Privacy Policy
Last updated: 2026-05-26
1. Data controller
The controller within the meaning of GDPR Art. 4(7) is the operator of prezio.app — registered address and contact details are listed in the Imprint. For questions about this policy, reach out to privacy@prezio.app.
2. What we collect
Account data (email, name, encrypted password hash). Agent configuration (prompts, branding, channel integrations). Conversation data (messages, contacts, leads — both sides of the conversation). Usage and cost telemetry (token counts, segment counts). Technical logs (IP address, user agent, timestamps) for the duration of a request lifecycle.
3. Why we process it
To provide and operate the service you signed up for. To generate AI responses (requires sending message content to OpenAI / Vapi as detailed in our Subprocessors page). To deliver outbound messages via Twilio / SES. To compute usage-based billing. To detect and prevent abuse, fraud, and security incidents. To fulfil legal obligations (tax retention, court orders).
4. Legal basis (GDPR Art. 6)
Art. 6(1)(b) — performance of the contract you entered into when signing up. Art. 6(1)(c) — legal obligations (tax, AML, requests from authorities). Art. 6(1)(f) — our legitimate interest in operating, securing, and improving the platform, balanced against your interests. We do not use Art. 6(1)(a) consent-based processing for the core service; consent applies only to optional cookies (none currently).
5. Who else processes your data
See our Subprocessors page for the complete list. Notable: AWS (hosting + email), Hetzner (compute), Twilio (SMS/voice/WhatsApp delivery), OpenAI (LLM inference), Vapi (voice synthesis), Sentry (error tracking). Each is bound by a Data Processing Agreement and Standard Contractual Clauses where transfers outside the EU/EEA apply.
6. How long we keep it
Account data: for the duration of the contract plus a 30-day deletion grace period, then hard-deleted (see the GDPR Art. 17 implementation in your Account page). Conversation messages: for the duration of the contract. Usage records: 13 months for billing audit and customer support. Email suppression list: indefinitely, on legitimate-interest grounds (preventing reputational damage from sending to known-bouncing addresses). Audit logs: 12 months.
7. Your rights
Under GDPR you have the right to access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), portability (Art. 20), objection (Art. 21), and to lodge a complaint with a supervisory authority (Art. 77). Operators: exercise the rights under Art. 15, 17 and 20 directly via your Account page. Anyone else (end-users of operators' agents): contact privacy@prezio.app — we will route the request to the relevant operator and assist with technical execution.
8. Cookies and tracking
We use one strictly necessary cookie: `ua_token`, a JWT-bearing session cookie that keeps you logged in to the dashboard. No advertising cookies, no third-party analytics on the public site. The Sentry SDK on the dashboard sends error reports without setting any identifier cookies.
9. Data protection officer
At Prezio's current size we are not legally required to designate a DPO. For all data protection matters, contact privacy@prezio.app. A formal DPO will be appointed if and when team size, processing scale, or data category requires it under GDPR Art. 37.