GDPR Compliance

Last updated: April 18, 2026

EU Data Storage

All infrastructure runs on Hetzner servers in the Frankfurt (Germany) data centre. Data never leaves the EEA without appropriate safeguards.

Data Isolation

Row-Level Security at the PostgreSQL level guarantees that one workspace's data is completely isolated from others — even in the event of an application bug.

Full Audit Log

Every significant action in the system is recorded in an audit_log with full context (who, what, when, IP). Log data is retained for 12 months.

1. Data Controller and Data Protection Officer

Data Controller

Emiri sp. z o.o.
ul. Przykładowa 1
00-001 Warsaw, Poland
hello@emiri.io

Data Protection Officer (DPO)

For GDPR matters, contact the DPO directly:
dpo@emiri.io
Response within 30 calendar days.

2. Roles under GDPR

Emiri acts in two different roles depending on the category of data:

Controller — User account data

Emiri independently determines the purposes and means of processing registration, billing, and technical data of platform Users.

Processor — Visitor data on the User's website

Conversations through the widget and lead data are processed on behalf of the User (who is the controller toward their own visitors). The legal basis is a Data Processing Agreement (DPA), available on request.

3. Data Subject Rights

The GDPR grants the following rights. We fulfil all of them upon request sent to dpo@emiri.io:

Art. 15

Right of access

You will receive confirmation of whether we process your data, and a copy of that data.

Art. 16

Right to rectification

We correct inaccurate data, or complete incomplete data, at your request.

Art. 17

Right to erasure

We delete data when the legal basis has ceased or you have withdrawn consent.

Art. 18

Right to restriction

We suspend active processing in contested cases.

Art. 20

Data portability

Data export in JSON or CSV format is available in the panel or on request.

Art. 21

Right to object

You may object to processing based on legitimate interest.

4. Legal Bases for Processing

Data category | Legal basis | Retention period
Account data (email, password) | Art. 6(1)(b) — performance of contract | Duration of contract + 30 days
Billing data | Art. 6(1)(c) — legal obligation | 5 years (tax regulations)
Session and security logs | Art. 6(1)(f) — legitimate interest | 12 months
Chatbot conversation content | Art. 6(1)(b) — performance of contract (DPA) | 24 months from last activity
Newsletter | Art. 6(1)(a) — consent | Until consent is withdrawn

5. Transfers Outside the EEA

Some sub-processors are based in the US. Data transfers take place solely on the basis of Standard Contractual Clauses (SCCs) approved by European Commission Decision 2021/914. The list of sub-processors can be found in the Privacy Policy.

Message content sent to the Anthropic and OpenAI APIs is minimised (we send only the current conversation and a knowledge base excerpt) and is not used to train models, in accordance with the signed DPAs.

6. Data Security

  • Encryption of data at rest (AES-256) and in transit (TLS 1.3).
  • Passwords stored exclusively as argon2id hashes — Emiri has no access to passwords in plain text.
  • Row-Level Security (RLS) at the PostgreSQL level — data isolation between workspaces.
  • Regular penetration tests and security code reviews.
  • Principle of least privilege — Emiri staff have access only to data necessary for their role.
  • In the event of a data breach, Emiri will notify the supervisory authority within 72 hours and inform affected individuals without undue delay.

7. Cookies and Tracking

Emiri uses only technically necessary cookies for session management. We do not use any cookies for advertising or analytics purposes. Details in the Privacy Policy §4.

8. Complaint to a Supervisory Authority

If you believe that the processing of your data infringes GDPR, you have the right to lodge a complaint with a supervisory authority. You may contact the authority in your country of residence, or the Polish supervisory authority as our lead authority:

President of the Personal Data Protection Office (UODO)
ul. Stawki 2, 00-193 Warsaw, Poland
Tel.: +48 606 950 000
uodo.gov.pl

Questions about GDPR?

Our Data Protection Officer answers all questions about the processing of your personal data.

Contact DPO — dpo@emiri.io