Privacy Policy

Introduction

Welcome to our Privacy Policy. This policy outlines how we (the service provider operating in Romania, referred to as “we” or “our”) collect, use, share, and protect your personal data in compliance with the EU General Data Protection Regulation (GDPR). By registering on our website or using our services, you agree to the collection and use of your information as described in this Privacy Policy. This Privacy Policy applies to all users in Europe (including Romania) and covers data collected through our website and related services. We are committed to safeguarding your privacy and ensuring that your personal information is handled safely and lawfully.

Personal Data: In this policy, “Personal Data” means any information that relates to an identified or identifiable individual (such as a name, telephone number, or email address). We act as the Data Controller for your Personal Data, which means we determine the purposes and means of processing your data. We use reputable Data Processors (service providers) to help deliver our services, and they process data only on our behalf and under our instructions. Below we explain what data we collect, how we use it, the conditions for sharing it (including obtaining your consent), and your rights regarding this data.

 
Information We Collect

We collect several types of information from you (we do not knowingly collect any data from minors under 16 years old; see Children’s Privacy below):

  • Contact and Identity Information: When you register or contact us, we may ask for your name, email address, phone number, or other contact details. This information is necessary to create your account, identify you, and communicate with you. We do not allow registration by individuals under the age of 16, in compliance with GDPR’s age consent requirements, and we will not knowingly collect Personal Data from children.
  • Account Credentials: You may provide login credentials such as a username and password (or use single-sign-on) for your account. These are used to secure access to your account. Please keep your password confidential and do not share it.
  • User Communications and Content: If you communicate with us (for example, via support email or contact forms), we will collect the content of your communications and any information you choose to provide. Additionally, if our service offers interactive features (such as a voice AI agent or chatbot), we will collect the content of your interactions. This may include voice data (audio recordings of your voice or calls) and text input that you provide when using our AI services. For instance, when you use our voice AI agent, your voice and any information you speak or input may be recorded or transcribed so that our system (and third-party AI platforms) can understand your requests and respond. Note: We do not use any of this content to train our own AI models, and our third-party AI providers have policies that restrict using such data for their own model training without permission.
  • Technical and Usage Data: When you use our website or services, we automatically collect certain technical information. This includes your Internet Protocol (IP) address, browser type and version, device identifiers, and operating system, as well as usage data like page views, clicks, and timestamps of visits. We collect this data through server logs and cookies (small text files stored on your device). This Usage Data helps us analyze how our service is used, troubleshoot issues, and improve performance and security.
  • Cookies and Tracking Technologies: We use cookies and similar technologies to provide and personalize our service, keep you logged in, and analyze usage. For example, we use session cookies to remember your login session and preference cookies to save your settings. You can set your browser to refuse cookies; however, some features of our site may not function properly without them. For more details, please see our Cookie Policy (if available) or contact us.

No Special Categories of Data: We do not actively collect any sensitive personal data (such as information about health, religious beliefs, political opinions, etc.) from you. We also do not intend to collect data from minors. If you believe a child under 16 has provided us personal data, please contact us immediately so we can delete it (see Children’s Privacy below).

How We Use Your Data

We only use your personal data for legitimate purposes and in accordance with the law. The main purposes for which we process your data include:

