hellomatik
AboutClinicsPricingNews
Sign inSee how it works
  • About
  • Clinics
  • Pricing
  • News
  • Sign in
  • See how it works
hellomatik
GitHubLinkedInX (Twitter)MediumSubstack

Product

  • Clinics

Company

  • About
  • News
  • See how we can help your business

Legal

  • Terms of Service
  • Privacy Policy
  • Cookie Policy

© 2026 Hellomatik. All rights reserved.

Hellomatik S.L. · Barcelona, Spain · hello@hellomatik.com

Language:EnglishEspañolDeutschFrançaisSvenska
  • Terms of Service
  • Privacy Policy
  • Cookie Policy

Last updated: 17 Mar 2026

Privacy Policy

Your privacy is important to us. This policy explains how we collect, use, share and protect your personal data.

Contents

  1. Who we are and how this policy applies
  2. Data we process
  3. Purposes and legal bases
  4. Model training and product improvement
  5. Retention
  6. Your rights
  7. Children
  8. Automated decision-making
  9. Disclosures and recipients
  10. International data transfers
  11. Marketing communications
  12. Security
  13. Roles by product (operational summary)
  14. Third-party services and links
  15. Changes to this Policy
  16. Contact

Controller: HELLOMATIK, S.L., with registered office at Calle Lago de Sanabria 60, 28981 Parla, Madrid, Spain, registered in the Mercantile Registry of Madrid (CIF B22803126)
Contact: contact@hellomatik.com

Effective date: 1 October 2025. Last updated: 17 March 2026

1) Who we are and how this policy applies

This Policy explains how Hellomatik collects, uses, shares and protects personal data. Sometimes we control the data (for account, billing, support, security). Other times we process data on behalf of customers (for content in our Voice/Chat/Procedures modules). When we process data for customers, a Data Processing Agreement (DPA) sets our duties and limits. See sections 9 (Disclosures) and 10 (International transfers) for more details.

2) Data we process

A) Data you provide

  • Account & billing: name, company, role, business email, phone, payment identifiers (tokenised by our payment provider), invoice details.
  • Customer content: texts, files, records, call audio, transcripts, chat messages, workflow payloads, and metadata from your users.
  • Support & communications: requests and messages (including attachments).

B) Data we collect automatically

  • Technical & usage data: IP address, device/browser type, pages or features used, timestamps, logs and error events, telemetry needed to secure and run the Services.

C) Data from third parties

Integrations you connect (like CRM/ERP, messaging, telephony, authentication, analytics) may provide identifiers or content needed for your workflow. When we get personal data not directly from you, we tell you the source and categories. We provide the Article 14 GDPR information within one month or at the first contact or disclosure, whichever comes first. Our Cookie Policy covers cookie-related identifiers and consent for non-essential cookies.

3) Purposes and legal bases

We process personal data only for these purposes and legal bases:

PurposeExamplesLegal basis
Provide and maintain the Servicesaccount creation, authentication, core features, customer supportContract (Art. 6(1)(b) GDPR)
Security & abuse preventionaccess control, logs, fraud prevention, incident responseLegitimate interests (Art. 6(1)(f))
Service analytics & qualitymeasure feature use to improve reliability and user experience (no third-party ad profiling)Legitimate interests (Art. 6(1)(f))
Billing & complianceaccounting/tax retentionLegal obligation (Art. 6(1)(c))
Own marketing communicationsproduct updates, events, offersConsent, or Spain's LSSI art. 21 prior-relationship exception for similar services (with easy opt-out)

Right to object or withdraw consent. When we rely on legitimate interests (Art. 6(1)(f)), you can object at any time based on your situation. When we rely on consent, you can withdraw it at any time. This does not affect past processing. Contact: contact@hellomatik.com. We can provide a short summary of our legitimate-interest assessment (LIA) on request.

4) Model training and product improvement

  • No default training on your content. We do not use customer content (inputs, outputs, call audio, transcripts, chats, workflow payloads) to train AI models by default.
  • Opt-in only. Any optional data-sharing for training will be clear, specific and revocable. Without your consent, we do not use your content for training.
  • Safety and abuse review. If content is flagged for security or misuse, we may review minimal snippets needed to investigate and enforce policies.

