Privacy

Privacy and data handling

Last updated: 11 June 2026

1. Who this notice covers

This notice explains how Service Desk Builder handles personal data when you visit the website, create an account, contact us, make a payment, apply for or receive an Service Desk Performance Audit, or run an automated AI Readiness Audit against a connected service desk platform such as Freshservice or Zendesk.

For account, billing, website, support, and product analytics data, Service Desk Builder acts as controller. For personal data read from your organisation's connected service desk platform solely to provide the audit, Service Desk Builder generally acts as processor for your organisation. Our Data Processing Addendum applies to that processor activity unless we agree a separate signed DPA.

2. Contact

For privacy, deletion, or procurement questions, email hello@servicedeskbuilder.com.

3. What we collect

  • Account details such as name, email address, authentication ID, plan, and subscription status
  • Billing and payment status from Stripe, not full card details
  • Support and enquiry messages you send to us
  • Website and product usage events needed to operate, secure, and improve the Service
  • Email address and optional first name when you choose to receive your free audit report, plus your marketing preference
  • Connected platform, platform subdomain, selected workspace where applicable, and computed audit metrics when you run an audit
  • Generated reports, scores, and remediation outputs created by the Service

4. AI Readiness Audit data

AI Readiness Audit data handling

What we read

Freshservice

  • Solution categories, folders, and articles for knowledge-base health
  • Canned responses, including content and variable usage
  • SLA policies and business hours configuration
  • Agent groups and agent list for counts and group-size metrics
  • Ticket fields configuration, including category and dropdown choices
  • Service catalogue categories and items
  • Tickets from the last 90 days for category, priority, assignment, SLA, subject, and description quality metrics

Zendesk

  • Help Centre articles, categories, and sections for knowledge-base health
  • Macros for response coverage, freshness, and duplication metrics
  • SLA policies where available on your Zendesk plan
  • Triggers, automations, groups, brands, and request-path configuration
  • Ticket forms, ticket fields, and tags for categorisation and self-service metrics
  • Tickets from the last 90 days for channel, tags, assignment, priority, SLA, subject, and description quality metrics

What we write (only when you ask)

If you use the optional task-to-ticket feature, we create Freshservice or Zendesk tickets only after you enable ticket creation and confirm the action. We write the remediation task subject, recommended fix, dimension, effort, impact, estimated score recovery, source report link, and Service Desk Builder task ID. We do not create, update, or close tickets unless you explicitly trigger that action.

If you configure Slack or Microsoft Teams notifications, we send messages to the incoming-webhook URL you provide. Those destinations are chosen and controlled by you, and the messages contain only the audit score, affected dimension names, and a link — never ticket or knowledge-base content.

What we store

We store computed scores, metrics, audit history, your connected platform, platform subdomain, selected workspace where applicable, limited category diagnostics, report access state, client labels, white-label branding assets for MSP-plan accounts, generated report outputs where needed to provide the Service, and platform ticket IDs/URLs returned when you ask us to create remediation tickets. Raw API keys are not stored.

What we never read or store

  • Your API key — held in server memory only for the duration of the audit or ticket-creation request. It is not written to any database, log file, cache, or persistent storage at any point before or after the request completes.
  • Raw ticket bodies, requester names, requester emails, or end-user contact details
  • Ticket descriptions — description length is measured in memory and the text is immediately discarded
  • Full raw Freshservice or Zendesk API responses, except limited diagnostic samples needed to debug category extraction
  • Attachments, linked files, or embedded content from tickets or KB articles

5. Service Desk Performance Audit data

Performance Audit data handling

When you enquire

The enquiry form collects your name, work email, company, job title, and structured details about your service (team size, platform, ticket volume, challenges, and your written context). We use it solely to assess whether the audit is a suitable fit and to respond to you. Enquiry details are sent to us by email through our email provider and are not exposed in client-side logs or product analytics. Please do not include passwords, API keys, or sensitive ticket contents in the form.

Audit evidence

If we proceed, the evidence used for the audit — such as exported service desk metrics, existing reports, SLA and workflow information, and questionnaire responses — is agreed with you in advance. We prefer anonymised or minimised data wherever the full content is not needed, and most analysis runs on ticket-level metrics and metadata rather than the contents of individual tickets. Where you choose to use an optional read-only integration for Freshservice or Zendesk, the AI Readiness Audit data handling described above applies to that connection.

What we ask you not to send

Passwords, API keys, and sensitive ticket contents should never be sent through the enquiry form or by email. If any evidence needs to contain sensitive material, we will agree a secure method for sharing it rather than accepting it through the website.

6. How we use data and lawful bases

Where UK GDPR or EU GDPR applies, we rely on the following lawful bases as applicable:

  • Contract: to create accounts, run audits, provide reports, manage subscriptions, and support the Service
  • Legitimate interests: to secure, debug, improve, and understand use of the Service
  • Legal obligation: to keep accounting, tax, and compliance records
  • Consent: where we ask for optional marketing or analytics consent

We record anonymous product-usage events (for example, that an audit was started or a report viewed) to understand and improve the Service. These use a random, first-party session identifier only — we do not use them to track you across other websites, and they are not sold or shared with advertisers.

7. Subprocessors and service providers

We use third-party providers to operate the Service. Current key providers include:

  • Clerk for authentication and account management
  • Stripe for payments, billing, tax, and subscription status
  • Vercel for hosting, deployment, analytics, and serverless infrastructure
  • Vercel KV or equivalent managed storage for audit records and product state
  • Resend for transactional emails and support communications
  • Anthropic for optional AI-generated remediation content where enabled
  • Freshservice APIs when you connect your own Freshservice instance for an audit
  • Zendesk APIs when you connect your own Zendesk instance

We require providers to handle data only for the services they provide to us. A current subprocessor list or security questionnaire response is available by emailing hello@servicedeskbuilder.com.

8. International transfers

Some providers may process data outside the United Kingdom or European Economic Area. Where required, we rely on appropriate safeguards such as adequacy regulations, Standard Contractual Clauses, the UK International Data Transfer Addendum, or equivalent contractual protections used by our providers.

9. Retention

  • Account and audit history are retained while your account remains active unless you delete audits or request deletion
  • Billing and transaction records may be retained for tax, accounting, and legal compliance
  • Support messages are retained while needed to respond and maintain a support history
  • Security logs and operational diagnostics are retained for a limited period needed to protect and debug the Service

You can request deletion at any time. Some records may need to be retained where required by law, fraud prevention, dispute handling, or legitimate business recordkeeping.

10. Your rights

Depending on where you are located, you may have rights to access, correct, delete, restrict, or object to the use of your personal data, and to request a copy of your data. You can exercise these rights by emailing hello@servicedeskbuilder.com.

If you are in the UK and are unhappy with our response, you can complain to the Information Commissioner's Office at ico.org.uk.

11. Security

We use reasonable technical and organisational measures to protect data, including managed authentication, encrypted provider infrastructure, limited credential handling, and least-data collection for audits. No internet service can be guaranteed completely secure.

12. Changes to this notice

We may update this notice as the Service changes. Material updates will be reflected by changing the last updated date and, where appropriate, notifying active customers.