GDPR Compliance Statement
Last Updated: June 17, 2025
Introduction
At AppEnso, we are committed to protecting the personal data of all our users, including those in the European Union. This GDPR Compliance Statement outlines how Awesome Enterprises Private Limited (operating as "AppEnso," "We," "Us," or "Our") complies with the General Data Protection Regulation (GDPR) when processing personal data of EU residents.
Lawful Basis for Processing
We process personal data only when we have a lawful basis to do so. For each processing activity, we rely on one of the following:
1. Contractual Necessity (Article 6(1)(b) GDPR)
- Purpose: Providing our software, applications, and Google Workspace add-ons, and fulfilling our obligations under the Terms of Service.
- Data: Account information, usage data necessary for service delivery, payment management.
- Examples: Processing your email to authenticate access, managing your subscription, storing preferences essential for service functionality.
2. Consent (Article 6(1)(a) GDPR)
- Purpose: Marketing communications, optional features or services where consent is explicitly required.
- Data: Email address for newsletters, tracking preferences for non-essential cookies.
- Examples: Sending product updates or promotional offers (only with explicit opt-in).
3. Legitimate Interests (Article 6(1)(f) GDPR)
- Purpose: Service improvement, security, fraud prevention, analytics, and internal business operations, provided these interests do not override your fundamental rights and freedoms.
- Data: Usage analytics, security logs, aggregated service performance data.
- Examples: Analyzing usage patterns to improve features, preventing abuse or unauthorized access, maintaining system stability.
4. Legal Obligation (Article 6(1)(c) GDPR)
- Purpose: Compliance with applicable laws, regulations, or legal processes.
- Data: As required by law (e.g., tax records, responding to legal requests).
- Examples: Retaining transaction records for tax purposes, responding to valid governmental requests.
Your Rights Under GDPR
As an EU resident, you have specific rights regarding your personal data:
Right to Access (Article 15)
You can request a copy of all personal data we hold about you, including:
- What data we process.
- Why we process it.
- Who we share it with.
- How long we keep it.
Right to Rectification (Article 16)
You can request correction of any inaccurate or incomplete personal data we hold about you.
Right to Erasure "Right to be Forgotten" (Article 17)
You can request deletion of your personal data when:
- It's no longer necessary for the original purpose.
- You withdraw consent (where consent was the lawful basis) and there is no other lawful basis for processing.
- You object to processing based on legitimate interests and there are no overriding legitimate grounds.
- The data was unlawfully processed.
Right to Restriction of Processing (Article 18)
You can request we limit how we use your data while:
- You contest its accuracy.
- You've objected to processing based on legitimate interests.
- Processing is unlawful but you don't want erasure.
- We no longer need the data for processing, but you require it for legal claims.
Right to Data Portability (Article 20)
You can receive your personal data, which you have provided to us, in a structured, commonly used, machine-readable format and have the right to transmit that data to another controller where the processing is based on consent or contract and is carried out by automated means.
Right to Object (Article 21)
You can object to processing based on legitimate interests (unless we demonstrate compelling legitimate grounds that override your interests) or for direct marketing purposes.
Rights Related to Automated Decision-Making (Article 22)
We do not use automated decision-making or profiling that produces legal or similarly significant effects concerning you.
Data Protection Measures
Privacy by Design and by Default
- Minimal Data Collection: We only collect data necessary for specific purposes.
- Data Protection Impact Assessments: Regular assessments are conducted for new features and processing activities to identify and mitigate risks.
- Security by Default: Our systems are designed with security in mind, including encryption, access controls, and secure development practices from the outset.
Technical and Organizational Measures
We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption: All data transmissions are encrypted using TLS/SSL protocols. Data at rest is also encrypted where appropriate.
- Access Controls: Strict role-based access controls limit who can access your data based on the principle of least privilege.
- Regular Audits: We conduct regular security assessments, vulnerability scans, and penetration testing.
- Employee Training: Our employees receive regular privacy and security awareness training.
- Data Minimization: We retain data only for as long as necessary for the stated purposes.
