GDPR Compliance for AI Agents
Last updated: May 16, 2026
Our Commitment
Cyndra is committed to protecting the privacy and rights of individuals in accordance with the General Data Protection Regulation (GDPR) and the UK GDPR. This page outlines how we meet GDPR requirements, the lawful basis we rely on for each processing activity, and how you can exercise your rights.
For procurement and DPO inquiries, contact dpo@cyndra.ai.
Controller vs Processor
For your account data (billing, support, account preferences), Cyndra acts as the data controller. For data you submit through the platform to be processed by AI agents (CRM records, support tickets, internal docs), Cyndra acts as a data processor on your behalf, with you as the controller. The standard Cyndra DPA codifies this and is countersignable on request.
Lawful Basis for Processing
We rely on the following Article 6 bases, mapped to specific processing activities:
Contractual necessity
Processing required to deliver the service you've signed up for: account creation, billing, AI agent execution, tool integration.
Legitimate interest
Aggregated, de-identified product analytics to improve the platform. Security telemetry to detect abuse and protect customer accounts.
Consent
Marketing communications. Optional analytics cookies. Customer testimonials. Use of customer data in shared training datasets (opt-in only, never default).
Legal obligation
Tax records. Audit logs required for SOC 2 / regulated industries. Law-enforcement requests served under valid legal process.
Data Subject Rights
Under GDPR Articles 15 to 22, you can exercise the following rights. To file a request, email dpo@cyndra.ai from the address associated with your account, or use the in-product data-export tool.
Right of Access (Art. 15)
Request a copy of the personal data we hold about you. We respond within 30 days with a structured export.
Right to Rectification (Art. 16)
Correct inaccurate or incomplete data. For account data, you can also self-serve through the dashboard.
Right to Erasure (Art. 17)
Request deletion of your personal data. We delete within 30 days unless retention is required by law (e.g., invoice records for tax).
Right to Restrict Processing (Art. 18)
Limit how we use your data. We can pause specific processing categories while keeping your account active.
Right to Data Portability (Art. 20)
Receive your data in a structured, machine-readable format (JSON or CSV) for transfer to another controller.
Right to Object (Art. 21)
Object to processing based on legitimate interest. We honor objections to marketing immediately.
International Data Transfers
When personal data is transferred outside the European Economic Area (EEA), we rely on the European Commission's Standard Contractual Clauses (SCCs) and, where relevant, supplementary measures including encryption in transit and at rest. For enterprise customers requiring EU data residency, processing can be pinned to EU regions on request.
Sub-processors
We maintain Data Processing Agreements with every sub-processor that handles personal data on our behalf, including our model providers, cloud hosting, telemetry, and email infrastructure. The current sub-processor list is available on request and published in customers' admin dashboards. We notify customers 30 days before adding a material sub-processor.
Data Protection Officer
Our Data Protection Officer handles GDPR-related inquiries, Data Subject Access Requests (DSARs), DPIA support, and regulator correspondence. Contact dpo@cyndra.ai. We respond to substantive requests within 30 days; urgent or regulator-driven requests are prioritized.
Supervisory Authority
You have the right to lodge a complaint with your local data protection supervisory authority if you believe your data is being processed unlawfully. In the UK that's the ICO. In the EU it's your member state's data protection authority.