax compliance (merchant of record). Region: UK + EU.
  • Cloudflare, Inc. — CDN + DDoS protection. No application data persisted at the edge.
  • Contabo GmbH — VPS infrastructure. Region: EU.

We’ll notify Customers by email at least 30 days before adding a new sub-processor or changing data residency.

International transfers

Where data is processed outside the EEA / UK / Switzerland (most notably for AI inference services hosted in the US), we rely on the European Commission’s Standard Contractual Clauses (2021/914) and the UK Addendum / Swiss equivalent, plus supplementary technical measures (encryption in transit and at rest, access logging, no plaintext storage of conversation content, and a contractual Zero Data Retention (ZDR) guarantee with the AI gateway so that prompts and responses are not logged or stored by the gateway or its upstream model providers).

Data subject rights

As an end shopper interacting with a Kwiro-powered chat, you have:

  • Right of access — receive a copy of the personal data we hold about you.
  • Right to rectification — correct inaccurate data.
  • Right to erasure (“right to be forgotten”) — request deletion, subject to legal retention obligations.
  • Right to restriction — limit how we process your data.
  • Right to object — object to processing based on legitimate interests.
  • Right to data portability — receive your data in a structured, machine-readable format.
  • Right to lodge a complaint — with your local supervisory authority (find yours via edpb.europa.eu).

Most rights are exercised through the Customer (shop owner) since they’re the Data Controller. If the Customer doesn’t respond, you can email us at [email protected] and we’ll relay the request and verify it’s been actioned.

Response times

We respond to data subject requests within 30 days, extendable by an additional 60 days for complex requests (with notice to you). No fee for legitimate requests.

Data Protection Officer

We have not formally appointed a DPO under Article 37 GDPR (we don’t meet the mandatory criteria — no large-scale special-category processing, no large-scale systematic monitoring of public spaces). Privacy operations are coordinated by our founder team. The single point of contact for all privacy matters is [email protected].

If we appoint a DPO in the future (as we scale), this page and the Privacy Policy will be updated.

Breach notification

In the event of a personal data breach affecting you, we will notify the relevant supervisory authority within 72 hours where required by Article 33, and notify affected Customers (and, where required, end shoppers) without undue delay where the breach is likely to result in a high risk to rights and freedoms (Article 34).

Lawful bases — quick reference

See the Privacy Policy § 4 for full detail. In short:

  • Contractual necessity — providing the Service.
  • Legitimate interests — abuse prevention, security, aggregated AI improvement.
  • Legal obligation — billing records, sanctions screening.
  • Consent — only for marketing email beyond transactional.

Contact

All privacy / GDPR matters: [email protected]
Operating entity: Inteliweave (trade-licensed business in Bangladesh)
Trade Licence No.: 05/B-1854 · Rajshahi City Corporation
Registered address: 156/13, Upashahar Housing Estate, Cantonment-6202, Boalia, Rajshahi, Bangladesh