Last updated:
Overview
Companies in the EEA, the UK, and Switzerland use Rills to run workflows over personal data — prospect lists, CRM records, customer emails. This page explains, in plain language, how Rills supports the obligations the GDPR places on you when you do that, and links to the documents that make it contractual. The short version:
- A Data Processing Agreement with EU Standard Contractual Clauses applies to every customer automatically — no signature round-trip required.
- Every subprocessor we use is published, with 30 days' email notice before we add one.
- Your data is never used to train AI models, and AI providers do not retain it beyond serving your request.
- The product itself is an accountability tool: every consequential action can wait for human approval, and every decision leaves a record of who approved what, and when.
Who Is Responsible for What
For the data you route through your workflows — your contacts, your prospects, your tables — you are the controller and Rills is your processor. We process that data only on your instructions: the workflows you build, the integrations you connect, and the terms of the DPA.
For your own account data — registration details, billing, support conversations, product analytics — Rills is the controller, and our Privacy Policy governs.
Getting a DPA
Our DPA is incorporated into the Terms of Service, so it applies to your account from the moment you sign up. There is nothing to request and nothing to sign. If your compliance process needs a countersigned copy on file, email privacy@rills.ai and we will return an executed copy.
Where Your Data Lives
Rills is a US company and processes data in the United States. Transfers of GDPR- protected data to the US are covered by the EU Standard Contractual Clauses (Module Two), which are incorporated into the DPA, together with the UK Addendum for UK transfers and the Swiss adaptations for Switzerland. This is the same transfer mechanism relied on by most US-based SaaS providers serving European customers.
Subprocessors
The full list of third parties that process customer data on our behalf — who they are, what they do, and where they process — is public at rills.ai/subprocessors. Before a new subprocessor touches customer data, we update the list and email workspace owners at least 30 days ahead, and you can object on data protection grounds as described in the DPA.
AI & Your Data
AI requests are routed through a gateway that only uses providers with verified no-training agreements: your data is never used to train, improve, or develop AI models, and providers do not retain it beyond what is needed to serve the request. Workflow optimization runs only on your own workspace's history and never improves other customers' workflows. Details are in the Privacy Policy and on the Security page.
Data Subject Rights
When a data subject exercises their rights against you — access, rectification, erasure, restriction, portability, objection — you can handle most requests directly in the product: view, correct, export, and delete the relevant data yourself. Where you need our help, the DPA commits us to assist. If a data subject contacts us directly about your data, we forward the request to you rather than answering on your behalf.
For rights in data Rills controls — your account data — see the Privacy Policy or email privacy@rills.ai.
Retention & Deletion
You can export your data at any time. When your account ends, we delete customer data within 30 days, except where the law requires us to keep something longer. Execution history is retained according to your plan's retention schedule, and decision records are kept for at least 365 days on every plan so your audit trail survives.
If Something Goes Wrong
If a personal data breach affects your data, we notify you without undue delay — and in any event within 72 hours of becoming aware — with the details you need for your own notifications to regulators and data subjects. The commitment is contractual, in the DPA.
Contact
Privacy and GDPR questions: privacy@rills.ai. Security reports: security@rills.ai. Postal mail: Rills AI, LLC, 131 Continental Dr, Suite 305, Newark, DE 19713, United States.