New: Governed workflows with a human gate

GDPR Data Protection Policy

1. Commitment to Data Protection

BiVelio Inc ("Company"), operator of the BiVelio platform and owner of the BiVelio brand, is committed to protecting the personal data of all individuals whose data is processed through our Service, in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), and all applicable data protection legislation.

This GDPR Policy supplements our Privacy Policy and provides specific information about how we comply with the GDPR when processing personal data of individuals in the European Economic Area (EEA), the United Kingdom, and Andorra.

2. Roles and Responsibilities

2.1 As Data Controller

When processing personal data of our users (account holders), we act as the Data Controller. This includes:

Account registration and authentication data

Billing and subscription information

Platform usage analytics

Support communications

2.2 As Data Processor

When processing data on behalf of our clients (their customers' data, leads, conversations, etc.), we act as the Data Processor. In this capacity:

We process data only on documented instructions from the Controller (our client).

We enter into Data Processing Agreements (DPAs) with all clients.

We ensure all personnel processing data are bound by confidentiality obligations.

We implement appropriate technical and organizational measures to ensure security.

We assist the Controller in responding to data subject requests.

We delete or return all personal data upon termination of the agreement.

2.3 Data Protection Officer

We have designated a Data Protection Officer (DPO) who can be contacted at:

Address: BiVelio Inc, Delaware (United States)

3. Lawful Basis for Processing

We process personal data under the following lawful bases as defined in Article 6 of the GDPR:

Processing Activity

Lawful Basis

GDPR Article

Account creation & authentication

Contract performance

Service delivery & features

Contract performance

Payment processing

Contract performance

Security monitoring & fraud prevention

Legitimate interest

Analytics & service improvement

Legitimate interest

Marketing communications

Consent

Tax & financial record keeping

Legal obligation

AI processing of user data

Contract performance

Third-party integration data sharing

Consent

4. Data Subject Rights

Under the GDPR, data subjects have the following rights. We are committed to facilitating the exercise of these rights within the statutory timeframes:

4.1 Right of Access (Article 15)

You may request a copy of all personal data we hold about you. We will provide this within 30 days in a commonly used electronic format.

4.2 Right to Rectification (Article 16)

You may request correction of inaccurate personal data or completion of incomplete data. You can also update most data directly through your account settings.

4.3 Right to Erasure (Article 17)

You may request deletion of your personal data when:

The data is no longer necessary for the purposes for which it was collected.

You withdraw consent and there is no other legal basis for processing.

You object to processing and there are no overriding legitimate grounds.

The data has been unlawfully processed.

Note: We may retain certain data where required by law (e.g., tax records, audit logs).

4.4 Right to Restriction (Article 18)

You may request restriction of processing while we verify the accuracy of your data, resolve an objection, or when processing is unlawful but you prefer restriction over erasure.

4.5 Right to Data Portability (Article 20)

You may request your data in a structured, commonly used, machine-readable format (JSON, CSV). We provide data export functionality within the Service.

4.6 Right to Object (Article 21)

You may object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.

4.7 Rights Related to Automated Decision-Making (Article 22)

Where we use automated processing (including AI) that significantly affects you, you have the right to:

Obtain human intervention in the decision.

Express your point of view.

Contest the decision.

4.8 How to Exercise Your Rights

Submit requests to privacy@bivelio.com. We will:

Verify your identity before processing any request.

Respond within 30 days (extendable by 60 days for complex requests, with notification).

Fulfill requests free of charge, except for manifestly unfounded or excessive requests.

5. Data Processing Agreements

In compliance with Article 28 of the GDPR, we enter into Data Processing Agreements (DPAs) with:

Our ClientsWhere we act as Data Processor for their end-users' data.

Our Sub-ProcessorsAll third-party service providers who process data on our behalf.

DPAs include:

Subject matter and duration of processing

Nature and purpose of processing

Types of personal data and categories of data subjects

Obligations and rights of the Controller

Technical and organizational security measures

Sub-processor management and notification obligations

6. Sub-Processors

We use the following categories of sub-processors:

Category

Purpose

Location

Cloud Infrastructure

Hosting, database, and compute services

EU / US (with SCCs)

AI Model Providers

Natural language processing, classification

US (with SCCs)

Payment Processor

Billing and subscription management

US (with SCCs)

Email Service Provider

Transactional and notification emails

US (with SCCs)

Analytics Provider

Usage analytics and product improvement

EU

We will notify clients of any changes to our sub-processor list at least 30 days in advance, providing the opportunity to object.

