Current as of 1 Oct 2025

Privacy Policy

Your privacy is important to us. This policy explains how we collect, use, share and protect your personal data.

Controller: HELLOMATIK, S.L. (CIF B22803126)
Contact: contact@hellomatik.com

Effective date: 1 October 2025 — Last updated: 1 October 2025

1) Who we are and how this policy applies

This Policy explains how Hellomatik collects, uses, shares and protects personal data when we act as a controller (e.g., account, billing, support, security) and how we process data on behalf of customers as a processor (e.g., content handled by our Voice/Chat/Procedures modules). Where we act as a processor, our obligations and limits are set by a Data Processing Agreement (DPA) with the customer (the controller). See sections 9 (Disclosures) and 10 (International transfers).

2) Data we process

A) Data you provide

Account & billing: name, company, role, business email, phone, payment identifiers (tokenised by our payment provider), invoice details.

Customer content processed via the Services: texts, files, records, call audio, transcripts, chat messages, workflow payloads, and metadata generated by your users.

Support & communications: requests and correspondence (including attachments).

B) Data we collect automatically

Technical & usage data: IP address, device/browser type, pages or features used, timestamps, logs and error events, telemetry necessary to secure and operate the Services.

C) Data from third parties

Integrations you connect (e.g., CRM/ERP, messaging, telephony, authentication, analytics) may provide identifiers or content required to run the workflow you configured. Where personal data are not obtained directly from you, we indicate the source and categories and provide the Article 14 GDPR information within one month, or at the first communication/disclosure, whichever occurs first. Cookie-related identifiers are covered by our Cookie Policy, which also governs consent for non-essential cookies.

3) Purposes and legal bases

We process personal data only for the purposes and legal bases below:

| Purpose | Examples | Legal basis |
| --- | --- | --- |
| Provide and maintain the Services | account creation, authentication, core features, customer support | Contract (Art. 6(1)(b) GDPR) |
| Security & abuse prevention | access control, logs, fraud prevention, incident response | Legitimate interests (Art. 6(1)(f)) |
| Service analytics & quality | measure feature adoption to improve reliability/UX (no third-party ad profiling) | Legitimate interests (Art. 6(1)(f)) |
| Billing & compliance | accounting/tax retention | Legal obligation (Art. 6(1)(c)) |
| Own marketing communications | product updates, events, offers | Consent, or Spain's LSSI prior-relationship exception for similar services (with easy opt-out) |

Right to object / withdraw consent. Where we rely on legitimate interests (Art. 6(1)(f)), you may object at any time on grounds relating to your situation; where we rely on consent, you may withdraw it at any time without affecting prior processing. Contact: contact@hellomatik.com. A short summary of our legitimate-interest assessment (LIA) is available on request.

4) Model training and product improvement

No default training on your content. We do not use customer content (including inputs/outputs, call audio, transcripts, chats, workflow payloads) to train AI models by default.

Opt-in only. Any optional data-sharing for training will be explicit, granular and revocable; without consent, no training use occurs.

Safety/abuse review. If content is flagged for security or misuse, we may review minimal necessary snippets to investigate and enforce policies.

These commitments implement purpose limitation and data minimisation.

5) Retention

We keep personal data only as long as necessary for the purposes above or as required by law. Current operational defaults:

Account & billing: for the subscription term and statutory accounting/tax periods.

Operational/diagnostic logs: defined rolling windows (e.g., 90–180 days for security telemetry; extended only for incident investigation) then deletion or irreversible anonymisation.

Customer content (processor role): retained and deleted per the customer's configuration and instructions.

Voice module (current defaults): call recordings: 14 days; transcripts: 6 months. Upon termination, we retain operational data for 10 days for reconciliation, then delete or anonymise it.

Is it mandatory to provide data? Some data are contractually necessary (e.g., account/billing). If not provided, we cannot create or maintain the subscription. When we request data not required by the contract, we will indicate this and the consequences of not providing it.

6) Your rights

You can exercise access, rectification, erasure, restriction, objection, portability, and the right not to be subject to decisions based solely on automated processing producing legal or similarly significant effects.

Objection: at any time for processing based on legitimate interests, including direct marketing.

Withdrawal of consent: at any time.

Response time: ≤ 1 month. Channel: contact@hellomatik.com. You have the right to lodge a complaint with the Agencia Española de Protección de Datos (AEPD): https://www.aepd.es.

7) Children

Our Services are not directed to children. In Spain, the digital age of consent is 14; below that age, consent must be given by a holder of parental responsibility (subject to any sector-specific laws imposing stricter requirements).

8) Automated decision-making

We do not take decisions with legal or similarly significant effects about you based solely on automated processing in the context of account users. If this changes, we will provide advance notice of the logic involved and your related rights.

9) Disclosures and recipients

We do not sell personal data. We disclose data only to:

Processors under Article 28 GDPR contracts: hosting, email, payments, telephony/TTS/STT for Voice, in-house service analytics, etc. We maintain a Sub-processors page listing providers, locations and transfer basis (DPF or SCC) and we give prior notice of material changes.

Corporate transactions (merger/acquisition), subject to this Policy's safeguards.

Legal/safety disclosures where necessary to comply with law, protect users or investigate abuse.

10) International data transfers

When data leaves the EEA/UK, we use valid Chapter V GDPR mechanisms, such as:

A European Commission adequacy decision (e.g., the EU–US Data Privacy Framework for certified US organisations); or

The Standard Contractual Clauses (SCCs) 2021/914, with supplementary measures where needed and a transfer impact assessment in line with EDPB guidance.

You can obtain a copy of the SCCs by contacting us. You may verify US providers in the official DPF public list.

11) Marketing communications

We comply with Spain's LSSI art. 21: no unsolicited electronic marketing without prior consent, except to existing customers for similar services, always with a clear, free opt-out in each message.

12) Security

We implement appropriate technical and organisational measures to protect personal data, including encryption in transit, access controls and least-privilege, environment isolation, monitoring, and backup/restore capabilities. No system is perfectly secure; keep credentials confidential and enable available security controls.

13) Roles by product (operational summary)

Account/Billing/Support: Hellomatik acts as controller.

Voice: for call handling, recordings and transcripts tied to your workflows, Hellomatik typically acts as a processor to the customer (controller). We display a recording/transcription notice and honour your retention settings and local law.

Chat & Procedures / Enterprise: for end-user conversations, files and workflow payloads, Hellomatik acts as a processor; for service telemetry and security, Hellomatik may act as controller to maintain and protect the platform.

The exact allocation of responsibilities is defined in your DPA.

14) Third-party services and links

Our Services may link to or integrate with third-party sites and apps. Their privacy practices are governed by their own policies.

15) Changes to this Policy

If we make material changes (e.g., new purposes or recipient categories), we will provide appropriate advance notice and update the "Last updated" date. Where consent is required, we will seek it again.

16) Contact

Questions or requests about this Policy or your rights:

Email: contact@hellomatik.com

Supervisory authority (Spain): AEPD

Data Protection Officer (if applicable): [DPO email]. If a DPO is not required under Art. 37 GDPR, you can still reach our privacy team at contact@hellomatik.com.