GDPR & Data Residency Overview

Last Updated: 2025-11-13

Company: StoragePilot Ltd (“StoragePilot”, “we”, “us”, or “our”) Registered Office: Vancouver, British Columbia, Canada Website: https://www.storagepilot.ai

StoragePilot (“the Service”) is a business-to-business platform used by self-storage facilities to manage tenant communication, reservations, gate access, and workflow automation. This document summarizes how StoragePilot handles data protection and GDPR compliance for customers located in the European Union (EU).

1. Data Residency

StoragePilot runs entirely on Amazon Web Services (AWS) in Canada (ca-central-1).

• All application data, backups, and logs are stored in Canada.
• StoragePilot does not operate EU-region infrastructure at this time.
• EU customers using StoragePilot acknowledge that data will be processed and stored in Canada.

Cross-Border Transfers

Because data is hosted outside the EU, StoragePilot relies on:

• Standard Contractual Clauses (SCCs)
• Vendor-specific data privacy protections
• Processing only for the Controller’s documented instructions

2. Categories of Personal Data Processed

StoragePilot processes only the data required to operate a storage facility:

• Tenant identity: name, phone number, email, postal address
• Lease information: unit, dates, status, delinquency
• Communication logs: SMS, email, voice transcripts
• Gate access activity and codes
• Staff/admin user accounts
• Payment metadata (Stripe holds all PCI data)

No special-category (Art. 9) data is processed.

3. Legal Basis for Processing

StoragePilot acts as a Data Processor.
The facility is the Data Controller.

Processing is based on:

• Article 6(1)(b) — performance of a contract
• Article 6(1)(f) — legitimate interests (security, operational logging)

4. Subprocessors

Infrastructure

• AWS — Compute, storage, networking, backups
• Vercel — Application hosting, edge delivery

Communications

• Twilio — SMS and voice
• Resend — Transactional email
• Nylas — Email sync and ingestion

Payments

• Stripe — Billing and payment processing

AI Providers

• OpenAI
• Google
• Anthropic
• Other Vercel AI gateway-supported models as configured

Voice

• VAPI — Voice agent orchestration
• ElevenLabs — Text-to-speech

5. Security & Encryption

• Encryption at rest with AWS KMS (AES-256)
• Encryption in transit with TLS 1.2+
• Backups encrypted; retained 30–90 days
• Strict internal access controls
• Network protections through AWS and Vercel

6. Data Retention

• Customer data remains for the duration of the subscription.
• Communication logs: 12–24 months (configurable).
• Backups: 30–90 days, rolling.
• After contract termination, customer data is retained for up to 12 months for audit, financial, and security purposes, then permanently deleted.

Customer data exports are available at any time.

7. Data Subject Rights

StoragePilot assists the Controller with:

• Access
• Rectification
• Erasure
• Restriction
• Portability

Requests must be submitted by the Controller.

8. Breach Notification

If StoragePilot becomes aware of a breach affecting an EU customer:

• Notice is sent within 72 hours
• Follow-up includes scope, impact, mitigations, and recommendations.

9. Contact Information

StoragePilot Data Protection Contact
info@storagepilot.ai
Vancouver, BC, Canada