CustomerEagle Privacy Policy
Last updated: 14 July 2026
1. Who We Are
CustomerEagle is a business-to-business customer-support and AI-automation platform operated by RSG Digital, trading as CustomerEagle ("CustomerEagle", "we", "us" or "our").
RSG Digital is established in the Netherlands at Blauwven 7, 5508 RC Veldhoven, the Netherlands, and is registered with the Dutch Chamber of Commerce under number 42085647.
For privacy questions or requests, contact [email protected]. If we appoint a Data Protection Officer or another statutory privacy representative, the current contact details will be published in this Policy.
2. Scope of This Policy
This Privacy Policy explains how CustomerEagle handles personal data when we act as a controller, including when you visit customereagle.com or another CustomerEagle website, create or administer a CustomerEagle account, request a demonstration, contact us, receive our business communications, use our platform as an authorised user, or interact with our own support team.
CustomerEagle customers use the platform to communicate with their own customers, prospects and other end users. For personal data submitted to the Service by a customer, CustomerEagle generally acts as a processor or service provider on that customer's instructions. The customer remains responsible for its own privacy notice, legal basis, consent choices and instructions. Section 4 explains this distinction.
This Policy does not replace the privacy notices of businesses that use CustomerEagle, and it does not govern third-party websites, applications or services that have their own privacy policies.
3. Key Terms
“Customer” means a business or organisation that subscribes to or evaluates CustomerEagle. “Authorised User” means a person permitted by a Customer to use a CustomerEagle workspace. “End User” means a person who communicates with a Customer through a CustomerEagle-powered channel. “Customer Content” includes conversations, messages, emails, contact records, attachments, knowledge-base material, order or account information, prompts, AI outputs and other data processed for a Customer. “Personal data” means information relating to an identified or identifiable natural person.
4. When CustomerEagle Is Controller and When It Is Processor
We act as controller when we determine why and how personal data is processed for our own business purposes, such as account administration, billing, website operation, security, fraud prevention, product analytics, legal compliance, sales and our own customer support.
We generally act as processor when a Customer uses CustomerEagle to process End User conversations, imported contacts, help-centre content, ecommerce information, support tickets, attachments and connected-system data. In that situation, the Customer controls the processing and our Data Processing Addendum (DPA) governs our processing.
If you are an End User of one of our Customers and want to exercise privacy rights relating to a support conversation or customer record, contact that Customer first. We will assist the Customer as required by the DPA and applicable law. We may still process limited data as controller for security, abuse prevention, legal compliance and service integrity.
5. Personal Data We Collect
5.1 Account, Identity and Business Contact Data
We may collect your name, business email address, telephone number, job title, company name, workspace, role, profile image, preferred language, login identifiers, identity-provider information and multi-factor-authentication status.
5.2 Subscription, Billing and Transaction Data
We may collect subscription plan, purchased features, invoice details, billing address, VAT information, transaction status, payment method type, usage quantities and payment-provider references. Full payment credentials are generally processed directly by our payment provider rather than stored by CustomerEagle, depending on the payment method used.
5.3 Customer Content and End User Data
Depending on how a Customer configures the Service, Customer Content may include names, email addresses, telephone numbers, usernames, customer or order identifiers, account details, support messages, emails, chat transcripts, social or messaging-channel identifiers, uploaded files, attachments, notes, tags, satisfaction feedback, website activity shared during a support session and information retrieved through connected services.
Customers determine what Customer Content they submit. We ask Customers not to use the Service for special-category data, full payment-card data, passwords, authentication secrets, medical records, government identifiers or children's data unless the applicable product and written agreement expressly support that processing.
5.4 Knowledge, Website and Imported Content
The Service may process help-centre articles, internal documentation, product information, public webpages selected for crawling, files uploaded to a knowledge base and structured data imported from a Customer's systems. This content may contain names, authorship information or other personal data.
5.5 Integration and Connected-Service Data
When a Customer connects a third-party service, we may receive account identifiers, access tokens, installation information, channel metadata and the data the Customer authorises that service to provide. The precise data depends on the integration, permissions selected and the third party's API.
5.6 AI Inputs, Outputs and Configuration
We process prompts, conversation context, retrieved knowledge, instructions, model settings, confidence information, classifications, summaries, suggested replies, automated replies and feedback about AI outputs. We may also process safety and audit signals used to prevent misuse and investigate errors.
5.7 Device, Usage, Log and Security Data
We may automatically collect IP address, approximate location derived from IP, browser type, device and operating-system information, language, referring page, timestamps, session identifiers, pages and features used, clicks, error reports, API activity, authentication events, audit logs, performance information and security or fraud signals.
5.8 Communications, Sales and Support Data
If you contact us, request a demo, attend an event, respond to a survey or communicate with our sales or support teams, we may process your contact details, correspondence, meeting details, support records, call notes and preferences. Calls or screen-sharing sessions are recorded only where enabled and with any notice or consent required by law.
5.9 Cookies and Similar Technologies
We use cookies, local storage, pixels, SDKs and similar technologies for essential operation, authentication, preferences, security, analytics and, where enabled, marketing. Section 10 provides more information.
6. Sources of Personal Data
We receive personal data directly from you; from the Customer or organisation you represent; from End Users communicating with a Customer; from connected ecommerce, email, messaging, identity, collaboration or payment services; from public websites selected by a Customer; from service providers; and from automatically collected usage and security events.
Where a Customer provides personal data about another person, that Customer is responsible for having an appropriate legal basis and providing required information to that person.
7. How and Why We Use Personal Data
We process personal data only for specified purposes and under an applicable legal basis. The legal basis may differ depending on the relationship, jurisdiction and context. Our principal purposes and GDPR legal bases are summarised below.
| Purpose | Data | Legal basis |
|---|---|---|
| Create and administer accounts, workspaces and permissions | Account, identity, company, role, authentication and usage data | Performance of a contract; legitimate interests in administering business accounts and preventing misuse |
| Provide, maintain and support the Service | Account data, Customer Content, integration data, device data, support communications | Performance of a contract; legitimate interests in operating and improving a reliable B2B service |
| Process subscriptions, invoices and payments | Billing, transaction, company and contact data | Performance of a contract; compliance with tax and accounting obligations |
| Operate AI and automation features | Prompts, conversation context, retrieved knowledge, outputs, settings and feedback | Performance of a contract when providing the requested feature; Customer instructions where we act as processor |
| Secure the Service and prevent fraud or abuse | Login events, IP address, logs, device information, audit and security signals | Legitimate interests in protecting users, Customers and the Service; legal obligations where applicable |
| Analyse performance and improve the product | Usage, error, performance and aggregated or de-identified data | Legitimate interests in improving functionality and reliability; consent for non-essential analytics where required |
| Provide support and communicate about the Service | Contact details, correspondence, account and diagnostic data | Performance of a contract; legitimate interests in customer service and business communications |
| Send marketing and measure campaigns | Business contact details, preferences, engagement and campaign data | Consent where required; otherwise legitimate interests in relevant B2B marketing |
| Comply with law and protect legal rights | Relevant account, billing, communication, log and Customer data | Compliance with legal obligations; legitimate interests in establishing, exercising and defending legal claims |
7.1 When Providing Data Is Required
Certain account, authentication, billing and contract information is required to create or administer a paid CustomerEagle account. If it is not provided, we may be unable to open the account, process payment or provide the requested Service. Other information, including optional profile fields, survey responses and non-essential cookie choices, is voluntary. A Customer may separately require End Users to provide information for its own support purposes; that Customer is responsible for explaining the consequences of not providing it.
8. Providing the Service as a Processor
When we act as processor, we process Customer Content to host, transmit and organise conversations; operate inboxes, widgets and help centres; search and retrieve knowledge; generate AI-assisted content; execute configured workflows; connect integrations; provide analytics; prevent abuse; troubleshoot; back up the Service; and follow the Customer's documented instructions.
The Customer determines the legal basis and purposes for this processing. We do not independently use Customer Content for advertising to End Users or sell Customer Content. Our DPA describes confidentiality, security, subprocessors, international transfers, deletion and assistance with rights requests.
We may use aggregated or de-identified information for service reliability, capacity planning, analytics, security and product improvement where individuals and Customers are not identifiable and we do not attempt to re-identify them.
9. Artificial Intelligence and Automated Processing
CustomerEagle uses AI systems to classify messages, identify intent and sentiment, retrieve relevant knowledge, create summaries, recommend actions, draft or send replies, detect gaps and support other configured automations.
AI outputs are probabilistic and may be inaccurate or incomplete. Customers control whether features are enabled, which knowledge is used, confidence and escalation settings, whether human approval is required and how outputs are used. Customers should apply human review where an error could materially affect a person.
Unless a Customer expressly opts in under a separate and clearly described programme, CustomerEagle does not use Customer Content to train a general-purpose or cross-customer AI model. We may use Customer-specific retrieval indexes, embeddings and configuration solely to provide the Service to that Customer.
We may send limited, purpose-specific AI inputs to OpenAI or DeepSeek when the Customer enables a feature that uses those providers. Before outbound AI processing, CustomerEagle applies its configured personal-data filtering and sends only the context needed for the requested function. These providers act under contractual data-protection terms. Current processing locations and transfer safeguards can be requested at [email protected].
CustomerEagle does not itself make decisions producing legal or similarly significant effects about End Users solely through automated processing. A Customer may configure automated workflows; the Customer is responsible for determining whether automated-decision rules apply, providing required notices and implementing human review, objection and appeal mechanisms.
10. Cookies and Similar Technologies
Strictly necessary technologies support login, load balancing, fraud prevention, security, consent preferences and core functionality. These generally cannot be disabled through our preference centre because the Service cannot operate correctly without them.
With consent, we use PostHog EU Cloud for anonymous website and product analytics, limited surveys and session replay on public marketing pages. Analytics events use allow-listed screen categories and do not include account identity, Customer identity, End User identity, message content, Customer Content or full page URLs. Replay masks all text and form inputs and blocks media. We do not currently use non-essential technologies for targeted advertising.
You can accept or reject analytics in the consent banner and change your choice at any time using the Cookie settings button below this Policy. Withdrawal stops further non-essential analytics collection. Browser settings can also block or delete storage, although this may affect functionality. The consent choice itself is stored in your browser's local storage until you change it or clear site data.
11. Marketing and Business Communications
We may send service messages needed to administer an account, including security alerts, invoices, support updates and important product or legal notices. These are not promotional messages and may be required to provide the Service.
We may send business marketing communications where permitted by law, based on consent or our legitimate interest in promoting relevant B2B services. You may unsubscribe using the link in a message or by contacting [email protected]. Opting out of marketing does not stop necessary service communications.
We may retain limited suppression information to ensure that a marketing opt-out continues to be respected.
12. How We Share Personal Data
We may disclose personal data to the following categories of recipients only where necessary and subject to appropriate safeguards:
12.1 Service Providers and Subprocessors
Our core provider categories currently include Railway for application hosting, Cloudflare for content delivery, storage and custom domains, Stripe for billing and payments, Resend for transactional email, OpenAI and DeepSeek for enabled AI functions, PostHog EU Cloud for consent-based anonymous analytics, and Sentry-compatible monitoring where configured. Other infrastructure, integration and professional-service providers are used only as needed. For the current legal entities, processing locations, purposes and transfer safeguards, contact [email protected].
12.2 Customers and Authorised Users
Customer Content is available to the Customer that controls the relevant workspace and to Authorised Users according to the Customer's permissions. Customers are responsible for assigning appropriate access.
12.3 Integration Providers
When a Customer enables an integration, data may be exchanged with the connected service according to the Customer's instructions and the third party's terms and privacy policy.
12.4 Professional Advisers and Authorities
We may share data with auditors, insurers, lawyers, accountants and other professional advisers, and with courts, regulators, law-enforcement bodies or public authorities where required by law or reasonably necessary to establish, exercise or defend legal claims, protect rights and safety, investigate fraud or enforce our agreements.
12.5 Corporate Transactions
Personal data may be disclosed in connection with a financing, merger, acquisition, reorganisation, insolvency or sale of all or part of our business or assets, subject to confidentiality and applicable law.
13. International Data Transfers
CustomerEagle is established in the Netherlands, but service providers and integration partners may process personal data in other countries. Some countries may not provide the same statutory level of protection as the European Economic Area.
Where EU or EEA personal data is transferred to a country without an adequacy decision, we use an appropriate transfer mechanism, such as the European Commission's Standard Contractual Clauses, together with supplementary technical, contractual and organisational measures where required. For restricted transfers governed by UK law, we may use the UK International Data Transfer Agreement or the UK Addendum to the EU clauses.
Information about relevant transfers and a copy of applicable safeguards, with confidential information removed where necessary, may be requested at [email protected].
14. Data Retention
We retain personal data only for as long as reasonably necessary for the purpose for which it was collected, including to provide the Service, comply with law, resolve disputes, enforce agreements and maintain security. Workspace owners can configure retention for conversations and AI logs. Deletion may be delayed where a legal hold, security investigation or statutory duty applies.
| Category | Retention |
|---|---|
| Customer Content in an active paid workspace | For the Subscription Term, subject to Customer-configured retention and the DPA. |
| Customer Content after termination or a verified deletion instruction | Deleted or anonymised in accordance with the Customer's configuration, documented instructions, Order Form and DPA. Residual encrypted backups are isolated from ordinary use and overwritten during the normal backup cycle. |
| Trial or inactive free workspace data | For the trial or account relationship and then until the workspace is deleted or anonymised under the applicable account terms and operational deletion cycle. |
| Account profile and workspace administration data | For the account relationship and afterwards only as needed for support, fraud prevention, security, legal compliance or dispute handling. |
| Invoices, payments and tax records | Generally 7 years where required for Dutch business administration, or longer where another legal rule applies. |
| Security, authentication and audit logs | Organisation audit logs are normally kept for 90 days and platform-administration audit logs for 180 days. Relevant records may be kept longer for an active incident, investigation, legal hold or contractual audit requirement. |
| Direct-marketing records | Until opt-out or while there is a current business relationship or demonstrable marketing purpose. A minimal suppression record may be retained to honour opt-outs. |
| CustomerEagle support cases and legal correspondence | For as long as needed to resolve and document the matter and afterwards where necessary for a dispute, security investigation or legal obligation. |
| Cookie and consent choice | Stored in the browser until the visitor changes the choice or clears site data. |
15. Security
We use technical and organisational measures designed to protect personal data, including encryption in transit, access controls, role-based permissions, tenant separation, secrets management, logging, monitoring, backups, vulnerability management and incident-response procedures, as appropriate to the risk and Service configuration.
No method of transmission or storage is completely secure. Customers are responsible for account permissions, identity-provider security, endpoints, API keys, integration credentials, safe configuration and avoiding sensitive information in ordinary conversations where the Service is not intended to process it.
If we become aware of a personal-data breach affecting Customer Content, we will notify the relevant Customer without undue delay in accordance with the DPA. When CustomerEagle acts as controller, we will notify affected individuals and authorities where required by law.
16. Your Privacy Rights
Depending on applicable law and our role, you may have the right to request access to personal data; correction of inaccurate or incomplete data; deletion; restriction of processing; portability; objection to processing based on legitimate interests; and withdrawal of consent at any time without affecting earlier lawful processing.
You also have the right to object at any time to direct marketing. Where a decision is based solely on automated processing and produces legal or similarly significant effects, you may have rights to human intervention, to express your point of view and to challenge the decision.
These rights are not absolute. We may refuse or limit a request where an exemption applies, the request concerns data we process only on a Customer's instructions, or we must retain information for legal, security or claims purposes.
17. How to Exercise Your Rights
Send a request to [email protected] and describe the information and relationship concerned. We may request proportionate information to verify identity and authority. Do not send a copy of an identity document unless we specifically request a secure form of verification.
If your request concerns a business that used CustomerEagle to communicate with you, contact that business first. If you contact us directly, we may forward the request to the relevant Customer and assist it in responding.
We aim to respond within the period required by applicable law. Under the GDPR, this is generally one month, although it may be extended for complex or numerous requests after notice. Requests are normally free, but the law may allow a reasonable fee or refusal for manifestly unfounded or excessive requests.
18. Complaints
Please contact us first so we can investigate your concern. You also have the right to complain to the supervisory authority in the country where you live or work or where the alleged infringement occurred.
Our lead supervisory authority in the Netherlands is the Autoriteit Persoonsgegevens (Dutch Data Protection Authority). Information about submitting a complaint is available on its official website.
19. Children
CustomerEagle is a B2B service and is not directed to children. We do not knowingly create accounts for persons under 18. Customers must not intentionally use the Service to collect personal data directly from children where parental consent or other special protection is required unless they have implemented the required notices, consent mechanisms and safeguards.
If you believe personal data from a child has been submitted improperly, contact [email protected] and identify the relevant Customer or workspace where possible.
20. Third-Party Websites and Services
Our websites and Service may link to or integrate with third-party services. Those parties determine their own processing for activities outside CustomerEagle's instructions. Review their privacy information before providing data or enabling an integration. We are not responsible for third-party privacy practices.
21. Changes to This Policy
We may update this Policy to reflect changes in law, technology, providers or our processing. We will update the date at the top and provide additional notice of material changes where appropriate. If we rely on consent for a materially different purpose, we will request new consent where required.
22. Contact Details
RSG Digital, trading as CustomerEagle
Blauwven 7, 5508 RC Veldhoven, the Netherlands
Chamber of Commerce (KvK): 42085647
Privacy email: [email protected]
Legal email: [email protected]
Schedule 1 - Additional US State Privacy Disclosures
This Schedule applies only where CustomerEagle is subject to an applicable US state consumer privacy law and acts as a business or controller, rather than solely as a processor or service provider for a Customer. Terms such as “consumer”, “personal information”, “sale”, “sharing”, “targeted advertising” and “sensitive data” have the meanings given by the applicable law.
In the preceding 12 months, we may have collected the categories described in Section 5, including identifiers; customer-record and commercial information; internet or electronic-network activity; approximate geolocation; professional or employment-related information; audio or visual information where a call or session is recorded; inferences such as product interests or support classifications; and account credentials or other sensitive information where required for authentication and security.
We use and disclose these categories for the purposes described in Sections 7 through 13, including account and service delivery, security, billing, support, analytics, legal compliance, integrations and marketing where permitted. Recipient categories include service providers, contractors, Customers, integration partners, professional advisers, authorities and transaction counterparties.
We do not sell personal information for money and do not use personal information for cross-context behavioural or targeted advertising. Our consent-based PostHog analytics is configured for anonymous, allow-listed product and website events and excludes Customer Content and direct account, Customer and End User identifiers. You may disable it at any time through Cookie settings.
Subject to applicable law, residents may have rights to know or access, correct, delete and obtain a portable copy of personal information, and to opt out of sale, sharing, targeted advertising or certain profiling. Residents may also have a right to limit certain uses of sensitive personal information and to appeal a refusal. We will not unlawfully discriminate against a person for exercising a privacy right.
Requests may be submitted to [email protected] or through the CustomerEagle contact page. We may verify identity and authority. An authorised agent may submit a request where permitted, subject to proof of authority and identity verification. Where we process data solely for a Customer, we will direct the request to that Customer.
Where applicable law requires an additional notice at collection, we provide it at or before the relevant collection. We review these disclosures regularly and update them when our practices materially change.