Introduction & Scope
OneGlimpse B.V. is a private limited company registered in the Netherlands, Chamber of Commerce number 78315654, VAT NL861343529B01. We act as the Data Controller for personal data relating to our customers’ accounts, billing, support requests and our own service operations. We act as the Data Processor for personal data contained in messages, contacts and conversations that you and your end users process through the Services.
This policy applies to dmchamp.com, app.dmchamp.com, our APIs and webhooks, and any sub-account on an Agency Customer’s white-label domain where DM Champ acts as processor. For end users of an Agency’s white-label deployment, the Agency’s own privacy policy controls and DM Champ is the back-end processor (see Section 15).
The Effective Date of this policy is May 19, 2026.
Information We Collect
Information you give us directly
- Account information: name, email address, phone number, company name, role, billing address and tax identifiers
- Profile data: profile picture, time zone, language preferences, notification settings
- Workspace configuration: campaign settings, bot instructions, FAQ resources, custom function configurations, integration settings
- Communications with us: support tickets, chats and emails, including any attachments you choose to share
Business data you upload or process through the Services
- Contacts you import or that arrive through inbound messages (name, phone, email, social profile identifiers and any custom fields you add)
- Conversation content across supported channels (text, voice notes, images, videos and documents your end users send)
- AI training resources such as FAQs, documents, knowledge base content and product information
- Custom function configurations and the inputs and outputs of any custom functions you run
Payment information
When you subscribe to a paid plan or top up credits, payment information is processed by Stripe. We do not store full card numbers or other sensitive payment credentials on our servers. We do store a token, the last four digits of your card, the card brand, and the billing address associated with your account.
Information we receive from third parties
- OAuth profile data from Google and Meta when you connect those accounts (for example, to enable Calendar booking or to authenticate Instagram or Messenger pages)
- Meta-supplied data about the Facebook Pages and Instagram accounts you connect, including page identifiers, names and messages directed to those pages
- Information from your end users that they send through any channel you have connected to DM Champ
Information we collect automatically
- Usage telemetry: pages visited, features used, actions taken, errors encountered
- Device and connection: IP address, browser type and version, operating system, device identifiers, referrer URL
- Approximate location derived from your IP address (typically city-level)
- Server logs and security events, including authentication attempts and rate-limit triggers
How We Use Information
- To provide, operate, maintain and improve the Services
- To process AI conversations through Anthropic Claude and, for media understanding and selected helper tasks, Google Gemini
- To deliver and meter messages across supported channels (WhatsApp, Instagram, Messenger, SMS, web chat)
- To provide customer support and respond to your requests
- To process billing, manage your subscription and detect billing fraud
- To secure the Services, including by detecting and preventing abuse, fraud and security incidents
- To create aggregate, de-identified analytics that help us improve the Services
- To send service emails (security alerts, billing notices, account changes) and, with your separate consent, marketing emails
- To comply with legal obligations and respond to lawful requests
We do not sell personal data and we do not share personal data with third-party advertisers for cross-context behavioural advertising.
AI Processing Transparency
AI conversations are routed primarily to Anthropic Claude. Specialised tasks (including transcription of voice notes, understanding of images and videos, and selected helper calls) are routed to Google Gemini. We have entered into enterprise agreements with both providers that prohibit them from training their generally available models on your data.
If you connect your own Anthropic API key (BYOK), AI calls that would otherwise be billed by us are billed by Anthropic directly to your account. Your relationship with Anthropic and the terms of your Anthropic account govern that usage in addition to this policy.
You are the Data Controller for end-user messages that you process through DM Champ. We act as the Processor of that data and process it only on your documented instructions, in accordance with our DPA.
Legal Bases (GDPR / UK GDPR)
- Contract performance: processing necessary to provide the Services you have signed up for
- Legitimate interests: security, fraud prevention, product improvement, defending legal claims, business-to-business prospecting (with an easy opt-out)
- Consent: marketing emails, optional analytics and marketing cookies, and any sensitive processing where consent is required
- Legal obligation: tax, accounting, anti-money-laundering and other regulatory requirements that apply to us
Where we rely on legitimate interests, we have carried out a balancing assessment and we can share a summary on request. You can object at any time by contacting hi@dmchamp.com.
