Summary (TL;DR)
- Gaia Public is a free Chrome extension by Gorgias that helps e-commerce support teams optimize their helpdesk AI agent.
- We process data as a processor on behalf of the customer (the merchant). The customer is the controller.
- We do not sell or share personal information. We do not use it for cross-context behavioral advertising.
- Conversation content is not stored beyond what is needed for security. Prompts and LLM responses live in server memory for the duration of a single HTTP request, then are garbage collected. A copy is retained for up to 30 days in our EU-hosted observability platform solely for security monitoring (see below).
- We mask personal data before sending it to OpenAI. Emails, phone numbers, credit card numbers, and English-suffixed street addresses are replaced with placeholders.
- OpenAI processes content under a Zero Data Retention contract — no training, no retention beyond a 30-day abuse monitoring window.
- We log operational metadata (IP, Zendesk subdomain, hashed agent email identifier, anonymized PII counts) to provide and secure the Service.
- We retain conversation content for up to 30 days solely to detect prompt injection, abuse, and security incidents. This data is not used to train AI models or for quality improvement.
- Transfers: data is processed in the USA by OpenAI, Vercel, and Upstash under the EU-US Data Privacy Framework and/or Standard Contractual Clauses.
- Data subject rights requests should be directed to the merchant whose helpdesk you interacted with. Gorgias will assist the merchant in responding.
- Contact: legal@gorgias.com.
1. Who we are
Gaia Public is provided by Gorgias, Inc. ("Gorgias," "we," "us"), a Delaware corporation with offices in New York, NY, and San Francisco, CA. This Privacy Policy explains how we collect, use, share, and protect personal data when you use the Gaia Public Chrome extension and associated services (the "Service"). This extension is not affiliated with, endorsed by, or sponsored by Zendesk, Inc.
2. Scope
This policy applies to personal data processed when the Service connects to a Zendesk account and when a user interacts with the extension. It covers data of agents (users of the extension) and data of end consumers visible in helpdesk tickets. It does not cover data collected through gorgias.com or the core Gorgias platform.
3. Roles under data protection law
Gorgias acts as a data processor (GDPR) / service provider (CCPA) when processing helpdesk data on behalf of the customer (controller / business). Processing is governed by the Data Processing Agreement Addendum incorporated into the Terms of Service. Where Gorgias processes its own operational data (usage metrics, security logs, rate-limit counters), Gorgias is the controller for that limited set of data.
4. What we collect and why
| Purpose | Data | Lawful basis (GDPR) | Retention |
|---|---|---|---|
| Authenticate and authorize the agent | Agent email address (hashed before logging), Zendesk API token (held in browser memory only) | Legitimate interest (security) | Token: session only. Email hash: 30 days in logs. |
| Provide AI-generated suggestions | Ticket content (subjects, messages, tags, metadata), AI Agent instructions, Copilot procedures | Performance of a contract | Duration of one HTTP request (RAM only), then garbage collected. |
| Detect prompt injection, abuse, and security incidents | Conversation content (prompts, LLM responses, tool call results) | Legitimate interest (security) | Up to 30 days in Langfuse (EU-hosted), then automatically purged. Not used for AI training or quality improvement. |
| Rate limiting and abuse prevention | IP address, Zendesk subdomain, request timestamps | Legitimate interest (security) | Sliding window counters: 1 min / 1 h / 1 day / 30 days. |
| Account-level signals | Aggregated, non-personal account metrics | Legitimate interest (product analytics) | Duration of customer relationship. |
5. PII masking
Before any ticket content is sent to OpenAI, a server-side masking layer replaces:
- Email addresses →
⟦PII:email:1⟧ - Phone numbers →
⟦PII:phone:1⟧ - Credit/debit card numbers →
⟦PII:card:1⟧ - Street addresses →
⟦PII:address:1⟧
After the LLM response is received, placeholders are un-masked before being returned to the agent. The raw content never reaches OpenAI.
