GDPR Compliance
Last updated: March 30, 2026
1. Our Commitment to GDPR
Cintrico, Inc. ("Cintrico," "we," "us," or "our") is committed to protecting the privacy and rights of individuals in the European Economic Area (EEA), the United Kingdom, and Switzerland. We comply with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the UK GDPR in our collection, processing, and storage of personal data.
This page describes how we meet our obligations under the GDPR and how individuals can exercise their data protection rights. This document should be read in conjunction with our Privacy Policy, which provides additional detail on our data practices.
2. Lawful Basis for Processing
Under the GDPR, we must have a valid legal basis for processing your personal data. We rely on the following lawful bases depending on the context:
- Consent (Article 6(1)(a)): Where you have given clear, affirmative consent for us to process your personal data for a specific purpose. This includes marketing communications, optional analytics cookies, and AI model training data usage. You may withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal
- Performance of Contract (Article 6(1)(b)): Processing necessary to fulfill our contractual obligations to you, including providing the BOSS platform, managing your account, processing payments, and delivering the services described in our Terms of Service
- Legitimate Interest (Article 6(1)(f)): Processing necessary for our legitimate business interests, provided those interests are not overridden by your rights and freedoms. This includes platform security, fraud detection, service improvement, and essential analytics. We conduct legitimate interest assessments to balance our interests against your rights
- Legal Obligation (Article 6(1)(c)): Processing necessary to comply with a legal obligation to which we are subject, including tax and financial reporting, responding to lawful data access requests, and maintaining security records
3. Data Subject Rights
Under the GDPR, you have the following rights with respect to your personal data:
- Right of Access (Article 15): You have the right to obtain confirmation as to whether we process your personal data and, if so, to request a copy of that data along with information about the purposes of processing, categories of data, recipients, and retention periods
- Right to Rectification (Article 16): You have the right to request correction of inaccurate personal data and completion of incomplete personal data without undue delay
- Right to Erasure (Article 17): You have the right to request deletion of your personal data where the data is no longer necessary for the purpose it was collected, you withdraw consent, you object to processing, or the data has been unlawfully processed. This right is subject to certain exceptions, including legal retention requirements
- Right to Data Portability (Article 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format (JSON or CSV) and to transmit that data to another controller without hindrance
- Right to Restriction of Processing (Article 18): You have the right to request that we restrict processing of your personal data in certain circumstances, including while we verify the accuracy of your data or assess an objection to processing
- Right to Object (Article 21): You have the right to object to processing based on legitimate interests or for direct marketing purposes. Where you object to processing for direct marketing, we will cease processing immediately
4. Data Protection Officer
Cintrico has designated a Data Protection Officer (DPO) responsible for overseeing our GDPR compliance program, handling data subject requests, and serving as the point of contact for supervisory authorities. You can reach our DPO at:
- Data Protection Officer
- Cintrico, Inc.
- Email: legal@cintri.co
Our DPO is authorized to act independently and reports directly to the highest level of management. We ensure that the DPO has the resources and access necessary to carry out their duties effectively.
