GDPR

1. Our Commitment to GDPR

Chatvox is designed to help customers meet their GDPR obligations when deploying AI chat agents. We provide product controls, security safeguards, and documentation intended to support transparent and responsible processing of personal data.

GDPR compliance is a shared responsibility. Chatvox provides the platform, while customers remain responsible for their own lawful basis, end-user notices, consent requirements, and use of Chatvox in accordance with applicable privacy laws.

2. Data Processing Roles

Under GDPR, responsibility for data protection is divided between Controllers and Processors.

  • You are the Data Controller: When you deploy a Chatvox agent to interact with your end users, you determine the purpose and means of processing. You are responsible for obtaining necessary consents and ensuring you have a lawful basis for processing your users’ data.
  • Chatvox is the Data Processor: For end-user conversation data, lead data, and knowledge base content processed through the Service, Chatvox processes that data on your behalf and according to your product configuration, Terms of Service, Data Processing Agreement, and any separately executed agreement.

3. Data Minimization and AI Training

Chatvox does not use customer conversation data or knowledge base documents to train Chatvox-owned foundation models.

To generate AI responses, Chatvox sends relevant prompts, conversation context, and retrieved knowledge snippets to AI providers such as OpenAI. Those providers process the data under their own business, API, privacy, and data processing terms. Customers with specific zero-retention or enterprise data handling requirements should confirm those requirements with Chatvox before relying on them.

4. International Data Transfers

To provide the Service, data may be processed outside the European Economic Area, the United Kingdom, or Switzerland. Where required, Chatvox relies on appropriate transfer mechanisms such as Standard Contractual Clauses, adequacy frameworks, and contractual obligations with relevant Sub-processors.

5. Security Measures

Chatvox maintains technical and organizational measures designed to protect personal data. Current measures include:

  • Tenant-level logical isolation for customer workspaces and agents.
  • Role-based access controls for team members.
  • Authentication controls, email verification, hashed passwords, and two-factor authentication support.
  • Encryption for sensitive integration credentials and custom action authentication secrets.
  • Transport security for production service traffic and provider API calls.
  • Rate limiting, abuse detection, moderation controls, and operational logging.

Additional infrastructure safeguards may be provided by Chatvox’s hosting, database, storage, and security providers. Chatvox does not currently claim third-party certifications such as SOC 2, ISO 27001, or HIPAA unless separately stated in a signed agreement.

6. Supporting Data Subject Requests

GDPR grants individuals rights over their personal data, including access, correction, deletion, restriction, objection, and portability. Chatvox provides product features that can help customers respond to those requests:

  • Deletion: Customers can delete specific conversations, clear an agent’s conversations, delete leads, delete agents, delete teams, and delete knowledge sources where those features are available in the dashboard.
  • Access and portability: Customers can export leads, export agent activity summaries, and export individual conversation transcripts. Broader bulk account export is on the product roadmap.
  • Retention: Chatvox supports configurable scheduled anonymization for certain expired session metadata and lead data when enabled in the production environment. Expanded retention controls are on the product roadmap.

7. Important Legal Documents

For more detailed information regarding our data practices and your legal agreements with Chatvox, please refer to the following documents: