AnrieBack to site

GDPR & Data Protection

Effective date: 2026-06-01 · Last updated: 2026-06-01

Anrie is a product of Unreal Labs, Inc. ("Unreal Labs", "we", "us"). This page explains how we handle personal data under the EU General Data Protection Regulation (GDPR), the UK GDPR, and comparable data protection laws, and how you can exercise your rights. It is provided for transparency and does not by itself constitute a contract; where a signed Data Processing Agreement (DPA) exists, the DPA governs.

1. Our role: controller and processor

Anrie acts in two capacities depending on the data involved:

  • As a data processor. When you use Anrie to do your work — for example, when Anrie reads and posts Slack messages, accesses your connected ad, commerce, and CRM platforms, and generates ad creatives — we process personal data on your behalf and under your instructions. You (the customer) are the controller of that data. This includes the content of Slack conversations Anrie participates in, creative briefs, uploaded assets, and data fetched from your connected accounts.
  • As a data controller. For a limited set of data we determine the purposes and means of processing ourselves — for example, account and workspace identity (administrator email, Slack user and team identifiers), authentication sessions, billing/usage records, security logs, and error-monitoring telemetry. For this data, we are the controller.

The remainder of this page distinguishes the two roles where it matters.

2. Lawful bases for processing

Where Unreal Labs acts as controller, we rely on the following lawful bases under Article 6 GDPR:

  • Performance of a contract (Art. 6(1)(b)) — to create and operate your account and workspace, authenticate you, and deliver the service.
  • Legitimate interests (Art. 6(1)(f)) — to secure our systems, prevent abuse, monitor errors and performance, and improve reliability, balanced against your rights and interests.
  • Legal obligation (Art. 6(1)(c)) — to comply with applicable law, including responding to lawful requests and retaining records where required.
  • Consent (Art. 6(1)(a)) — where we rely on consent (for example, optional integrations you choose to connect, or any optional communications), you may withdraw it at any time.

Where Unreal Labs acts as processor, the lawful basis for processing personal data contained in your content is determined by you, the controller. You are responsible for ensuring you have a valid lawful basis to instruct us to process that data.

3. Data subject rights

If you are an individual whose personal data we process, you have the following rights under the GDPR:

  • Right of access — to obtain confirmation of whether we process your personal data and a copy of it.
  • Right to rectification — to have inaccurate or incomplete personal data corrected.
  • Right to erasure ("right to be forgotten") — to have your personal data deleted in the circumstances set out in Art. 17.
  • Right to data portability — to receive personal data you provided in a structured, commonly used, machine-readable format, and to have it transmitted to another controller where technically feasible.
  • Right to object — to object to processing based on legitimate interests, and to object to direct marketing at any time.
  • Right to restriction of processing — to limit how we use your personal data in certain circumstances.
  • Rights related to automated decision-making — not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects, where applicable. Anrie does not make decisions producing legal or similarly significant effects without human review; spend-affecting actions require human approval.
  • Right to withdraw consent — where processing is based on consent.
  • Right to lodge a complaint — with your local supervisory authority.

Exercising your rights

  • If we are the processor (most content and connected-account data): your rights are typically exercised through the customer that controls the data — i.e., the organization whose workspace you belong to. Please contact your workspace administrator first. We will assist that customer in fulfilling verified requests as required by our DPA.
  • If we are the controller (account/identity, security, billing data): contact us directly at [email protected]. We will verify your identity before acting and respond within the statutory timeframe (without undue delay and within one month, extendable by two further months for complex requests, with notice).

To help us respond, please include the email address associated with your account and a description of the right you wish to exercise.

4. Data protection terms

For customers subject to GDPR or UK GDPR, the data protection commitments set out in this page, our Privacy Policy, and our Terms of Service — including those relating to security, subprocessors, international transfers, retention, deletion, and assistance with data subject requests — govern our processing of personal data on your behalf.

Customers requiring an additional signed Data Processing Agreement may contact [email protected], and we will work with you to put suitable terms in place before Customer Content is processed.

5. International data transfers and safeguards

Anrie's primary processing infrastructure is operated on Google Cloud Platform (GCP) in the europe-west1 region (Belgium, European Union). Our production database (Cloud SQL / PostgreSQL), analytics warehouse (BigQuery), object storage, and core application services are located in the EU.

Data residency note (important): Customer data is stored in the European Union (Google Cloud europe-west1); some object-storage buckets use the multi-region EU location. LLM inference for the Anrie agent is served via Google Vertex AI using a multi-region (global) configuration, so prompts and the conversation context Anrie reasons over may be processed outside the EU. We rely on our Google Cloud agreement and Standard Contractual Clauses for any such transfers.

Some of our subprocessors may process limited personal data outside the EEA (for example, certain AI model providers, integration brokers, and SaaS tooling). Where personal data is transferred to a country without an EU adequacy decision, we rely on appropriate safeguards under Chapter V GDPR, including:

  • EU Standard Contractual Clauses (SCCs), where applicable, with our subprocessors and within our DPA;
  • the UK International Data Transfer Addendum for UK transfers, where applicable; and
  • supplementary technical and organizational measures (encryption in transit and at rest, access controls).

A current list of subprocessors and their processing locations is maintained at /subprocessors.

Notable transfer-relevant facts:

  • Our error-monitoring provider (Sentry) ingests data in its EU (Germany) region.
  • LLM reasoning for the Anrie agent is served via Google Vertex AI (Anthropic Claude models) in a multi-region (global) configuration, which may process prompts and conversation context outside the EU under our Google Cloud agreement (Standard Contractual Clauses where applicable).

6. Subprocessors

We use a defined set of subprocessors to deliver Anrie, including cloud hosting (GCP), AI/LLM providers, integration brokering (Pipedream), communications (Slack), error monitoring (Sentry), and network/CDN services (Cloudflare). Customer-connected platforms (e.g., Meta Ads, Google Ads, Shopify, HubSpot, Notion, Google Sheets) are processed only when you choose to connect them.

The authoritative, current list — including each subprocessor's purpose, data categories, and location — is published at /subprocessors. We will provide reasonable prior notice of any new subprocessor that materially affects how Customer data is processed, by updating that page and by email or in-product notice to workspace administrators. Customers subject to GDPR or UK GDPR may object to a new subprocessor; if the objection cannot be resolved, the Customer may terminate the affected portion of the Service.

7. Our security posture

Anrie implements technical security controls including encryption in transit and at rest, network isolation in a private cloud environment, secrets management, access controls, and operational monitoring. Specific measures include:

  • Encryption in transit. TLS 1.2+ is enforced at the edge via Cloudflare (TLS 1.3 enabled, HTTPS always enforced). Database connections require TLS (sslmode=require). Internal service-to-service traffic runs over TLS.
  • Encryption at rest. Data is encrypted at rest using Google-managed encryption keys across Cloud SQL, Cloud Storage, and BigQuery. Customer-managed encryption keys (CMEK) are not currently offered.
  • Access controls. Access to production data is governed by GCP IAM with service-account scoping and least-privilege roles; internal tooling is gated behind Cloudflare Access with an email allowlist. Customer sign-in is via Slack (OIDC); enterprise SSO/SAML is on our roadmap.
  • Network isolation. Services run inside a private GCP VPC with private subnets and private database IPs; the Kubernetes cluster has no public node IPs; egress is via Cloud NAT.
  • Secrets management. Secrets are managed in GCP Secret Manager, sourced from 1Password (Production vault). Slack bot tokens are stored server-side only and never exposed to browser clients; third-party platform OAuth tokens are held by our integration broker (Pipedream), with Anrie storing only references and metadata.
  • Monitoring. Error and performance monitoring (Sentry) and GCP Cloud Logging/Monitoring with alerting are in place.
  • Backups and recovery. Cloud SQL is configured with point-in-time recovery (7-day transaction-log retention) and backup retention (14 backups), with a high-availability (regional) deployment.

We are an early-stage company and do not yet hold third-party security certifications such as SOC 2 or ISO 27001. Customers with formal compliance requirements may request a security overview at [email protected], and we will work with you to address specific questions, controls, or due diligence questionnaires.

8. Data we store (data residency and content)

To set accurate expectations:

  • Account and workspace identity (administrator email, Slack user/team identifiers, bot credentials) is stored in our EU PostgreSQL database.
  • Connected-account references (e.g., which ad accounts/campaigns are linked, platform OAuth scopes and metadata) are stored; the underlying platform OAuth tokens are held by Pipedream, not by Anrie.
  • Slack conversation content. When the Anrie bot is added to a Slack channel, we store messages, threads, and metadata from that channel on EU-hosted infrastructure (Google Cloud, europe-west1), with a BigQuery archive in the same region, to provide the agent with conversational context. Anrie only stores content from channels where the bot has been added; it does not access or store content from other channels. This is customer content processed on your behalf as processor. You can request deletion at any time by emailing [email protected]; on a verified request we delete the relevant content within 30 days.
  • Uploaded assets and generated creatives are stored in EU object storage, several buckets with automatic lifecycle/deletion policies (e.g., temporary upload buckets auto-delete after 30 days).