  • To Provide and Maintain Our Service: We use your information to create and manage your user account, authenticate you when you log in, and deliver the features of our service that you request. For example, we use your contact details to register your account and your voice or text input to enable our AI agent to respond to your queries. We process your personal data as necessary to perform the contract with you – i.e. to provide the services you have signed up for.
  • To Communicate with You: We may use your email or phone number to send important notices about your account or the service (for instance, confirmation emails, password resets, service updates, or customer support responses). If you provide your phone number, we may use it to send verification codes or to facilitate automated calls or SMS (for example, using our telephony provider Twilio to deliver voice interactions or notifications). These communications are part of our service delivery or related to your account administration.
  • To Enable AI and Voice Features: A core aspect of our service is the AI-driven functionality (such as voice assistants or chat responses). When you use these features, we process your input data (such as the text you type or the audio of your voice) to generate responses. This may involve sending your data to our integrated third-party AI platforms — for example, to a large language model service (provided by companies like OpenAI or Google) to generate a conversational response, or to a voice synthesis service (like ElevenLabs) to produce a lifelike voice reply. We only send the necessary data to these providers to fulfill your request, and we do not allow them to use your data for any purpose other than providing the requested service. According to the policies of our AI providers, data we submit via their APIs is not used to train their general models without our or your permission. This means your conversations or voice inputs are used only to generate the output for you, and not to improve their products by default.
  • To Improve and Analyze Our Service: We may analyze aggregated usage patterns (e.g. overall website traffic, feature usage) and feedback to improve our service’s functionality, user interface, and performance. This may include using analytics tools to understand how users interact with our site and identify areas of improvement. We ensure any analytics data is anonymized or aggregated such that it does not identify you personally. Where possible, we run analytics in-house or use privacy-compliant analytics providers. Any analysis is done under strict confidentiality and security controls.
  • To Ensure Security and Prevent Fraud: We process certain data (like IP addresses, logs and usage patterns) to maintain the security of our platforms, prevent unauthorized access, and detect or investigate fraud or abuse. This includes using automated tools and manual reviews to safeguard against suspicious activity and to protect the integrity of our systems and users.
  • To Comply with Legal Obligations: In some cases, we may need to process or retain your data to comply with laws and regulations. For instance, we might keep transaction records for tax or accounting purposes, or disclose information if required by law enforcement or court order (only as far as such disclosure is lawful and necessary – see Disclosure for Legal Requirements below).
  • With Your Consent, for Additional Purposes: If we ever need to use your personal data for a purpose that is not necessary for the service or not covered by another legal basis, we will ask for your consent. For example, if you opt in to receive our newsletter or marketing emails, we will use your email address to send you promotional content – but only if you have given explicit consent for that. You have the right to withdraw consent at any time. We will not send you marketing communications or share your data with third parties for marketing unless you opt in at registration or in your account settings (and you can opt out later as well).

Legal Bases for Processing: We process personal data only when we have a valid legal basis under GDPR Article 6. The primary bases are: (a) your consent – for example, when you sign up and explicitly agree to this Privacy Policy or when you opt into optional data uses; (b) contractual necessity – we need to process certain data to provide the service you requested and fulfill our contract with you; (c) legal obligation – to comply with laws that require processing or disclosure; and in some cases (d) legitimate interests – for purposes like securing our service or improving functionality, balanced against your privacy rights. Where we rely on legitimate interests, we ensure our interests are not overridden by your data protection rights. If you have any questions about the legal basis of specific processing, feel free to contact us.

No Sale of Personal Data: We will never sell your personal information to any third party. We only use and share your data as described in this policy, and always with respect for your privacy.

No Automated Decision-Making without Human Involvement: We will not use your personal data for any purely automated decision-making processes that produce legal or similarly significant effects on you (as defined in GDPR Article 22), unless you have given explicit consent or it is necessary for the service (which in our case, it is not). Any AI-driven responses or features are intended to assist you and do not make binding decisions about your rights or obligations. You always have the option to contact human support if you have concerns.

How We Share Your Data (Third-Party Service Providers)

We treat your personal data with care and confidentiality. We may share your data with selected third parties only for the purposes described above, and only to the extent necessary to deliver or improve our service. All third-party recipients are bound by contractual obligations to keep your data secure and use it solely for the purposes we specify. The types of third parties with whom we share data (and the data shared) include:

  • Cloud Hosting and Infrastructure Providers: We use reputable cloud infrastructure services (for example, data center or hosting providers) to store and process data on secure servers. These providers host our website, databases, and backend systems. Your Personal Data (such as account information and content you provide) is stored on servers located in the European Union whenever possible. Our cloud providers are required to implement strong security measures and to comply with EU data protection standards. They act as our data processors, meaning they cannot access or use your data except to the extent needed to maintain and run our service.
  • AI and Machine Learning Service Providers: As mentioned, we integrate Large Language Model (LLM) providers and other AI platforms to power features like conversational AI and content generation. This includes services such as OpenAI (which provides natural language processing) and Google Cloud AI. When you engage with AI features (e.g. asking a question to our AI assistant), the relevant portion of your data (e.g. the text of your query, or a transcript of your voice input) is sent to these providers’ systems so that they can process it and return an output (answer or action). We do not share more data than necessary – typically just the query content or necessary context. These providers are not allowed to use your data for any other purposes. In fact, both Google and OpenAI state in their terms that customer data submitted via their API will not be used to train or improve their models without permission. For example, OpenAI’s policy for its API (as of 2025) is: “We do not train our models on your business data by default.” Similarly, Google’s Cloud AI terms state that they will not use customer data to train their AI models without the customer’s prior consent. We have agreements in place with these providers to ensure your data is protected and handled in line with GDPR.
  • Voice and Telephony Service Providers: If our service interacts with phone calls, SMS, or voice synthesis, we use specialized third-party platforms. For instance, we use Twilio as a telecommunication service to handle phone calls or text messages with users, and ElevenLabs (a voice AI service) to synthesize speech audio for our voice agent. If you provide a phone number and consent to voice interactions, Twilio will process your number and call content to connect calls or send texts on our behalf. Likewise, if our AI agent speaks to you in a realistic voice, the textual response may be sent to ElevenLabs to generate an audio voice clip. These providers inevitably handle certain personal data (e.g. phone numbers, call audio or message content) in order to perform the service. We ensure that they only use this data to facilitate the communication or generate the audio and for no other purpose. Twilio, for example, acts as our processor for delivering communications and is contractually bound to confidentiality (note: in some cases Twilio may also act as a controller for limited processing like fraud prevention, as explained in their privacy documentation). All call recordings or real-time audio streams we process are treated as highly confidential. If we record calls (for service quality), we will inform you and obtain consent where required by law.
  • Other Service Providers: We may use additional third-party services to support our business operations, such as:
      • Email and Notification Services: to send account-related emails, verification codes, or notifications (for example, an email delivery service or SMS gateway which would use your email or phone number to send messages on our behalf).
      • Analytics and Monitoring Tools: to help us understand usage of our service (e.g. Google Analytics or similar, which might collect Usage Data like your IP address and browsing events). We configure such tools to respect privacy norms (for instance, by anonymizing IP addresses where applicable). You can opt out of analytics tracking if you wish (for example, Google provides a browser add-on to opt out).
      • Payment Processors: If we offer paid services, we would use established payment processors (e.g. Stripe) to handle credit card transactions. In such cases, we do not store your full payment details ourselves; they are handled by the third-party processor in compliance with PCI-DSS security standards. (If applicable, the processor’s privacy policy will govern the use of your payment data, and we will provide you with that information during payment.)

In all cases, we choose third-party providers who either operate within the EU or, if they are based outside the EU, provide appropriate safeguards for international data transfers (see Data Transfers below). We have Data Processing Agreements (DPAs) in place with our service providers as required by GDPR, obligating them to protect your data, keep it confidential, and not use it for any purpose other than providing services to us. They cannot disclose your data to others or use it for their own marketing. We regularly review our third-party partners to ensure they meet our security and privacy standards.

Data Transfers and International Storage

Our primary operations are based in Romania, and we endeavor to store and process personal data within the European Union (EU). However, some of our third-party service providers may be located in, or have servers in, countries outside the European Economic Area (EEA) (for example, the United States). Whenever your personal data is transferred outside of the EEA, we will ensure that adequate safeguards are in place to protect it, as required by GDPR.

If we transfer data to a country that the European Commission has not deemed to have an adequate level of data protection, we rely on approved mechanisms such as the European Commission’s Standard Contractual Clauses (SCCs), or other lawful transfer frameworks, to ensure your data remains protected. These are contractual commitments that bind the recipient to protect your data according to EU standards. In some cases, we may also rely on your explicit consent for certain cross-border transfers, but we will inform you and obtain consent if that is the case.

We will take all steps reasonably necessary to ensure that your data is treated securely during any transfer. This includes evaluating the security measures of our partners and ensuring encryption is used during transit. Your acceptance of this Privacy Policy, followed by your submission of information to us, represents your agreement to such data transfers where they are necessary to deliver the services you have requested. If you have questions about international data transfers or want to see a copy of the relevant safeguards in place, you can contact us (see Contact Us section).

Data Retention

We will retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, as outlined in this policy, and to comply with legal or business requirements. In practice, this means:

  • Account Information: If you have an account with us, we keep your personal information for as long as your account is active. You may contact us to delete your account, in which case we will remove or anonymize personal data associated with your account (except for data we are required or permitted to retain as described below). If an account is inactive for an extended period, we may contact you to ask if you wish to keep it open, and absent a response, we may delete the account and associated data in line with our data retention policy.
  • Service Usage Data: We retain data collected during your use of the service (e.g. logs, interactions, voice recordings) for as long as necessary to provide the service and for a reasonable period thereafter. For example, voice interaction data might be kept temporarily to ensure your queries are processed and for troubleshooting, but we will not keep detailed voice transcripts longer than needed. Some usage data may be retained in aggregate form for analytics and service improvement after it’s no longer tied to your identity.
  • Communication Records: If you contacted support or we sent you service notices, we may retain those communications as long as needed to address your inquiry and maintain a record of our correspondence (usually 1-2 years, unless a longer period is required for legal reasons).
  • Legal and Regulatory Retention: We will keep data as required to comply with our legal obligations or to resolve disputes. For instance, records of transactions or consents may be kept for a certain number of years as required by financial or consumer laws. If we are under a legal obligation to retain certain data (e.g., for law enforcement, tax, or accounting purposes), we will retain that data strictly for the duration and purposes mandated by law.

When personal data is no longer necessary for the purposes for which it was collected, and we have no legal obligation to retain it, we will delete, anonymize, or securely destroy the information. We periodically review our storage of personal data to ensure we are not keeping it longer than necessary. If deletion is not immediately possible (for example, because the data is stored in backups), we will ensure it remains securely protected until deletion is possible.

Your Rights Under GDPR

As a user in the EU, you have robust rights regarding your personal data under the General Data Protection Regulation. We are committed to upholding these rights. Your rights include:

  • Right of Access: You have the right to request a copy of the personal data we hold about you, and to obtain information about how we process it, whom we share it with, how long we store it, and why. We will provide this information free of charge in most cases, within the legally required time frame (typically within 30 days).
  • Right to Rectification: If any of your personal data is inaccurate or incomplete, you have the right to request that we correct or update it. You can also update some of your own information by logging into your account (for example, to change your contact details).
  • Right to Erasure: You have the right to request deletion of your personal data (“the right to be forgotten”). If you ask, we will erase your data, provided that it’s no longer necessary for us to keep it for the purposes it was collected or we have no overriding lawful reason to retain it. Please note that if you request deletion of data necessary to provide the service, we may need to close your account as a result (we will inform you if this is the case). Some data cannot be deleted if we are required to keep it by law, but we will inform you if so.
  • Right to Restrict Processing: You have the right to ask us to limit the processing of your data in certain circumstances. For example, if you contest the accuracy of your data, you can request that we restrict processing until the accuracy is verified. When processing is restricted, we will still store your data but not use it until the restriction is lifted.
  • Right to Object: You have the right to object to our processing of your data in certain situations. This includes, for example, if we process your data based on legitimate interests, you can object if you believe your rights outweigh our interests. If you object, we will consider your request and will stop or adjust processing unless we have compelling legitimate grounds to continue or if it is needed for legal claims. If we process your data for direct marketing (which we only do with opt-in consent), you can always object or unsubscribe, and we will stop.
  • Right to Data Portability: You have the right to receive the personal data you have provided to us in a structured, commonly used, machine-readable format, and to have that data transmitted to another controller where technically feasible. This applies to data processed by us by automated means, based on your consent or on a contract. In plain terms, we will help you export the data you gave us, so that you can reuse it or port it to other services if you want.
  • Right Not to be Subject to Automated Decision-Making: As noted, we do not make any purely automated decisions that have legal or significant effects on you. If that changes, you would have the right not to be subject to such decisions unless certain conditions are met (e.g., with your explicit consent or if necessary for a contract, with safeguards). In any event, you’d have the right to human intervention and to contest the decision.
  • Right to Withdraw Consent: If we rely on your consent for any processing (for example, optional marketing), you have the right to withdraw that consent at any time. Withdrawing consent will not affect the lawfulness of any processing we conducted prior to your withdrawal. If you withdraw consent for a service feature that requires it, we will inform you if we can no longer provide that feature.
  • Right to Complain: If you believe we have infringed your data protection rights or GDPR, you have the right to lodge a complaint with a Supervisory Authority in the EU. You may do so in the member state of your habitual residence, your place of work, or where an alleged infringement occurred. For example, in Romania the supervisory authority is the National Supervisory Authority for Personal Data Processing (ANSPDCP). We would appreciate the chance to address your concerns before you approach a regulator, so please consider reaching out to us first, and we will do our best to resolve the issue.

You can exercise your rights at any time by contacting us (see Contact Us below). We will respond to your requests as soon as possible, and at least within one month as required by GDPR (this timeframe can be extended by two further months for complex requests, but we will inform you if an extension is needed). We may need to verify your identity before executing certain requests, to ensure we do not disclose data to the wrong person.

Children’s Privacy

Our service is not intended for children under the age of 16. We do not knowingly collect personal information from anyone under 16 years old. If you are under 16, please do not use the service or provide any personal data to us. In line with GDPR, children under 16 cannot legally consent to the processing of their data without parental authorization, and we have chosen to refrain from offering our services to minors altogether.

If we learn that we have inadvertently collected personal data from a child under 16, we will take prompt steps to delete that information from our records. If you are a parent or guardian and discover that your child under 16 has registered for our service or provided us personal data without your consent, please contact us immediately so that we can remove the child’s information. We may ask for proof of guardianship before honoring such a request. Protecting children’s privacy is extremely important to us, and we comply with all applicable laws aimed at safeguarding children online.

Data Security

We take the security of your personal data very seriously. We implement appropriate technical and organizational measures to protect your information against unauthorized access, alteration, disclosure, or destruction. These security measures include, for example:

  • Encryption: Your account data and any sensitive personal data is encrypted in transit (using TLS/SSL encryption when data is sent between your device and our servers or between us and our service providers) and at rest on our databases. This means that even if data were intercepted or accessed without authorization, it would be difficult to read.
  • Access Controls: We limit access to personal data to only those employees, contractors, and processors who need it to operate or improve our service. They are subject to strict confidentiality obligations. Our staff are trained on data protection practices.
  • Firewalls and Network Security: We use firewalls and monitoring to protect our network and servers from malicious activity. Regular security scans and updates are applied to our systems to guard against vulnerabilities.
  • Testing and Audits: We periodically test our security measures and may undergo third-party audits or assessments to ensure our safeguards are effective. If applicable, we comply with industry standards (for example, if processing payments, we use PCI-DSS compliant providers).

While we strive to protect your data, no method of transmission over the internet or electronic storage is 100% secure. Therefore, we cannot guarantee absolute security of your information. In the unlikely event of a data breach that affects your personal data, we will notify you and the relevant authorities as required by law. We also remind you that you play a role in keeping your data secure: please use a strong password, do not share your login credentials, and contact us immediately if you suspect any unauthorized access to your account.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational reasons. When we make changes, we will revise the “Effective Date” at the top of this policy. If the changes are significant, we will provide a more prominent notice (for example, by email notification or a notice on our website). We encourage you to review this Privacy Policy periodically for any updates. Your continued use of the service after any modifications to the policy will constitute your acknowledgment of the changes and agreement to abide by the updated policy.

Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please do not hesitate to contact us. We are here to help and address any issues. You can reach our data protection responsible person at:

Email: [team@heydevon.ai] (Please include “Privacy Inquiry” in the subject line)

Postal Mail: AISADEV SRL, Padurii str., nr.1, Corbeanca, Ilfov County, Romania, 077067

We will respond to inquiries and resolve any complaints about our privacy practices as soon as possible. If you contact us to exercise your GDPR rights, please provide enough information to verify your identity (for example, emailing from the address associated with your account) so we can safeguard your request.

Thank you for reading our Privacy Policy. We value your trust and are committed to protecting your personal data as you use our service.