GDPR Compliance

Last updated: May 28, 2025

At ZendoWhisper, a product of Intellixio, we are committed to protecting your privacy and ensuring compliance with the General Data Protection Regulation (GDPR). This page outlines how we adhere to GDPR principles and safeguard the personal data of our users and their customers. By using our services, you acknowledge that you have read and understand this GDPR Compliance statement.

Important Notice

This website (zendowhisper.com) serves as our informational and marketing platform. The ZendoWhisper application itself is hosted at app.zendowhisper.com. This GDPR Compliance statement applies to both this informational website and the ZendoWhisper application, ensuring consistent data protection practices across all our platforms.

1. Our Role Under GDPR

When you use ZendoWhisper:

  • You (our client) are the "Data Controller" for your customer data processed through our platform. As the Data Controller, you determine the purposes and means of processing personal data and are responsible for establishing the legal basis for processing.
  • ZendoWhisper/Intellixio serves as the "Data Processor" that processes this data on your behalf according to your documented instructions.

This distinction is important as it determines our respective responsibilities under GDPR. As a data processor, we process personal data only as instructed by you, the data controller, and we have implemented appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

2. Legal Basis for Processing

As a data processor, we rely on you, the data controller, to establish a lawful basis for processing personal data through ZendoWhisper. Common legal bases include:

  • Contractual Necessity: Processing is necessary to fulfill your contractual obligations to your customers, or to take steps at their request before entering into a contract.
  • Legitimate Interest: Processing serves a legitimate business interest that is not overridden by individual rights and freedoms, after conducting and documenting a legitimate interest assessment.
  • Consent: Your customers have given clear, specific, informed, unambiguous, and freely given consent for you to process their data for specific purposes. This consent must be as easy to withdraw as it is to give.
  • Legal Obligation: Processing is necessary for compliance with a legal obligation to which you are subject.

We recommend consulting with your legal advisors to determine the appropriate legal basis for your specific use case. We can provide guidance on implementing appropriate consent mechanisms or legitimate interest assessments if needed.

3. Types of Data We Process

Through our AI-powered WhatsApp assistant, we may process the following types of personal data:

3.1 Customer Communication Data

  • WhatsApp user information (as provided by the WhatsApp Business API), which may include phone numbers, display names, and profile pictures
  • Message content and conversation history
  • Timestamps and frequency of interactions
  • Any personal data shared by customers during conversations

3.2 Business Account Data

  • Account credentials and user information
  • Business knowledge base content you provide for AI training
  • Usage data and analytics
  • Payment information (processed through our secure third-party payment processors)

3.3 Automated Decision-Making and Profiling

Our AI system makes automated decisions based on the content of messages to provide appropriate responses to customer inquiries. However, our system is designed to:

  • Not make decisions with significant effects on individuals without human review
  • Provide human intervention when necessary
  • Not engage in profiling that produces legal or similarly significant effects
  • Focus only on business-related inquiries rather than personal characteristics

4. Data Subject Rights

We support you in fulfilling data subject rights requests from your customers. Under GDPR, individuals have the following rights:

  • Right to Access: We provide tools and APIs to help you access personal data upon request within 30 days of receipt.
  • Right to Rectification: We enable correction of inaccurate personal data through our admin interfaces and APIs.
  • Right to Erasure (Right to be Forgotten): We support deletion of personal data when requested, with full purging from active systems and backups in accordance with our retention schedules.
  • Right to Restriction: We can help limit processing of certain data through our administrative controls and data flagging mechanisms.
  • Right to Data Portability: We provide data in machine-readable formats (JSON, CSV) to facilitate transfer to other service providers.
  • Right to Object: We respect objections to certain processing activities and provide tools to implement processing restrictions.
  • Rights Related to Automated Decision Making: We provide mechanisms to ensure human intervention for decisions made by automated systems when requested.

Our specific process for handling data subject requests includes:

  1. Verification of the request's legitimacy
  2. Acknowledgment of receipt within 3 business days
  3. Processing of the request with appropriate technical measures
  4. Documentation of actions taken
  5. Communication of outcomes to you as the Data Controller

If you receive a data subject request from one of your customers, please contact us promptly at privacy@zendowhisper.com so we can assist you in fulfilling the request within the required timeframe of 30 days (or 60 days for complex requests, with appropriate notification).

5. Data Protection Measures

We implement robust technical and organizational measures to protect personal data, including:

  • Encryption: End-to-end encryption for data in transit (TLS 1.2+) and AES-256 encryption for data at rest
  • Access Controls: Strict role-based access controls, multi-factor authentication, and the principle of least privilege
  • Regular Audits: Ongoing security assessments, vulnerability scanning, and annual penetration testing
  • Data Minimization: Only processing data necessary for specified purposes with automated data minimization protocols
  • Training: Regular data protection and security training for our team with documented completion
  • Isolated AI Models: Your business knowledge only trains AI models specific to your account with strict logical and technical separation
  • Physical Security: All data hosted in Tier III or higher data centers with appropriate physical security controls
  • Incident Response: Documented incident response procedures with regular drills and updates

6. Data Retention

We retain personal data only for as long as necessary to provide our services or to comply with legal obligations. Our default retention periods are:

  • Customer conversation data: Retained for 12 months by default, after which it is pseudonymized or anonymized for statistical purposes only
  • Account data: Retained for the duration of your contract plus 60 days, after which it is securely deleted
  • Training data: Retained as needed to maintain AI model quality, with periodic reviews to minimize unnecessary retention
  • Log data: Retained for 90 days for security and performance monitoring

Custom retention periods can be established based on your specific requirements and documented in a Data Processing Agreement. Please contact our Data Protection Team to discuss your needs.

7. International Data Transfers

ZendoWhisper is operated by Intellixio, based in Bangladesh. When transferring data internationally, we implement appropriate safeguards to ensure GDPR compliance, such as:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Ensuring adequate levels of data protection at all processing locations through technical and organizational measures
  • Implementing additional technical safeguards as required, including encryption, access controls, and data minimization
  • Risk assessments for all international transfers to ensure appropriate safeguards

We maintain documentation of our data transfer impact assessments and can provide this information upon request. We continuously monitor changes in regulations regarding international data transfers and update our practices as necessary.

8. Sub-processors

We may engage sub-processors to assist in providing our services. All sub-processors are contractually bound to:

  • Process data only in accordance with our instructions
  • Implement appropriate security measures
  • Return or delete personal data when their processing is complete
  • Assist with data subject rights requests
  • Allow for audits and inspections as needed

We maintain an up-to-date list of sub-processors on our secure portal and notify customers of any changes to our sub-processors. If you wish to object to a new sub-processor, please contact our Data Protection Team immediately.

9. Data Processing Agreements

In accordance with GDPR Article 28, we offer a Data Processing Agreement (DPA) to all our clients. This agreement details our data processing obligations and ensures appropriate safeguards are in place for personal data. Our DPA includes:

  • The subject matter and duration of processing
  • The nature and purpose of processing
  • The types of personal data and categories of data subjects
  • The obligations and rights of the data controller
  • Specific security measures implemented
  • Audit rights and compliance documentation
  • Sub-processor management procedures

If you require a DPA, please contact us at privacy@zendowhisper.com or through your account representative.

10. Data Breach Notification

In the unlikely event of a data breach affecting your data, we will notify you without undue delay, typically within 48 hours of becoming aware of the breach. Our notification will include:

  • The nature of the personal data breach
  • The categories and approximate number of data subjects affected
  • The categories and approximate number of personal data records concerned
  • The likely consequences of the breach
  • The measures taken or proposed to address the breach
  • Contact information for our Data Protection Team

We maintain a comprehensive incident response plan that is regularly tested and updated to ensure efficient handling of potential data breaches. Our notification procedures are designed to help you fulfill your obligations as a data controller.

11. Data Protection Officer

While not required to designate a formal Data Protection Officer under GDPR criteria, we have appointed a dedicated Data Protection Team to oversee our compliance efforts. This team is responsible for:

  • Monitoring compliance with the GDPR and other data protection laws
  • Conducting privacy impact assessments
  • Cooperating with supervisory authorities
  • Acting as a point of contact for data protection authorities
  • Handling data subject rights requests
  • Training staff on data privacy matters

You can contact our Data Protection Team at:

Email: gdpr@zendowhisper.com

Phone: +880 1328 524596

Address: House-105, Canada Plaza (5th floor), Shahid Latif Road, Koshaibari, Mollartek, Ashkona, Dakshinkhan, Dhaka, Bangladesh, 1230

12. GDPR Compliance Documentation

We maintain comprehensive documentation of our data processing activities as required by GDPR Article 30, including:

  • Records of processing activities
  • Data protection impact assessments
  • Documentation of security measures
  • Records of data breaches and notifications
  • Data transfer impact assessments
  • Staff training records

Relevant documentation can be made available to supervisory authorities upon request. We perform regular reviews and updates of our documentation to ensure ongoing compliance.

13. Contact Us

If you have any questions about our GDPR compliance, need assistance with data protection matters, or wish to exercise your rights, please contact us using the information above.

For more information about how we handle personal data, please review our Privacy Policy.

© 2025 Intellixio. All rights reserved. ZendoWhisper is a product of Intellixio.
