HomeLogo
Fazer Login

Privacy Policy for Katrin AI

Privacy Policy for Katrin AI

Last Updated: February 6, 2026
Effective Date: February 6, 2026
Controller: Katrin AI
Data Protection Officer (DPO): dpo@katrinai.eu
Contact: privacy@katrinai.cloud

1. Introduction & Legal Framework

Katrin AI (“we,” “us,” or “our”) provides AI-powered voice agent services for inbound and outbound telephone communications. This Privacy Policy explains how we collect, use, store, and protect personal data when you interact with our voice AI services, in full compliance with:

  • Regulation (EU) 2016/679 (General Data Protection Regulation – “GDPR”)

  • Directive 2002/58/EC (ePrivacy Directive) on privacy in electronic communications

  • Regulation (EU) 2024/xxx (EU AI Act) transparency requirements

  • National data protection laws of our EU member state of establishment

This policy applies to all voice interactions processed through our platform, whether you are:

  • A caller interacting with our AI voice agent (data subject)

  • A business customer using our services to handle your communications (data controller/client)

  • An employee or representative of our business customers

2. Identity and Contact Details

Data Controller:
Katrin AI GmbH
VAT ID: [Pending]
Email: privacy@katrinai.cloud

Data Protection Officer (DPO):
Email: dpo@katrinai.cloud

We are established in the European Union and process all personal data within the EU/EEA unless otherwise specified in Section 9 (International Transfers).

3. Categories of Personal Data We Process

3.1 Voice and Audio Data

  • Voice recordings: Full audio of telephone conversations between you and our AI voice agent

  • Voiceprints/biometric templates: Acoustic features extracted for voice recognition or speaker verification (where applicable)

  • Transcripts: Text conversions of spoken content generated by our speech-to-text systems

  • Call metadata: Date, time, duration, telephone number, call direction (inbound/outbound), and technical identifiers

3.2 Communication Content

  • Information you voluntarily disclose during calls (e.g., name, address, account numbers, preferences, complaints)

  • Purpose of call and context of interaction

  • Sentiment analysis outputs (emotional tone detection)

3.3 Technical Data

  • Device identifiers and IP addresses (for web-based interfaces or VoIP connections)

  • Network information required for call routing

  • System logs for security and troubleshooting

3.4 Special Category Data (Article 9 GDPR)

We recognize that voice data may constitute biometric data when processed for unique identification purposes, which qualifies as a special category of personal data under Article 9 GDPR. [[31]] We also acknowledge that voice characteristics may reveal information about health conditions, ethnicity, or other sensitive attributes. Processing of such data occurs only under strict legal conditions outlined in Section 5.

4. Purposes of Processing & Legal Basis

PurposeLegal Basis (GDPR Article 6)Special Category Basis (GDPR Article 9, if applicable)Providing voice AI services (answering calls, routing inquiries, executing transactions on behalf of our business customers)Contractual necessity (Art. 6(1)(b)) – performance of agreement with our business customerNot applicable unless biometric identification is usedVoice recognition/authentication (verifying caller identity via voice characteristics)Legitimate interests (Art. 6(1)(f)) – fraud prevention and securityExplicit consent (Art. 9(2)(a)) OR substantial public interest (Art. 9(2)(g)) with safeguardsService improvement (training AI models, improving speech recognition accuracy, enhancing conversation quality)Legitimate interests (Art. 6(1)(f)) – provided anonymization/pseudonymization is applied where possibleOnly with explicit consent (Art. 9(2)(a)) when using identifiable voice dataQuality assurance & compliance (call monitoring, regulatory reporting, dispute resolution)Legal obligation (Art. 6(1)©) OR legitimate interests (Art. 6(1)(f))Not applicable unless health/other sensitive data is processedSecurity & fraud prevention (detecting suspicious patterns, protecting systems)Legitimate interests (Art. 6(1)(f)) – balancing test conductedNot applicableMarketing calls (outbound promotional communications)Explicit consent (Art. 6(1)(a)) – required under ePrivacy Directive for unsolicited communications [[21]]Not applicable

Important: For outbound marketing calls, we obtain prior explicit consent from recipients in accordance with the ePrivacy Directive’s requirements for unsolicited communications. [[21]]

5. Voice Data as Biometric/Special Category Data

When we process voice data for the purpose of uniquely identifying individuals (e.g., voice authentication systems), such processing constitutes processing of biometric data under Article 9(1) GDPR and is subject to heightened protections. [[33]]

We process biometric voice data only when:

  • You have provided explicit, informed, unambiguous consent (separate from general terms acceptance), OR

  • Processing is necessary for reasons of substantial public interest under EU/national law with appropriate safeguards, OR

  • Processing is necessary for establishment, exercise, or defense of legal claims

You may withdraw consent for biometric processing at any time without affecting the lawfulness of processing based on consent before withdrawal.

6. Data Retention Periods

We retain personal data only for as long as necessary for the purposes described above:

Data TypeRetention PeriodJustificationFull voice recordings30 days (standard) or up to 90 days if required by sector-specific regulation (e.g., financial services)Operational necessity, quality assurance, and legal complianceTranscripts (non-sensitive)90 daysService improvement and analyticsTranscripts containing special category dataDeleted immediately after purpose fulfillment or 7 days maximumMinimization principle for sensitive dataCall metadata (non-identifying)24 monthsBilling, analytics, and securityAnonymized/pseudonymized training dataIndefinitelyNo longer qualifies as personal data under GDPRData required for legal claims/defenseDuration of limitation period + 1 yearLegal obligation

Upon expiration of retention periods, data is securely deleted or fully anonymized using irreversible techniques. Business customers may configure shorter retention periods through their account settings.

7. Your Rights Under GDPR

As a data subject, you have the following rights:

7.1 Right of Access (Article 15)

Obtain confirmation whether we process your personal data and receive a copy of such data in a structured, commonly used format.

7.2 Right to Rectification (Article 16)

Request correction of inaccurate or incomplete personal data.

7.3 Right to Erasure/“Right to Be Forgotten” (Article 17)

Request deletion of your personal data when:

  • Data is no longer necessary for the original purpose

  • You withdraw consent (where processing was consent-based)

  • You object to processing based on legitimate interests (and no overriding legitimate grounds exist)

  • Data was unlawfully processed

Limitations: We may retain data where required by law (e.g., financial record-keeping) or for establishment/defense of legal claims.

7.4 Right to Restriction of Processing (Article 18)

Request temporary suspension of processing in specific circumstances (e.g., while accuracy is verified).

7.5 Right to Data Portability (Article 20)

Receive your personal data in a machine-readable format and transmit it to another controller (applies to data processed by automated means based on consent or contract).

7.6 Right to Object (Article 21)

Object to processing based on legitimate interests or for direct marketing purposes. We will cease processing unless we demonstrate compelling legitimate grounds overriding your interests.

7.7 Rights Related to Automated Decision-Making (Article 22)

You have the right not to be subject to decisions based solely on automated processing that produce legal effects or similarly significant effects. Our AI voice agents do not make solely automated decisions with legal/significant effects without human review. Where such decisions occur, you may request human intervention, express your point of view, and contest the decision.

7.8 Right to Withdraw Consent

Where processing is based on consent, you may withdraw consent at any time via the methods in Section 13. Withdrawal does not affect lawfulness of processing before withdrawal.

7.9 How to Exercise Your Rights

Submit requests to: dpo@katrinai.eu or via our online portal at https://katrinai.eu/privacy-rights

We will respond within one month (extendable by two additional months for complex requests). Requests are free of charge unless manifestly unfounded or excessive.

Identity Verification: To protect your privacy, we may request reasonable verification of your identity before fulfilling requests (e.g., callback to verified number, government ID for sensitive requests).

