GDPR Compliance & Data Protection Policy
Effective Date: May 23, 2024
1. Introduction
Dawent ("we," "us," or "our") respects your privacy and is committed to protecting personal data in compliance with the General Data Protection Regulation (GDPR) (EU) 2016/679. This statement outlines how Dawent's Google Workspace Add-ons access, process, and safeguard user data.
This policy applies to any individual ("you," "your," or "user") whose personal data is processed in the context of our operations within the European Economic Area (EEA), regardless of nationality.
For the purpose of this document, "Google Workspace Services" refers to, but is not limited to, Google Docs, Google Forms, Google Slides, Google Sheets, Google Calendar, Gmail, Google Meet, Google Chat, and Google Drive.
2. Roles & Responsibilities
You as Data Controller
You, as the user, act as the data controller, meaning you determine which data is accessed and processed through the Google Workspace Add-ons.
We as Data Controller and Data Processor
As a Data Controller
Dawent acts as a data controller when processing personal data explicitly collected from users who upgrade to a licensed version of the add-on. This includes:
Licensing and subscription details (e.g., name, email address, subscription status, billing information).
Transaction-related data received from payment processors (e.g., transaction ID, subscription status, and payment confirmation).
Customer support inquiries that include personally identifiable information (PII).
Dawent does not store or process payment card details. Payment transactions are handled exclusively by third-party payment processors (see [Section 10: Payment Processing]).
As a Data Processor
Dawent acts as a data processor when its add-ons process Google Workspace data strictly within your account.
Data access is limited to the OAuth scopes explicitly authorized by you during installation and use.
No Google Workspace data is stored, transferred, or retained outside of your account.
Some add-ons facilitate third-party integrations, where data is transmitted only as explicitly authorized by you (see [Section 3: Third-Party Processing]).
Third-Party Services
Dawent may use third-party services that act as sub-processors to facilitate specific functionalities.
Each third-party service operates under its own GDPR-compliant policies (see [Section 10]).
Before enabling third-party integrations, users must explicitly authorize data sharing.
3. Legal Basis for Data Processing
Dawent processes data in accordance with the following lawful bases under the GDPR:
Contractual Necessity (Article 6(1)(b))
When you install our add-ons via the Google OAuth flow, you grant access to your Google Workspace Services and data, allowing us to provide essential functionalities as part of the service agreement.
For users purchasing a subscription, we process subscription-related data (e.g., transaction ID, subscription status, and payment confirmation) as part of our contractual obligation to manage licensing and billing. However, payment card processing is handled exclusively by third-party payment processors (see [Section 10: Payment Processing]).
We do not store or process payment card details.
Legitimate Interest (Article 6(1)(f))
We collect and process certain non-personally identifiable technical and diagnostic data to enhance security, maintain functionality, and resolve errors.
Third-Party Processing
Users may explicitly authorize our add-ons to integrate with third-party services, resulting in data transmission. This may occur in the following ways:
OAuth Authorization – You initiate an OAuth flow to grant our add-ons permission to process your third-party data, enabling integration and functionality.
Credential-Based Access – You provide API keys, tokens, or security credentials stored within your Google account, allowing our add-ons to interact with third-party services.
Cookies & Tracking Technologies
Our website uses cookies from Google to provide services and analyze traffic. Information about your use of the site is shared with Google. When visiting the website, you have the option to Accept or Reject cookies.
For more details, refer to Google’s Cookie Policy.
Additionally, users can manage or disable cookies through their browser settings.
4. Data Collection & Processing
4.1 Data Not Stored with Us
Google Workspace Service Data
Processed directly within Google Workspace without being stored on our servers.
Access is limited to the OAuth scopes explicitly authorized by you during installation and use.
Processing Scope: Restricted to essential operations required for the add-on’s functionality.
Payment & Subscription Data
When users purchase a subscription, payment details (e.g., card information) are entered directly on third-party payment processors (see [Section 10: Payment Processing]).
We do not store, process, or have direct access to users' payment card details.
We only access subscription-related data (e.g., transaction ID, subscription status, and payment confirmation) via third-party payment processors to manage licensing and billing.
4.2 Data Stored with Us
User-Provided Data (PII)
Collected when users interact with our services, including purchasing a license, subscribing to the add-on, or seeking support.
Subscription & Licensing Data
Collected when users subscribe to a licensed version of the add-on by making a payment.
Examples: Name, email, subscription plan, billing information, and communication preferences.
Processing Scope: Used for licensing, invoicing, and customer support.
Support & Communication Data
Collected when users engage with our support team or submit service-related inquiries, issues, or explicit debug information.
Examples: Emails, chat messages, customer support tickets, and diagnostic logs shared for troubleshooting.
Processing Scope: Used solely for responding to inquiries, resolving issues, and debugging. AI models (such as GPT and Gemini) may assist with customer support inquiries, but PII is anonymized. Users may request exclusion from AI-based support by contacting us.
