We're a Danish company. Your data is hosted in the EU, isolated by Postgres itself, and we've built retention and deletion into the product so you don't have to chase a vendor for them.
We're built and run under EU law. Your customers' data sits in eu-central-1, isolated at the database level, with every change logged. The DPA we send is a real signed document. Everything below is checkable on the privacy page, the DPA, and the subprocessors list.
Specifics, not a trust mark on the homepage.
Tickets, messages, attachments, and AI embeddings all live on AWS in Frankfurt. We don't replicate anything to the US, including for failover.
Postgres row-level security policies do the filtering, not our app code. The application role can't bypass them, so no query our app or the AI can write will leak data between workspaces.
Whether a person, the AI, or an automation made the change, we record who did it, what they touched, and why. You always know what happened and how.
Our AI calls go through providers with zero-retention turned on. Your tickets are never used to train someone else's model. Enterprise plans can switch to a self-hosted model on request.
GDPR says you can't hold on to personal data forever. We've made that practical. Tell us what to clean up and when, see exactly what would be touched in counts and bytes, and turn the policy on when you're ready.
New retention policies are off when you create them. Run a preview to see which tickets and attachments would be touched before you turn anything on.
Each brand in your workspace can set its own retention. A consumer storefront might clean up closed tickets after 90 days, while a B2B brand keeps them for five years.
Drop just the attachment files and keep the conversation searchable for analytics, or anonymize the messages and attachments together.
Policies start the clock when a ticket is solved and then closed, so we never touch a ticket the customer might still come back to.
When a customer asks to be forgotten under Article 17, you don't have to write to an engineer. An admin asks the AI to run the anonymization, confirms it explicitly, and the action lands in the same audit log as everything else.
GDPR Article 17(3)(e) lets us keep anonymized records when we need them for legal reasons, like billing audit. Keeping the structure of the record costs nothing, and means your reporting still has a long memory.
You're the controller of your workspace data. You can export it in a machine-readable format whenever you like. If you delete the workspace, you get 30 days where it's recoverable, then we delete the primary copy. Backups disappear through normal rotation within 35 days.
AWS for hosting, Stripe for billing, Resend for email, plus the LLM providers. Each one is on the subprocessors page with what data they see and why. If we add or replace one, you get at least 30 days' notice.
Subprocessors →The Data Processing Addendum walks through the Article 28 obligations, our security measures, how international transfers work, and what we do if there's a breach. It's a real signed document.
Read the DPA →14 days free, no card, no limit on team size. You only pay more when the product actually resolves more tickets for you.
Start free trial →