5. AI and GDPR
The BOSS platform uses artificial intelligence agents to process data, generate content, and automate workflows. We are committed to transparency about how AI interacts with your personal data:
- Automated Decision-Making Transparency (Article 22): Where AI agents process personal data to make automated decisions that significantly affect you, we provide meaningful information about the logic involved, the significance of the processing, and the envisaged consequences. Currently, no fully automated decisions with legal or similarly significant effects are made by AI agents within BOSS without human oversight
- Right to Human Review: You have the right to request human review of any automated decision that significantly affects you. To request a review, contact our DPO or use the "Request Human Review" option available in affected workflows
- AI Data Processing Scope: AI agents only access personal data within the scope of your workspace and the specific task they are performing. Agent memory and context windows are isolated per workspace and do not persist across unrelated sessions unless you explicitly configure persistent memory
- Model Training Opt-Out: Your AI interaction data is not used for model training by default. If training use is enabled in the future, we will obtain your explicit consent and provide a clear opt-out mechanism
6. International Data Transfers
Cintrico is headquartered in the United States. When personal data is transferred from the EEA, UK, or Switzerland to the United States or other third countries, we ensure that appropriate safeguards are in place:
- EU-US Data Privacy Framework: We participate in the EU-US Data Privacy Framework, the UK Extension to the EU-US DPF, and the Swiss-US Data Privacy Framework, as administered by the U.S. Department of Commerce
- Standard Contractual Clauses (SCCs): Where the Data Privacy Framework does not apply, we use Standard Contractual Clauses approved by the European Commission (Commission Implementing Decision (EU) 2021/914) as the legal mechanism for cross-border data transfers
- Supplementary Measures: In addition to SCCs, we implement supplementary technical and organizational measures, including encryption in transit and at rest, pseudonymization where feasible, and access controls limited to authorized personnel
7. Sub-Processors
We engage the following sub-processors to provide the Service. Each sub-processor is bound by data processing agreements that require GDPR-equivalent data protection:
| Sub-Processor | Purpose | Location |
|---|---|---|
| Supabase | Database hosting, authentication, and real-time data services | United States |
| Vercel | Application hosting, edge networking, and analytics | United States (global edge) |
| Anthropic | AI model provider for Claude-based agents | United States |
| OpenAI | AI model provider for GPT-based agents | United States |
| Google Cloud | Infrastructure services and AI model provider (Gemini) | United States / EU |
| Stripe | Payment processing and subscription billing | United States |
We will notify you of any changes to our sub-processor list at least 30 days in advance, giving you the opportunity to object to the new sub-processor. Notifications are sent via email to workspace administrators.
8. Data Breach Notification
In accordance with Articles 33 and 34 of the GDPR, Cintrico maintains a comprehensive data breach response plan:
- Supervisory Authority Notification: We will notify the relevant supervisory authority within 72 hours of becoming aware of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals
- Data Subject Notification: Where a breach is likely to result in a high risk to your rights and freedoms, we will notify affected individuals without undue delay, providing clear information about the nature of the breach, likely consequences, and measures taken or proposed to address the breach
- Breach Documentation: All breaches, including those that do not require notification, are documented with details of the breach, its effects, and the remedial actions taken. This documentation is available for supervisory authority review upon request
9. Children's Data
The BOSS platform is not directed to children under the age of 16. We do not knowingly collect or process personal data from children under 16 in the EEA or under 13 in other jurisdictions. Where consent is required for the processing of a child's personal data under Article 8 of the GDPR, we require verifiable parental consent.
If we become aware that we have collected personal data from a child without appropriate consent, we will take steps to delete that data promptly. Parents or guardians who believe their child has provided personal data to Cintrico should contact our DPO at legal@cintri.co.
10. How to Exercise Your Rights
You can exercise your data protection rights through the following channels:
- Email: Send a request to legal@cintri.co with the subject line "GDPR Data Subject Request." Please include your full name, the email address associated with your account, and a description of the right you wish to exercise
- In-Platform Settings: Many rights can be exercised directly from your BOSS account settings, including data export (portability), preference management (consent withdrawal), account deletion (erasure), and AI training opt-out
- Response Timeline: We will acknowledge your request within 5 business days and fulfill it within 30 days. If additional time is required due to the complexity or volume of requests, we will notify you of the extension and the reasons for the delay, as permitted under Article 12(3)
- Verification: To protect your privacy, we may need to verify your identity before processing your request. This may involve confirming your email address or asking you to provide additional identification
If you are not satisfied with our response to your request, you have the right to lodge a complaint with your local data protection supervisory authority. A list of EU data protection authorities is available at edpb.europa.eu.
11. Contact Information
For GDPR-related inquiries, please contact us:
- Cintrico, Inc.
- Data Protection Officer
- Email: legal@cintri.co
- Website: cintri.co