EU Compliance

GDPR Compliance

WealthSight is committed to protecting the privacy and rights of individuals in the European Union and European Economic Area under the General Data Protection Regulation (GDPR).

Our Commitment to GDPR

The General Data Protection Regulation (GDPR) represents the gold standard for data protection worldwide. At WealthSight, we embrace GDPR not just as a legal requirement but as a framework that aligns with our core values of transparency, security, and respect for user privacy.

As a platform that processes sensitive financial data, we hold ourselves to the highest standards of data protection. Our GDPR compliance program is overseen by our Data Protection Officer and reviewed regularly to ensure ongoing adherence.

Data Processing Agreement: Available for all enterprise customers
Data Protection Officer: Dedicated DPO overseeing compliance
Privacy by Design: Built into our development process
Regular Audits: Annual GDPR compliance reviews

Legal Bases for Processing

Under GDPR, we process personal data only when we have a valid legal basis. Here are the bases we rely on:

Contract Performance

Processing necessary to provide you the Service (account management, financial analysis, report generation).

Examples: Account creation, AI analysis, session history

Legitimate Interest

Processing necessary for our legitimate business interests, balanced against your rights and freedoms.

Examples: Service improvement, security monitoring, fraud prevention

Consent

Processing based on your explicit consent, which you may withdraw at any time.

Examples: Marketing emails, optional analytics, cookies

Legal Obligation

Processing necessary to comply with applicable laws and regulations.

Examples: Tax records, financial compliance, legal requests

Your Rights Under GDPR

As an EU/EEA data subject, you have comprehensive rights regarding your personal data.

Right of Access

Request a copy of all personal data we hold about you, including how it is processed and who it is shared with.

Right to Rectification

Request correction of inaccurate or incomplete personal data. You can also update most information directly in your account settings.

Right to Erasure

Request deletion of your personal data when it is no longer necessary for the purpose it was collected, or when you withdraw consent.

Right to Restriction

Request restriction of processing in certain circumstances, such as when you contest the accuracy of data or object to processing.

Right to Data Portability

Receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller.

Right to Object

Object to processing of your personal data for direct marketing purposes or where processing is based on legitimate interests.

To exercise any of these rights, contact our Data Protection Officer at dpo@wealthsight.ai.

We will respond to all valid requests within 30 days in accordance with GDPR requirements.

International Data Transfers

How we handle cross-border data flows

Our primary infrastructure is hosted on Amazon Web Services (AWS) with data centers in the United States. When personal data is transferred from the EU/EEA to the US, we ensure appropriate safeguards are in place.

Transfer Mechanisms

Standard Contractual Clauses (SCCs) — We execute EU-approved SCCs with all sub-processors
Data Processing Agreements (DPAs) — Available for all customers upon request
Technical Safeguards — End-to-end encryption and access controls during transfer
Sub-processor Oversight — Regular assessment of sub-processor compliance

Sub-processors

We use a limited number of sub-processors to provide the Service. Each is bound by data processing agreements and undergoes regular security assessments.

Sub-processor       | Purpose                                                  | Location
--------------------|----------------------------------------------------------|---------------------
Amazon Web Services | Cloud infrastructure, AI processing (Bedrock), storage (S3) | US (Virginia, Oregon)
Clerk               | Authentication and user management                       | US
Stripe              | Payment processing and billing                           | US
Vercel              | Application hosting and deployment                       | US (Global CDN)

We will notify customers of any changes to our sub-processor list at least 30 days in advance.

Technical & Organizational Measures

We implement comprehensive measures to ensure the security and privacy of personal data as required by Article 32 of the GDPR.

Encryption

TLS 1.3 in transit, AES-256 at rest for all personal and financial data

Access Control

Role-based access with MFA, least-privilege principle, and quarterly reviews

Data Minimization

We only collect data necessary for the stated processing purposes

Pseudonymization

Internal identifiers are pseudonymized where technically feasible

Audit Logging

All data access is logged and monitored with automated alerting

Incident Response

Documented procedures with 72-hour breach notification to supervisory authorities

Employee Training

Mandatory GDPR and security awareness training for all staff

Privacy Impact Assessments

Conducted for new features that involve processing personal data

GDPR Questions?

Our Data Protection Officer is available to address any GDPR-related inquiries, data subject requests, or DPA negotiations.

dpo@wealthsight.ai