GDPR Compliance

1. Our Commitment to GDPR

Wingman is committed to complying with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the UK GDPR. We respect the privacy rights of individuals in the European Economic Area (EEA) and the United Kingdom and take our obligations as a data processor and data controller seriously.

This page explains our approach to GDPR compliance and how we handle personal data of EU and UK residents. For full details on how we use data, please also read our Privacy Policy.

2. Data Controller

The data controller responsible for your personal data is:

Wingman Technologies Inc.
British Columbia, Canada

For data protection enquiries, contact our privacy team at privacy@thewingman.io.

3. Legal Basis for Processing

We process personal data under the following legal bases as defined in Article 6 of the GDPR:

• Contract performance (Art. 6(1)(b)): Processing necessary to provide the Wingman Service under our Terms of Service, including processing call transcripts to generate coaching suggestions
• Legitimate interests (Art. 6(1)(f)): Improving our AI models, fraud prevention, and security monitoring
• Legal obligation (Art. 6(1)(c)): Retaining billing records as required by applicable tax and financial law
• Consent (Art. 6(1)(a)): Marketing communications, where we request explicit opt-in consent

4. Data Subject Rights

Under the GDPR, individuals in the EEA and UK have the following rights regarding their personal data:

• Right to access (Art. 15): Request a copy of the personal data we hold about you
• Right to rectification (Art. 16): Request correction of inaccurate or incomplete personal data
• Right to erasure (Art. 17): Request deletion of your personal data (the "right to be forgotten"), subject to legal retention requirements
• Right to data portability (Art. 20): Receive your personal data in a structured, machine-readable format
• Right to object (Art. 21): Object to processing based on legitimate interests or for direct marketing
• Right to restrict processing (Art. 18): Request that we limit how we use your data in certain circumstances

To exercise any of these rights, contact us at privacy@thewingman.io. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.

5. Data Transfers

Data may be transferred to and processed in the United States and other countries outside the EEA. Where such transfers occur, we rely on appropriate safeguards including:

• Standard Contractual Clauses (SCCs): EU Commission-approved SCCs are in place with all sub-processors receiving EEA personal data
• Data Processing Agreements (DPAs): All third-party sub-processors have signed DPAs meeting GDPR requirements

Customers requiring copies of our SCCs or DPAs for compliance purposes should contact privacy@thewingman.io.

6. Data Retention

We retain personal data only for as long as necessary:

• Call transcripts: Automatically deleted after 90 days
• Account data: Retained while the subscription is active; deleted within 30 days of account closure upon request
• Billing records: Retained for 7 years as required by tax law (financial data only; no call content)
• Marketing data: Retained until consent is withdrawn

7. Third Party Processors

We use the following sub-processors to deliver the Service. Each has been assessed for GDPR compliance and has appropriate safeguards in place:

• Auth0 (Okta): Authentication and identity management — United States
• Stripe: Payment processing — United States
• Supabase: Database and storage — United States
• RecallAI: Call bot infrastructure — United States
• Deepgram: Speech-to-text transcription — United States
• Anthropic: AI coaching generation — United States

Each processor is bound by contractual obligations to process data only as instructed by Wingman and to implement appropriate technical and organisational security measures.

8. Contact Our DPO

For all GDPR-related enquiries, data subject rights requests, or to request our Data Processing Agreement, contact our Data Protection Officer:

privacy@thewingman.io

Wingman Technologies Inc.
British Columbia, Canada

You also have the right to contact your national data protection supervisory authority if you believe your rights under the GDPR have not been respected.