gdpr_compliance

Sovereign security & GDPR

How we protect your data, where it is processed, and what legal documentation we provide. Full transparency, no fine print.

Boty Leads is designed to comply with the GDPR: EU-hosted data, legal documentation ready for your compliance, and a sovereign processing mode on European servers available on higher-tier plans. GDPR compliance is a shared responsibility — this page explains exactly what we do and what tools we give you.

Official BSP: 360dialog · Meta Business Partner
Hosting: Data in the EU
Sovereign AI: Scaleway (Paris) · OVHcloud (Gravelines)
No training: Your chats are never used to train

Spanish DPA (GDPR Art. 28)

We provide a Data Processing Agreement (DPA) in Spanish, aligned with GDPR Art. 28, with a technical and organizational measures (TOMs) annex and the sub-processor list.

Document in legal preparation. The downloadable draft is an informational template; the final signed version is a legal deliverable that will be published before launch.


// how_we_comply

Our credentials verified

1. Transparency and AI self-disclosure

The assistant identifies itself as AI in the first message ("I am the virtual assistant of {business}") and includes a hand-off-to-human command. It is a purpose-built lead-qualification bot, not a general-purpose assistant.

2. Verifiable consent

We capture consent with proof (timestamp, source, and text shown) and record every opt-in in an immutable event ledger. We honor inbound keyword opt-out (BAJA/STOP): on receipt we withdraw marketing consent and suppress subsequent marketing sends to that contact. Outbound marketing requires prior express consent (LSSI Art. 21). A Lista Robinson check is an operational control before prospecting, not an automated integration with the registry.

3. Layered privacy notice

At first contact a layered privacy notice is shown, identifying the SMB as the data controller and Boty Leads as the processor.

4. Meaningful human oversight

AI replies go through an approval queue by default: a person sees the rationale, can edit or override, and every override is logged. This human oversight is the legal mitigation against GDPR Art. 22.

5. Sovereign AI: where it is processed

On the Growth and Agency plans, lead qualification is processed on sovereign APIs hosted in the EU (Scaleway in Paris, OVHcloud in Gravelines), under zero-retention contracts with no training on your data. For customers with strict sovereignty requirements we offer, on request and configured by the operator, EU-restricted processing: if no sovereign capacity is available, the request queues or falls back to rule-based scoring instead of being routed outside the EU. Any processing outside the EU (other plans or tasks) is disclosed in the sub-processor list.

6. Meta Local Storage (data at rest)

We enable Meta's Cloud API Local Storage (Germany) per number, which covers data at rest. WhatsApp message transport is not 100% EU-guaranteed by Meta; we reflect this honestly instead of claiming full residency.

7. Audit trail (AI Act Art. 50)

We keep an immutable per-conversation log with model, prompt version, confidence, rationale, escalation reason, and named human approver. The audit trail and human oversight are aligned with the AI Act transparency obligations (Art. 50). Lead qualification is limited-risk, not high-risk.

8. Retention and right to erasure

Retention is configurable per tenant. Erasure and data export are available on request through your operator or support; when executed, erasure cascades to sub-processors so the right to erasure and to portability is fulfilled end-to-end.

9. Guaranteed export

Complete relational export (leads, conversations, scores, and AI decision logs) in documented JSON/CSV, available on request through your operator or support, on every plan including the free one, with no date window or expiry. BSP offboarding SLA: 2FA disabled and confirmed within 24h.

10. No training (technical and contractual)

Your WhatsApp conversations are never used to train, retrain, or improve any model. It is a technical and contractual ban, and also a Meta obligation on WhatsApp Business Solution Data.

11. International transfers

The optional non-EU fallback constitutes an international transfer: it relies on adequacy frameworks (DPF) or standard contractual clauses (SCCs) with a transfer impact assessment (TIA), pseudonymizing before fallback. It appears in the sub-processor list and is off by default.

12. Breach notification and TOMs

We have a breach notification process and a technical and organizational measures (TOMs) annex. We maintain a RoPA (record of processing activities) and a customer-facing DPIA template.

13. Infrastructure and data residency

The database and application hosting are in the EU (Supabase). The WhatsApp webhook currently runs on edge (global POPs); pinning the webhook compute to an EU region is in progress as a documented roadmap item. We do not claim the webhook compute is already EU-pinned.

// who_processes

Sub-processor list

Who processes your data and for what. The list is kept up to date and is part of the DPA.

Sub-processor | Purpose | Region
Hetzner | AI servers (sovereign failover) | Germany / Finland (EU)
Supabase | Database and authentication | EU
Vercel | Web application hosting | EU (pinned compute)
360dialog | WhatsApp Business API BSP | EU
Meta | WhatsApp Business Platform | Local Storage (Germany)
Scaleway | AI inference (primary) | France (EU)
OVHcloud | AI inference (failover) | France (EU)
US fallback (optional · off by default) | Fallback inference (non-strict mode only) | USA (DPF / SCCs + TIA)

// full_compliance

Questions about compliance? Let's talk.

We talk to you and your DPO. We provide all the legal documentation you need.