Privacy Policy
Effective Date: 01 January 2025 · Last Revised: April 2025 · Version: 2.0
Jurisdiction-specific addenda: This Policy sets out Dialogg's global data protection practices. Where local law imposes additional obligations on data subjects in a specific country, a jurisdiction-specific Data Processing Addendum (DPA) supplements this Policy. Current addenda: Vietnam (Decree 13/2023 — PDPD). In the event of conflict between this Policy and a local Addendum, the Addendum prevails for data subjects in that jurisdiction.
1. Introduction
This Privacy Policy explains how Dialogg Europe SRL ("Dialogg", "we", "our", "us") collects, uses, shares, and protects personal data when you access or use dialogg.ai and any related services (collectively, the "Platform"), in compliance with:
- The General Data Protection Regulation (EU) 2016/679 ("GDPR")
- The Belgian Act of 30 July 2018 on the protection of natural persons with regard to the processing of personal data
- The ePrivacy Directive (2002/58/EC) as implemented in Belgian national law
- Applicable data protection laws in other jurisdictions where we operate, as supplemented by jurisdiction-specific addenda
2. Data Controller
The data controller for personal data collected via dialogg.ai is:
| Entity | Details |
|---|---|
| Legal name | Dialogg Europe SRL |
| Registered address | 54 Avenue Louise, 1050 Brussels, Belgium |
| Data protection contact | [email protected] |
| Website | https://dialogg.ai |
DPO Assessment: Dialogg processes voice and chat transcript data from regulated sectors. We are assessing whether a formal Data Protection Officer (DPO) designation is required under GDPR Article 37 and will update this Policy accordingly.
3. Personal Data We Collect
| Category | Examples | Source |
|---|---|---|
| Account data | Name, email, company name, user role, password (hashed) | Provided at registration |
| Usage & technical data | IP address, browser type, device identifiers, access timestamps, session logs | Automated collection |
| Conversation data | Chat transcripts, voicebot recordings and transcriptions, conversation metadata, intent classifications | Generated during Platform use |
| Billing data | Payment method type, last four digits, transaction history (full card numbers held by payment processor only) | Provided by you |
| Support data | Correspondence, support tickets, feedback | Provided by you |
| Cookie & tracking data | Cookie identifiers, analytics events — see Section 10 | Automated collection |
4. Purpose and Legal Basis
| Purpose | GDPR legal basis |
|---|---|
| Account creation and management | Contract performance — Art. 6(1)(b) |
| Provision of chatbot and voicebot services | Contract performance — Art. 6(1)(b) |
| Customer support and issue resolution | Legitimate interest — Art. 6(1)(f) |
| Service improvement and AI model quality (§5) | Legitimate interest — Art. 6(1)(f); or Consent — Art. 6(1)(a) where opted in |
| Security monitoring and fraud prevention | Legitimate interest — Art. 6(1)(f) |
| Legal and regulatory compliance | Legal obligation — Art. 6(1)(c) |
| Marketing communications (opt-in only) | Consent — Art. 6(1)(a) |
5. AI-Specific Data Processing Disclosures
How your conversation data interacts with AI systems: This section explains how Dialogg processes voice and chat data through AI models, including third-party large language model (LLM) and speech recognition APIs.
5.1 How AI models process conversation data
The Platform routes conversation data through third-party AI APIs — primarily OpenAI's API and/or Google Cloud AI services — to generate responses, extract intents, and perform speech-to-text transcription. This means:
- Conversation content is transmitted to sub-processors in real time during a session.
- Dialogg uses the API tier of these services. Under our agreements with OpenAI and Google, data submitted via API is not used to train their foundation models by default.
- Dialogg may use anonymised, aggregated interaction data to fine-tune or evaluate its own proprietary models.
- Explicit consent will be obtained before using any identifiable data for fine-tuning purposes.
5.2 Automated decision-making
The Platform classifies user intents and may route conversations automatically based on confidence scores.
- These automated classifications do not constitute solely automated decisions with legal or similarly significant effects under GDPR Article 22, as human agents can review and override outcomes.
- Enterprise clients deploying Dialogg where automated classification produces significant decisions for end-users must ensure an appropriate legal basis and provide GDPR Article 22 compliant notices to those end-users.
5.3 Voice data
- When voicebot functionality is enabled, voice recordings are transmitted to speech-to-text sub-processors, converted to text, and the text is processed by LLM services.
- Voice recordings are retained only for the period specified in Section 8 and are not used for biometric profiling.