System & Diagnostic Data / Debug Logs
Non-personally identifiable data used for maintaining service functionality and debugging.
Examples: System performance metrics, timestamps, and error codes.
Processing Scope: Retained for 30 days for troubleshooting purposes.
5. Data Storage & Security
Data Location: Your data remains within Google Workspace and is not transferred to our servers.
Security Measures: We implement encryption, access controls, and authentication protocols to safeguard data integrity.
Error Logging: Non-personally identifiable error logs are retained for 30 days for debugging and error reporting.
Licensing & Subscription Data: If you purchase a license, we securely store the explicitly provided data (see 4. Data Collection & Processing – User-Provided Data) within our Google Workspace account for invoicing and communication.
6. User Rights Under GDPR
We only store licensing, subscription, and communication data. Under the GDPR, you have the right to:
Access Your Data – Request a copy of the data we store.
Rectify Inaccuracies – Correct or update incorrect or outdated information. However, changing the email associated with a license is not permitted.
Erase Data ("Right to be Forgotten") – Request permanent deletion of your data, subject to legal or contractual obligations.
Restrict Processing – Request limitations on how we process your data.
Data Portability – Obtain a structured, machine-readable copy (e.g., CSV or JSON format) of your data for reference.
Object to Processing – Opt out of certain processing activities, including direct marketing.
To exercise these rights, contact us at support@dawent.com. We will respond within the legally required timeframe and comply where legally permissible.
7. Data Retention & Deletion Policy
We retain user data only for as long as necessary to fulfill contractual, legal, and operational obligations.
7.1 Retention Periods
Error Logs & Analytics
Retained for 30 days to enhance security, maintain functionality, and assist in debugging. Logs are automatically deleted afterward unless needed for ongoing issue resolution.
Licensing & Subscription Data
Active Users – Data is retained throughout the subscription period.
Inactive/Expired Subscriptions – Data is automatically deleted after 3 years, unless legally required for a longer period.
User Deletion Requests – Users may request data deletion where legally permissible.
Support & Communication Data
Retained for the duration of the subscription + 3 years after the last interaction to ensure issue resolution and service continuity.
After this period, data is anonymized or securely deleted, unless legally required for a longer retention period.
Users may request data deletion where legally permissible.
7.2 Add-On Uninstallation & Data Access Revocation
When you uninstall the add-on, Google Workspace immediately revokes our add-on’s access to your Google Workspace data, meaning we can no longer process your data.
If you previously authorized third-party integrations, you may need to manually revoke access through the respective third-party provider’s settings.
7.3 Data Deletion Requests
Users may request deletion of stored data (as outlined in Section 4.2) by contacting us.
Some data may be retained to fulfill legal, contractual, or operational obligations.
Error logs and system diagnostic data are anonymized and do not contain PII.
Verified deletion requests are processed within 30 days, unless an extended retention period is legally required.
8. Data Transfers Outside the EU
The data stored with us (as outlined in [Section 4.2: Data Stored with Us]) is processed using Google’s global infrastructure, including data centers in the U.S., Europe, and Asia-Pacific. Where applicable, we rely on Standard Contractual Clauses (SCCs) to ensure GDPR-compliant data transfers outside the European Economic Area (EEA).
Google Workspace services comply with GDPR and Data Processing Addendums (DPAs). For EU-based users, Google also offers data residency options to store certain data within the EEA. More details are available in Google’s GDPR Compliance Center.
If users authorize third-party integrations via our add-on, data may be transmitted to those services based on the permissions granted. Each third-party service operates under its own GDPR-compliant policies, and we recommend reviewing their privacy terms before enabling integrations.
For further details, refer to: Google’s GDPR Compliance Center
9. Data Breach Notification
In the event of a security breach affecting personal data, we will:
Notify the relevant EU Data Protection Authority (DPA) within 72 hours, as required by GDPR.
Inform affected users via email, an in-app notification, or a public notice on our website, depending on the severity and legal requirements.
Issue a public notice on our website outlining the nature of the breach and recommended actions if direct user notification is impractical or not legally required.
10. Third-Party Services & Sub-Processors
We utilize GDPR-compliant third-party services, including:
Google Workspace services (Google LLC)
ClickSend, MessageBird, Telesign, Textlocal, Twilio – SMS and notification services.
BL.INK, T.LY – URL shortening services.
Klaviyo, Brevo, Mailchimp, HubSpot – Marketing and CRM integrations.
QuickBooks – Accounting and invoicing services.
We select GDPR-compliant providers, but we recommend users review each service’s privacy policies and terms to understand how their data is handled. Users who enable third-party integrations via our add-ons should review the respective privacy policies before authorizing data sharing.
Payment Processing
Payment transactions are handled exclusively by Stripe, PayPal, and Razorpay.
We do not store or process payment card details.
Our access is limited to subscription-related data (e.g., transaction ID, subscription status, and payment confirmation) necessary for managing licensing and billing.
11. Contact Information
For GDPR inquiries, contact: Data Protection Officer, Dawent, support@dawent.com