GDPR Compliance.
How AIVA complies with the EU General Data Protection Regulation — for our EU customers, and for EU residents whose data passes through our customers' AIVA assistants. Article-by-article.
Three things every EU buyer needs to know:
- EU customer data stays in Frankfurt by default. Cross-border transfers are governed by signed Standard Contractual Clauses.
- We never train AI models on your customer conversations. Zero-data-retention contracts with OpenAI and Anthropic.
- We have a Data Protection Officer and an EU representative. Both are reachable directly. We respond to requests within 30 days, usually faster.
Who this applies to.
The GDPR applies to AIVA in two distinct scenarios:
- You're a customer in the EU/EEA — we act as a processor for the personal data you push through AIVA.
- Your customers are in the EU/EEA, even if you're based elsewhere — we still process EU residents' data on your behalf and apply GDPR-grade controls.
In both cases, you remain the data controller. AIVA is the processor. The relationship is governed by our Data Processing Addendum.
If you're a UK customer, the same controls apply — we honor the UK GDPR and offer the UK International Data Transfer Addendum (IDTA) on request.
Our legal basis.
The GDPR requires a lawful basis for every processing activity. Here's how AIVA's processing maps:
| Activity | Article 6 basis |
|---|---|
| Running your AIVA service | Contract performance · Art 6(1)(b) |
| Billing & account management | Contract performance · Art 6(1)(b) |
| Fraud prevention & security | Legitimate interest · Art 6(1)(f) |
| Compliance with legal orders | Legal obligation · Art 6(1)(c) |
| Optional product analytics | Explicit consent · Art 6(1)(a) |
We never rely on legitimate interest for AI training. Customer conversation data is never used to train models without explicit, written opt-in.
Your rights as an EU resident.
Under GDPR Articles 15–22, every EU resident has the following rights. We honor them within 30 days:
- Article 15 — Right of access: request a copy of all data we hold about you.
- Article 16 — Right to rectification: ask us to correct inaccurate data.
- Article 17 — Right to erasure: request that we delete your data (“right to be forgotten”).
- Article 18 — Right to restrict processing: ask us to stop processing certain data while a dispute is resolved.
- Article 20 — Right to portability: get your data in a machine-readable format (JSON or CSV).
- Article 21 — Right to object: object to processing based on legitimate interest.
- Article 22 — Rights regarding automated decisions: not be subject to a decision based solely on automated processing — including AIVA's responses, where they have legal or similarly significant effects.
To exercise any of these rights, email dpo@aivachat.io. If you're an end customer of one of our customers (e.g., you texted a Northwind support assistant powered by AIVA), please contact that company first — they're the data controller.
Where your data lives.
EU customer data is processed and stored in Frankfurt, Germany (AWS eu-central-1) by default. Specifically:
- All transcripts, assistant configurations, and metadata stay in eu-central-1.
- Backups stay in eu-central-1 (cross-AZ replication, no cross-region).
- AI inference for EU customers runs on EU-region OpenAI / Anthropic endpoints where available; otherwise it falls back to US-region endpoints with SCCs in place.
Customer data does not leave the EU/EEA without one of:
- An adequacy decision from the European Commission for the destination country.
- Standard Contractual Clauses with the recipient (see "Standard Contractual Clauses" below).
- Your explicit, informed consent.
Standard Contractual Clauses.
For any cross-border transfer of EU personal data, we use the Standard Contractual Clauses (SCCs) approved by the European Commission in 2021 (Module 2 — Controller to Processor).
The SCCs are automatically incorporated into your DPA when you become an enterprise customer. They cover:
- Transfer between AIVA EU and our parent in India for support and operations.
- Transfer between AIVA EU and our US-based AI sub-processors when EU endpoints are unavailable.
- Any future transfer that may become necessary.
UK customers: we offer the UK International Data Transfer Addendum (IDTA) with identical terms. Email dpo@aivachat.io to receive it.
AI & training data.
This is the section EU regulators ask about most, so we're explicit about it. Specifically:
- Customer conversations are not retained by OpenAI or Anthropic beyond the call duration.
- We don't fine-tune base models on your data without explicit, written opt-in, signed by your CIO or DPO.
- We don't use customer data for benchmarking, A/B testing, or competitive analysis.
For full technical details, see our Security overview.
DPIA support.
If your AIVA deployment requires a Data Protection Impact Assessment (DPIA) under GDPR Article 35 — likely for healthcare, finance, or large-scale processing — we provide:
- A pre-filled DPIA template covering AIVA's role as processor.
- A technical questionnaire covering encryption, access controls, sub-processor risks.
- Direct DPO consultation if needed.
Request the package at dpo@aivachat.io — usually returned within 5 business days.
Breach notification.
Under GDPR Article 33, we notify you of any personal data breach within 72 hours of discovery. Internally, our incident response team aims to confirm scope within 4 hours.
Notifications include the nature of the breach, categories and approximate count of affected data subjects, likely consequences, and the measures we're taking.
For your end customers: if a breach affects EU residents whose data you control, we help you draft Article 34 notifications. You're the controller — but we know the technical details.
Our DPO & EU representative.
We've appointed both a Data Protection Officer (Article 37) and an EU representative (Article 27):
| Role | Contact |
|---|---|
| Data Protection Officer | Priya Sharma · dpo@aivachat.io |
| EU representative | Müller & Co. (Frankfurt) · eu-rep@aivachat.io |
| UK representative | Available on request for UK GDPR matters |
Both respond directly. No tickets, no chatbots — just real humans who can answer your questions.
How to reach us.
For any GDPR question, email our DPO at dpo@aivachat.io — we reply within four hours during business hours, and within 30 days for formal data subject requests.
Müller & Co. (acting as Article 27 representative)
Mainzer Landstraße 50
60325 Frankfurt am Main · Germany
You also have the right to lodge a complaint with your local supervisory authority (Datenschutzkommission, CNIL, ICO, etc.). We'd appreciate the chance to address it first, but we won't stand in your way.
Other things to read.
Have a legal question that's not covered? Email legal@aivachat.io or contact our Privacy Officer.