1. Data Controller
In compliance with Regulation (EU) 2016/679 (GDPR) and Spanish Organic Law 3/2018 (LOPDGDD):
- Owner: Codelabs Studio S.L.
- Tax ID (CIF): B-88708797
- Phone: +34 910 781 801
- Privacy email: privacidad@agenteuno.ai
- General email: legal@agenteuno.ai
- Trade name: AgenteUno
2. Personal Data We Collect
2.1 Data provided directly
- Registration data: Full name, email, phone, company name
- Billing data: Payment information processed by Stripe (we do not store bank card data)
- Contact data: Name, email, company, phone, subject and message sent through forms
2.2 Data generated through service use
- Configuration data: AI agent settings, conversation flows, knowledge bases
- Conversation histories: Chat messages, WhatsApp, SMS, email and social media interactions
- Voice data: Recordings and transcriptions of phone calls handled by AI agents
- Voice profiles: Audio samples used for agent voice cloning (provided by account holder, not end user)
2.3 Technical data collected automatically
- Browsing data: IP address, browser type, operating system, pages visited
- Cookies: Strictly necessary, plus product analytics (PostHog) only with your consent (see Cookie Policy)
- Error data: Anonymous error reports through Sentry (no personally identifiable data)
3. Purposes of Processing
| Purpose | Legal basis (GDPR) | Data processed |
|---|---|---|
| Provision of contracted service | Art. 6(1)(b) Contract performance | Registration, configuration, conversations, voice |
| Billing and payment management | Art. 6(1)(b) Contract performance | Billing |
| Customer support | Art. 6(1)(b) Contract performance | Contact, registration |
| Service communications | Art. 6(1)(b) Contract performance | |
| Marketing communications | Art. 6(1)(a) Consent | |
| Error monitoring and stability | Art. 6(1)(f) Legitimate interest | Technical data (anonymous) |
| Legal compliance | Art. 6(1)(c) Legal obligation | Billing, consent records |
| Service improvement (aggregated) | Art. 6(1)(f) Legitimate interest | Anonymized usage data |
4. Voice Data and Artificial Intelligence Processing
4.1 How we process voice
When an end user interacts with an AgenteUno voice agent:
- The call is handled by an artificial intelligence system (not a person)
- Voice is transcribed to text using speech recognition services
- Text is processed by a language model (LLM) to generate a response
- The response is synthesized into voice using TTS (text-to-speech) technology
4.2 AI Transparency
In accordance with Regulation (EU) 2024/1689 (EU AI Act):
- All voice agents clearly identify that the user is speaking with an artificial intelligence assistant
- End users have the right to request transfer to a human operator
- We do not use voice to biometrically identify individuals. We do analyse the emotional tone of the conversation (via Hume EVI) for service-quality purposes; this analysis is not used for automated decisions with legal effects nor to infer special category data
4.3 Voice data and automated decision-making
In accordance with Art. 22 GDPR:
- AI agent responses are generated automatically based on the knowledge base configured by the account holder
- These automated decisions do not produce legal effects and do not significantly affect the end user
- If an interaction could have significant effects, the user may request human intervention
5. Data Processors (Sub-processors)
We share data with the following providers, all under Data Processing Agreements (DPA) pursuant to Art. 28 GDPR:
| Provider | Purpose | Data location | Basis |
|---|---|---|---|
| Hetzner Online GmbH | Server infrastructure, application hosting and deployment | Germany (EU) | DPA |
| Stripe Inc. | Payment processing | EU (configured region) | DPA + SCCs |
| Telnyx LLC | Telephony and voice calls | EU (dedicated infrastructure) | DPA + SCCs |
| Twilio Inc. | Telephony and voice calls | USA/EU (depending on region) | DPA + SCCs |
| Sentry (Functional Software Inc.) | Error monitoring | EU (configured region) | DPA + SCCs |
| PostHog Inc. | Web analytics (consent only) | EU (eu.posthog.com) | DPA |
| Groq Inc. | Natural language processing (LLM) and voice transcription (Whisper) | USA (Zero Data Retention enabled) | DPA + SCCs |
| Hume AI Inc. | Real-time conversational voice engine — understanding the caller's speech and voice synthesis (Hume EVI) | EU (dedicated servers) | DPA |
Note: Most providers process data on servers located in the EU. Groq (LLM) processes in the USA with Zero Data Retention enabled, and Twilio may process in the USA depending on the configured region; both transfers are made under Standard Contractual Clauses (Art. 46 GDPR). For more information, see the international transfers section.
