Privacy Policy
Last updated: February 20, 2026
Your privacy matters to us. This policy details how ServiceDesk collects, uses, and protects your data — built on PostgreSQL and designed for compliance with GDPR, CCPA, and other applicable regulations.
Introduction
ServiceDesk ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered service desk platform, website, and related services (collectively, the "Service").
By accessing or using the Service, you consent to the data practices described in this Privacy Policy. If you do not agree with the terms of this Privacy Policy, please do not access the Service. This Privacy Policy is incorporated into and subject to our Terms of Service.
Information We Collect
Personal Information You Provide
- Account information: name, email address, password, and profile photo
- Organization information: company name, URL slug, logo, and business details
- Ticket and communication data: ticket content, comments, attachments, and internal notes
- Contact form submissions: name, email, subject, and message content
- Payment information: billing details processed securely through Stripe (we do not store full card numbers on our servers)
- Knowledge base content: articles, categories, and documentation you create
Information Collected Automatically
- Usage data: pages visited, features used, session duration, click patterns, and interaction sequences
- Device information: browser type, operating system, screen resolution, device identifiers, and time zone
- Log data: IP addresses, access times, referring URLs, HTTP method, response status, and error logs
- Cookies and similar technologies: session cookies, preference cookies, and analytics cookies (see Section 9)
- Performance data: page load times, API response times, and feature usage frequency for service improvement
Information from Third Parties
- Authentication providers: Google, GitHub, or Azure AD profile data (name, email, avatar) when you use SSO
- Integration data: information from connected services (Slack, Microsoft Teams, email providers) as configured by you
- Analytics services: aggregated, anonymized usage data from analytics providers
- Payment processor: transaction status, billing address, and payment method details from Stripe
How We Use Your Information
We use collected information for the following purposes, which we consider necessary for the performance of our contract with you and/or our legitimate business interests:
- Provide, operate, and maintain the Service, including ticket management, knowledge base, SLA tracking, and team collaboration features
- Process AI-powered features such as ticket auto-categorization, priority suggestions, summary generation, and response recommendations
- Authenticate users and manage access control, roles, and permissions across your organization
- Send transactional communications including ticket notifications, SLA alerts, account updates, and security notices
- Process payments and manage subscription billing through our payment processor (Stripe)
- Provide customer support and respond to technical inquiries and bug reports
- Analyze usage patterns, performance metrics, and feature adoption to improve the Service and develop new features
- Generate aggregated, anonymized analytics and benchmarking data across our customer base
- Detect, prevent, and address technical issues, security threats, fraud, and abuse
- Comply with legal obligations, enforce our Terms of Service, and protect our rights and the rights of other users
- Send optional marketing communications about product updates, new features, and offers (only with your explicit opt-in consent, which you can withdraw at any time)
AI and Data Processing
Our Service uses artificial intelligence to enhance your experience. We are transparent about how AI processes your data:
Ticket Intelligence: When tickets are submitted, our AI analyzes the title and description to suggest categories, priority levels, and summaries. This processing occurs in real-time using OpenAI's API. Ticket data sent for AI analysis includes only the ticket subject and description, not user identifiers.
Voice-to-Ticket: Audio submissions are transcribed and processed to create ticket content. Audio data is processed by the AI provider in real-time and is not permanently stored by us or the AI provider after transcription is complete.
Response Suggestions: AI may suggest responses based on ticket context and your organization's knowledge base articles. These suggestions are generated on-demand and not stored separately.
Data Isolation: AI processing is scoped to your organization's data. We do not use your content to train, fine-tune, or improve third-party AI models. Each organization's data is processed independently.
Opt-Out: AI features can be disabled at the organization level through Settings. Disabling AI features will stop all AI processing of your organization's data.
Accuracy: AI-generated content is provided as-is and may contain errors. You are responsible for reviewing and verifying all AI output before relying on it.
Data Sharing and Third Parties
We do not sell, rent, or trade your personal information to third parties for their marketing purposes. We share data only in the following circumstances:
- Service providers (Sub-Processors): We work with trusted third parties who process data on our behalf under strict data processing agreements. Current Sub-Processors include: Supabase (PostgreSQL database hosting), Stripe (payment processing), Resend (transactional email delivery), Azure Blob Storage (file attachments), and OpenAI (AI features)
- Within your organization: Data is shared with members of your organization according to the roles and permissions configured by your organization administrator
- Integrations you enable: When you connect third-party integrations (Slack, Microsoft Teams, email, webhooks), data flows to those services as configured by you and subject to their privacy policies
- Legal requirements: We may disclose information if required by law, regulation, subpoena, court order, or governmental request. We will notify you of such requests where legally permitted
- Business transfers: In the event of a merger, acquisition, reorganization, or sale of assets, user data may be transferred as a business asset. We will notify affected users before data is transferred and becomes subject to a different privacy policy
- Protection of rights: We may share information to protect our rights, property, or safety, or the rights, property, or safety of our users or the public as required or permitted by law
- With your explicit consent: We may share information for any other purpose with your explicit written consent
Data Infrastructure and Storage
Database Technology: Your data is stored in PostgreSQL — the world's most advanced open-source relational database, trusted by organizations worldwide including Apple, Instagram, Spotify, and NASA. PostgreSQL provides ACID-compliant transactions, ensuring data integrity and consistency.
Hosting: Our infrastructure is hosted on industry-leading cloud platforms with SOC 2 Type II certification. Data is stored in secure, geographically redundant data centers.
