Privacy Policy

How Available Core collects, uses, and protects personal data. We're a Danish company, we operate under GDPR, and we process your workspace's data only to run the service you're paying us for.

Last updated · April 2026

1. Who we are

Available ApS ("Available", "we", "our", "us") is a Danish company headquartered in Denmark. Available Core is our customer-support helpdesk product. When you sign up, create a workspace, or communicate with our service, Available is the data controller for any personal data we collect about you directly, and the data processor for personal data contained inside your workspace (your customers' tickets, end-user records, knowledge-base articles, etc.).

Contact us at [email protected] for anything in this policy.

2. Data we collect

Account data (we are the controller):

  • Your name and email address, for sign-in and account notifications.
  • Your workspace slug, plan, and billing status.
  • Your role inside a workspace (owner, admin, agent).
  • Minimal usage telemetry: which pages you visited, which AI tools were invoked, response latencies. We do not run third-party analytics; this data lives in our own database and is used only to operate the service and protect our margins.

Workspace data (we are the processor):

  • Tickets, messages, internal notes, side conversations.
  • End-user records (requesters) and organizations.
  • Knowledge-base articles and collections.
  • Configuration: views, triggers, automations, SLA policies, macros, intents.
  • Audit log entries recording every mutating action.

Workspace data is yours. You decide what goes into it, how long it stays, and when it's exported or deleted. Our Data Processing Addendum (DPA) covers the terms under which we process it.

3. Why we process your data

Account data is processed on the following legal bases:

  • Contract (Art. 6(1)(b) GDPR) — to provide and bill for the service.
  • Legitimate interest (Art. 6(1)(f)) — to operate the service securely, prevent abuse, debug errors, and protect our margin via per-ticket AI-spend ceilings.
  • Consent (Art. 6(1)(a)) — where explicitly requested, such as optional product updates by email. Consent can be withdrawn at any time.

Workspace data is processed solely on your documented instructions as data controller.

4. Retention

  • Account data is retained for as long as you have an active workspace, plus 12 months after account deletion for accounting and legal obligations. You can request earlier deletion where no legal retention period applies.
  • Workspace data is retained for as long as your workspace is live. When a workspace is deleted, we perform a 30-day soft-delete (the workspace is read-only and recoverable) followed by a hard delete.
  • AI usage events are retained for up to 24 months in aggregated form for pricing math + margin analysis. Raw per-call records are pruned after 90 days.
  • Audit logs are retained for the life of the workspace so customers can meet their own compliance obligations.

5. Where your data lives

Primary data storage is in the European Union (AWS eu-west-1 / Ireland or eu-north-1 / Stockholm, as elected at provisioning time). Backups are stored in the same region.

Some subprocessors process data outside the EU (for example Anthropic and OpenAI, for LLM inference). Transfers are governed by EU Standard Contractual Clauses and the 2023 EU–US Data Privacy Framework where applicable. See the Subprocessors page for the complete list.

6. Your rights under GDPR

If we hold personal data about you, you have the right to:

  • Access a copy of that data (right to access).
  • Correct inaccurate data (right to rectification).
  • Have data deleted where no legal retention applies (right to erasure).
  • Export your data in a common machine-readable format (right to portability).
  • Object to processing based on legitimate interest.
  • Withdraw consent you previously gave.
  • Lodge a complaint with the Danish Data Protection Agency (Datatilsynet) or your local supervisory authority.

For account data held by Available directly, email [email protected]. For workspace data where Available is the processor (tickets, end users, etc.), please contact the workspace owner — they are the controller of that data.

7. Security

Workspace data is isolated at the database level via Postgres row-level security policies, enforced in Postgres itself, not just the app. The application role does not have BYPASSRLS. Access between workspaces is impossible through the query path.

Secrets (API keys, OAuth credentials) are stored in AWS Secrets Manager in production. Passwords are not stored — authentication uses email magic links and session cookies. All traffic is HTTPS-only with HSTS.

Every mutating action by a human, AI, or system is logged in the workspace's audit log with actor, subject, and cause attribution.

8. Cookies + tracking

We use strictly necessary cookies for authentication (session cookie) and CSRF protection. We do not use third-party analytics, advertising, or tracking cookies. There is no cookie-consent banner because there is nothing to consent to beyond what's required to log you in.

9. Changes to this policy

We'll post material changes here and notify active workspace owners by email. Continuing to use the service after a change constitutes acceptance of the updated policy. Previous versions are available on request.