GDPR Compliance

Last updated: March 12, 2026

1. Our Role Under GDPR

Raisolve acts in different capacities depending on the data:

  • Data Controller: For account data, billing information, and usage analytics of our users (you, the merchant)
  • Data Processor: For end-customer data (your customers' emails and Shopify data) that we process on your behalf

Where we act as a Data Processor for your customers' data, you remain the Data Controller and are responsible for ensuring you have a lawful basis to process that data.

2. Data Processing Agreement (DPA)

As required by GDPR Article 28, Raisolve provides a Data Processing Agreement to all customers in the EEA. The DPA is incorporated into these terms by reference and covers:

  • Subject matter, duration, nature, and purpose of processing
  • Type of personal data and categories of data subjects
  • Obligations and rights of the controller
  • Sub-processor list and notification of changes

To request a signed DPA, email dpa@raisolve.com.

3. Your Rights Under GDPR

As a data subject, you have the following rights, which we will fulfill within 30 days (extendable to 90 days for complex requests):

  • Right of access (Art. 15): Request a copy of all personal data we hold about you
  • Right to rectification (Art. 16): Correct inaccurate or incomplete data
  • Right to erasure (Art. 17): "Right to be forgotten" — delete your data where legally permitted
  • Right to restriction (Art. 18): Limit processing in certain circumstances
  • Right to data portability (Art. 20): Receive your data in JSON/CSV format
  • Right to object (Art. 21): Object to processing based on legitimate interests
  • Rights related to automated decision-making (Art. 22): Not be subject to solely automated decisions with legal effects

4. Legal Bases for Processing

5. International Data Transfers

Raisolve transfers data outside the EEA only under adequate safeguards:

  • Standard Contractual Clauses (SCCs): Used for all US-based sub-processors
  • EU-US Data Privacy Framework: Applicable where certified
  • Adequacy decisions: Used for transfers to countries with approved adequacy status

6. Sub-Processors

We maintain an up-to-date list of sub-processors. All sub-processors are bound by DPAs:

  • Supabase, Inc. (USA) — Database
  • Anthropic, PBC (USA) — AI inference
  • Stripe, Inc. (USA) — Payments
  • Vercel, Inc. (USA) — Hosting
  • Google LLC (USA) — Gmail API

We will notify you of any new sub-processors at least 14 days before they are engaged.

7. AI Processing and Automated Decision-Making

Raisolve uses artificial intelligence (Anthropic Claude) to process customer support emails and generate draft responses. Here is how this affects your GDPR obligations:

  • AI inference provider: Anthropic, PBC processes data through its Claude API. Anthropic operates under a zero data retention policy for API inference — your email content is not stored or used to train Anthropic's models.
  • Data minimization: We send only the minimum necessary data to Claude for inference (email content, relevant order data). We do not transmit payment card numbers, passwords, or other sensitive credentials.
  • Human oversight: AI-generated drafts are surfaced to your agents for review. In manual mode, no response is sent without human approval. You can audit, edit, or discard any AI suggestion at any time.
  • Automated decisions: Raisolve may automatically triage or classify emails using AI. These classifications do not produce legal effects on end customers — a human agent can always override them.
  • Your customers' rights: As the Data Controller for your customers' data, you are responsible for ensuring your use of AI processing is disclosed in your own privacy policy and complies with GDPR Article 22 regarding automated decision-making.

We provide a Data Processing Agreement (DPA) that covers the AI processing activities. Email dpa@raisolve.com to obtain your signed copy.

8. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you within 72 hours of becoming aware. Notification will be sent to your registered email address and will include the nature of the breach, categories of data affected, and remediation steps.

9. Data Protection Officer

You can reach our Data Protection Officer at dpo@raisolve.com.

10. Supervisory Authority

If you believe we have not handled your personal data in accordance with GDPR, you have the right to lodge a complaint with your national supervisory authority. A list of EU supervisory authorities is available at edpb.europa.eu.

11. Contact