Privacy Policy
Last updated: to be set on publication
Controller: Global Software AI ("GSAI", "we", "us", "our"), Lastadijas iela 18-1A, Riga, Latvia, LV-1050. Contact: privacy@globalsoftware.ai.
Scope: This Privacy Policy applies to the GSAI Agent service (the "Service") offered on globalsoftware.ai. It explains what personal data we collect, why, the lawful basis, who we share it with, how long we keep it, and your rights under the EU General Data Protection Regulation (GDPR).
1. Who is the controller and who is the processor
For different categories of data we hold different roles:
- Controller: for account, billing, and configuration data — we decide why and how we process it.
- Processor: for your Google OAuth tokens and the contents of your Gmail / Calendar that the agent reads or writes on your behalf — we act only on your documented instructions.
Processor activity is governed by the Data Processing Agreement (DPA).
2. What personal data we collect
2.1 Information you provide
- Account: email, password (hashed), display name, optional profile picture.
- Profile: full legal name, country, optional company name and VAT ID.
- Agent configuration: language, timezone, working hours, signature, About-Me, do-not rules, autonomy preset.
- Payment method: handled by Stripe; we never see your card number.
- Customer-supplied Google credentials: OAuth client ID + secret you create in your own Google Cloud project.
2.2 Information generated by your use of the Service
- Audit log of agent actions (emails drafted, sent; events created).
- System events (signup, payment, deployment, errors).
- Subscription state from Stripe.
2.3 Information processed by the agent on your behalf (we are processor)
- Contents of your Gmail within the scopes you granted.
- Contents of your Google Calendar within the scopes you granted.
- Telegram messages between you and your agent.
- A "vault" of markdown notes the agent uses as memory, stored on our EU infrastructure.
2.4 Automatic collection
- Standard server logs (IP, user agent, URL, timestamp). Retained 14 days.
- We do not use third-party analytics that drop cookies. No Google Analytics, no Hotjar, no Pixel.
3. Why we process your data and the lawful basis
- Account & service delivery — Contract (GDPR Art. 6(1)(b)).
- Payment, invoicing, tax — Contract + Legal obligation.
- Security, fraud prevention, audit — Legitimate interests.
- Support requests — Contract.
We do not use your data to train AI models. We do not send marketing email to customers without separate consent.
4. Sub-processors
We rely on a small number of carefully chosen sub-processors. The current list is at /legal/sub-processors.
OpenAI and Stripe involve a transfer to the US. We rely on the EU–US Data Privacy Framework and Stripe's intra-group SCCs. We will substitute equivalent safeguards if these are invalidated.
5. How long we keep your data
- Account after cancellation: 30-day grace, then archived. Permanently deleted after 90 days unless legal hold.
- Stripe invoices and tax records: 5 years (Latvian tax law).
- Audit log: 13 months rolling. Email body content truncated after 90 days.
- Google OAuth tokens after cancellation: deleted immediately and revoked at Google.
- Container logs and server logs: 14 days.
- Supabase backups: 30 days.
6. Cookies
Only essential cookies (Supabase auth, Stripe security). No tracking. No banner needed.
7. Your rights under the GDPR
- Access — get a copy of what we hold.
- Rectification — correct inaccurate data; most fields are editable in your dashboard.
- Erasure — have your data deleted.
- Restriction — pause processing pending dispute.
- Portability — receive your data in a machine-readable format.
- Object — to processing based on legitimate interest.
- Withdraw consent — where consent was the basis.
- Not be subject to solely automated decisions producing legal effects — your agent acts under your configured authorisation; you remain in control.
To exercise any right, email privacy@globalsoftware.ai. We respond within 30 days. You also have the right to lodge a complaint with the Latvian Data State Inspectorate (DVI).
8. Security
TLS in transit, AES-256 at rest, pgsodium application-layer encryption for sensitive fields, row-level security (RLS) for tenant isolation, audit log of administrative access. Breach notifications within 72h where required.
9. Children
The Service is for working professionals. We do not knowingly collect data from anyone under 16.
10. Automated processing and AI
The agent uses large language models. Its actions are taken under your direct authorisation (autonomy preset, do-not rules, your ability to disconnect at any time). These do not constitute "solely automated decision-making producing legal or similarly significant effects" within GDPR Art. 22.
11. Changes
We notify you of material changes by email at least 14 days before they take effect.
12. Contact
privacy@globalsoftware.ai · Global Software AI, Lastadijas iela 18-1A, Riga, LV-1050.