Your data rights matter
FRITH is committed to full compliance with the General Data Protection Regulation (GDPR). This page explains how we process personal data, your rights, and how to exercise them.
Last updated: March 2025 · Data Controller: FRITH (Webblab Ltd) · privacy@frithai.com
Data Controller
The data controller responsible for personal data processed through the FRITH platform is:
For US users, FRITH also operates from 3260 Hillview Avenue, Palo Alto, CA 94304. Data processing for UK/EU customers is governed by UK GDPR and EU GDPR respectively.
Lawful bases for processing
Contract performance
Processing necessary to provide the FRITH platform service to customers under a subscription agreement.
Examples: Account management, matter data storage, billing, invoicing.
Legitimate interests
Processing necessary for FRITH's legitimate business interests, balanced against data subject rights.
Examples: Security monitoring, fraud prevention, service improvement analytics, abuse detection.
Legal obligation
Processing required to comply with applicable law.
Examples: Anti-money laundering (AML) checks, regulatory reporting obligations, responding to lawful court orders.
Consent
Where required by law and where we rely on explicit consent.
Examples: Marketing emails, optional analytics cookies, testimonials and case studies.
Your rights under GDPR
Right of access
You may request a copy of all personal data FRITH holds about you. We respond within 30 days.
How: Submit request via privacy@frithai.com
Right to rectification
You may request correction of inaccurate or incomplete personal data.
How: Update directly in-app or contact support
Right to erasure
You may request deletion of your personal data where there is no overriding legal basis to retain it.
How: Submit request via privacy@frithai.com
Right to portability
You may request your personal data in a structured, machine-readable format (JSON or CSV).
How: Use in-app Data Export or email privacy@frithai.com
Right to object
You may object to processing based on legitimate interests or for direct marketing purposes.
How: Opt out in account settings or email privacy@frithai.com
Right to restrict processing
You may request restriction of processing while a dispute about accuracy or lawfulness is resolved.
How: Submit request via privacy@frithai.com
Response timeframe: We respond to all data subject requests within 30 days. For complex requests we may extend this by a further 60 days — we will notify you within the initial 30 days if this is required.
Sub-processor list
The following third parties process personal data on FRITH's behalf. All sub-processors are contractually bound under GDPR-compliant Data Processing Agreements.
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Database & file storage | US / EU (AWS) |
| Vercel | Web hosting & edge delivery | Global (AWS/edge) |
| Stripe | Payment processing | US / EU |
| Resend / SendGrid | Transactional email delivery | US |
| OpenAI (optional) | AI model inference (BYOK) | US |
| Anthropic (optional) | AI model inference (BYOK) | US |
| Groq (optional) | AI model inference (BYOK) | US |
| Google (optional) | AI model inference / Workspace integration | US / EU |
AI providers marked (optional) are only engaged when you configure BYOK. FRITH does not send data to AI providers by default.
Data retention schedule
| Data category | Retention period |
|---|---|
| Account & profile data | Duration of subscription + 90 days post-termination |
| Matter and case data | Duration of subscription + 90 days; extended retention available on request |
| Billing records | 7 years (legal and tax obligation) |
| Audit logs | 12 months rolling |
| AI query logs | 30 days (not used for training) |
| Support tickets | 3 years from resolution |
| Marketing data | Until consent withdrawn or 3 years of inactivity |
Data Processing Agreement (DPA)
Enterprise customers can request our standard DPA or negotiate custom terms. All customers processing EU/UK personal data through FRITH are covered by our standard DPA by default.