8. Data Security Measures

We implement state-of-the-art technical and organizational measures to protect personal data:

  • Encryption: All voice data encrypted in transit (TLS 1.3+) and at rest (AES-256)

  • Access Controls: Strict role-based access controls; principle of least privilege; multi-factor authentication for all system access

  • Network Security: Voice traffic processed exclusively within EU/EEA data centers; no routing through non-EU jurisdictions without safeguards [[16]]

  • Anonymization: Training data pseudonymized/anonymized where possible; production models trained on aggregated, non-identifiable datasets

  • Security Testing: Regular penetration testing, vulnerability assessments, and third-party security audits

  • Incident Response: 72-hour breach notification procedure compliant with GDPR Article 33

  • Employee Training: Mandatory annual data protection training for all staff with data access

  • Certifications: ISO/IEC 27001 certification for information security management (target: Q3 2026)

9. International Data Transfers

All voice processing occurs within EU/EEA-based data centers. We do not transfer personal data outside the EU/EEA except under the following conditions:

  • Transfers to processors in countries with an EU adequacy decision (e.g., UK, Switzerland)

  • Transfers protected by EU Standard Contractual Clauses (SCCs) with supplementary measures

  • Transfers necessary for occasional, non-repetitive purposes with explicit consent

10. Third-Party Disclosures & Processors

We disclose personal data only in the following circumstances:

RecipientPurposeLegal BasisOur business customers (e.g., your bank, utility provider)To fulfill the purpose of your call (e.g., account inquiry, service request)Contractual necessity (on behalf of customer as processor)Cloud infrastructure providers (e.g., AWS EU regions, Google Cloud EU)Hosting voice processing infrastructureData Processing Agreement (GDPR Article 28)Telecommunications carriersCall routing and connectivityContractual necessityAnalytics/anonymization partnersService improvement using anonymized data onlyLegitimate interests (no personal data transferred)Legal authoritiesCompliance with legal obligations/subpoenasLegal obligation (GDPR Article 6(1)©)

We maintain a registry of all subprocessors and conduct due diligence to ensure GDPR compliance. Business customers may object to new subprocessors with 14 days’ notice.

11. EU AI Act Transparency Obligations

In compliance with the EU AI Act transparency requirements:

  • Clear disclosure: At the beginning of every call, our AI voice agent identifies itself as an artificial intelligence system and states the identity of the deploying organization (our business customer) [[44]]

  • No deception: We do not design our AI to mimic human characteristics in a manner intended to deceive individuals about its artificial nature

  • Human handoff: Callers may request transfer to a human agent at any time; such requests are honored immediately

  • Documentation: We maintain technical documentation of our AI system capabilities, limitations, and intended use cases per EU AI Act Article 11

12. Use of Cookies and Tracking Technologies

If you access our web portal (e.g., for account management or privacy rights requests), we use:

  • Strictly necessary cookies: For session management and security (no consent required under ePrivacy Directive)

  • Analytics cookies: With your prior consent, to improve our website (Google Analytics with IP anonymization)

  • No third-party advertising cookies are used on our domains

13. How to Contact Us & Lodge Complaints

For privacy inquiries or to exercise your rights:

To lodge a complaint with a supervisory authority:
You have the right to file a complaint with your local EU data protection authority or with our lead supervisory authority:

14. Changes to This Privacy Policy

We may update this policy to reflect changes in our practices or legal requirements. Material changes will be:

  • Posted on our website with a revised “Last Updated” date

  • Notified to business customers 30 days in advance

  • Made available in all EU official languages upon request

Continued use of our services after changes constitutes acceptance of the revised policy.

15. Data Protection Impact Assessment (DPIA)

We have conducted a DPIA for our voice AI processing activities as required under GDPR Article 35 due to:

  • Systematic monitoring of data subjects at scale

  • Processing of special category data (voice biometrics)

  • Automated decision-making with potential significant effects

The DPIA concluded that risks are mitigated through:

  • Purpose limitation and data minimization

  • Short retention periods for identifiable voice data

  • Human-in-the-loop for significant decisions

  • Strong encryption and access controls

  • Transparency and user control mechanisms

A summary of the DPIA is available upon request from the DPO.

Respeitamos sua privacidade.

TLDR: Usamos cookies para seleção de idioma, tema e análises. Saiba mais.