Data Sharing & Sub-Processors
We share personal data with Sub-processors who help us provide the Services. We require all Sub-processors to enter into data protection agreements that meet GDPR Article 28 requirements.
| Sub-processor | Purpose | Primary Location |
|---|---|---|
| Anthropic | Primary large language model provider | United States |
| Google | Gemini for media understanding; Calendar and Drive OAuth | European Union / United States |
| Meta Platforms | WhatsApp Business API and Cloud API, Instagram Graph API, Messenger | United States / European Union |
| Twilio | SMS and WhatsApp delivery; phone number provisioning | United States |
| Stripe | Payment processing | United States / European Union |
| Hetzner | EU dedicated server hosting (WhatsApp Web service and supporting tooling) | Germany |
| Google Cloud Platform | Specific Cloud Functions in EU regions | European Union |
| Firebase (Google) | Authentication and Firestore database in EU regions | European Union |
| Composio | Third-party integrations for Custom Functions | United States |
| BrightData | Residential and ISP proxies for WhatsApp Web reliability | Israel / United States |
| Algolia | Search index for in-app search | European Union |
We do not sell personal data and we do not share personal data with third-party advertisers. We may share personal data with professional advisors (legal, accounting, audit) under confidentiality obligations, and we may share data in connection with a merger, acquisition or sale of assets subject to appropriate protections.
International Transfers
Personal data is primarily processed in the European Union (the Netherlands and Germany). Where personal data is transferred outside the European Economic Area, including to the United States for Anthropic, Stripe, Twilio, Meta, Composio and the US regions of Algolia, we rely on the following safeguards:
- The European Commission’s Standard Contractual Clauses (Decision 2021/914)
- The UK International Data Transfer Addendum to the EU SCCs
- Where applicable, the EU-US Data Privacy Framework for participating recipients
- Adequacy decisions where available for the destination country
A copy of the SCCs we rely on is available on request, with confidential pricing and security details redacted.
Data Retention
- Active account data: retained for the life of your account
- Conversation and message data: three years after the last activity on a contact, by default; configurable in your dashboard to a shorter period
- Financial records: seven years, in line with Dutch tax law
- Backups: up to 90 days after deletion from active systems
- Marketing consent records: retained until you withdraw consent, plus a reasonable period for audit purposes
- Server logs and security events: typically up to 12 months
- Aggregated and de-identified analytics: retained indefinitely; this data does not identify any individual
When you cancel your subscription, you can export your data for 30 days. After that we will delete Customer Data from active systems in the normal course and from backups within the retention window above.
Your Rights (GDPR / UK GDPR)
If you are in the European Economic Area, the United Kingdom or Switzerland, you have the following rights:
- Right of access to the personal data we hold about you
- Right of rectification of inaccurate personal data
- Right of erasure (the “right to be forgotten”) subject to legal limits
- Right to restriction of processing
- Right to data portability in a structured, commonly used, machine-readable format
- Right to object to processing carried out on the basis of legitimate interests, including profiling
- Right to withdraw consent at any time, without affecting the lawfulness of processing carried out before the withdrawal
To exercise these rights, contact us at hi@dmchamp.com. We respond within 30 days; we may extend the response window by up to a further 60 days for complex requests, in which case we will tell you within the first 30 days.
You also have the right to lodge a complaint with a supervisory authority. The Dutch supervisory authority is the Autoriteit Persoonsgegevens, https://autoriteitpersoonsgegevens.nl/. You can also complain to your local supervisory authority in your country of residence or place of work.
California Privacy Rights (CPRA)
If you are a California resident, you have the following rights under the California Privacy Rights Act:
- Right to Know what personal information we collect, use, disclose and (if applicable) sell or share
- Right to Delete personal information we hold about you, subject to legal exceptions
- Right to Correct inaccurate personal information
- Right to Opt-Out of the sale or sharing of personal information (we do not sell or share personal information for cross-context behavioural advertising)
- Right to Limit the use of sensitive personal information to what is necessary to provide the Services
- Right to Non-Discrimination for exercising your CPRA rights
- The right to designate an authorised agent to make a request on your behalf
To exercise these rights, email hi@dmchamp.com with the subject line “CPRA request”. We will verify your identity through your account or by other reasonable means before fulfilling the request.
