GDPR Compliance

Last updated: February 1, 2026

Our Commitment

Agent Rush is committed to protecting the privacy and personal data of all individuals whose information we process. We comply with the General Data Protection Regulation (GDPR) (EU) 2016/679, the California Consumer Privacy Act (CCPA), and other applicable data protection regulations.

Roles and Responsibilities

As a Data Processor: When you use Agent Rush to operate chat agents for your customers, we act as a data processor on your behalf. You (the merchant) are the data controller and determine the purposes and means of processing your customers' data.

As a Data Controller: For your Agent Rush account data (email, name, billing), we act as the data controller and process this data to provide our Service to you.

Legal Basis for Processing

We process personal data under the following legal bases:

  • Contract performance — processing necessary to provide the Service you signed up for (account management, agent operations, Shopify integration)
  • Consent — where end-customers voluntarily provide personal information through the chat widget (lead capture)
  • Legitimate interest — security monitoring, fraud prevention, service improvement, and aggregate analytics
  • Legal obligation — where required by law (tax records, regulatory compliance)

Data Subject Rights

Under GDPR, individuals have the following rights regarding their personal data:

Right of Access

Request a copy of all personal data we hold about you.

Right to Rectification

Request correction of inaccurate or incomplete personal data.

Right to Erasure

Request deletion of your personal data ("right to be forgotten").

Right to Data Portability

Receive your data in a structured, machine-readable format (JSON).

Right to Restrict Processing

Request that we limit the processing of your personal data.

Right to Object

Object to processing based on legitimate interests or direct marketing.

Right to Withdraw Consent

Withdraw consent at any time where processing is based on consent.

To exercise any of these rights, email privacy@agent-rush.com. We will respond within 30 days.

Data Processing Agreement

If you require a Data Processing Agreement (DPA) for GDPR compliance, please contact us at privacy@agent-rush.com. We provide a standard DPA that covers our obligations as a data processor under Article 28 of the GDPR.

Sub-Processors

We use the following sub-processors to deliver our Service:

Sub-Processor     Purpose                    Location
Supabase          Authentication, database   US / EU
Vercel            Application hosting        US / Global Edge
Groq              AI model inference         US
OpenAI            AI model inference         US
Anthropic         AI model inference         US
Google (Gemini)   AI model inference         US / Global
Upstash           Rate limiting (Redis)      US / Global Edge
Shopify           E-commerce data (OAuth)    US / Canada

We will notify you of any changes to our sub-processor list with at least 30 days' notice.

Cross-Border Data Transfers

Personal data may be transferred to and processed in countries outside the European Economic Area (EEA). Where such transfers occur, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, and adequacy decisions where applicable.

Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, we will notify the relevant supervisory authority within 72 hours and affected individuals without undue delay, as required by Articles 33 and 34 of the GDPR.

Shopify GDPR Compliance

As a Shopify app, we implement mandatory GDPR compliance webhooks:

  • Customer Data Request — we process requests from customers to view their personal data stored through our app
  • Customer Data Erasure — we delete or anonymize customer personal data upon request
  • Shop Data Erasure — when a merchant uninstalls our app, we delete all associated shop data within 48 hours

Contact

For GDPR-related inquiries, data subject requests, or to request a DPA:

Data Protection Contact

Agent Rush

Email: privacy@agent-rush.com