Privacy Policy
Last updated: 9 February 2025
1. Data Controller
The controller of your personal data is:
Buildgrid Ltd
Email: privacy@supportlens.ai
For any questions or requests regarding this Privacy Policy or the processing of your personal data, please contact us at the address above.
2. What Personal Data We Collect
We collect and process the following categories of personal data:
2.1 Data you provide to us
- Account data — name, email address, organisation name, and password (managed via our authentication provider)
- Support content — support ticket content, customer communications, chat messages, and knowledge-base articles you create
- Payment data — billing details processed by our payment service provider (Stripe). We do not store full payment card numbers.
- Communication data — any correspondence you send to us (e.g. emails, feedback, contact form submissions)
2.2 Data collected automatically
- Usage data — pages visited, features used, clicks, session duration, and other interaction data
- Device and connection data — IP address, browser type and version, operating system, device identifiers, and referring URL
- Cookies and similar technologies — see Section 9 below
3. Purposes and Legal Bases for Processing
Under Articles 6 and 9 of the General Data Protection Regulation (EU) 2016/679 (“GDPR”), we process your personal data for the following purposes and on the following legal bases:
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Providing and maintaining the Service, including account management | Performance of the contract with you (Art. 6(1)(b)) |
| Processing payments and invoicing | Performance of contract (Art. 6(1)(b)); legal obligation (Art. 6(1)(c)) |
| Sending transactional and service-related communications | Performance of contract (Art. 6(1)(b)) |
| AI-assisted features (e.g. response suggestions, ticket classification) | Performance of contract (Art. 6(1)(b)); legitimate interest (Art. 6(1)(f)) |
| Improving and developing the Service, analytics | Legitimate interest (Art. 6(1)(f)) |
| Marketing communications (only with your consent) | Consent (Art. 6(1)(a)) |
| Ensuring security and preventing fraud | Legitimate interest (Art. 6(1)(f)); legal obligation (Art. 6(1)(c)) |
| Compliance with legal obligations (e.g. accounting, tax) | Legal obligation (Art. 6(1)(c)) |
Where we rely on legitimate interest, we have conducted a balancing test and concluded that our interests do not override your rights and freedoms. You may request details of this assessment by contacting us.
4. Recipients and Disclosure of Data
We may share your personal data with the following categories of recipients:
- Sub-processors and service providers — hosting providers (cloud infrastructure), authentication services (Auth0/Okta), payment processing (Stripe), email delivery services, and AI model providers (Anthropic, Azure OpenAI). These providers process data only on our instructions and are bound by data processing agreements.
- Within your organisation — other members of your organisation on Supportlens may access data you create within that organisation in accordance with the role-based permissions configured by your organisation administrator.
- Legal and regulatory authorities — where required by applicable law, court order, or governmental request.
- Business transfers — in connection with a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity.
We do not sell your personal data to third parties.
5. International Data Transfers
Your personal data may be transferred to, and processed in, countries outside the European Economic Area (EEA), including the United States. When we transfer personal data outside the EEA, we ensure appropriate safeguards are in place, including:
- European Commission adequacy decisions (GDPR Art. 45)
- Standard Contractual Clauses (SCCs) approved by the European Commission (GDPR Art. 46(2)(c))
- The EU–U.S. Data Privacy Framework, where the recipient is certified
You may request a copy of the safeguards in place by contacting us at the address provided in Section 1.
6. Data Retention
We retain your personal data only for as long as necessary for the purposes set out in this policy:
- Account data — retained for the duration of your account and deleted within 90 days of account closure, unless longer retention is required by law.
- Support content and communications — retained for the duration of your account. You or your organisation administrator may delete specific data at any time.
- Payment and invoicing records — retained for 6 years after the end of the financial year to which they relate, in accordance with Finnish accounting legislation (Kirjanpitolaki 1336/1997).
- Usage and analytics data — retained in identifiable form for up to 26 months, after which it is anonymised or deleted.
- Security logs — retained for up to 12 months.
7. Data Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:
- Encryption of data in transit (TLS) and at rest
- Access controls and role-based permissions
- Regular security assessments
- Data processing agreements with all sub-processors
- Employee confidentiality obligations
8. Your Rights
Under the GDPR and the Finnish Data Protection Act (Tietosuojalaki 1050/2018), you have the following rights:
- Right of access (Art. 15) — obtain confirmation of whether we process your data and request a copy.
- Right to rectification (Art. 16) — correct inaccurate or incomplete data.
- Right to erasure (Art. 17) — request deletion of your data where there is no compelling reason for continued processing.
- Right to restriction of processing (Art. 18) — restrict processing in certain circumstances.
- Right to data portability (Art. 20) — receive your data in a structured, commonly used, and machine-readable format.
- Right to object (Art. 21) — object to processing based on legitimate interest, including profiling.
- Right to withdraw consent (Art. 7(3)) — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.
- Right to lodge a complaint — you have the right to lodge a complaint with the Finnish Data Protection Ombudsman (Tietosuojavaltuutetun toimisto):
Office of the Data Protection Ombudsman
Lintulahdenkuja 4, 00530 Helsinki, Finland
Email: tietosuoja(at)om.fi
Website: tietosuoja.fi/en
To exercise any of these rights, please contact us at privacy@supportlens.ai. We will respond to your request within one month. In complex cases, this period may be extended by a further two months, of which we will inform you.
9. Cookies and Similar Technologies
We use the following types of cookies:
- Strictly necessary cookies — required for the Service to function (e.g. session cookies, organisation context cookies). These do not require consent.
- Analytics cookies — help us understand how the Service is used. Placed only with your consent.
You can manage your cookie preferences through your browser settings. Disabling strictly necessary cookies may affect the functionality of the Service.
10. Automated Decision-Making and Profiling
Our Service uses AI-powered features to assist with support operations, such as suggesting responses, classifying tickets, and summarising conversations. These features are designed to assist human agents and do not produce decisions with legal or similarly significant effects on individuals without human review. You have the right to request human intervention, express your point of view, and contest any decision that you believe affects you.
11. Children's Data
The Service is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, please contact us and we will take steps to delete such data.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the revised policy on this page and updating the “Last updated” date above. Where changes are significant, we will provide additional notice (e.g. via email or an in-app notification). We encourage you to review this policy periodically.
13. Contact Us
If you have any questions about this Privacy Policy or wish to exercise your data subject rights, please contact us:
Buildgrid Ltd
Email: privacy@supportlens.ai