GDPR Compliance

Last Updated: January 31, 2026

Our Commitment

Direct Sight is committed to protecting the privacy and security of personal data in compliance with the General Data Protection Regulation (GDPR). This page outlines how we handle data for users in the European Economic Area (EEA).

Data Controller

Direct Sight acts as a data controller for account and billing information. For session data and recordings, your organization is the data controller and Direct Sight is the data processor acting on your instructions.

Lawful Basis for Processing

We process personal data under the following legal bases:

  • Contract: Processing necessary to provide the Service you requested
  • Legitimate Interest: Analytics and service improvement
  • Consent: Marketing communications (where applicable)
  • Legal Obligation: Compliance with applicable laws

Your Rights

Under GDPR, you have the right to:

  • Access: Request a copy of your personal data
  • Rectification: Correct inaccurate or incomplete data
  • Erasure: Request deletion of your personal data
  • Restriction: Limit how we process your data
  • Portability: Receive your data in a machine-readable format
  • Objection: Object to processing based on legitimate interest
  • Withdraw Consent: Revoke consent at any time

Exercising Your Rights

To exercise any of these rights, contact us at support@directsight.co. We will respond within 30 days. You may also delete your data directly through your account settings.

Data Processing Agreement

Enterprise customers can request a Data Processing Agreement (DPA) that outlines our obligations as a data processor. Contact us to request a copy.

International Transfers

When we transfer data outside the EEA, we use appropriate safeguards including Standard Contractual Clauses (SCCs) approved by the European Commission.

Data Retention

  • Account data is retained while your account is active
  • Session recordings are retained for 90 days by default
  • Billing records are retained as required by law
  • You can request earlier deletion at any time

Security Measures

  • Encryption in transit (TLS 1.3) and at rest (AES-256)
  • Access controls and authentication
  • Regular security assessments
  • Employee training on data protection
  • Incident response procedures

Sub-processors

We use the following sub-processors to deliver the Service:

  • Vercel: Hosting (USA)
  • Supabase: Database (USA/EU)
  • LiveKit: Video infrastructure (USA)
  • Stripe: Payment processing (USA)

Supervisory Authority

If you are unsatisfied with our response to a privacy concern, you have the right to lodge a complaint with your local data protection authority.

Contact

For GDPR-related inquiries, contact us at support@directsight.co.