UK & International Data Protection Addendum

Effective: March 22, 2026 · Last updated: March 22, 2026

This UK & International Data Protection Addendum supplements our Privacy Policy and sets out additional information required under the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA 2018), and the Data (Use and Access) Act 2025 (DUAA 2025).

This addendum applies if you are located in the United Kingdom, the European Economic Area (EEA), or any other jurisdiction that provides equivalent data protection rights. Article references below are to the UK GDPR; the corresponding provisions of the EU GDPR carry the same article numbers.

1. Data Controller

The data controller for your personal data is:

Bestia Technologies Inc.
1600 Rosecrans Ave, Bldg 7
Manhattan Beach, CA 90266
United States

Contact: privacy@bestia.ai

2. Lawful Basis for Processing

We process your personal data under the following lawful bases as defined in UK GDPR Article 6(1):

Processing activity                       | Lawful basis                         | Article
Providing the WhatsDone service           | Performance of contract              | Art. 6(1)(b)
Processing Gmail data via Google OAuth    | Consent                              | Art. 6(1)(a)
AI processing of email content            | Performance of contract and consent  | Art. 6(1)(b) and 6(1)(a)
Service improvement via feedback          | Legitimate interest                  | Art. 6(1)(f)
Security monitoring                       | Legitimate interest                  | Art. 6(1)(f)
Responding to legal obligations           | Legal obligation                     | Art. 6(1)(c)
Transactional communications              | Performance of contract              | Art. 6(1)(b)

Where we rely on legitimate interest, we have conducted a Legitimate Interest Assessment (LIA) to confirm that the processing is necessary for the stated purpose and that our interests are not overridden by your interests, fundamental rights and freedoms. You may request a copy of any LIA by contacting privacy@bestia.ai.

3. Your Rights

Under UK GDPR, you have the following rights. We will respond to a request within one month of receiving it. Where a request is complex, or you have made several requests, we may extend this period by up to two further months; if we do, we will tell you within the first month and explain why.

3.1 Right of access (Article 15)

You have the right to request a copy of all personal data we hold about you, together with information about how we process it, the categories of data involved, the recipients, and the retention period.

3.2 Right to rectification (Article 16)

You have the right to request correction of inaccurate personal data and completion of incomplete personal data.

3.3 Right to erasure (Article 17)

You have the right to request deletion of your personal data where: the data is no longer necessary for the purpose it was collected; you withdraw consent; you object to processing and there are no overriding legitimate grounds; or the data has been unlawfully processed.

3.4 Right to restriction of processing (Article 18)

You have the right to request that we restrict processing of your personal data while we verify accuracy, assess an objection, or determine whether our legitimate interests override yours.

3.5 Right to data portability (Article 20)

You have the right to receive the personal data you have provided to us in a structured, commonly used, machine-readable format (JSON or CSV) and to transmit that data to another controller without hindrance. This right applies to data we process by automated means on the basis of your consent or a contract with you.

3.6 Right to object (Article 21)

You have the right to object to processing based on legitimate interest. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.

3.7 Rights related to automated decision-making (Article 22)

You have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects on you. WhatsDone is designed with a human in the loop: every AI suggestion requires your explicit approval before any action is taken, so no decision about you is made solely by automated processing.

3.8 Right to withdraw consent (Article 7(3))

Where we process your data based on consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal. You can withdraw consent by revoking WhatsDone's access in your Google account settings (Security, then Third-party apps with account access) or by deleting your WhatsDone account. Revoking OAuth access stops any further retrieval of your Gmail data; to have data we already hold deleted, exercise your right to erasure (section 3.3).

4. Data (Use and Access) Act 2025 (DUAA 2025)

The Data (Use and Access) Act 2025 amends the UK GDPR and the DPA 2018 rather than replacing them. Our position under its main provisions is as follows:

  • Smart data: Part 1 of the Act allows the government to establish sector-specific smart data schemes by regulation. Whether or not such a scheme applies to us, you can request your data in a machine-readable format (JSON or CSV) at any time, as described in section 3.5.
  • Digital verification services: Part 2 of the Act establishes a trust framework for certified digital verification services. We are not a certified provider under that framework. We use Google OAuth 2.0 to authenticate you and to obtain your consent to scoped access to your Gmail data; the scopes we request are shown on Google's consent screen before you grant access.
  • Automated decision-making: The Act relaxes the UK GDPR restrictions on solely automated decisions with significant effects, subject to safeguards such as the right to human intervention. We do not rely on this relaxation: WhatsDone provides meaningful human oversight of all AI-generated outputs, and no solely automated decisions with legal or similarly significant effects are made about you.
  • Controller role: For the email data we process to provide the Service we act as the data controller (section 1), not as a data intermediary between you and a third party.

5. International Data Transfers

Your data is processed and stored in the United States. We protect international transfers through the following mechanisms:

  • Transfer mechanism: For transfers from the UK we use the ICO's International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses.
  • Transfer Impact Assessments: We conduct Transfer Impact Assessments (TIAs) to evaluate the data protection framework of each destination country and implement supplementary measures where necessary.
  • Supplementary measures: We implement technical measures (encryption in transit and at rest, pseudonymisation, access controls) and organisational measures (data handling policies, staff training, incident response procedures) to ensure equivalent protection.

6. Data Protection Impact Assessment (DPIA)

We have conducted a Data Protection Impact Assessment for WhatsDone's processing activities, as required by UK GDPR Article 35. The DPIA covers:

  • The necessity and proportionality of processing email data via AI
  • Risks to the rights and freedoms of data subjects
  • Measures to mitigate identified risks (encryption, human-in-the-loop, data isolation, access controls)
  • Consultation with relevant stakeholders

The DPIA is reviewed annually or when processing activities materially change. A summary is available upon request from privacy@bestia.ai.

7. Information Commissioner's Office (ICO)

If you are not satisfied with our response to your request or believe we are processing your data unlawfully, you have the right to lodge a complaint with the Information Commissioner's Office:

  • Website: ico.org.uk
  • Telephone: 0303 123 1113
  • Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom

We encourage you to contact us first at privacy@bestia.ai so we can attempt to resolve your concern directly.

8. Contact

  • Data Protection Officer: privacy@bestia.ai
  • Privacy enquiries: privacy@bestia.ai
  • Postal: Bestia Technologies Inc., Attn: Data Protection, 1600 Rosecrans Ave, Bldg 7, Manhattan Beach, CA 90266
