Privacy Policy

Last Updated: November 28, 2025

1. Introduction

Equilia AI ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our AI-powered customer communication platform and related services (collectively, the "Services").

We are the data controller for the personal information we process. Our registered office is located in Barcelona, Spain. For privacy-related inquiries, please contact us at [email protected].

2. Information We Collect

2.1 Information You Provide Directly

  • Account Information: Name, email address, password (encrypted), phone number, company name, and billing information
  • Profile Information: Profile picture, job title, language preferences, and notification settings
  • Conversation Data: Messages, transcripts, call recordings, SMS content, WhatsApp messages, and video interactions
  • Contact Data: Information about leads and contacts including names, phone numbers, email addresses, and communication preferences
  • Document Uploads: Files, documents, and knowledge base content you upload to train your AI assistants
  • Support Communications: Correspondence with our support team

2.2 Information Collected Automatically

  • Technical Information: IP address, browser type, device information, operating system, and screen resolution
  • Usage Data: Pages viewed, features used, time spent, click patterns, and navigation paths
  • Session Data: Login times, session duration, and authentication tokens
  • Performance Data: Error logs, crash reports, and application performance metrics

2.3 Information from Third Parties

  • OAuth Providers: If you sign in with Google or GitHub, we receive your name, email, and profile picture
  • Payment Processors: Stripe provides payment confirmation and billing information (we do not store full credit card numbers)
  • Communication Providers: Call metadata, message delivery status, and usage statistics from Twilio, VAPI, and other telephony providers

3. How We Use Your Information

3.1 Providing and Improving Services (Legal Basis: Contract Performance)

  • Create and manage your account
  • Process and route conversations across channels (phone, SMS, WhatsApp, video, web)
  • Generate AI responses using language models (OpenAI, Anthropic, Google Gemini)
  • Synthesize voice using text-to-speech services (ElevenLabs)
  • Create personalized video content (Tavus, BeyondPresence, Bithuman)
  • Store and retrieve documents for AI assistant knowledge bases
  • Generate conversation summaries and analytics

3.2 Billing and Account Management (Legal Basis: Contract Performance)

  • Process payments and generate invoices
  • Calculate usage-based billing for conversations, messages, and minutes
  • Send transactional emails (receipts, account updates, password resets)
  • Manage subscriptions and billing disputes

3.3 Security and Fraud Prevention (Legal Basis: Legitimate Interest)

  • Authenticate users and prevent unauthorized access
  • Detect and prevent spam, abuse, and fraudulent activity
  • Implement reCAPTCHA verification to protect against bots
  • Monitor for security incidents and maintain audit logs
  • Comply with legal obligations and respond to lawful requests

3.4 Communication (Legal Basis: Contract Performance / Consent)

  • Send service-related notifications (system updates, maintenance, security alerts)
  • Respond to your inquiries and support requests
  • Send marketing communications only with your explicit consent (you can opt out anytime)

4. Legal Basis for Processing (GDPR)

We process your personal data based on the following legal grounds:

  • Contract Performance: Processing necessary to provide our Services and fulfill our agreement with you
  • Legitimate Interests: Fraud prevention, security, improving our Services, and operational efficiency
  • Consent: Marketing communications, certain cookies, and optional features
  • Legal Obligation: Compliance with tax, accounting, and legal requirements

5. How We Share Your Information

5.1 Third-Party Service Providers (Subprocessors)

We share data with carefully selected third-party providers who assist in delivering our Services. View our complete list of subprocessors at Subprocessors List.

Key categories include:

  • AI Model Providers: OpenAI, Anthropic, Google (Gemini), Cohere
  • Communication Services: Twilio, VAPI, Synthflow
  • Voice & Video: ElevenLabs, Tavus, BeyondPresence, Bithuman
  • Infrastructure: DigitalOcean (EU/Frankfurt), Vercel, Qdrant
  • Payments: Stripe (PCI-DSS compliant)

5.2 When Required by Law

We may disclose information if required to:

  • Comply with legal obligations, court orders, or government requests
  • Enforce our Terms of Service or protect our rights
  • Investigate fraud, security incidents, or violations of our policies
  • Protect the safety of our users or the public

5.3 Business Transfers

If we are involved in a merger, acquisition, or sale of assets, your information may be transferred. We will notify you before your data is transferred and becomes subject to a different privacy policy.

5.4 With Your Consent

We may share information for purposes not described in this policy with your explicit consent.

6. International Data Transfers

Our infrastructure is primarily hosted in the European Union (DigitalOcean Frankfurt). However, some subprocessors may process data outside the EU/EEA:

  • United States: OpenAI, Anthropic, Stripe, Twilio, VAPI, ElevenLabs, Tavus
  • Safeguards: We use Standard Contractual Clauses (SCCs) approved by the European Commission and UK Addendum where applicable
  • Data Residency Options: Enterprise customers can request EU-only processing for certain features

7. Data Retention

We retain your information for as long as necessary to provide our Services and fulfill legal obligations:

  • Account Data: Until you delete your account, plus 90 days for backup retention
  • Conversation Data: Until you delete conversations or your account, or as specified in your data retention settings
  • Billing Records: 7 years (legal requirement for accounting/tax purposes)
  • Security Logs: 12 months for incident investigation
  • Marketing Consent: Until you withdraw consent, then deleted within 30 days

You can configure custom retention periods for conversations and leads in your account settings. After deletion, data is permanently removed from active systems within 30 days and from backups within 90 days.

8. Your Rights Under GDPR

If you are located in the EU/EEA or UK, you have the following rights:

8.1 Right to Access

Request a copy of all personal data we hold about you

8.2 Right to Rectification

Correct inaccurate or incomplete personal data

8.3 Right to Erasure ("Right to be Forgotten")

Request deletion of your personal data (subject to legal retention obligations)

8.4 Right to Restrict Processing

Limit how we use your data while we investigate a complaint

8.5 Right to Data Portability

Receive your data in a structured, machine-readable format (JSON/CSV export available)

8.6 Right to Object

Object to processing based on legitimate interests or for direct marketing purposes

8.7 Right to Withdraw Consent

Withdraw consent at any time where processing is based on consent

8.8 Right to Lodge a Complaint

File a complaint with your local data protection authority (supervisory authority)

How to Exercise Your Rights

To exercise any of these rights, please contact us at [email protected] or use the data management tools in your account settings. We will respond within 30 days.

For self-service data access and deletion, visit your Account Settings.

9. Cookies and Similar Technologies

We use cookies and similar technologies to provide and improve our Services. For detailed information, see our Cookie Policy.

Essential cookies we use:

  • Session Cookies: Authentication and session management (Next-Auth) - Required
  • Security Cookies: reCAPTCHA verification to prevent spam and abuse - Required

We do not use tracking, analytics, or advertising cookies. All cookies we use are strictly necessary for the functionality and security of our Services.

10. Data Security

We implement comprehensive security measures to protect your data:

Technical Measures

  • Encryption: TLS 1.3 for data in transit, AES-256 for data at rest
  • Authentication: Multi-factor authentication (MFA) available, bcrypt password hashing
  • Access Controls: Role-based access control (RBAC), least privilege principle
  • Network Security: Firewalls, DDoS protection, regular security audits
  • Monitoring: 24/7 security monitoring, intrusion detection, incident response plan

Organizational Measures

  • Security training for all employees
  • Regular security assessments and penetration testing
  • Data Processing Agreements (DPAs) with all subprocessors
  • Incident response procedures and breach notification protocols

11. Children's Privacy

Our Services are not directed at children under 18 years of age. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately at [email protected] and we will delete it promptly.

12. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

  • Right to Know: Request information about data collection and sharing practices
  • Right to Delete: Request deletion of personal information (subject to exceptions)
  • Right to Opt-Out: Opt out of the "sale" of personal information (we do not sell your data)
  • Right to Non-Discrimination: We will not discriminate against you for exercising your rights

To exercise these rights, email [email protected] with "California Privacy Request" in the subject line.

13. AI and Automated Decision-Making

Our Services use artificial intelligence to generate responses, transcribe conversations, and provide recommendations. Important disclosures:

  • No Fully Automated Decisions: We do not make decisions that significantly affect you based solely on automated processing without human oversight
  • AI Training: We do not use your conversation data to train third-party AI models. All major providers (OpenAI, Anthropic, Google) have contractual agreements prohibiting training on API data
  • Review Required: AI-generated content should be reviewed by you before use in critical contexts
  • Human Oversight: You can always request human review of AI-generated decisions affecting your account

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of material changes by:

  • Email notification to your registered email address
  • In-app notification when you log in
  • Updating the "Last Updated" date at the top of this policy

Continued use of our Services after changes take effect constitutes acceptance of the updated policy. For significant changes, we may require explicit consent.

15. Contact Information

Data Controller: Equilia AI

Registered Office: Barcelona, Spain

Privacy Contact: [email protected]

General Support: [email protected]

Legal Inquiries: [email protected]

EU Representative (if applicable)

If required under GDPR Article 27, we will appoint an EU representative and provide contact details here.

Supervisory Authority

You have the right to lodge a complaint with the Spanish Data Protection Authority (AEPD) or your local supervisory authority:

Agencia Española de Protección de Datos (AEPD)
C/ Jorge Juan, 6
28001 Madrid, Spain
Website: www.aepd.es

16. Additional Resources
