GDPR Compliance

Last updated: March 6, 2026

1. Introduction

FrontlineHQ ("we," "our," or "us") is committed to complying with the General Data Protection Regulation (GDPR) for users located in the European Economic Area (EEA) and the United Kingdom. This page outlines how we meet our obligations under GDPR and explains the rights available to you as a data subject.

2. Data Controller

FrontlineHQ acts as the data controller for the personal data we collect and process through our website and services. For data processed by our AI chatbot and voice agent features on behalf of our customers, FrontlineHQ acts as the data processor.

FrontlineHQ

Atlanta, Georgia, United States

Email: info@frontlinehq.ai

Phone: (470) 412-8678

3. What Data We Collect and Why

We collect only the data necessary to provide our services. Below is a summary of the data categories, the purpose of collection, and the legal basis under GDPR:

Data Category | Purpose | Legal Basis
Account information (email, name) | Authentication, billing, support | Contract performance
Business details (name, phone, website) | Configure AI chatbot and voice agent | Contract performance
Chatbot conversations and messages | Provide AI chat service, analytics | Contract performance
Voice call recordings and transcripts | Provide AI voice agent service | Contract performance
Lead information (name, email, phone) | Capture and relay business leads | Legitimate interest / Consent
Google reviews and responses | Review management and AI response | Contract performance
Knowledge base content | Train AI on business-specific info | Contract performance
Usage analytics and audit logs | Security, compliance, service improvement | Legitimate interest

4. How Data Is Stored and Protected

We take data security seriously. All personal data is protected using industry-standard security measures:

  • Encryption at rest: Sensitive fields (messages, call transcripts, lead PII, business contact info) are encrypted using AES-256-GCM before storage. Encryption keys are stored separately from the database.
  • Encryption in transit: All data is transmitted over TLS 1.2+ (HTTPS). No data is ever sent in plaintext.
  • Tenant isolation: Each business's data is logically isolated using Row Level Security (RLS) policies in our database. No business can access another business's data.
  • Access control: API keys are hashed before storage. The admin (service role) key is only used server-side in API routes, never exposed to client code.
  • Audit logging: All significant actions (data access, modifications, deletions) are logged with timestamps, user IDs, and IP addresses.

5. Data Retention Policies

We retain your personal data only for as long as necessary. Business owners can configure custom retention periods in their dashboard settings:

  • Chat conversations: Configurable, default 90 days. Automatically purged by our daily data retention job.
  • Voice call recordings: Configurable, default 90 days.
  • Lead data: Configurable, default 365 days. Can be set to "forever" if needed for the business.
  • Audit logs: Retained for the lifetime of the account for compliance purposes.
  • Deleted accounts: Soft-deleted businesses are hard-deleted after 90 days. All associated data (conversations, leads, knowledge base, voice calls, reviews, API keys) is permanently removed.
  • Free chatbot data: Automatically deleted 14 days after the free trial expires.

6. Your Rights Under GDPR

If you are located in the EEA or the UK, you have the following rights regarding your personal data:

  • Right to access (Article 15): You can download a complete copy of all your data at any time from your dashboard. Go to Settings → Export Data. The export includes all businesses, chatbots, conversations, messages, leads, voice calls, reviews, knowledge base content, API keys (masked), and audit logs in machine-readable JSON format.
  • Right to rectification (Article 16): You can update your personal data at any time through your dashboard settings or by contacting us.
  • Right to erasure (Article 17): You can permanently delete your account and all associated data from Settings → Delete Account. This action is irreversible and removes all data from our systems, including external service providers (Stripe subscriptions, Retell voice agents).
  • Right to restriction (Article 18): You can request that we restrict the processing of your personal data in certain circumstances.
  • Right to data portability (Article 20): Your data export is provided in structured, commonly used, machine-readable JSON format that can be imported into other services.
  • Right to object (Article 21): You can object to the processing of your personal data where we rely on legitimate interests as our legal basis.
  • Right to withdraw consent: Where processing is based on your consent, you may withdraw that consent at any time without affecting the lawfulness of prior processing.
  • Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority in your country of residence if you believe your data has been processed unlawfully.

To exercise any of these rights, contact us at info@frontlinehq.ai. We will respond within 30 days as required by GDPR.

7. Data Processing Agreement (DPA)

If your organization requires a Data Processing Agreement, we are happy to provide one. Our DPA covers the scope of processing, security measures, sub-processor obligations, data breach notification procedures, and data deletion upon termination. Contact us at info@frontlinehq.ai to request a signed DPA.

8. Sub-processors

We use the following third-party sub-processors to deliver our services. Each has been evaluated for GDPR compliance:

Sub-processor | Purpose | Location
Supabase | Database, authentication, storage | US (AWS us-east-1)
Google (Gemini) | AI language model (chatbot responses, summarization) | US
Anthropic (Claude) | AI language model (review responses, content generation) | US
OpenAI | Text embeddings for knowledge base search | US
Cohere | Search result reranking | US / Canada
Vercel | Application hosting and deployment | US (Global Edge)
Stripe | Payment processing and billing | US / Global
Resend | Transactional email delivery | US
Retell AI | AI voice agent calls | US
Twilio | SMS messaging | US / Global

We will notify you before adding or replacing a sub-processor that handles personal data. You may object to a new sub-processor within 30 days of notification.

9. International Data Transfers

FrontlineHQ is based in the United States, and your personal data may be processed and stored in the US. When we transfer personal data outside the EEA or the UK, we ensure appropriate safeguards are in place, including the use of Standard Contractual Clauses (SCCs) approved by the European Commission, to protect your data in accordance with GDPR requirements. Our sub-processors similarly maintain appropriate safeguards for cross-border data transfers.

10. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of data subjects, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach (as required by GDPR Article 33). If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay (GDPR Article 34).

11. AI and Automated Decision-Making

FrontlineHQ uses AI to generate chatbot responses, voice agent interactions, review responses, and lead follow-ups. These AI features assist business operations but do not make decisions that produce legal or similarly significant effects on individuals (GDPR Article 22). Business owners review and approve AI-generated content before it is published (e.g., review responses). You have the right to request human review of any AI-generated output by contacting the business or FrontlineHQ directly.

12. Contact for Data Requests

For any GDPR-related inquiries, data access requests, or complaints, contact us at:

FrontlineHQ Data Protection

Email: info@frontlinehq.ai

Phone: (470) 412-8678

We will respond to all GDPR requests within 30 days.

13. Related Policies

14. Updates

We may update this GDPR compliance page from time to time to reflect changes in our practices or applicable regulations. Any changes will be posted on this page with an updated "Last updated" date. We encourage you to review this page periodically to stay informed about how we protect your data.