GDPR and Data Protection
This page explains how Internalize ("we", "us") complies with the EU General Data Protection Regulation (GDPR), the UK GDPR, and similar data protection laws. It supplements our Privacy Policy and Terms of Service.
Contact for data protection matters: [email protected]
1. Our Roles
Depending on the data, we act as either a controller or a processor:
- Controller — for account, billing, marketing (if any), and service-usage analytics. We determine why and how this data is processed.
- Processor — for customer data you submit or generate through the Service (your flows, requests, responses, logs, and other content). You are the controller of that data.
Where we act as processor, these GDPR terms (together with our Privacy Policy and Terms) form our Data Processing Agreement with you for the purposes of Article 28 GDPR. If your organization requires a signed DPA on separate paper, email [email protected].
2. Lawful Bases for Processing
We rely on the following lawful bases under Article 6 GDPR:
- Performance of a contract — to provide the Service you signed up for and process payments.
- Legitimate interests — to secure the Service, prevent abuse, improve the product, and run our business, balanced against your rights and interests.
- Consent — where required (for example, optional communications); you may withdraw consent at any time.
- Legal obligation — tax, accounting, and statutory disclosure requirements.
We do not intentionally collect or process special-category data (Article 9 GDPR) and rely on no Article 9 condition for processing.
3. Your Rights
If GDPR or UK GDPR applies to you, you have the following rights:
- Access — request a copy of the personal data we hold about you.
- Rectification — correct inaccurate or incomplete data.
- Erasure ("right to be forgotten") — request deletion, subject to retention we are required or permitted to maintain.
- Restriction — request that we limit processing in certain circumstances.
- Portability — receive your data in a structured, commonly used, machine-readable format, where technically feasible.
- Object — object to processing based on legitimate interests.
- Withdraw consent — where processing is based on consent.
- Automated decision-making — not be subject to decisions based solely on automated processing that produce legal or similarly significant effects; we do not make such decisions.
- Lodge a complaint with your local supervisory authority.
To exercise any of these rights, email [email protected]. We may need to verify your identity before acting on a request. We will respond within one month, the period set by Article 12 GDPR, or within any shorter period applicable law requires; where the law permits an extension for complex or numerous requests, we will tell you within the first month.
4. Processor Obligations (when we process your customer data)
When we act as processor on your behalf:
- we process your customer data only on your documented instructions, unless required otherwise by law;
- personnel with access to your data are bound by confidentiality;
- we implement appropriate technical and organizational measures (see §7);
- we engage sub-processors only under written terms that impose equivalent data-protection obligations (see §5);
- we assist you, to the extent reasonably feasible, in responding to data subject requests and in meeting your security, breach-notification, and impact-assessment obligations;
- at the end of the contract, we delete or return your customer data, subject to any legal retention obligation and the time required for backups to expire;
- we make available information reasonably necessary to demonstrate compliance with Article 28 GDPR.
5. Sub-processors
We use the following categories of sub-processors to deliver the Service. The specific providers may be updated; our Privacy Policy lists current providers.
| Purpose | Examples |
|---|---|
| Application hosting and database | Cloud infrastructure provider |
| Payments | Stripe |
| Transactional email | Postmark |
| CDN / DDoS protection / object storage | Cloudflare |
| AI features (if you enable them) | Anthropic, OpenAI |
We will notify customers of material changes to sub-processors by updating the Privacy Policy and, where practicable, by email or in-app notice. If you reasonably object to a new sub-processor for legitimate data-protection reasons, contact us; if we cannot accommodate your objection, you may terminate your subscription and receive a pro-rata refund of prepaid, unused fees.
6. International Transfers
Personal data may be transferred to and processed in jurisdictions outside your own, including the United States and the European Union. Where required, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses (and the UK's International Data Transfer Addendum where applicable) or on adequacy decisions.
7. Security Measures
We implement measures proportionate to the risk, including:
- encryption in transit (HTTPS/TLS) for all connections to the Service;
- encryption at rest for stored secrets;
- role-based access control and the principle of least privilege for internal access;
- audit logging of sensitive operations;
- regular dependency patching and security updates;
- isolation of customer data at the application layer;
- secure software development practices.
No system is completely secure. You remain responsible for the credentials and endpoints you configure, and for rotating any secrets you suspect have been compromised.
8. Breach Notification
Where we act as processor, we will notify you without undue delay after becoming aware of a personal data breach affecting your customer data (Article 33(2) GDPR) and assist you in meeting your own notification obligations; the assessment of whether the breach is "likely to result in a risk to the rights and freedoms" of data subjects, which determines notification to the supervisory authority under Article 33(1), is yours as controller. Where we act as controller, we notify the supervisory authority and, where the breach is likely to result in a high risk, the affected individuals, in accordance with Articles 33 and 34 GDPR.
9. Data Retention
We retain personal data for as long as necessary to provide the Service and to comply with legal and contractual obligations. See §7 of our Privacy Policy for details. On termination, we delete or anonymize account and configuration data within a reasonable period, subject to retention required by law (for example, invoicing records).
10. Children
The Service is not directed to children under 16. We do not knowingly collect personal data from children.
11. Contact and Representatives
For all GDPR matters, contact [email protected]. If you are in the EU or UK, you have the right to lodge a complaint with your local data-protection authority. If we are required to appoint an EU or UK representative under Article 27 GDPR, we will publish the representative's contact details here.
12. Changes
We may update this page to reflect changes in our processing or in applicable law. The "Last updated" date reflects the most recent change. Material changes will be communicated as described in our Privacy Policy.