GDPR Data Policy

Last updated: 19 February 2026

Our commitment to GDPR compliance:
Dagg Intelligence Services AB is committed to protecting personal data in accordance with the General Data Protection Regulation (EU) 2016/679 (GDPR). This policy describes how we process personal data, the legal bases we rely on, and your rights as a data subject.

1. Introduction and Scope

This GDPR Data Policy applies to all processing of personal data carried out by Dagg Intelligence Services AB in connection with the DIS platform — an agent-native software development platform with a knowledge machine that integrates with tools like GitHub, Linear, Slack, Notion, and Google Docs.

This policy applies to individuals in the European Economic Area (EEA) and, where applicable, to all personal data processed under GDPR regardless of the data subject’s location. It supplements our Privacy Policy with GDPR-specific details.

2. Data Controller

The data controller for the processing described in this policy is:

Dagg Intelligence Services AB
Registration number: 559543-9513
Country: Sweden
Contact: privacy@dagg.ai

Dagg Intelligence Services AB does not currently have a designated Data Protection Officer (DPO). Under Article 37 of the GDPR, appointment of a DPO is not required given our organization’s size and the nature of our processing activities. For all data protection inquiries, please contact us at the email address above.

3. Legal Bases for Processing

We process personal data under the following legal bases as set out in Article 6(1) of the GDPR:

• Consent (Art. 6(1)(a)): Where you have given explicit consent for specific processing activities, such as marketing communications or optional analytics.
• Contract performance (Art. 6(1)(b)): Processing necessary to provide the DIS platform and services under our Terms of Use, including account management, data ingestion, knowledge graph construction, and AI-powered analysis.
• Legal obligation (Art. 6(1)(c)): Processing required to comply with legal obligations, such as tax and accounting requirements, responding to lawful authority requests, and data retention mandated by law.
• Legitimate interests (Art. 6(1)(f)): Processing necessary for our legitimate interests, including service improvement, security monitoring, fraud prevention, and usage analytics, where these interests are not overridden by your data protection rights.

4. Categories of Personal Data

We process the following categories of personal data:

• Account data: Email address, name, profile information from your SSO provider, user ID, workspace and project memberships, roles, and permissions.
• Usage data: Features used, agent interactions, query patterns, performance metrics, and product analytics.
• Integration metadata: Author information, timestamps, file names, and structural data from connected tools (GitHub, Linear, Slack, Notion, Google Docs).
• Technical data: IP addresses, browser types, device information, access times, and session data.
• Communication data: Messages and conversations from integrated platforms that customers choose to connect to DIS.

We do not intentionally process special categories of personal data (Article 9) such as health data, biometrics, or data revealing racial or ethnic origin.

5. Data Subject Rights

Under GDPR Articles 15 through 22, you have the following rights regarding your personal data:

• Right of access (Art. 15): You may request a copy of the personal data we hold about you and information about how it is processed.
• Right to rectification (Art. 16): You may request correction of inaccurate or incomplete personal data.
• Right to erasure (Art. 17): You may request deletion of your personal data, subject to legal retention obligations.
• Right to restriction of processing (Art. 18): You may request that we limit how we process your data in certain circumstances.
• Right to data portability (Art. 20): You may request to receive your data in a structured, commonly used, machine-readable format.
• Right to object (Art. 21): You may object to processing based on legitimate interests or for direct marketing purposes.
• Rights related to automated decision-making (Art. 22): You have the right not to be subject to decisions based solely on automated processing that produce legal effects or similarly significant effects. DIS does not currently make such decisions.

How to Exercise Your Rights

To exercise any of these rights, contact us at privacy@dagg.ai. We will respond to your request within 30 days. This period may be extended by up to two additional months for complex or numerous requests, in accordance with Article 12(3) of the GDPR. We will inform you of any such extension within the initial 30-day period.

We may ask you to verify your identity before processing your request.

6. Data Retention

We retain personal data only for as long as necessary for the purposes described in this policy:

• Account data: Retained while your account is active, plus 30 days after account deletion to allow for recovery.
• Usage logs: Retained for 90 days for service improvement and debugging purposes.
• Audit logs: Retained for 1 year to support security monitoring and compliance.
• Backups: Encrypted backups are retained for up to 30 days and then automatically expired.

When a customer deletes a project, all associated data is hard-deleted from active stores within 24 hours. Remaining traces exist only in encrypted backups until they expire.

7. International Data Transfers

Our primary data processing infrastructure is located in GCP europe-west1 (Belgium), within the European Union. All customer data is stored in EU-based infrastructure by default.

Where data transfers outside the EEA are necessary (for example, through subprocessors with infrastructure outside the EU), we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission.

8. Subprocessors

We use the following subprocessors to provide the DIS platform:

• Google Cloud Platform (GCP): Infrastructure, storage, databases, and compute. Primary data location: Belgium, EU.
• Auth0 (Okta): Authentication and identity management. Data processed within the EU where available; SCCs in place for any non-EEA processing.

We maintain a list of subprocessors and will notify customers of any changes to subprocessors. Customers will have the opportunity to object to new subprocessors in accordance with our Data Processing Addendum.

9. Cookies and Tracking

DIS uses strictly necessary cookies only. These are limited to session cookies required for authentication and basic service functionality.

• We do not use third-party advertising or tracking cookies.
• We do not use social media tracking pixels.
• We do not use analytics cookies beyond essential operational metrics.

As we rely solely on strictly necessary cookies, no cookie consent banner is required under ePrivacy regulations.

10. Data Breach Notification

In the event of a personal data breach, we follow the notification requirements set out in the GDPR:

• Supervisory authority (Art. 33): We will notify the relevant supervisory authority within 72 hours of becoming aware of a breach that is likely to result in a risk to the rights and freedoms of individuals.
• Data subjects (Art. 34): Where a breach is likely to result in a high risk to the rights and freedoms of individuals, we will notify affected data subjects without undue delay.

Breach notifications will include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach.

11. Children’s Data

DIS is not directed at individuals under the age of 16. We do not intentionally collect personal data from children. If you believe we have inadvertently collected data from a child under 16, please contact us at privacy@dagg.ai and we will promptly delete it.

12. Changes to This Policy

We may update this GDPR Data Policy from time to time to reflect changes in our processing activities, legal requirements, or regulatory guidance.

When we make changes, we will:

• Update the “Last updated” date at the top of this policy.
• Notify affected users via email or through an in-app notification.
• For material changes, provide reasonable advance notice before they take effect.

13. Supervisory Authority

As a Swedish company, our lead supervisory authority is the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY).

You have the right to lodge a complaint with IMY or with the supervisory authority in your EU/EEA member state of residence if you believe our processing of your personal data violates the GDPR.

14. Contact Us

For questions, concerns, or requests regarding this GDPR Data Policy or our data protection practices:

• Privacy inquiries: privacy@dagg.ai
• Legal inquiries: legal@dagg.ai
• Security reports: security@dagg.ai

Additional Resources:
For more information about how we protect your data and operate our service, please review:

• Privacy Policy - How we collect, use, and protect your data
• Data Processing Addendum - Our data processing terms and obligations
• Terms of Use - Legal terms governing your use of DIS
• Security & Trust - Our security architecture and practices