GDPR Compliance

Article 1: Our Commitment to Data Protection

Intellixio, the parent company of ZendoWhisper, is fully committed to upholding the principles of the General Data Protection Regulation ((EU) 2016/679) and applicable data protection laws in the UK and Switzerland. This document outlines our compliance framework, our processing activities, and the rights of individuals whose data we may process in the provision of our Service. This statement supplements our main ZendoWhisper Privacy Policy and ZendoWhisper Terms of Service.

Article 2: Our Role - Data Controller and Data Processor

Understanding our role is fundamental to GDPR compliance. For the ZendoWhisper Service, our roles are distinctly defined:

• 2.1 Intellixio as a Data Controller: We act as a Data Controller for Customer Account Data (e.g., your name, email, company name, billing information) and our own Marketing Data (e.g., from our website cookies). For this data, we determine the purpose and means of processing.
• 2.2 Intellixio as a Data Processor: For all data processed within the core ZendoWhisper Service, we act as a Data Processor on behalf of our customers. This data ("Service Data") includes:
  • Your Knowledge Base
  • Conversation Data (messages between your end-users and the Service)
  • End-User Data (e.g., WhatsApp phone numbers and names as provided by the platform)
  • Meta Integration Data (e.g., WhatsApp Business Account ID)

In this capacity, you, our Customer, are the Data Controller. You determine the purpose of the processing (to provide customer service) and are solely responsible for ensuring its lawfulness.

Article 3: Lawful Basis for Processing

We process data on a specific, lawful basis under Article 6 of the GDPR.

• For Customer Account Data: Our basis is Performance of a Contract.
• For Service Data: We process this data based on your instructions as your Processor. The lawful basis you, as the Controller, must establish for processing your end-users' data may include Consent, Performance of a Contract(with your end-user), or Legitimate Interest. You are responsible for determining the appropriate lawful basis for your use case.

Article 4: Data Protection by Design and Security Measures

We have built ZendoWhisper on a foundation of privacy by design and default (Article 25).

• Data Minimization: We only process data necessary to provide the Service as instructed.
• Purpose Limitation: All Service Data is processed for the sole purpose of providing customer communication services as instructed by you.
• Security Measures: We implement robust technical and organizational measures, including end-to-end encryption for data in transit (TLS 1.2+), AES-256 encryption for data at rest, strict access controls, and regular security assessments.
• Isolated AI Models: Your Knowledge Base only trains the AI model specific to your account, with strict logical and technical separation from other customers.

Article 5: AI and Automated Decision-Making (Article 22)

ZendoWhisper's AI performs automated decision-making to respond to customer inquiries.

• Logic Involved: The AI analyzes conversation content to understand intent and provide a relevant response based on your Knowledge Base.
• Significance and Envisaged Consequences: This process has a low-impact outcome. It is a customer service routing and response mechanism, not a decision that produces legal or similarly significant effects on an individual. The system is designed to facilitate communication and to hand over to a human agent when necessary.

Article 6: Data Subject Rights

As the Data Controller for your end-users' data, you are responsible for handling their data subject rights requests. As your Processor, we are committed to providing you with the tools and support needed to comply. We will promptly assist you in fulfilling requests for access, rectification, erasure, and restriction of processing for the data we handle on your behalf.

Article 7: International Data Transfers & Sub-processors

• 7.1 International Transfers: As a global company, data may be transferred outside of the EEA. We ensure this data is protected by using the European Commission's approved Standard Contractual Clauses (SCCs), which are incorporated into our Data Processing Addendum.
• 7.2 Sub-processors: We may engage trusted third-party sub-processors (e.g., cloud hosting providers) to assist in providing our services. All sub-processors are vetted and contractually bound to process data only according to our instructions and to implement GDPR-compliant security measures. A list of our sub-processors is available within our DPA.

Article 8: Data Processing Addendum (DPA)

In accordance with Article 28 of the GDPR, we offer all our customers a comprehensive Data Processing Addendum (DPA). This legal agreement outlines our duties as your Data Processor, details our security measures, and includes the Standard Contractual Clauses (SCCs). Please contact [email protected] to obtain and execute our DPA.

Article 9: Data Retention and Breach Notification

• 9.1 Data Retention: Service Data processed on your behalf is retained for the duration specified in our agreement with you and is securely deleted from our active systems within 90 days of account termination, unless otherwise required by law.
• 9.2 Data Breach Notification: In the unlikely event of a data breach affecting the data we process on your behalf, we will notify you without undue delay, typically within 48 hours of discovery, to help you fulfill your notification obligations as a Data Controller.

Article 10: Data Protection Officer

We have appointed a dedicated Data Protection Team to oversee our compliance efforts. For all inquiries related to GDPR and our data protection practices, please contact them: