2. Data We Collect
We collect and process the following categories of personal data:
2.1 Personal Data
- Full name
- Email address
- Phone number
- Account credentials (hashed)
2.2 Communication Data
- Call recordings
- Call transcripts
- Chat logs and messages
- WhatsApp, Telegram, and SMS message content
2.3 Technical Data
- IP addresses
- Browser type and version
- Device identifiers
- Operating system information
- Referring URLs
2.4 Usage Data
- Feature usage patterns
- Session duration and frequency
- Dashboard interaction data
- API usage metrics
2.5 Payment Data
- Payment card details (processed exclusively by our third-party payment processor; we do not store full card numbers)
- Billing address
- Transaction history
- Subscription plan information
3. Legal Basis for Processing (GDPR Article 6)
We process your personal data on the following legal bases:
| Legal Basis | GDPR Reference | Description |
|---|---|---|
| Contract Performance | Art. 6(1)(b) | Processing necessary to provide the Vorden services you have subscribed to, including voice calls, chat, transcription, and analytics. |
| Legitimate Interest | Art. 6(1)(f) | Processing necessary for our legitimate interests, such as improving our services, ensuring platform security, preventing fraud, and conducting analytics. |
| Consent | Art. 6(1)(a) | Where you have given explicit consent, such as for optional communications, marketing, or specific AI-processing features. You may withdraw consent at any time. |
| Legal Obligation | Art. 6(1)(c) | Processing necessary to comply with legal obligations, such as tax regulations, law enforcement requests, or regulatory requirements. |
4. How We Use Your Data
We use the personal data we collect for the following purposes:
- Service Delivery: Providing and maintaining Vorden, including voice calls, chat messaging, WhatsApp integration, Telegram integration, SMS delivery, and omnichannel communication features.
- AI Processing: Processing voice recordings and text through AI models for transcription, sentiment analysis, intent detection, response generation, and quality analytics.
- Analytics: Analyzing usage patterns to improve service quality, optimize performance, and develop new features.
- Security: Detecting and preventing fraud, unauthorized access, and other malicious activity; maintaining audit logs.
- Billing: Processing payments, managing subscriptions, generating invoices, and handling billing disputes through our third-party payment processor.
- Communication: Sending transactional emails (e.g., account verification, password resets, service notifications) and, with your consent, promotional communications.
5. Third-Party Service Providers
To deliver the Vorden platform, we engage third-party service providers that process Personal Data on our behalf in the following categories:
- Cloud infrastructure and managed services (processing primarily within the European Union)
- AI and language-model processing (including speech-to-text, text-to-speech, and large language models)
- Telephony and messaging (voice calls, SMS, WhatsApp, and Telegram delivery)
- Payment processing (card processing and subscription billing)
- Operational monitoring (application error and performance monitoring)
Each provider is bound by written contractual obligations no less protective than those set out in our Data Processing Agreement. The current list of sub-processors — including their names, processing locations, and purposes — is published and kept up to date on our Sub-Processors page. Controllers may subscribe there to receive advance notice of any intended addition or replacement.
6. International Data Transfers
Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States.
For all international transfers, we implement appropriate safeguards in compliance with GDPR Chapter V, including:
- Standard Contractual Clauses (SCCs): We enter into EU-approved Standard Contractual Clauses with all sub-processors located outside the EEA.
- Supplementary Measures: In addition to SCCs, we implement supplementary technical and organizational measures, including:
  - Industry-standard encryption of Personal Data in transit and at rest
  - Strict access controls and role-based access management
  - Data minimization practices
  - Regular transfer impact assessments
You may request a copy of the applicable Standard Contractual Clauses by contacting our Data Protection Officer.
7. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes described in this Privacy Policy:
| Data Category | Retention Period |
|---|---|
| Call recordings and transcripts | 90 days from creation (default; configurable per tenant) |
| Account and profile data | Duration of active subscription, plus 30 days after termination |
| Payment and billing data | As required by applicable tax and financial regulations (typically 7 years) |
| Technical and usage logs | 12 months, then purged |
| Communication data (chat, SMS, WhatsApp, Telegram) | Retained until tenant or project deletion, or until a Data Subject exercises their right to erasure (configurable per tenant) |
| Error tracking and monitoring logs | 12 months, then purged |
Upon request or account termination, we will delete or anonymize your personal data within 30 days, except where retention is required by law.
8. Your Rights Under GDPR (Articles 15-22)
If you are located in the European Economic Area, you have the following rights regarding your personal data:
- Right of Access (Art. 15): You have the right to request a copy of the personal data we hold about you.
- Right to Rectification (Art. 16): You have the right to request correction of inaccurate or incomplete personal data.
- Right to Erasure (Art. 17): You have the right to request deletion of your personal data ("right to be forgotten"), subject to applicable legal exceptions.
- Right to Restriction of Processing (Art. 18): You have the right to request that we restrict processing of your personal data under certain circumstances.
- Right to Data Portability (Art. 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit it to another controller.
- Right to Object (Art. 21): You have the right to object to processing of your personal data based on legitimate interests or for direct marketing purposes.
- Right to Withdraw Consent (Art. 7(3)): Where processing is based on consent, you may withdraw your consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.
- Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority in the EU Member State of your habitual residence, place of work, or place of the alleged infringement.
To exercise any of these rights, please contact our Data Protection Officer at dpo@vorden.ai. We will respond to your request within 30 days.
9. Automated Decision-Making
Vorden uses AI-assisted processing for the following purposes:
- Automatic transcription of voice calls
- Sentiment analysis and intent detection
- Automated response generation in chat and voice interactions
- Call quality scoring and analytics
These processes involve automated analysis of communication data. However:
- No solely automated decisions with legal or similarly significant effects are made without human oversight.
- You have the right to request human review of any automated decision by contacting us at dpo@vorden.ai.
- You may object to automated processing at any time under GDPR Article 22.
10. Security Measures
We implement comprehensive technical and organizational measures to protect your Personal Data, including:
- Encryption: Industry-standard encryption of Personal Data in transit and at rest
- Authentication: Secure session-based authentication with short-lived access tokens and rotation
- Tenant Isolation: Logical separation of customer data at the application and database level
- Access Controls: Role-based access control with the principle of least privilege and periodic access reviews
- Multi-Factor Authentication: Available and enforced for administrative access
- Monitoring: Continuous application monitoring with Personal Data scrubbing enabled on error reports
- Audit Logging: Comprehensive logging of access to and modifications of Personal Data
- Regular Security Reviews: Periodic security assessments and vulnerability testing
11. Children's Privacy
Vorden is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If you believe that we have inadvertently collected personal data from a child under 16, please contact us immediately at dpo@vorden.ai, and we will take steps to delete such data promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or sub-processor arrangements. When we make material changes, we will notify you by:
- Posting a prominent notice on the Vorden dashboard
- Sending a notification to the email address associated with your account
We encourage you to review this Privacy Policy periodically. The "Effective Date" at the top of this document indicates when it was last updated.
13. Contact
If you have questions about this Privacy Policy, wish to exercise your data protection rights, or have concerns about how we handle your personal data, please contact us:
Data Protection Officer (DPO)
Email: dpo@vorden.ai
LucyHQ, Inc.
131 Continental Dr, Suite 305
Newark, DE 19713, USA
Email: legal@vorden.ai
Website: https://vorden.ai