GDPR & privacy
We do not store your client data.
This is the plain-language version of how Lowkey handles data across its tools. It is written to be read, not to cover us. If you are a firm working with us and need the formal data processing agreement, ask and we will send it.
The short version
- We do not keep the documents or client facts you put into a Lowkey tool. They are processed to produce your form or memo, then discarded.
- Everything that touches your data runs on EU infrastructure. No client data is sent outside the EU.
- We keep only what running an account and invoicing require: who you are, and that a document was produced and when. Not its contents.
- Your firm stays the controller of your clients' data. Lowkey acts as your processor.
What we process, and what we keep
Uploads and client facts
The contract, pay slip, structure details, or other facts you give a tool are read only to generate your result. They live in memory for the length of that request and are not written to a database or a file store. We do not build profiles and we do not reuse your inputs to train anything.
Account and billing data
For the portal we keep your name, work email, firm, VAT number, and payment status, so we can run your account and invoice you. Payments and invoicing run through Stripe. We never see or store full card numbers.
Usage records
We store one line per finished document: which tool, and the timestamp, so billing is correct and you can see your own history. That line holds no client content.
Where it runs: EU only
Lowkey is built so that data residency holds by construction, not by promise. Each layer that can touch your data sits in the EU:
| Hosting / front door | Cloudflare (Pages and Workers), served from EU edge locations. |
| Reading uploads (AI) | AWS Bedrock in the EU region (Ireland), using EU-resident Claude inference profiles. We do not call US inference endpoints. |
| Database | Cloudflare D1, Western Europe region. |
| Document processing | A dedicated server at Hetzner in Nuremberg, Germany. |
| Payments | Stripe, for billing and contact data only, under its EU processing terms. |
We deliberately do not use any model or service that would move client data outside the EU. The parts that do the actual form-filling and the figures are plain, deterministic code. A model only reads messy uploads so a human does not have to retype them.
Who else processes data for us
We use a small, fixed set of processors, listed above: Cloudflare (hosting and database), Amazon Web Services (EU Bedrock, for reading uploads), Hetzner (document processing), and Stripe (payments). Each is bound by a data processing agreement and, where a transfer would otherwise occur, by EU standard contractual clauses. We do not sell data and we do not share it for advertising.
Your rights
Under the GDPR you can ask us to give you a copy of your personal data, correct it, delete it, restrict or object to how we use it, or hand it to you in a portable form. Because we do not keep the documents themselves, most requests concern your account and billing data. Email us and we will respond within one month.
You also have the right to complain to the Dutch supervisory authority, the Dutch Data Protection Authority.
Who we are, and how to reach us
Lowkey is operated by Lowkey Automation, a sole proprietorship registered with the Dutch Chamber of Commerce (KvK) under number 42057580, based in Amsterdam, the Netherlands. For any privacy question or to exercise a right above, email privacy@lowkeyautomation.com.