1. Our Commitment
AllAI is committed to fully complying with the provisions of the General Data Protection Regulation (GDPR) and Romanian data protection legislation (Law no. 190/2018). As a SaaS chatbot and AI voicebot platform serving clients in the European Union, data protection is a central pillar of our business.
This page describes the concrete measures we implement to ensure GDPR compliance and to protect the rights of data subjects.
2. Our Roles in Data Processing
Depending on the context, AllAI acts in two distinct capacities:
Data Controller
When we collect and process data of our direct users (clients who create an account on the platform): account information, billing data, communications with the support team.
Data Processor
When we process end-user data on behalf of our clients: conversations with chatbots and voicebots, contact information captured by AI agents, voice recordings.
This distinction is important because our legal obligations differ depending on the role we have. As a Processor, we act exclusively according to the instructions of our clients (the Data Controllers).
3. GDPR Principles We Follow
1. Lawfulness, fairness and transparency — We process data lawfully, fairly and transparently with respect to data subjects
2. Purpose limitation — We collect data only for specified, explicit and legitimate purposes
3. Data minimization — We collect only the data strictly necessary for the stated purposes
4. Accuracy — We take measures to ensure personal data is accurate and up to date
5. Storage limitation — We keep data only as long as necessary for the processing purpose
6. Integrity and confidentiality — We ensure data security through appropriate technical and organizational measures
7. Accountability — We can demonstrate compliance with all the above principles
4. Data Subject Rights
GDPR grants you the following rights, which AllAI respects and facilitates:
Right of Access
Art. 15 GDPR — You may request a copy of all personal data we hold about you
Right to Rectification
Art. 16 GDPR — You may correct inaccurate or incomplete personal data
Right to Erasure
Art. 17 GDPR — You may request the deletion of your personal data (“right to be forgotten”)
Right to Restriction
Art. 18 GDPR — You may request the limitation of data processing in certain cases
Right to Portability
Art. 20 GDPR — You may receive your data in a structured, commonly used format
Right to Object
Art. 21 GDPR — You may object to the processing of data based on legitimate interest
We respond to all requests within 30 days. To exercise your rights, contact us at contact@allai.ro.
5. Technical and Organizational Measures
In accordance with Art. 32 GDPR, we implement the following security measures:
Technical Measures
- ✓ AES-256 encryption for stored data
- ✓ TLS 1.3 protocol for data in transit
- ✓ Two-factor authentication (2FA) for accounts
- ✓ Role-based access control (RBAC)
- ✓ Encrypted and redundant backups in EU data centers
- ✓ DDoS protection and web application firewall (WAF)
- ✓ Continuous 24/7 security monitoring
Organizational Measures
- ✓ Internal data protection policies
- ✓ Regular GDPR training for employees
- ✓ Confidentiality agreements with all employees
- ✓ Regular data protection impact assessments (DPIA)
- ✓ Security incident response procedures
- ✓ External security audits (quarterly)
6. Data Processing Agreement (DPA)
In accordance with Art. 28 GDPR, we offer a Data Processing Agreement (DPA) to all our clients. Our DPA includes:
- Subject and duration of data processing
- Nature and purpose of processing
- Types of personal data processed
- Categories of data subjects
- Obligations and rights of the controller
- List of authorized sub-processors
- Technical and organizational security measures
- Security incident notification procedure
The DPA is available upon request. Contact us at contact@allai.ro to request a copy.
7. International Data Transfers
Data is stored in data centers within the European Union (Germany and the Netherlands). In the event of data transfers outside the EEA, we apply the following safeguards (Art. 44-49 GDPR):
- Adequacy decisions: transfers to countries recognized by the European Commission as providing an adequate level of protection
- Standard Contractual Clauses (SCC): approved by the European Commission, included in contracts with sub-processors
- Transfer Impact Assessments (TIA): conducted for each transfer to third countries
8. Security Incident Notification
In accordance with Art. 33 and 34 GDPR, we have clear procedures for managing security incidents:
- Supervisory authority notification: within 72 hours of discovering an incident that poses risks to the rights of data subjects
- Client (Controller) notification: without undue delay, with details about the incident and measures taken
- Data subject notification: when the incident poses a high risk to the rights and freedoms of individuals
9. GDPR and Artificial Intelligence
As an AI platform, we pay special attention to compliance in the context of automated processing:
- AI Transparency: we inform users that they are interacting with an AI agent, not a real person
- No profiling with legal effects: we do not make automated decisions with significant legal effects without human intervention
- Data isolation: each client's data is logically isolated and not accessible to other clients
- Training control: we do not use client conversation data to train general AI models
- DPIA assessments: we conduct impact assessments for AI features involving large-scale processing
- AI Act compliance: we monitor and prepare for compliance with the European AI Regulation
10. Sub-processors
We use the following categories of sub-processors, all GDPR compliant:
| Category | Purpose | Data Location |
| --- | --- | --- |
| Cloud Infrastructure | Server and database hosting | EU (Germany, Netherlands) |
| AI Models / LLM | Natural language processing | EU / SCC in place |
| Payment Processing | Transaction management | EU (PCI-DSS compliant) |
| Transactional Email | Notifications and communications | EU |
| Analytics and Monitoring | Platform performance | EU |
The complete list of sub-processors is available in the DPA. Clients are notified 30 days before adding a new sub-processor.
11. Supervisory Authority
The competent supervisory authority for AllAI is the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP):
- Address: B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, Bucharest, postal code 010336
- Website: www.dataprotection.ro
- Email: anspdcp@dataprotection.ro
You have the right to file a complaint with ANSPDCP if you believe your data protection rights have been violated.
12. Contact
For any questions or requests related to GDPR compliance, personal data protection, or exercising your rights, you can contact us:
We will confirm receipt of the request within 48 hours and respond fully within 30 calendar days.