GDPR Compliance
Last updated: March 2026
Oneway is committed to protecting the privacy and security of personal data in compliance with the General Data Protection Regulation (GDPR) and the UK GDPR. We apply the same high data protection standards to all users, regardless of location.
This page explains how Oneway meets each key GDPR requirement. For full details on what data we collect and how we use it, see our Privacy Policy.
If your company needs to ensure its tools are GDPR-compliant, this page is designed to give you the information you need.
Our compliance, point by point
1. Lawful basis for processing
We process personal data under two lawful bases: contract performance (processing your data to deliver the service you signed up for) and legitimate interest (improving the service, security, fraud prevention). We do not rely on consent for core service delivery — consent is only used for optional marketing communications.
2. Data minimisation
We only collect data that is necessary to provide the service. We do not collect data speculatively or for unrelated purposes. When connecting sub-processors, we share only the minimum data required for each to perform its function.
3. Right of access
You can access your data directly within the Oneway application at any time. For formal Subject Access Requests, we respond within 7 days (GDPR allows up to 30 days). Access requests are processed free of charge.
4. Right of rectification
You can update and correct your personal data directly in the application — account settings, contact information, and workspace details. For data you cannot edit yourself, contact us and we'll process the correction promptly.
5. Right of erasure (right to be forgotten)
You can delete your account and all associated data from your account settings. We process erasure requests within 7 days. After account deletion, all data is permanently removed from our systems. Backups containing deleted data are purged within 30 days.
6. Right to data portability
Full data export is available from within the application at any time. Your data is exported in standard, machine-readable formats (JSON/CSV). This includes conversations, contacts, articles, feedback, and all other content you've created in Oneway.
7. Consent management
Where we rely on consent (marketing emails about Oneway), consent is freely given, specific, informed, and unambiguous. You can withdraw consent at any time by unsubscribing from marketing emails — every email includes an unsubscribe link. Withdrawing consent does not affect the lawfulness of processing before withdrawal.
8. Data breach notification
In the event of a personal data breach that poses a risk to individuals' rights and freedoms, we will notify the relevant supervisory authority within 72 hours as required by GDPR Article 33. We will also notify affected users without undue delay, in accordance with Article 34, including a description of the breach, likely consequences, and measures taken to address it.
9. Data Processing Agreement (DPA)
We are preparing a standard Data Processing Agreement for customers who require one for their own GDPR compliance. If you need a DPA before our standard one is available, please contact us at privacy@oneway.tools and we'll work with you to establish appropriate data processing arrangements.
10. Sub-processors
We maintain a transparent list of sub-processors and share only the minimum data necessary with each. Current sub-processors:
- Supabase — database, authentication, real-time (EU/US)
- Amazon Web Services / AWS SES — email delivery (EU/US)
- Anthropic — AI features (US)
- Together AI — vector embeddings (US)
- Vercel — hosting and CDN (Global)
- Stripe — payment processing (US/EU)
We will notify affected customers before adding or changing sub-processors.
11. International data transfers
Some sub-processors are based in the United States. For transfers of personal data from the UK/EU to the US, we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission. Our sub-processors also maintain their own transfer mechanisms, including AWS's and Stripe's SCCs and Supabase's EU hosting options.
12. Data storage and security
All data is encrypted at rest and in transit (TLS 1.2+). Access to production systems is restricted through role-based access controls. We maintain regular encrypted backups. Passwords are salted and hashed. No employee accesses customer conversation content without explicit permission. See our Privacy Policy for full security details.
13. AI and customer data
We do not use your customer data to train AI models. AI features (chat agent, article drafting, knowledge intelligence) process data only within the context of your workspace to generate responses for your customers. No data is shared between tenants — your workspace is completely isolated. When the AI answers a customer, it searches only your knowledge base and your indexed website content.
Your responsibility as a data controller
When you use Oneway to communicate with your customers and process their data, you act as the data controller and Oneway acts as the data processor. This means:
- You are responsible for having a lawful basis to collect and process your customers' data
- You should have your own privacy policy that informs your customers about your use of Oneway and similar tools
- If you use the email marketing features, you are responsible for ensuring you have appropriate consent or another lawful basis to send marketing emails to your contacts
- If your customers exercise their GDPR rights (access, erasure, etc.), you can fulfil those requests using Oneway's data export and deletion features
Supervisory authority
For the UK, the relevant supervisory authority is the Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Helpline: 0303 123 1113
EU users may also contact their local supervisory authority.
GDPR questions?
For any questions about our GDPR compliance, data processing, or to request a DPA, contact our privacy team: