# GDPR

> How botBrains supports compliance with the GDPR and DSGVO

botBrains supports compliance with the EU General Data Protection Regulation (GDPR), known in Germany as the DSGVO. This page answers the questions data protection teams ask most often.

## Is botBrains a controller or processor?

For the personal data in your conversations, botBrains acts as the processor and you remain the controller. For the account and billing data of your team, botBrains acts as the controller; see our [Privacy Policy](https://botbrains.io/privacy-policy).

## Do you offer a Data Processing Agreement?

Yes. Our [Data Processing Agreement](/data-processing-agreement) governs how botBrains processes personal data on your behalf, including the rules for engaging subprocessors. To request a copy, email [legal@botbrains.io](mailto:legal@botbrains.io).

## Where do you store and process personal data?

botBrains stores Customer Data in the EU and runs AI inference within the EU. Account and billing data, and other personal data for which botBrains is the controller, follow the GDPR. Service providers outside the EU may process this data under a valid transfer mechanism. See [Subprocessors](/trust/subprocessors) for the full list of services and data locations.

## Do you transfer personal data outside the EU?

Your conversation data (Customer Data) never leaves the EU: no third-country transfer takes place, from our systems or from those of our [subprocessors](/trust/subprocessors). For account and billing data, and other personal data where botBrains is the controller, we may use service providers outside the EU under a valid transfer mechanism, such as an adequacy decision, the EU-US Data Privacy Framework, or standard contractual clauses.

## Data Subject Access Request (DSAR)

Under applicable data protection laws, you may have the right to request access to the personal data botBrains holds about you. You may also update and correct inaccuracies, restrict or object to processing, have the data anonymized or deleted, or exercise your right to data portability.

Which rights apply, and who fulfills them, depends on the data:

* **Conversation data.** botBrains acts as the processor, so end users should direct their request to the customer (the controller) whose product they interacted with. We assist that controller in responding, and you can search, [export](/concepts/data-export), and delete this data directly in the platform.
* **Account and website data.** Where botBrains is the controller, you can exercise these rights directly with us.

To submit a Data Subject Access Request, email [legal@botbrains.io](mailto:legal@botbrains.io). We respond within the time limits that applicable law requires.

## What security measures protect personal data?

botBrains applies technical and organizational measures and is working toward ISO 27001 certification. See [Technical and Organizational Measures](/trust/toms) and [ISO 27001](/trust/iso-27001).

## How do you handle a data breach?

botBrains notifies you without undue delay after becoming aware of a personal data breach, following our [Breach Notification Policy](/trust/policies/breach-notification-policy).

## How long do you keep personal data?

botBrains keeps personal data for as long as you operate your service and deletes it according to your configuration and our [Data Retention Policy](/trust/policies/data-retention-policy).

## Contact

For data protection questions, email [legal@botbrains.io](mailto:legal@botbrains.io).