6. International Data Transfers
Most of our providers process data exclusively on servers located in the European Union. For natural language processing (LLM), we use Groq Inc. (USA) with Zero Data Retention enabled, meaning request content is not stored on their servers. This transfer is made under Standard Contractual Clauses (SCCs) approved by the European Commission, pursuant to Art. 46 GDPR.
The safeguards applied for transfers outside the EEA are:
- Standard Contractual Clauses (Art. 46(2)(c) GDPR) — Implementing Decision (EU) 2021/914
- Zero Data Retention — The provider does not retain communication content
- Transfer Impact Assessment (TIA) — We verify that safeguards are adequate
7. Data Retention
| Data type | Retention period | Legal basis |
|---|---|---|
| Account data | While account is active + 5 years | Legal obligation (Commercial Code) |
| Conversation histories | Per plan: 90 days (Free/Starter), 365 days (Growth/Business), 730 days (Enterprise) | Contract performance |
| Voice recordings | Same window as the associated conversation (90/365/730 days per plan) | Contract performance |
| Billing data | 6 years | General Tax Law (Art. 66) |
| Consent records | Duration of processing + 3 years | Legitimate interest (proof of consent) |
| Technical logs | 90 days | Legitimate interest |
| Anonymized/aggregated data | No limit | Not personal data |
After the indicated periods, data is securely and irreversibly deleted.
8. User Rights
Under Arts. 15-22 of the GDPR and Title III of the LOPDGDD, you may exercise:
- Right of access (Art. 15) — Obtain confirmation and a copy of your data
- Right to rectification (Art. 16) — Correct inaccurate or incomplete data
- Right to erasure (Art. 17) — Request deletion of your data ("right to be forgotten")
- Right to restriction (Art. 18) — Restrict the processing of your data
- Right to portability (Art. 20) — Receive your data in a structured, commonly used, machine-readable format
- Right to object (Art. 21) — Object to processing based on legitimate interest
- Right not to be subject to automated decisions (Art. 22) — Request human intervention
How to exercise your rights
- Email: privacidad@agenteuno.ai
- Response time: Maximum 30 days (extendable to 60 days in complex cases, with prior notification)
- Identification: We may request proof of identity to protect your data
Right to lodge a complaint
If you believe your rights have not been adequately addressed, you may file a complaint with:
Spanish Data Protection Agency (AEPD)
- Web: www.aepd.es
- Address: C/ Jorge Juan, 6 — 28001 Madrid
- Phone: 900 293 183
9. Cookies
We use strictly necessary cookies for platform functionality and, only with your consent, product analytics cookies (PostHog, hosted in the EU). We do not use advertising cookies. See our Cookie Policy for detailed information.
10. Security
We apply technical and organizational measures in accordance with Art. 32 GDPR:
- Encryption in transit (TLS 1.3) and at rest (AES-256)
- Access control based on principle of least privilege
- Multi-factor authentication for system access
- Daily encrypted backups with 30-day retention
- Continuous security and error monitoring
- Regular security audits
11. Minors
In accordance with Art. 7 of the LOPDGDD, the processing of data of minors under 14 years of age requires parental or guardian consent. AgenteUno is not directed at minors under 14.
12. Changes to This Policy
We reserve the right to update this policy. We will notify you by email of any material changes at least 30 days in advance. The last update date is indicated at the beginning of this document.