6. Data storage and retention
| What | Where | Retention |
|---|---|---|
| Conversation content (prompts, LLM responses, tool results) | Proxy RAM only | Duration of one HTTP request, then garbage collected. |
| Conversation content for security monitoring | Langfuse (EU-hosted, Frankfurt) | 30 days, then purged. Used only for prompt injection detection, abuse monitoring, and security incident investigation. Not used for AI model training or quality improvement. |
| Request metadata (correlation ID, IP, Zendesk subdomain, hashed agent email, timestamps) | Vercel runtime logs | 1 day (24 hours), then purged. Agent email is hashed (SHA-256) before logging. |
| Rate-limit counters | Upstash Redis | Automatic expiry after sliding window. |
| Ban entries | Upstash Redis | 24 hours (first offense) to permanent. |
| Security alert emails | Resend + Gorgias inbox | 12 months. |
7. Sub-processors
| Sub-processor | Purpose | Data | Location | Transfer mechanism |
|---|---|---|---|---|
| OpenAI, Inc. | LLM inference | Masked conversation text | USA | EU-US DPF + ZDR contract |
| Vercel Inc. | Serverless compute and hosting | Request metadata | USA + global edge | SCCs (2021/914) + EU-US DPF |
| Upstash Inc. | Rate-limit counters | Counters keyed by IP (no message content) | AWS US + EU | SCCs (2021/914) |
| Langfuse GmbH | Security and abuse monitoring | Conversation content for security only | EU (Frankfurt) | Within EEA |
| Resend Inc. | Security alert emails | Alert email metadata | USA | SCCs (2021/914) |
8. How we use conversation content
We retain conversation content for up to 30 days solely for: detecting prompt injection attacks, identifying and preventing abuse, investigating security incidents.
We do not use it for: training AI models, quality improvement, marketing, sharing with third parties.
9. International transfers
Transfers rely on EU-US Data Privacy Framework, Standard Contractual Clauses (2021/914), or UK International Data Transfer Addendum. Swiss transfers rely on Swiss-US DPF.
10. Your rights
Under GDPR, CCPA, Quebec Law 25, and equivalent legislation, you have the right to: access, correct, delete, port, restrict, and object to processing of your personal data.
Because Gorgias is a processor, data-subject requests should be directed to the customer (merchant) whose helpdesk you interacted with. Gorgias will assist the merchant in responding. You may also contact us directly at legal@gorgias.com.
11. Do Not Sell / Do Not Share
Gorgias does not sell personal information. Under CCPA, Gorgias acts as a service provider and does not share personal information for cross-context behavioral advertising.
12. Data breach notification
Gorgias will notify the competent supervisory authority within 72 hours of becoming aware of a personal data breach, per GDPR Article 33(2). Affected individuals will be notified where required by applicable law.
13. Children's data
Gaia Public is a B2B tool intended for professional support agents. It is not directed at children. If you believe we may have inadvertently collected data from a minor, please contact legal@gorgias.com.
14. Data Processing Agreement
Processing of helpdesk data is governed by the DPA Addendum below, incorporated into the Terms of Service. A copy is also available by request at legal@gorgias.com.
15. Changes
We may update this policy as the Service evolves. Material changes will be notified through the extension. The "Last updated" date at the top reflects the most recent revision.
By installing or using the Gaia Public Chrome extension (the "Service"), the entity on whose behalf it is used ("Customer") agrees to these Terms of Service (the "Terms"). The individual installing the Service represents and warrants that they have authority to bind Customer to these Terms.
1. Service
Gaia Public is a free Chrome extension that connects to Customer's Zendesk account and provides AI-generated suggestions to optimize helpdesk AI agent configurations, instructions, procedures, and responses. The Service is provided as-is and may change or be discontinued at any time. The Service is not affiliated with, endorsed by, or sponsored by Zendesk, Inc.
2. Acceptable use
Customer will not submit to the Service: protected health information governed by HIPAA; payment card data governed by PCI-DSS; government-issued identification numbers; information of children under 16; or special category data under GDPR Article 9. Customer will not use the Service to develop a competing product, train a machine learning model, circumvent rate limits or other technical or security measures, or in violation of applicable law. Customer is responsible for reviewing all Outputs before relying on them.
3. Customer Data
"Customer Data" means data accessed from Customer's helpdesk account or otherwise submitted to the Service. Customer retains all right, title, and interest in Customer Data. Customer grants Gorgias a non-exclusive, worldwide license to process Customer Data solely as necessary to provide the Service. Gorgias does not use Customer Data to train AI models.
4. AI Outputs
The Service uses large language models to generate suggestions ("Outputs"). Outputs are advisory and may be incorrect, incomplete, or inappropriate. Customer is solely responsible for reviewing Outputs before relying on them. Gorgias makes no warranty as to accuracy, fitness, or non-infringement of Outputs.
5. Zendesk API usage
The Service accesses Customer's Zendesk account through Zendesk's public REST API and, for certain features, through non-documented GraphQL endpoints. Customer acknowledges that: (a) use of non-documented endpoints is not endorsed by Zendesk; (b) Zendesk may restrict or revoke API access at any time; and (c) Gorgias is not responsible for any action Zendesk takes against Customer's account.
6. Fees
The Service is provided free of charge. Gorgias reserves the right to introduce usage limits or paid tiers in the future with reasonable notice.
7. Limitation of liability
TO THE MAXIMUM EXTENT PERMITTED BY LAW, GORGIAS'S TOTAL LIABILITY IS LIMITED TO USD $100. GORGIAS IS NOT LIABLE FOR INDIRECT, INCIDENTAL, CONSEQUENTIAL, SPECIAL, OR PUNITIVE DAMAGES, OR LOST PROFITS OR DATA, EVEN IF FORESEEABLE.
8. Indemnification
Customer will indemnify and hold Gorgias harmless from claims arising out of Customer's use of the Service in violation of these Terms, Customer's violation of applicable law, or Customer's submission of data in breach of Section 2.
9. Governing law
These Terms are governed by the laws of the State of New York, without regard to conflict of laws. Disputes must be brought in courts in New York County, NY.
10. Termination
Either party may terminate by uninstalling the extension. Sections 3–9 survive termination.
11. Entire agreement
These Terms, the Privacy Policy, and the DPA Addendum constitute the entire agreement.
12. Contact
Questions about these Terms: legal@gorgias.com.
Data Processing Agreement Addendum
Effective: April 29, 2026
This Data Processing Agreement Addendum (the "DPA Addendum") forms part of the Gaia Public Terms of Service between Gorgias, Inc. ("Gorgias") and the Customer that has accepted those Terms ("Customer"). It applies where Gorgias processes personal data on Customer's behalf in connection with the Service.
1. Roles
Customer is the controller and Gorgias is the processor. For CCPA, Gorgias is a service provider.
2. Processing details
Gorgias processes categories of personal data described in the Privacy Policy for the duration of Customer's use, solely to provide the Service. Data subjects include Customer's agents and end consumers.
3. Sub-processors
Gorgias uses sub-processors listed in Section 7 of the Privacy Policy. Gorgias will provide 14 days' notice before adding new sub-processors. Customer may object by uninstalling the extension.
4. Data subject requests
Direct requests to legal@gorgias.com. Gorgias will assist within required timeframes.
5. Security measures
Gorgias maintains the following technical and organizational security measures:
- PII masking before LLM transmission
- TLS 1.2+ for data in transit
- Hashing of agent email addresses before logging
- Rate limiting on all endpoints
- Zero Data Retention contracts with AI sub-processors
6. Data breach notification
Gorgias will notify Customer within 72 hours of becoming aware of a personal data breach, including: the nature of the breach, categories and approximate number of data subjects affected, likely consequences of the breach, and measures taken or proposed to address the breach.
7. Audit
Customer may request an audit once per calendar year with 30 days' written notice, at Customer's expense, scoped to Gaia Public only.
8. Return and deletion
Upon termination, Gorgias will delete or return Customer Data within 30 days, except where retention is required by applicable law.
9. International transfers
International transfers are governed by Section 9 of the Privacy Policy.
10. Standard Contractual Clauses
Module 2 (controller to processor) of Commission Decision 2021/914 is incorporated by reference. Customer is the data exporter and Gorgias is the data importer.
11. Precedence
This DPA Addendum controls over the Terms of Service in the event of a conflict. The Standard Contractual Clauses control over this DPA Addendum in the event of a conflict.