No Vendor Lock-In: Because we use PostgreSQL and standard data formats, your data is always portable. You can export all your data at any time in CSV or JSON format using our Data Export feature. We do not use proprietary database formats that would lock you into our platform.
Backups: Automated daily backups with point-in-time recovery capability. Backups are encrypted and stored in a separate geographic region for disaster recovery.
Data Residency: By default, data is processed in the United States (AWS us-east-1 region). Enterprise customers may request specific data residency configurations. Contact us for details on available regions.
Data Retention
We retain your personal information for as long as your account is active or as needed to provide the Service. Specifically:
Active accounts: Data is retained for the duration of your active subscription and account activity.
Deleted accounts: Upon account termination, we retain data for 30 days to allow data export. After 30 days, data is removed from active systems. Residual copies may persist in encrypted backups for up to 90 additional days before automatic purging.
Ticket data: Organizations can configure auto-close and auto-archive rules. Deleted tickets are purged from active systems within 30 days.
Audit logs: Retained for 12 months for security, compliance, and debugging purposes.
Analytics data: Aggregated, anonymized analytics data may be retained indefinitely as it cannot be linked to individual users.
Legal holds: We may retain data longer if required for ongoing legal proceedings, regulatory investigations, or compliance obligations.
You or your organization administrator can export your data at any time using our Data Export feature on eligible plans.
Data Security
We implement security measures that meet or exceed industry standards to protect your data:
- Encryption in transit (TLS 1.3) and at rest (AES-256) for all data
- PostgreSQL row-level security (RLS) enforcing strict tenant isolation at the database layer
- Multi-factor authentication (MFA) support and enforcement options
- Role-based access control (RBAC) with granular, customizable permissions
- Regular security audits, penetration testing, and vulnerability assessments
- Isolated multi-tenant architecture — each organization's data is logically separated and access-controlled at the database level
- Secure API key management with rotation capabilities and webhook signing for integrity verification
- Session management with configurable timeout policies and concurrent session controls
- Password policy enforcement including minimum length, complexity requirements, and account lockout after failed attempts
- Comprehensive audit logging of all administrative actions and data access
- Automated security monitoring and anomaly detection
- Incident response procedures with defined escalation paths and notification timelines
Your Rights
Depending on your location, you may have the following rights regarding your personal data. We will respond to verified requests within the timeframes required by applicable law:
Under GDPR (European Economic Area)
- Right of access: Request a copy of the personal data we hold about you
- Right to rectification: Request correction of inaccurate or incomplete data
- Right to erasure: Request deletion of your personal data ("right to be forgotten") subject to legal retention requirements
- Right to restrict processing: Request that we limit the processing of your data in certain circumstances
- Right to data portability: Receive your data in a structured, commonly used, machine-readable format (CSV, JSON)
- Right to object: Object to processing based on legitimate interests or for direct marketing
- Right to withdraw consent: Withdraw consent at any time where processing is based on consent, without affecting prior lawful processing
- Right to lodge a complaint: File a complaint with your local data protection supervisory authority
Under CCPA (California)
- Right to know: What personal information is collected, used, shared, or sold
- Right to delete: Request deletion of personal information held by us, subject to exceptions
- Right to opt-out: Opt-out of the sale of personal information (note: we do not sell personal information)
- Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights
- Right to correct: Request correction of inaccurate personal information
Exercising Your Rights
- Self-service: Many data rights can be exercised directly through your account Settings (profile editing, data export, account deletion)
- Email request: Send a verified request to privacy@servicedesk.example.com
- Organization administrators: For organization-level data requests, contact your organization administrator who can manage data through the admin panel
- Response time: We aim to respond to all verified requests within 30 days. Complex requests may take up to 60 days with prior notice
International Data Transfers
Our Service is primarily hosted in the United States. When data is transferred across international borders, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs): We use EU-approved SCCs for transfers of personal data from the EEA/UK to the United States
- Data Processing Agreements (DPAs): We maintain DPAs with all Sub-Processors that include appropriate data transfer mechanisms
- Encryption: All data is encrypted in transit and at rest, regardless of where it is processed
- Access controls: Access to personal data is limited to authorized personnel who need it to provide the Service
Your organization administrator can review the list of Sub-Processors and their locations in the platform settings. Enterprise customers may have additional options for data residency configuration.
Children's Privacy
The Service is not intended for or directed at children under 16 years of age (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal information from children under 16. If you become aware that a child has provided us with personal information without parental or guardian consent, please contact us immediately at privacy@servicedesk.example.com and we will take steps to delete such information and terminate the associated account.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes:
- We will update the "Last updated" date at the top of this page
- For material changes, we will notify registered users via email or prominent in-app notification at least 14 days before the changes take effect
- We will provide a summary of significant changes
Your continued use of the Service after the effective date of changes constitutes acceptance of the revised policy. If you disagree with any changes, you may close your account before the changes take effect.
We recommend reviewing this Privacy Policy periodically for any updates.
Contact Us
If you have questions about this Privacy Policy, wish to exercise your data rights, or need to report a privacy concern, please contact us:
Privacy inquiries: privacy@servicedesk.example.com
General contact: [Contact Page](/contact)
Data Protection Officer: dpo@servicedesk.example.com
Mailing address: Available upon request for formal legal communications
For GDPR-related inquiries, you also have the right to lodge a complaint with your local data protection supervisory authority.
We aim to respond to all privacy-related inquiries within 30 days.