7. International Transfers

As some of our providers and systems may be located outside your country of residence, personal data may be transferred internationally. We ensure compliance through:

EU Standard Contractual Clauses (SCCs)Transfers outside the EEA rely on EU Standard Contractual Clauses (SCCs) and, where applicable, the EU-U.S. Data Privacy Framework.

Standard Contractual Clauses (SCCs)For transfers to jurisdictions without adequacy decisions, we implement SCCs as adopted by the European Commission (Decision 2021/914).

Transfer Impact Assessments (TIAs)We conduct TIAs for all transfers to third countries to evaluate the legal framework in the recipient country.

Supplementary MeasuresAdditional technical measures including encryption, pseudonymization, and access controls.

8. Technical and Organizational Measures

In accordance with Article 32 of the GDPR, we implement the following measures:

8.1 Technical Measures

End-to-end TLS 1.3 encryption for data in transit

AES-256 encryption for data at rest

Database-level Row-Level Security (RLS) ensuring tenant isolation

Automated vulnerability scanning and dependency auditing

Web Application Firewall (WAF) and DDoS protection

Regular penetration testing by independent third parties

Automated backup with point-in-time recovery (PITR)

Secrets management with encrypted vault storage

8.2 Organizational Measures

Role-Based Access Control (RBAC) with principle of least privilege

Mandatory data protection training for all personnel

Background checks for employees with access to personal data

Documented information security policies and procedures

Regular internal audits and management reviews

Incident response plan with defined roles and escalation procedures

Data protection by design and by default in all development processes

9. Data Protection Impact Assessments

We conduct Data Protection Impact Assessments (DPIAs) in accordance with Article 35 of the GDPR for processing activities that are likely to result in high risk to data subjects, including:

Large-scale processing of personal data through AI agents

Systematic monitoring of customer interactions across multiple channels

Automated profiling or scoring (e.g., lead scoring)

Processing of sensitive categories of data

New features or integrations that significantly change data processing

10. Data Breach Notification

In the event of a personal data breach, we will:

Internal ResponseActivate our incident response team within 1 hour of breach detection.

Supervisory AuthorityNotify the competent supervisory authority within 72 hours of becoming aware of the breach (Article 33), unless the breach is unlikely to result in a risk to the rights and freedoms of individuals.

Data SubjectsNotify affected individuals without undue delay when the breach is likely to result in a high risk to their rights and freedoms (Article 34).

Data Controllers (when we act as Processor)Notify affected clients without undue delay after becoming aware of the breach.

DocumentationMaintain detailed records of all breaches, including facts, effects, and remedial actions taken.

11. Records of Processing Activities

In compliance with Article 30 of the GDPR, we maintain comprehensive records of all processing activities, including:

Name and contact details of the controller/processor and DPO

Purposes of processing

Categories of data subjects and personal data

Categories of recipients

International transfers and safeguards

Retention periods

Technical and organizational security measures

12. AI and Automated Processing

BiVelio uses AI for various processing activities. Our approach to AI complies with GDPR requirements:

TransparencyWe clearly disclose when AI is used in processing personal data.

Purpose LimitationAI processing is limited to the purposes specified in this policy and our Privacy Policy.

Data MinimizationOnly data necessary for the AI task is processed.

No Third-Party TrainingPersonal data processed through BiVelio's AI features is not used to train or improve third-party AI models.

Human ReviewUsers maintain the ability to request human review of AI-generated decisions.

EU AI Act ComplianceWe monitor and align with the EU AI Act (Regulation 2024/1689) requirements as they become applicable.

13. Children's Data

BiVelio is a B2B service not intended for individuals under 16 years of age. We do not knowingly collect or process personal data of children. If we discover that we have inadvertently collected data of a child under 16, we will immediately delete such data and notify the relevant supervisory authority if required.

14. Complaints and Supervisory Authority

If you believe your data protection rights have been violated, you may:

Contact our DPO at privacy@bivelio.com to resolve the matter directly.

Lodge a complaint with the competent supervisory authority:

EU Member StatesYour local Data Protection Authority (DPA)

15. Policy Updates

This GDPR Policy is reviewed and updated annually, or more frequently when required by changes in legislation, our processing activities, or organizational structure. All updates will be published on this page with a revised "Last updated" date.

16. Contact

For any questions regarding this GDPR Policy or to exercise your rights: