GDPR Compliance
How ICTDesk handles personal data under the EU General Data Protection Regulation and equivalent privacy laws.
1. Our Commitment
ICTDesk is built and operated by ICT Innovations, headquartered in Multan, Pakistan. We process personal data of visitors, customers, and end users of the businesses that deploy ICTDesk. We comply with the EU General Data Protection Regulation (GDPR), the UK Data Protection Act 2018, and equivalent privacy laws in other jurisdictions where they apply to our customers.
This page explains the roles we play, the rights you have, and how we protect personal data when you use the ICTDesk platform.
2. Controller vs. Processor
Under GDPR, our role depends on whose data we are handling:
- For our own business contacts (people who visit ictdesk.net, sign up for a trial, or contact sales), we act as the data controller.
- For end-user chat conversations and tickets processed inside a customer's workspace, the customer is the controller and ICTDesk is the data processor. We process that data only on the customer's documented instructions.
3. Lawful Bases for Processing
We rely on the following lawful bases under Article 6 of the GDPR:
- Contract — to provide the ICTDesk Service you signed up for and to bill for it.
- Legitimate interests — to keep the platform secure, prevent abuse, and improve our products. We balance these against your rights and freedoms.
- Consent — for non-essential cookies, marketing email, and product newsletters. You can withdraw consent at any time without affecting prior processing.
- Legal obligation — to retain invoicing records and respond to lawful requests from public authorities.
4. Your Rights
If you are in the European Economic Area, the United Kingdom, or another jurisdiction that grants similar rights, you may:
- Request a copy of the personal data we hold about you (right of access).
- Ask us to correct inaccurate data (rectification).
- Ask us to delete data we no longer have a lawful reason to keep (erasure, also known as the "right to be forgotten").
- Object to processing based on legitimate interests, or restrict it while a complaint is being resolved.
- Receive your data in a portable, machine-readable format and transfer it elsewhere (portability).
- Withdraw consent for marketing or analytics cookies at any time.
- Lodge a complaint with your local supervisory authority. In Pakistan we cooperate with the Ministry of IT & Telecom; in the EU you may contact your national Data Protection Authority directly.
To exercise any of these rights, open a ticket at service.ictinnovations.com or reach us at the address in the Privacy Policy. We respond within 30 days.
5. International Data Transfers
ICTDesk infrastructure is hosted in data centers operated by reputable cloud providers (currently Vultr) in regions chosen to minimise latency for our customer base. Where personal data is transferred outside the EEA or UK, we rely on Standard Contractual Clauses (SCCs) issued by the European Commission and conduct transfer impact assessments where required by Schrems II.
Customers on Enterprise plans can request EU-only data residency. Contact sales for the current list of supported regions.
6. Sub-Processors
We use a small number of trusted sub-processors to operate the Service. The current list includes:
- Vultr Holdings — primary application hosting and storage.
- Cloudflare — DNS, DDoS protection, and edge caching.
- Postmark / Amazon SES — transactional email delivery for ticket notifications.
- Stripe — payment processing for paid plans (we never store full card numbers).
We sign Data Processing Agreements (DPAs) with all sub-processors. The current list is reviewed quarterly. Material changes are announced 30 days in advance to customers on the Pro and Enterprise plans.
7. Data Protection by Design
We build privacy controls into the product rather than bolting them on afterwards:
- All traffic uses TLS 1.2+ in transit. Storage volumes are encrypted at rest.
- Customer workspaces are isolated at the database row level; tenant IDs are enforced on every query.
- Operators can purge a visitor's chat history on demand from the agent dashboard.
- Logs containing personal data are retained for 30 days unless a security investigation requires otherwise.
- Production access is limited to named on-call engineers and gated behind MFA + audit logging.
8. Data Processing Agreement (DPA)
Customers using ICTDesk to process personal data of EU or UK residents can request a signed DPA. Our standard DPA incorporates the EU SCCs and the UK International Data Transfer Addendum. Contact sales to receive a copy for review and signature.
9. Breach Notification
If we discover a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, we notify the affected customer without undue delay and, where feasible, within 72 hours of becoming aware. The notice describes the nature of the breach, the categories and approximate number of records affected, the likely consequences, and the measures taken or proposed.
10. Contact
For any GDPR-related question or to make a rights request, please open a ticket at service.ictinnovations.com. Our Data Protection lead reviews all requests personally.