Diligent

GDPR.

EU data residency, your rights as a data subject, and how we work with you as a processor.

Last updated: 18 May 2026

The short version

Diligent is GDPR-compliant by default. EU customers run on EU infrastructure. You have the full set of data-subject rights and can exercise them by emailing hi@diligent.sh.

A Data Processing Addendum (DPA) is available on request and pre-signed for new customers.

Who is who

When you use Diligent in connection with your business, you are the controller of personal data you bring into the product (for example, information about your customers from your connected platforms). Diligent is the processor, acting on your instructions. For account data we hold about you directly (your name, your work email, how you use the product), Diligent is the controller.

Lawful bases

We rely on the following lawful bases under Article 6 GDPR:

  • Contract — to provide the service to you.
  • Legitimate interests — to keep the service secure, improve it, and tell customers about meaningful changes.
  • Consent — for marketing emails to non-customers, where required.
  • Legal obligation — to comply with tax and accounting law.

Your rights

If you are in the EU, EEA, or UK, you have the right to:

  • Access the personal data we hold about you.
  • Correct it if it's wrong.
  • Have it deleted (the “right to be forgotten”).
  • Restrict or object to how we use it.
  • Receive a copy in a portable format.
  • Withdraw any consent you've given, at any time.
  • Lodge a complaint with your local supervisory authority. (For the UK, that's the ICO; for Ireland, the DPC.)

To exercise any of these, email hi@diligent.sh. We'll reply within 30 days. We won't charge you for reasonable requests.

EU data residency

EU customers run on EU infrastructure. Primary storage, backups, and analytics for EU accounts stay inside the EU. The only data that ever leaves the region is the narrow context we pass to AI providers for a specific task, and we use endpoints with zero data retention and no training on submitted data. Where transfers are necessary, we rely on Standard Contractual Clauses with supplementary measures.

Subprocessors

We use a short list of subprocessors for hosting, monitoring, email, billing, and AI inference. The current list, along with their locations and purposes, is available on request from hi@diligent.sh. We'll notify customers of new subprocessors at least 30 days before they go live, so you can object.

Data Processing Addendum

Our DPA incorporates the EU Standard Contractual Clauses and the UK Addendum where applicable. New customers receive a pre-signed copy at onboarding. To request the DPA today, email hi@diligent.sh.

Breach notification

If we become aware of a personal data breach affecting your data, we'll notify you without undue delay and in any event within 72 hours of becoming aware, together with the information you need to meet your own GDPR obligations.

Automated decisions

Diligent surfaces insights and recommendations. It does not make automated decisions that produce legal or similarly significant effects on individuals. You stay in the loop on any action that changes spend.

Contact

For privacy or GDPR questions, email hi@diligent.sh. For the wider policy, see our privacy page.

For an EU representative under Article 27, contact us at the address above and we'll put you in touch.