🚀

Protodesk is now in Early Access. Join hundreds of support teams scaling with AI.

Protodesk

Protodesk

Privacy Policy

Last updated: April 19, 2026

This policy describes how Protodesk handles personal data. It is written to be readable. If anything is unclear, email privacy@protodesk.io and we'll explain.

1. Overview

Protodesk ("Protodesk", "we", "us") provides a shared support inbox for businesses. This Privacy Policy explains what data we collect, why we collect it, how we use it, and your rights regarding it. It applies to https://protodesk.io, the Protodesk web application, and any related services.

2. Information we collect

  • Account data. Your name, email, and password hash; workspace name, industry, and team size provided during onboarding.
  • Content data. Tickets, messages, attachments, customer records, canned responses, and knowledge-base articles you create or that flow through connected channels.
  • Usage data. Pages visited, features used, interaction timestamps, and aggregated AI action counts.
  • Device & technical data. IP address, browser type, operating system, device identifiers, and approximate location derived from IP.
  • Cookies and similar technologies. Session cookies required to log in, plus optional analytics cookies (only set with consent where required).

3. How we use your information

  • To deliver, maintain, and secure the Protodesk service.
  • To improve product behavior in aggregate and anonymized form (never to train third-party AI models on your content).
  • To process billing, send invoices, and manage your subscription.
  • To send transactional communications (receipts, security alerts, service notices) and — with your consent — occasional product updates.
  • To prevent fraud, abuse, and violations of our Terms.
  • To comply with legal obligations.

4. Legal bases (GDPR)

We process personal data under the following legal bases: (a) contract — to deliver the service you signed up for; (b) legitimate interest — for security, fraud prevention, and product improvement; (c) consent — for optional marketing communications and non-essential cookies; (d) legal obligation — when we must comply with law.

5. Sharing & sub-processors

We do not sell personal data. We share data with the following categories of sub-processors solely to deliver the service, under contractual data-processing agreements:

  • MongoDB Atlas — primary database hosting
  • Upstash — Redis cache, vector search, and job queue
  • OpenRouter — AI inference proxy to underlying model providers (Anthropic, OpenAI, Google)
  • Postmark — inbound and outbound email delivery
  • Lemon Squeezy — merchant of record for subscription billing, payment processing, invoicing, and global tax compliance
  • Meta / WhatsApp Cloud API — WhatsApp Business messaging
  • Hosting provider — application infrastructure

A current list is available on request. DPAs are available at privacy@protodesk.io.

6. International data transfers

Protodesk is operated globally. Data may be transferred to and processed in countries other than your own. Where required, we rely on Standard Contractual Clauses or equivalent safeguards for transfers outside the EEA, UK, or Switzerland.

7. Data retention

We retain your data while your account is active. After account cancellation, we retain data for up to 90 days to allow recovery, then delete or anonymize it, except where longer retention is required by law (tax records, fraud prevention, legal holds).

8. AI-specific disclosures

  • AI inference runs through OpenRouter to underlying providers (Anthropic, OpenAI, Google). No customer data is used to train those providers' models — this is contractually guaranteed.
  • Embeddings for your knowledge base are generated locally via ONNX models on our infrastructure. The content being embedded is never sent to a third-party embedding API.
  • You can disable any AI feature per workspace. AI actions consume credits; we log the action type, timestamp, and credit cost — not the full prompt content beyond our standard data retention policy.

9. Your rights

Subject to applicable law, you have the right to: access your data, correct inaccurate data, request deletion ("right to be forgotten"), export your data ("data portability"), object to or restrict certain processing, and file a complaint with a supervisory authority.

To exercise any of these rights, email privacy@protodesk.io. We respond within 30 days.

10. Children's privacy

Protodesk is not intended for individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it.

11. Security

We use industry-standard security measures including encryption at rest and in transit (TLS 1.3), role-based access controls, logging and monitoring, and regular security reviews. In the event of a personal data breach likely to affect you, we will notify you within 72 hours of becoming aware.

12. Cookies

We use strictly necessary cookies for authentication and session management. Where required by law, we obtain consent for optional analytics or marketing cookies. You can manage cookie preferences in your browser settings.

13. Changes to this policy

We may update this policy from time to time. For material changes, we will notify you via email or in-app notice at least 30 days before the change takes effect. The "Last updated" date at the top of this page reflects the most recent revision.

14. Contact

For privacy questions, data requests, or to reach our Data Protection Officer, email privacy@protodesk.io.

This policy is provided as a good-faith baseline. It is not legal advice. If your use case requires a specific data processing agreement or additional assurances, contact us.