Privacy Policy
1. General Information
This privacy policy provides information about the processing of personal data in connection with the use of EViRAL's services.
The processing of personal data is carried out in accordance with the General Data Protection Regulation (GDPR) and applicable national data protection provisions.
Our services include, among other things, solutions in the areas of reputation management, creation and provision of websites, and AI-supported communication solutions, for example telephone assistant systems.
2. Categories of Personal Data
Depending on the type of use, we process in particular the following categories of personal data.
Customer Data (B2B)
This includes business information provided during registration or use of our services, for example:
- name
- company
- position
- business address
- business phone number
- business email address
- access data (login / username)
- contract data
- tariff information
- contract terms
- invoice data
- internal notes regarding the business relationship
Payment Data
For payment processing, payment-related information may be processed, for example:
- payment status
- invoices
- transaction identifiers
Payment processing may be carried out via payment service providers such as Stripe.
We do not receive full credit card data.
Further information:
Platform Usage Data
This may include:
- logins
- configurations
- workflows used
- created review requests
- activities on landing pages
- browser type
- IP address
- device information
- timestamps
- technical log data
This data is used for analysis, system stability, and system security.
End-Customer Data of Our Customers
As part of using our services, our customers may process data of their own customers.
This may include:
- name
- email address
- phone number
- reviews
- feedback
- video testimonials
- reactions of the business owner
- technical metadata
In these cases, our customers act as controllers within the meaning of the GDPR, while EViRAL acts as a processor.
Data from Phone Calls (AI Phone Assistant)
As part of our AI-based phone assistance, incoming calls may be processed automatically.
Among other things, the following data may be processed:
- caller phone numbers
- call content or call summaries
- appointment requests or concerns
- date/time and duration of calls
- technical connection data
This data is processed exclusively to provide the respective phone service.
If our customers use the phone assistant to communicate with their own end customers, our customers act as controllers and EViRAL acts as a processor.
Data of Website Visitors
As part of the creation or provision of websites, data of website visitors may be processed.
This includes in particular:
- IP addresses
- server log files
- browser information
- device information
- data from contact forms
- usage data of the respective website
The respective website operator is responsible for the content of its website and for processing data of its visitors.
3. Purposes of Processing
Personal data is processed in particular for:
- provision and operation of our services
- operation of the reputation management platform
- execution of automated review requests
- analysis and display of reviews
- AI-based response suggestions
- integration of widgets on websites
- management of customer accounts
- billing and payment processing
- IT security and abuse prevention
- customer service and support
In addition, data may be processed for:
- provision and operation of company websites
- technical provision of hosting services
- automated processing of incoming phone calls
- forwarding customer inquiries
- appointment management
For certain functions, AI services of external providers may be used.
4. Legal Bases for Processing
Art. 6(1)(b) GDPR - performance of a contract
Provision of our services, payment processing, and support.
Art. 6(1)(f) GDPR - legitimate interest
Optimization of our systems, IT security, and abuse detection.
Art. 6(1)(c) GDPR - legal obligation
For example, statutory retention obligations under tax law.
For end-customer data of our customers, the legal basis exists in the relationship between the customer and its own end customers.
5. Recipients of Personal Data
Recipients of personal data may include:
- hosting providers
- cloud infrastructure providers
- platform providers
- payment service providers (e.g. Stripe)
- communication providers (e.g. WhatsApp API or telephony providers)
- AI service providers
- tax advisors or authorities within the framework of legal obligations
Data processing agreements pursuant to Art. 28 GDPR are in place with all service providers.
6. Data Transfers to Third Countries
Some service providers may also process data in third countries such as the USA.
An adequate level of data protection is ensured through suitable safeguards, for example:
- standard contractual clauses under Art. 46 GDPR
- technical and organizational protective measures
When using WhatsApp, data may be processed via Meta Platforms.
Further information:
https://www.whatsapp.com/legal/privacy-policy/
7. Storage Period
Personal data is stored only as long as required for the respective purpose or as long as statutory retention obligations exist.
Typical retention periods:
- contract and payment data: 10 years
- technical log data: 90 days to 1 year
- end-customer data: until deletion by the customer or until end of contract
After expiry, deletion or anonymization is carried out.
8. Rights of Data Subjects
Data subjects have the following rights:
- access
- rectification
- erasure
- restriction of processing
- data portability
- objection
- withdrawal of granted consents
Requests may be sent to the contact details listed below.
9. Right to Lodge a Complaint
Data subjects have the right to lodge a complaint with a data protection supervisory authority.
Competent supervisory authority:
State Commissioner for Data Protection NRW
Kavalleriestrasse 2-4
40213 Duesseldorf
10. Obligation to Provide Data
Certain personal data may be required for concluding a contract and for using our services.
Without providing this data, use of the services may not be possible.
11. Data Security
We implement technical and organizational measures to protect personal data, for example:
- TLS encryption
- access and authorization concepts
- secure server locations
- regular backups
- security logging
- system monitoring
12. Cookies and Tracking
We use cookies to provide technical functions of our website and to improve use of our services.
Settings can be adjusted via the cookie banner.
13. Changes to This Privacy Policy
We reserve the right to update this privacy policy when necessary.
The current version is available at any time via our website.
Provider / Controller
EViRAL
Owner: Mert Oezcan
Friedrich-Ebert-Strasse 322
47139 Duisburg
Email: eviralgermany@gmail.com