These commitments follow purpose limitation and data minimisation rules.

5) Retention

We keep personal data only as long as needed for these purposes or as required by law. Current defaults:

  • Account & billing: kept for the subscription term and required accounting/tax periods.
  • Operational and diagnostic logs: kept for defined periods (like 90-180 days for security telemetry, extended only for incident investigation). Then deleted or made anonymous.
  • Customer content (processor role): kept and deleted based on the customer's settings and instructions.
  • Voice module (current defaults): call recordings kept 14 days, transcripts kept 6 months. When you end service, we keep operational data 10 days for reconciliation, then delete or make it anonymous.

Is it required to provide data? Some data are needed for the contract (like account and billing). Without it, we cannot create or maintain your subscription. When we ask for data not needed for the contract, we will tell you and explain what happens if you don't provide it.

6) Your rights

You can exercise these rights: access, correction, deletion, restriction, objection, portability. You also have the right not to be subject to decisions based only on automated processing that produce legal or similar effects.

  • Objection: you can object at any time for processing based on legitimate interests, including direct marketing.
  • Withdrawal of consent: you can withdraw at any time.

Response time: 1 month or less. Contact: contact@hellomatik.com. You have the right to file a complaint with the Spanish Data Protection Authority (AEPD): https://www.aepd.es.

7) Children

Our Services are not for children. In the UK, the digital age of consent is 13. Below that age, a parent or guardian must give consent (subject to any stricter sector-specific laws).

8) Automated decision-making

We do not make decisions with legal or similar effects about you based only on automated processing. If this changes, we will give advance notice of the logic involved and your related rights.

9) Disclosures and recipients

We do not sell personal data. We share data only with:

  • Processors under Article 28 GDPR contracts: hosting, email, payments, telephony/TTS/STT for Voice, in-house service analytics, etc. We maintain a Sub-processors page listing providers, locations and transfer basis (DPF or SCC). We give prior notice of material changes.
  • Corporate transactions (merger or acquisition), subject to this Policy's safeguards.
  • Legal or safety disclosures when needed to comply with law, protect users or investigate abuse.

10) International data transfers

When data leaves the EEA/UK, we use valid Chapter V GDPR mechanisms, such as:

  • A European Commission adequacy decision (like the EU-US Data Privacy Framework for certified US organisations); or
  • The Standard Contractual Clauses (SCCs) 2021/914, with extra measures where needed and a transfer impact assessment following EDPB guidance.

You can get a copy of the SCCs by contacting us. You can check US providers in the official DPF public list.

11) Marketing communications

We comply with Spain's LSSI art. 21: no unsolicited electronic marketing without prior consent, except to existing customers for similar services, always with a clear and free opt-out in every message.

12) Security

We use appropriate technical and organisational measures to protect personal data. This includes encryption in transit, access controls and least-privilege, environment isolation, monitoring, and backup and restore capabilities. No system is perfectly secure. Keep your credentials confidential and enable available security controls.

13) Roles by product (operational summary)

  • Account/Billing/Support: Hellomatik acts as controller.
  • Voice: for call handling, recordings and transcripts tied to your workflows, Hellomatik typically acts as a processor. The customer is the controller. We show a recording and transcription notice. We follow your retention settings and local law.
  • Chat & Procedures / Enterprise: for end-user conversations, files and workflow payloads, Hellomatik acts as a processor. For service telemetry and security, Hellomatik may act as controller to maintain and protect the platform.

Your DPA defines the exact allocation of responsibilities.

14) Third-party services and links

Our Services may link to or integrate with third-party sites and apps. Their privacy practices are governed by their own policies.

15) Changes to this Policy

If we make material changes (like new purposes or recipient categories), we will give appropriate advance notice and update the "Last updated" date. Where consent is required, we will ask for it again.

16) Contact

Questions or requests about this Policy or your rights:

  • Email: contact@hellomatik.com
  • Supervisory authority (Spain): AEPD (https://www.aepd.es)
  • We are not required to appoint a Data Protection Officer under Art. 37 GDPR. For any privacy inquiry, please contact our team at contact@hellomatik.com.