9. No training on customer data

We do not use your content to train our own or third-party foundation models. Your data — including Slack content, connected-account data, prompts, and generated creatives — is used solely to operate Anrie for you (agent reasoning, generation, and delivery of results).

Where we use third-party AI providers (e.g., Anthropic via Google Vertex AI, and, on the creative-generation path, providers such as OpenAI, Google Gemini/Vertex, and media-generation services), we rely on contractual and technical controls intended to prevent training on your content. Specific retention practices vary by provider — providers may, for example, retain inputs for a short period for abuse monitoring or safety review as described in their own terms. Current provider practices are summarized on our Subprocessors page.

10. Data retention

We retain personal data only as long as needed for the purposes described here or as required by law.

  • Account/workspace and identity records are retained for the life of the account and deleted within within 30 days after account closure or uninstalling the Anrie app.
  • Slack channel history / communications ledger is retained while your installation is active and deleted within within 30 days after you uninstall the Anrie app, close your account, or make a valid deletion request.
  • Object-storage assets follow per-bucket lifecycle policies (e.g., temporary uploads auto-archived/deleted within 7–90 days depending on bucket).
  • Error-monitoring data (Sentry) is retained per that provider's configured retention. Sentry retains events for within 90 days and is configured with default PII protections (sendDefaultPii disabled; replay masking enabled).
  • Backups roll off per the schedules above (PITR 7 days; 14 retained backups).

Retention periods are aligned across our systems so that, on a verified deletion request or contract termination, customer personal data — across PostgreSQL, object storage, the channel-history store, and the BigQuery ledger — is deleted or returned in accordance with the DPA.

11. Personal data breach notification

In the event of a personal data breach affecting customer personal data, we will notify affected customers without undue delay after becoming aware, consistent with our obligations as a processor under Art. 33 GDPR, and will provide the information reasonably necessary for the customer to meet their own notification obligations. Where we are a controller, we will notify the competent supervisory authority and affected individuals as required by law.

Security concerns and suspected vulnerabilities can be reported to [email protected].

12. California privacy (CCPA / CPRA)

For California residents, Unreal Labs supports rights under the California Consumer Privacy Act, as amended by the CPRA, including the rights to know, access, correct, and delete personal information, and to opt out of the "sale" or "sharing" of personal information.

  • We do not sell your personal information, and we do not "share" it for cross-context behavioral advertising.
  • When we process customer content to provide Anrie, we act as a service provider under the CCPA/CPRA and use that information only to perform the services.

To exercise California rights, contact [email protected]. Because we do not sell or share personal information, we do not maintain a separate "Do Not Sell or Share My Personal Information" mechanism.

13. UK and EU representatives; contact

UK and EU representatives

Anrie is operated by Unreal Labs, Inc. (United States). Our UK affiliate, London Unreal Labs Ltd (company number 16697867, registered at 3rd Floor 1 Ashley Road, Altrincham, Cheshire, WA14 2DT), is our establishment in the United Kingdom. Accordingly, UK data subjects and the UK Information Commissioner's Office may contact us through this UK establishment, and a representative under Article 27 UK GDPR is not required.

For the European Economic Area, Unreal Labs, Inc. has assessed its obligations under Article 27 EU GDPR. Anrie's processing of personal data of individuals in the EEA is conducted on behalf of business customers, is limited in scope to the operation of the Service, does not involve large-scale processing of special category data, and is not directed at consumers. We will appoint a representative in the EEA where and when required by applicable law, and will update this page accordingly.

No formal Data Protection Officer has been appointed; the contact below is responsible for data-protection inquiries.

Contact

For any data protection question, or to exercise your rights where Unreal Labs is the controller, contact us at [email protected]. EEA and UK data subjects may use the same address.

Unreal Labs, Inc. (a Delaware corporation; the entity behind Anrie) Registered address: 131 Continental Dr, Suite 305, Newark, DE 19713, USA Principal place of business: 2261 Market St, San Francisco, CA 94114, USA

London Unreal Labs Ltd (UK affiliate, company number 16697867) 3rd Floor 1 Ashley Road, Altrincham, Cheshire, WA14 2DT, United Kingdom

This page may be updated as our practices and infrastructure evolve. Material changes will be reflected here with a revised "last updated" date.