6. Sub-processors and Data Transfers
All sub-processors are contractually bound to process data only on Dialogg's documented instructions and to implement appropriate technical and organisational measures.
| Entity | Service | Location(s) | Purpose |
|---|---|---|---|
| Google LLC (GCP) | Google Cloud Platform | EU (Belgium, Frankfurt); US; Singapore | Primary cloud infrastructure; compute, storage, databases |
| Amazon Web Services | AWS | EU (Ireland); US; Asia Pacific | Secondary cloud infrastructure; redundancy, CDN |
| Microsoft Corporation | Azure (selective) | EU; US; multiple regions | Optional integrations; Teams connectivity |
| OpenAI, OpCo LLC | OpenAI API | United States | LLM inference — natural language processing |
| Google LLC | Gemini / Vertex AI | EU; US | LLM inference; speech-to-text (optional) |
| Stripe Inc. | Stripe Payments | United States; EU | Payment processing (Dialogg does not store card numbers) |
6.1 International data transfers
Where personal data is transferred outside the European Economic Area (EEA), Dialogg relies on Standard Contractual Clauses (SCCs) under EU Commission Implementing Decision 2021/914, or adequacy decisions where applicable.
7. Data Retention
| Data category | Default retention | Deletion trigger |
|---|---|---|
| Account data | Duration of account + 12 months | Account deletion request |
| Chat transcripts | 6 months (configurable per client) | Customer configuration or contract end |
| Voice recordings (audio) | 30 days | Automatic purge |
| Usage / technical logs | 90 days | Automatic rolling deletion |
| Billing records | 7 years | Legal obligation (Belgian tax law) |
| Support correspondence | 3 years | Closure of ticket + period |
| Cookie / analytics data | 13 months | Automatic expiry; cookie withdrawal |
8. Your Rights
Under GDPR, you have the following rights. To exercise any right, contact [email protected]. We will respond within 30 days. We may request identity verification before processing a request.
| Right | Description |
|---|---|
| Access | Request a copy of personal data we hold about you |
| Rectification | Correct inaccurate or incomplete personal data |
| Erasure | Request deletion of your personal data |
| Restriction | Restrict processing in certain circumstances |
| Portability | Receive your data in a structured, machine-readable format |
| Objection | Object to processing based on legitimate interest |
| Withdraw consent | Withdraw any previously given consent at any time |
| Supervisory complaint | Lodge a complaint with the Belgian Data Protection Authority (APD/GBA) at www.autoriteprotectiondonnees.be, or with your local supervisory authority |
9. Cookies and Tracking Technologies
The Dialogg website and Platform use cookies and similar tracking technologies. Strictly necessary cookies are used without consent. All other cookies require your explicit consent, provided or withdrawn via our cookie consent banner.
| Type | Examples | Consent required | Purpose |
|---|---|---|---|
| Strictly necessary | Session tokens, CSRF protection | No — essential | Authentication, security |
| Functional | Language preference, UI state | Yes | Remember preferences |
| Analytics | Usage statistics | Yes | Understand Platform usage |
| Marketing | Ad pixels, remarketing tags | Yes | Targeted advertising (if used) |
10. Security
Dialogg implements technical and organisational measures proportionate to the risk of processing, including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Role-based access controls and least-privilege principles
- Regular penetration testing and vulnerability assessments
- Sub-processor security obligations and contractual controls
- Employee data protection training
- Incident response and business continuity procedures
11. Data Breach Notification
In the event of a personal data breach, Dialogg will:
- Notify the Belgian Data Protection Authority (APD/GBA) within 72 hours of becoming aware of a breach likely to result in a risk to individuals' rights and freedoms, per GDPR Article 33.
- Notify affected data subjects without undue delay where a breach is likely to result in high risk to their rights and freedoms, per GDPR Article 34.
- Notify enterprise clients within 48 hours of becoming aware of a breach affecting their data, to allow clients to meet their own notification obligations.
- Maintain a record of all breaches, including those not requiring notification, per GDPR Article 33(5).
12. Policy Updates
Dialogg may update this Privacy Policy periodically. We will notify registered account holders of material changes by email and will post the updated Policy at dialogg.ai/privacy-policy with a revised 'Last Revised' date. Continued use of the Platform after the effective date constitutes acceptance of the updated Policy.
13. Contact Us
| Contact | Details |
|---|---|
| Data protection queries | [email protected] |
| General contact | Dialogg Europe SRL, 54 Avenue Louise, 1050 Brussels, Belgium |
| Supervisory authority | APD/GBA — www.autoriteprotectiondonnees.be |
Dialogg Europe SRL · Version 2.0 · April 2025 · dialogg.ai/privacy-policy