GDPR Compliance

Last Updated: February 8, 2026

Introduction

This page describes how Banana Intelligence, LLC ("we," "us," or "our") complies with the General Data Protection Regulation (GDPR) (EU) 2016/679 for users in the European Economic Area (EEA), United Kingdom, and Switzerland.

If you are located in the EEA, UK, or Switzerland, you have specific rights under GDPR regarding your personal data. This page explains those rights and how to exercise them.

1. Data Controller Information

Data Controller: Banana Intelligence, LLC

Contact Email: nate@bananaintelligence.ai

Website: https://bananaintelligence.ai

We are the data controller for the personal information we process through the Sticky Calls API service.

2. Legal Basis for Processing

We process your personal data under the following legal bases:

2.1 Contract Performance (Article 6(1)(b))

Processing is necessary to perform our contract with you when you use the Service:

  • Account creation and authentication
  • API service provision
  • Usage tracking and credit management
  • Billing and payment processing
  • Customer support

2.2 Legitimate Interests (Article 6(1)(f))

Processing is necessary for our legitimate interests:

  • Security and fraud prevention
  • Service improvement and analytics
  • Technical troubleshooting and debugging
  • Business operations and administration

We have assessed that these interests do not override your fundamental rights and freedoms.

2.3 Legal Obligation (Article 6(1)(c))

Processing is necessary to comply with legal obligations:

  • Tax and accounting records retention
  • Compliance with law enforcement requests
  • Regulatory compliance

2.4 Consent (Article 6(1)(a))

For marketing communications, we obtain your explicit consent. You may withdraw consent at any time.

3. Your Rights Under GDPR

As a data subject in the EEA, UK, or Switzerland, you have the following rights:

3.1 Right of Access (Article 15)

You have the right to obtain:

  • Confirmation whether we process your personal data
  • A copy of your personal data
  • Information about how we use your data

How to exercise: Contact nate@bananaintelligence.ai with subject "GDPR Access Request"

3.2 Right to Rectification (Article 16)

You have the right to correct inaccurate or incomplete personal data.

How to exercise: Update your data through the dashboard at https://stickycalls.com/dashboard or contact us at nate@bananaintelligence.ai

3.3 Right to Erasure / "Right to be Forgotten" (Article 17)

You have the right to request deletion of your personal data when:

  • The data is no longer necessary for the purposes collected
  • You withdraw consent (where processing is based on consent)
  • You object to processing and there are no overriding legitimate grounds
  • The data was unlawfully processed

Note: We may retain certain data where we have a legal obligation to do so (e.g., tax records).

How to exercise: Contact nate@bananaintelligence.ai with subject "GDPR Erasure Request"

3.4 Right to Restriction of Processing (Article 18)

You have the right to request we limit how we use your data when:

  • You contest the accuracy of the data
  • Processing is unlawful but you don't want erasure
  • We no longer need the data but you need it for legal claims
  • You have objected to processing pending verification

How to exercise: Contact nate@bananaintelligence.ai with subject "GDPR Restriction Request"

3.5 Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, and machine-readable format (e.g., JSON, CSV) and transmit it to another controller.

How to exercise: Contact nate@bananaintelligence.ai with subject "GDPR Portability Request". We will provide your data in JSON format within 30 days.

3.6 Right to Object (Article 21)

You have the right to object to:

  • Processing based on legitimate interests
  • Direct marketing (including profiling)
  • Processing for scientific, historical, or statistical purposes

How to exercise: Contact nate@bananaintelligence.ai with subject "GDPR Objection"

3.7 Right to Withdraw Consent (Article 7(3))

Where processing is based on consent, you have the right to withdraw consent at any time. This does not affect the lawfulness of processing before withdrawal.

How to exercise: Unsubscribe from marketing emails using the link in any email, or contact nate@bananaintelligence.ai

3.8 Right to Lodge a Complaint (Article 77)

You have the right to lodge a complaint with your local data protection authority (supervisory authority) if you believe we have violated GDPR.

EU Data Protection Authorities: https://edpb.europa.eu/about-edpb/board/members_en

4. Data Processing Details

4.1 Personal Data We Collect

  • Account Data: Email address, name (optional)
  • API Usage Data: API keys, request logs, timestamps, IP addresses, error logs
  • Customer Data (via API): Phone numbers, customer IDs, conversation context (as provided by you)
  • Billing Data: Stripe customer ID, subscription details, billing history
  • Automatically Collected: Browser type, OS, log data, cookies

4.2 Data Retention Periods

Data Type              Retention Period
Account Data           Active account + 90 days after closure
API Usage Logs         90 days
Customer Context Data  Up to 30 days (based on your TTL settings)
Billing Records        7 years (legal requirement)
Security Logs          1 year

4.3 International Data Transfers

Our Service is hosted in the United States (Google Cloud Platform). We transfer personal data from the EEA to the United States.

Safeguards:

  • We rely on standard contractual clauses (SCCs) approved by the European Commission
  • Our infrastructure providers (Google Cloud Platform, Stripe) have appropriate safeguards in place
  • Data is encrypted in transit (HTTPS/TLS) and at rest

5. Third-Party Data Processors

We use the following third-party processors (sub-processors) who may access personal data:

Processor              Purpose                            Location
Google Cloud Platform  Hosting, database, infrastructure  United States (us-central1)
Vercel                 Dashboard hosting                  United States
Auth0 (Okta)           Authentication                     United States
Stripe                 Payment processing                 United States

All processors are contractually required to comply with GDPR and use appropriate safeguards.

6. Automated Decision-Making and Profiling

We do not use automated decision-making or profiling that produces legal effects or similarly significantly affects you.

We use automated systems for:

  • Caller identification confidence scoring (does not make legal decisions)
  • Rate limiting and fraud detection (security purposes)
  • Analytics and usage tracking (aggregated data)

7. Security Measures

We implement appropriate technical and organizational measures to protect personal data:

  • Encryption: TLS 1.3 for data in transit, encryption at rest for database
  • Access Controls: API key authentication, role-based access control
  • Network Security: VPC, firewalls, DDoS protection, rate limiting
  • Monitoring: Security logging, intrusion detection, error reporting
  • Data Minimization: We collect only necessary data
  • Pseudonymization: Customer references use UUIDs, not PII

8. Data Breach Notification

In the event of a personal data breach, we will:

  • Notify the relevant supervisory authority within 72 hours (where required by Article 33)
  • Notify affected data subjects without undue delay if the breach poses a high risk (Article 34)
  • Document all breaches in accordance with Article 33(5)

9. Response Timeframes

We will respond to GDPR requests within the following timeframes:

  • Initial Acknowledgment: Within 5 business days
  • Full Response: Within 30 days of receipt
  • Extension (if needed): We may extend by 2 months for complex requests, with explanation

10. Contact and Questions

For GDPR-related questions or to exercise your rights, contact:

Banana Intelligence, LLC

Email: nate@bananaintelligence.ai

Subject Line: "GDPR Request - [Type of Request]"

We will verify your identity before processing GDPR requests to protect your personal data.

11. Updates to This Page

We may update this GDPR Compliance page from time to time. Material changes will be communicated via:

  • Email notification to registered users
  • Notice on this page
  • Update to the "Last Updated" date

Disclaimer: This GDPR Compliance page is provided for informational purposes and does not constitute legal advice. You should consult with a qualified attorney for legal guidance specific to your situation.