Other Jurisdictions
Brazil (LGPD)
Brazilian residents have rights under the Lei Geral de Proteção de Dados that are broadly equivalent to GDPR rights. We honour these rights on request through hi@dmchamp.com.
Canada (PIPEDA)
Canadian residents can submit access and correction requests under the Personal Information Protection and Electronic Documents Act. We respond to PIPEDA requests through the same email address.
United Kingdom (UK GDPR)
UK residents have rights that mirror the EU GDPR. The Information Commissioner’s Office (ICO) is the UK supervisory authority.
Children
The Services are intended for business use only and are not directed to children. We do not knowingly collect personal data from anyone under the age of 16. If we discover that we have collected such data, we will delete it. If you believe a child has provided personal data to us, contact hi@dmchamp.com.
Security
We use a combination of administrative, technical and physical safeguards to protect personal data, including:
- Encryption in transit using TLS 1.2 or higher
- Encryption at rest for sensitive fields, including credentials and integration tokens
- Role-based access control with least-privilege principles
- Comprehensive audit logging of administrative actions
- Regular vulnerability scanning and periodic third-party penetration tests
- Mandatory security training for employees with access to production systems
- A documented incident response plan with on-call rotations
No system can be completely secure. If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and we will notify affected users without undue delay, in line with GDPR Articles 33 and 34.
White-Label / Agency Privacy
When you interact with an Agency’s white-label deployment of DM Champ, the Agency is the Data Controller for your personal data and DM Champ acts as the Processor. End users of a white-label deployment should consult the Agency’s own privacy policy for information about how the Agency uses their data.
The DPA between the Agency and DM Champ governs our processor obligations for that data. We process the Agency’s end-user data only on the Agency’s documented instructions and in line with this policy and our DPA.
AI-Specific Disclosures
AI components used by the Services include Anthropic Claude (primary model) and Google Gemini (media understanding and selected helper tasks). The AI agents respond to inbound messages, generate content suggestions, score and route conversations, and execute structured tool calls (custom functions) on behalf of the workspace owner.
The AI does not make legally binding decisions about individuals. We provide a human-in-the-loop mode and recommend its use for high-value transactions and any interaction that materially affects a person’s legal rights or significant interests. You can request human oversight at any time by contacting your account owner.
Some AI processing is essential to provide the Services. You may opt out of optional AI processing (for example, certain analytics or summary generation features) from your dashboard, although doing so may limit functionality.
Marketing Communications
Marketing emails from DM Champ are sent only with your separate consent or where permitted under legitimate interest for existing customers with a similar product opt-out. Every marketing email contains an unsubscribe link, and you can also manage email preferences from your account.
Service emails (security alerts, billing notices, important account changes and platform incidents) are sent to you regardless of marketing preferences because they are necessary to operate the Services.
Legal Disclosures
We may disclose personal data where we believe in good faith that disclosure is required by law, by a court order, by a subpoena or by a regulatory request, or where disclosure is necessary to protect the rights, safety or property of DM Champ, our customers or the public. Where lawful, we will notify you in advance of any compelled disclosure that affects you.
Changes to This Policy
We may update this policy from time to time. For material changes, we will provide at least 30 days’ notice by email or in-app notice before the changes take effect. For non-material changes, we will post the updated policy here with a revised “Last updated” date.
Contact
For privacy questions or to exercise your rights, email hi@dmchamp.com. Please include enough information for us to verify your identity and to act on your request.
OneGlimpse B.V. is established in the Netherlands, so an Article 27 EU representative is not required. For UK GDPR purposes, we will appoint a UK representative if and when our processing activities make one required; the current placeholder is “UK representative to be appointed if required” and we will update this page when an appointment is made.
- OneGlimpse B.V., the Netherlands
- Chamber of Commerce (KvK): 78315654
- VAT: NL861343529B01
- Email: hi@dmchamp.com
Language
This policy is published in English. We may provide translations for convenience. In case of any conflict between the English version and a translation, the English version controls.
Reach our team at hi@dmchamp.com and we will respond within two business days.