International Data Transfers
As AppEnso is based in India, personal data from the EU may be transferred to and processed in India, a country currently not deemed to provide an adequate level of data protection by the European Commission. We ensure adequate protection for such transfers through:
Standard Contractual Clauses (SCCs)
We use European Commission-approved Standard Contractual Clauses (SCCs) as the legal mechanism for all data transfers from the EU to India and other non-adequate countries.
Supplementary Measures
In addition to SCCs, we implement supplementary technical and organizational measures, including:
- Technical: Strong encryption in transit and at rest, pseudonymization where feasible.
- Contractual: Additional contractual commitments with sub-processors to ensure robust data protection safeguards.
- Organizational: Strict access controls, data handling procedures, and regular security audits.
For organizational users, the processing of Customer Personal Data is further governed by our Data Processing Agreement (DPA), which outlines our specific data processing obligations as a processor and incorporates the necessary transfer mechanisms.
Data Breach Notification
In the unlikely event of a personal data breach:
Our Commitment
- 72-Hour Notification: We will notify the relevant supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
- User Notification: If the personal data breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay.
- Documentation: We maintain records of all personal data breaches, including the facts relating to the breach, its effects, and the remedial action taken.
Breach Response Plan
Our internal procedures ensure a swift and effective response, including:
- Immediate containment and assessment of the breach.
- Notification to relevant authorities and affected users (if required).
- Thorough investigation and remediation of the root cause.
- Implementation of measures to prevent future occurrences.
Sub-Processors
We use carefully selected third-party processors to help provide our services and process personal data on our behalf:
- Google Cloud Platform: For secure infrastructure and data storage (primarily in the USA).
- Payment Processors: PayPal, Stripe, Paddle (for payment processing only).
- Analytics: Google Analytics (primarily processes anonymized and aggregated data only).
All sub-processors are carefully vetted and bound by appropriate data processing agreements ensuring compliance with GDPR and other applicable data protection laws. We maintain a list of our sub-processors, which can be provided upon request.
Data Protection Contact
While we are not legally required to appoint a Data Protection Officer (DPO) under Article 37 GDPR, we have designated a privacy contact for all GDPR-related inquiries:
Email: [email protected]
Subject Line: GDPR Inquiry
Supervisory Authority
EU residents have the right to lodge a complaint with their local data protection supervisory authority if they believe their rights under GDPR have been infringed. You can find contact details for your local authority at: https://edpb.europa.eu/about-edpb/board/members
Google Workspace Add-ons Specific Information
For our Google Workspace add-ons, our data handling practices are specifically designed with Google's policies and user privacy in mind:
Data Location
- All data accessed by our add-ons (e.g., from Google Sheets, Docs, Gmail, Drive) resides strictly within your Google account.
- We do not store copies of your Google Workspace data on our servers.
- Processing of this data primarily occurs within your Google environment via Google Cloud Functions or client-side operations.
Access Scope and Control
- We only request the minimum necessary Google permissions (scopes) required for the add-on's advertised functionality.
- You can review and revoke these permissions at any time through your Google account security settings (myaccount.google.com/permissions).
- Uninstalling the add-on immediately stops all data access and processing by AppEnso.
Compliance Features for Google Workspace Data
- Data Portability: Your data within Google Workspace remains fully portable and controllable by you directly through Google's tools.
- Right to Erasure: By deleting your data from your Google account or uninstalling the add-on, you effectively exercise your right to erasure concerning the data processed by our add-on.
- Transparency: We provide clear permission requests during add-on installation and detail data handling in this Privacy Policy.
Updates to This Statement
We may update this GDPR Compliance Statement from time to time to reflect changes in our data processing practices, services, or legal requirements. We will notify you of any material changes via:
- Sending an email to the address specified in your account.
- Displaying a prominent notice in our applications.
- Posting an update notice on our website.
Contact Us
For any GDPR-related questions or to exercise your rights:
Email: [email protected]
Subject: GDPR Request/Inquiry
Address: Awesome Enterprises Private Limited
65, Mangal Vihar Gopalpura Bypass
Jaipur, Rajasthan, 302018
India
We take GDPR compliance seriously and are committed to protecting your privacy rights.