Privacy Policy
Última actualización:
1. Introduction
Equilia AI("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our AI-powered customer communication platform and related services (collectively, the "Services").
Data Controller
Equilia AI, a trade name of L3R Street Furniture SL.
CIF: B67617142
Passatge Sistres 7, B. 2a.
08320 El Masnou, Barcelona, Spain
Privacy inquiries:
2. Information We Collect
2.1 Information You Provide Directly
- Account Information: Name, email address, password (encrypted), phone number, company name, and billing information
- Profile Information: Profile picture, job title, language preferences, and notification settings
- Conversation Data: Messages, transcripts, call recordings, SMS content, WhatsApp messages, Telegram messages, Facebook Messenger messages, Instagram DMs, email content, and video interactions
- Contact Data: Information about leads and contacts including names, phone numbers, email addresses, and communication preferences
- Document Uploads: Files, documents, and knowledge base content you upload to train your AI assistants
- Support Communications: Correspondence with our support team
2.2 Information Collected Automatically
- Technical Information: IP address, browser type, device information, operating system, and screen resolution
- Usage Data: Pages viewed, features used, time spent, click patterns, and navigation paths
- Session Data: Login times, session duration, and authentication tokens
- Performance Data: Error logs, crash reports, and application performance metrics
2.3 Information from Third Parties
- OAuth Providers: If you sign in with Google, GitHub, or Microsoft, we receive your name, email, and profile picture
- Payment Processors: Stripe provides payment confirmation and billing information (we do not store full credit card numbers)
- Communication Providers: Call metadata, message delivery status, and usage statistics from Twilio, VAPI, and other telephony providers
- Google Calendar: Calendar event data if you connect your Google Calendar to an AI assistant integration
3. How We Use Your Information
3.1 Providing and Improving Services (Legal Basis: Contract Performance)
- Create and manage your account
- Process and route conversations across channels (phone, SMS, WhatsApp, Telegram, email, Facebook Messenger, Instagram, video, web)
- Generate AI responses using language models (Azure OpenAI)
- Synthesize voice using text-to-speech services (ElevenLabs)
- Create personalized video content (Tavus)
- Store and retrieve documents for AI assistant knowledge bases
- Search the internet on behalf of AI assistants (Serper / Google Search API)
- Browse public websites on behalf of AI assistants via cloud browser infrastructure (Browserbase)
- Resolve location queries and provide routing directions for AI assistants (Mapbox, Google Maps Geocoding)
- Retrieve weather data on behalf of AI assistants (WeatherAPI.com)
- Search for local restaurants, hotels, and attractions on behalf of AI assistants (TripAdvisor)
- Read and manage calendar events when users connect their Google Calendar to an AI assistant
- Generate conversation summaries and analytics
3.2 Billing and Account Management (Legal Basis: Contract Performance)
- Process payments and generate invoices
- Calculate usage-based billing for conversations, messages, minutes, and document uploads
- Send transactional emails (receipts, account updates, password resets)
- Manage subscriptions and billing disputes
3.3 Security and Fraud Prevention (Legal Basis: Legitimate Interest)
- Authenticate users and prevent unauthorized access
- Detect and prevent spam, abuse, and fraudulent activity
- Implement reCAPTCHA verification to protect against bots
- Monitor for security incidents and maintain audit logs
- Comply with legal obligations and respond to lawful requests
3.4 Analytics (Legal Basis: Consent)
- With your explicit consent (via our cookie consent banner), we use Apollo.io to analyse website visitor behaviour and improve our marketing and services
- You can withdraw consent at any time by clearing your cookie preferences
3.5 Communication (Legal Basis: Contract Performance / Consent)
- Send service-related notifications (system updates, maintenance, security alerts)
- Respond to your inquiries and support requests
- Send marketing communications only with your explicit consent (you can opt out anytime)
4. Legal Basis for Processing (GDPR)
We process your personal data based on the following legal grounds:
| Legal Basis | Purpose |
|---|---|
| Contract Performance | Providing our Services and fulfilling our agreement with you |
| Legitimate Interests | Fraud prevention, security, improving our Services, and operational efficiency |
| Consent | Marketing communications, analytics cookies (Apollo.io), and optional features |
| Legal Obligation | Compliance with tax, accounting, and legal requirements |
5. How We Share Your Information
5.1 Third-Party Service Providers (Subprocessors)
We share data with carefully selected third-party providers who assist in delivering our Services. View our complete list of subprocessors at Subprocessors List.
Key categories include:
- AI Model Providers: Azure OpenAI
- Communication Services: Twilio, VAPI, Telegram
- AI Tools & Integrations: Google (Maps Geocoding, Calendar), WeatherAPI.com, Mapbox, TripAdvisor
- Voice & Video: ElevenLabs, Tavus, Daily.co
- Infrastructure: DigitalOcean (EU/Frankfurt), Vercel, Qdrant
- Payments: Stripe (PCI-DSS compliant)
- Analytics: Apollo.io (consent-based website analytics)
- Web Browsing & Search: Browserbase (cloud browser infrastructure), Serper.dev (Google Search API)
5.2 When Required by Law
We may disclose information if required to:
- Comply with legal obligations, court orders, or government requests
- Enforce our Terms of Service or protect our rights
- Investigate fraud, security incidents, or violations of our policies
- Protect the safety of our users or the public
5.3 Business Transfers
If we are involved in a merger, acquisition, or sale of assets, your information may be transferred. We will notify you before your data is transferred and becomes subject to a different privacy policy.
5.4 With Your Consent
We may share information for purposes not described in this policy with your explicit consent.
6. International Data Transfers
Our infrastructure is primarily hosted in the European Union (DigitalOcean Frankfurt). However, some subprocessors may process data outside the EU/EEA:
- United States: Stripe, Twilio, VAPI, Telegram, ElevenLabs, Tavus, Daily.co, Browserbase, Serper.dev, Apollo.io, Microsoft, Google, WeatherAPI.com, Mapbox, TripAdvisor
- European Union: Azure OpenAI (Sweden)
- Safeguards: We use Standard Contractual Clauses (SCCs) approved by the European Commission and UK Addendum where applicable
- Data Residency Options: Enterprise customers can request EU-only processing for certain features
7. Data Retention
We retain your information for as long as necessary to provide our Services and fulfill legal obligations:
| Data Type | Retention Period |
|---|---|
| Account Data | Until you delete your account, plus 90 days for backup retention |
| Conversation Data | Until you delete conversations or your account, or as specified in your data retention settings |
| Billing Records | 7 years (legal requirement for accounting/tax purposes) |
| Security Logs | 12 months for incident investigation |
| Marketing Consent | Until you withdraw consent, then deleted within 30 days |
You can configure custom retention periods for conversations and leads in your account settings. After deletion, data is permanently removed from active systems within 30 days and from backups within 90 days.
8. Your Rights Under GDPR
If you are located in the EU/EEA or UK, you have the following rights:
| Right | Description |
|---|---|
| Access | Request a copy of all personal data we hold about you |
| Rectification | Correct inaccurate or incomplete personal data |
| Erasure | Request deletion of your personal data (subject to legal retention obligations) |
| Restrict Processing | Limit how we use your data while we investigate a complaint |
| Data Portability | Receive your data in a structured, machine-readable format (JSON/CSV export available) |
| Object | Object to processing based on legitimate interests or for direct marketing purposes |
| Withdraw Consent | Withdraw consent at any time where processing is based on consent |
| Lodge a Complaint | File a complaint with your local data protection authority |
How to Exercise Your Rights
To exercise any of these rights, please contact us at or use the self-service GDPR Data Request form. We will respond within 30 days.
9. Cookies and Similar Technologies
We use cookies and similar technologies to provide and improve our Services. For detailed information, see our Cookie Policy.
Strictly Necessary Cookies (always active)
- Session Cookies: Authentication and session management (Next-Auth)
- Security Cookies: reCAPTCHA verification to prevent spam and abuse
Optional Cookies (consent required)
- Analytics: Apollo.io website analytics — only activated when you accept analytics cookies via our consent banner
We do not use advertising, retargeting, social media tracking, or A/B testing cookies.
10. Data Security
We implement comprehensive security measures to protect your data:
Technical Measures
- Encryption: Data encrypted in transit and at rest using industry-standard methods
- Authentication: Multi-factor authentication (MFA) via supported OAuth providers (Google, GitHub, Microsoft), secure password hashing
- Access Controls: Role-based access control (RBAC), least privilege principle
- Network Security: Firewalls, DDoS protection, regular security audits
- Monitoring: 24/7 security monitoring, intrusion detection, incident response plan
Organizational Measures
- Security training for all employees
- Regular security assessments and penetration testing
- Incident response procedures and breach notification protocols
11. Children's Privacy
Our Services are not directed at children under 18 years of age. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately at and we will delete it promptly.
12. California Privacy Rights (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- Right to Know: Request information about data collection and sharing practices
- Right to Delete: Request deletion of personal information (subject to exceptions)
- Right to Opt-Out: Opt out of the "sale" of personal information (we do not sell your data)
- Right to Non-Discrimination: We will not discriminate against you for exercising your rights
To exercise these rights, visit our CCPA Request page or email with "California Privacy Request" in the subject line.
13. AI and Automated Decision-Making
Our Services use artificial intelligence to generate responses, transcribe conversations, and provide recommendations. Important disclosures:
- No Fully Automated Decisions: We do not make decisions that significantly affect you based solely on automated processing without human oversight
- AI Training: We do not use your conversation data to train third-party AI models. All major providers (OpenAI, Azure OpenAI, Anthropic, Google) have contractual agreements prohibiting training on API data
- Review Required: AI-generated content should be reviewed by you before use in critical contexts
- Human Oversight: You can always request human review of AI-generated decisions affecting your account
- Agentic Actions: AI assistants may perform actions such as internet searches (Serper / Google Search API) and web browsing (Browserbase) to retrieve publicly available information on your behalf. Search queries and browsing tasks are screened by automated PII and safety filters before being sent to external services.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of material changes by:
- Email notification to your registered email address
- In-app notification when you log in
- Updating the "Last Updated" date at the top of this policy
Continued use of our Services after changes take effect constitutes acceptance of the updated policy. For significant changes, we may require explicit consent.
15. Contact Information
Data Controller
Equilia AI (trade name of L3R Street Furniture SL.)
CIF: B67617142
Passatge Sistres 7, B. 2a.
08320 El Masnou, Barcelona, Spain
Privacy
Legal
Support
Supervisory Authority
As Equilia AI is established in Spain, our lead supervisory authority is the Spanish Data Protection Authority. You also have the right to lodge a complaint with your local supervisory authority.