GDPR Compliance

Our Commitment to GDPR

HN30 LLP, operating the MessageSync.ai brand and service, is committed to protecting the privacy and personal data of all users, including those in the European Union (EU) and European Economic Area (EEA). We comply with the General Data Protection Regulation (GDPR) and have implemented comprehensive measures to ensure the rights of data subjects are respected.

What is GDPR?

The General Data Protection Regulation (GDPR) is a comprehensive data protection law that came into effect on May 25, 2018. It applies to organizations that process personal data of individuals located in the EU/EEA, regardless of where the organization is located. GDPR establishes strict requirements for data protection and gives individuals greater control over their personal data.

Our Role Under GDPR

As a Data Controller

When we collect personal data directly from you (such as when you create an account or contact us), we act as a data controller. In this capacity, we determine the purposes and means of processing your personal data and are responsible for ensuring compliance with GDPR requirements.

As a Data Processor

When you use our platform to manage your customers' data, we act as a data processor on your behalf. You (our customer) are the data controller for the personal data you upload to our platform, and we process that data according to your instructions and our Data Processing Agreement (DPA).

Legal Basis for Processing

Under GDPR, we must have a legal basis for processing personal data. The legal bases we rely on include:

• Contractual Necessity: Processing necessary to perform our contract with you (providing the Services).
• Consent: Processing based on your explicit consent (such as commercial communications).
• Legitimate Interests: Processing necessary for our legitimate interests, balanced against your rights (such as fraud prevention and security).
• Legal Obligation: Processing necessary to comply with legal requirements.

Your GDPR Rights

If you are located in the EU/EEA, you have the following rights under GDPR:

How to Exercise Your Rights

To exercise any of your GDPR rights, please contact our Data Protection Officer:

Please include your name, email address, and a description of your request. We will respond within 30 days. In complex cases, we may extend this period by up to 60 days, and we will notify you if such an extension is necessary.

International Data Transfers

We may transfer personal data outside the EU/EEA to countries that may not provide the same level of data protection. When we do so, we implement appropriate safeguards to protect your data:

• Standard Contractual Clauses (SCCs): We use EU-approved Standard Contractual Clauses with our service providers located outside the EU/EEA.
• EU-U.S. Data Privacy Framework: We work with service providers that participate in the EU-U.S. Data Privacy Framework where applicable.
• Adequacy Decisions: Where the European Commission has determined that a country provides adequate protection, we may transfer data to that country.

Data Processing Agreement

For customers who need us to process personal data on their behalf, we offer a Data Processing Agreement (DPA) that meets GDPR requirements. Our DPA includes:

• Detailed description of processing activities
• Data security obligations
• Sub-processor management procedures
• Assistance with data subject requests
• Data breach notification procedures
• Data return and deletion procedures
• Audit rights

To request a copy of our DPA, please contact us at legal@messagesync.ai.

Sub-Processors

We use certain third-party service providers (sub-processors) to help us provide our Services. All sub-processors are contractually obligated to implement appropriate security measures and comply with data protection requirements.

Our key sub-processors include cloud hosting providers, payment processors (Stripe), email delivery services, and analytics providers. A complete list of our sub-processors is available upon request.

Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, including to satisfy legal, accounting, or reporting requirements. Our retention periods vary based on the type of data and our legal obligations. Upon account termination, we retain data for 30 days to allow for data export, after which it may be permanently deleted unless we are required by law to retain it longer.

Data Breach Notification

In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, where required by GDPR. If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay.

Your Customers' Data

If you use MessageSync.ai to process personal data of your own customers (who may be located in the EU/EEA), you are responsible for:

• Obtaining valid legal basis for processing (including consent where required)
• Providing privacy notices to your customers
• Responding to data subject requests from your customers
• Ensuring your use of our platform complies with GDPR

We provide tools to help you manage data subject requests, including data export and deletion capabilities.

Supervisory Authority

If you are located in the EU/EEA and believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local data protection supervisory authority. A list of EU data protection authorities is available at edpb.europa.eu.

Updates to This Page

We may update this GDPR compliance page from time to time to reflect changes in our practices or legal requirements. We encourage you to review this page periodically. If we make material changes, we will notify you through our platform or by email.

Contact Us

If you have any questions about GDPR compliance or our data protection practices, please contact us: