Privacy Policy
Effective date: 1 June 2026 · ServiceChanger B.V.
Who We Are
ITSM Autopilot is a service of ServiceChanger B.V., a private limited company registered in the Netherlands (Oost Gelre). We provide AI-powered automation for IT service desks.
- Controller: ServiceChanger B.V.
- Contact: info@servicechanger.com
- Supervisory authority: Autoriteit Persoonsgegevens (AP), autoriteitpersoonsgegevens.nl
What Data We Collect and Why
- Account data: Name, business email address, and company name when you create an account. Used to provide the service and communicate with you.
- IT support ticket data: Content of tickets received via webhook from your ITSM platform (subject, description, status, priority, category, assigned team). Processed solely to run your configured AI agents. We are a data processor for this data — your organization is the controller.
- Activity and audit logs: Records of which agents ran on which tickets and what actions were taken. Used for transparency, debugging, and your own monitoring. Ticket logs are automatically deleted after 180 days.
- Knowledge base articles: Content extracted from resolved tickets, including problem descriptions, root causes, and workarounds. All personal data is masked before storage (see PII Masking below).
- Billing data: Payment information is processed by Stripe. We do not store card details. We store Stripe customer and subscription identifiers.
- Authentication data: Hashed passwords and session tokens managed by Supabase Auth. We do not have access to plaintext passwords.
- Service usage data: Basic usage patterns for improving the service (e.g., which features are used). No third-party analytics or advertising trackers.
Legal Basis for Processing
We process personal data on the following legal grounds under GDPR:
- Contract performance: processing your account data and ticket data is necessary to deliver the service you subscribed to (Art. 6(1)(b) GDPR).
- Legitimate interest: maintaining security logs and audit trails (Art. 6(1)(f) GDPR).
- Legal obligation: compliance with applicable EU and Dutch law (Art. 6(1)(c) GDPR).
- For special category data: we do not intentionally process special category data. If ticket content happens to include such data, it is subject to the same PII masking procedures.
PII Masking
Structured personal data is automatically detected and replaced with placeholders before being stored in our database. This applies to all knowledge base articles and activity logs.
- Email addresses → [EMAIL]
- Phone numbers → [PHONE]
- IP addresses → [IP]
- Credit card numbers → [CARD]
- Social security / BSN numbers → [SSN]
Sub-Processors
We use the following sub-processors to deliver the service. All sub-processors are contractually bound to process data only on our instructions and in compliance with GDPR.
- Supabase (database and authentication): Data stored in the European Union. supabase.com
- OpenAI (AI processing): Ticket data is sent to OpenAI using your own API key. You have a direct data processing relationship with OpenAI. We act as a technical intermediary only.
- Stripe (billing and payments): Processes payment information. stripe.com/privacy
- Resend (transactional email): Sends account-related emails (verification, welcome, billing notifications). resend.com
- Vercel (hosting and infrastructure): Application is hosted on Vercel. vercel.com/legal/privacy-policy
Data Retention
We retain personal data only as long as necessary for the stated purpose.
- Account data: retained for the duration of the subscription and deleted within 30 days of account deletion.
- Ticket activity logs: automatically deleted after 180 days, regardless of account status.
- Knowledge base articles: retained until manually deleted by the Customer, or within 30 days of account deletion.
- Billing records: retained for 7 years in accordance with Dutch bookkeeping requirements (Art. 2:10 BW).
- Security and audit logs: retained for 180 days.
Data Security
We apply the following security measures to protect your data:
- Encryption: All data is encrypted in transit (TLS 1.3) and at rest.
- Row-level security: Each organization's data is isolated at the database level. No organization can access another's data.
- Credential vault: API keys and credentials are stored in an encrypted vault (Supabase Vault). We do not have access to plaintext secrets.
- Access controls: Access to production systems is limited to authorized personnel. Two-factor authentication is enforced internally.
- Breach notification: In the event of a personal data breach, we will notify the supervisory authority within 72 hours (GDPR Art. 33) and affected Customers without undue delay (Art. 34) where legally required.
Your Rights Under GDPR
As a data subject, you have the following rights. To exercise them, contact us at info@servicechanger.com.
- Right of access: request a copy of the personal data we hold about you.
- Right to rectification: request correction of inaccurate data.
- Right to erasure: request deletion of your personal data under certain conditions.
- Right to restriction: request that we restrict processing of your data.
- Right to data portability: request your data in a machine-readable format.
- Right to object: object to processing based on legitimate interest.
- Right to lodge a complaint: with the Autoriteit Persoonsgegevens (AP) at autoriteitpersoonsgegevens.nl.
Cookies
ITSM Autopilot uses only essential cookies necessary for authentication and session management. We do not use:
- Tracking or advertising cookies
- Third-party analytics (Google Analytics, Hotjar, etc.)
- Social media pixels
OpenAI and Your Data
When you configure AI agents, ticket content is sent to OpenAI using your own API key. This means:
- You have a direct contractual relationship with OpenAI. Review their data usage policies at openai.com/policies.
- OpenAI does not use API data for model training by default.
- We act as a technical intermediary. We do not control how OpenAI processes this data.
- With Pre-AI masking enabled: structured personal data is stripped before sending, and store=false prevents temporary retention by OpenAI.
- We do not sell, share, or use your ticket data for any purpose other than operating your configured agents.
Policy Updates
We may update this Privacy Policy from time to time. We will notify you of significant changes via email at least 30 days before they take effect. The updated policy will be published on this page with its effective date. Continued use after the effective date indicates acceptance. If you do not agree, you may terminate your subscription before the effective date.