Legal Document

GDPR Compliance

ChatPilo is committed to protecting the privacy rights of individuals in the European Union and European Economic Area in compliance with the General Data Protection Regulation (GDPR).

Effective Date: January 1, 2025Last Updated: July 1, 2025

Our Commitment to GDPR

The General Data Protection Regulation (EU) 2016/679 ("GDPR") is a comprehensive European Union data protection law that took effect on May 25, 2018. As a global platform serving businesses worldwide, ChatPilo — operated by Shah Technology at House 42, Road 5, Dhanmondi, Dhaka, Bangladesh — is committed to upholding the GDPR rights of all EU/EEA data subjects who interact with our platform or whose data is processed through our services.

ChatPilo acts as a Data Controller for the personal data of our customers and platform users. When our customers use ChatPilo to process messages from their end-users, ChatPilo acts as a Data Processor on behalf of those customers.

Lawful Bases for Processing

6

Contractual Necessity

Art. 6(1)(b)

Account creation, service delivery, billing processing, customer support

6

Legitimate Interests

Art. 6(1)(f)

Platform security, fraud prevention, service improvement, internal analytics

6

Consent

Art. 6(1)(a)

Marketing communications, analytics cookies, optional integrations, promotional notifications

6

Legal Obligation

Art. 6(1)(c)

Tax record retention, responding to lawful law enforcement requests, regulatory compliance

Your Rights Under GDPR

As an EU/EEA data subject, you have the following rights regarding your personal data. To exercise any of these rights, contact us at info@chatpilo.com. We will respond within 30 days of receiving your verified request.

Right of Access (Art. 15)

You have the right to obtain confirmation of whether we process your personal data, and to receive a copy of that data along with information about how it is used.

Right to Rectification (Art. 16)

You have the right to request correction of inaccurate personal data and completion of incomplete personal data we hold about you.

Right to Erasure (Art. 17)

Also known as the 'right to be forgotten', you may request deletion of your personal data when it is no longer necessary for the original purpose, when you withdraw consent, or when it has been unlawfully processed.

Right to Restriction (Art. 18)

You may request that we restrict the processing of your personal data in specific circumstances, such as when you contest the accuracy of the data or have objected to processing.

Right to Portability (Art. 20)

You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller where technically feasible.

Right to Object (Art. 21)

You may object to the processing of your personal data based on legitimate interests or for direct marketing purposes. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.

Rights re: Automated Decisions (Art. 22)

You have the right not to be subject to solely automated decisions, including profiling, that produce legal or similarly significant effects on you, unless you have given explicit consent or it is necessary for a contract.

International Data Transfers

When data from EU/EEA data subjects is transferred outside the EEA, we ensure adequate protections are in place through the following mechanisms:

EU/EEA UsersChatPilo Servers (Bangladesh)Standard Contractual Clauses (SCCs)

EU Commission-approved SCCs for transfers to third countries

EU/EEA UsersAWS / Google Cloud (US)Data Processing Agreements (DPAs)

Processors with EU-U.S. Data Privacy Framework certification

EU/EEA UsersMeta Platforms (WhatsApp/Instagram/Facebook)Meta's Platform Terms

Meta's intra-company transfer mechanisms under GDPR

Data Breach Procedures

In accordance with GDPR Article 33, in the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will:

Notify the relevant supervisory authority within 72 hours of becoming aware of the breach (Article 33)

Notify affected data subjects without undue delay when the breach is likely to result in a high risk to their rights and freedoms (Article 34)

Document all breaches, including those that do not require notification, in our internal breach register

Implement immediate containment measures and conduct a full root-cause analysis

Data Processing Agreements (DPA)

If your organization is subject to GDPR and you use ChatPilo to process personal data of EU/EEA individuals, you may require a Data Processing Agreement (DPA) as required by GDPR Article 28.

To request a DPA or for GDPR-related inquiries from Enterprise customers, please contact our Data Protection team at info@chatpilo.com with the subject line "GDPR DPA Request". We will respond within 5 business days.

Contact Our Data Protection Team

For any GDPR-related requests, questions, or to exercise your data subject rights, please contact us. We are committed to responding to all requests within the timeframes required by GDPR.

Data Controller

Chat Pilo / Shah Technology

GDPR Contact Email

info@chatpilo.com

Registered Address

House 42, Road 5, Dhanmondi, Dhaka, Bangladesh

Response Time

Within 30 days (as required by GDPR)

Right to Lodge a Complaint: If you believe we have not handled your personal data in accordance with GDPR, you have the right to lodge a complaint with your local supervisory authority (EU Data Protection Authority). A full list of EU supervisory authorities is available at edpb.europa.eu.