Where your data lives, honestly.
OpenAlice Embed is built EU-first. Here’s exactly what runs where, who the sub-processors are, and what we don’t pretend yet: the same carve-out we put in the DPA.
Chat & your knowledge base: EU-hosted
Text conversations and retrieval over your pages/knowledge base run on European infrastructure with European models (Mistral). Your brand knowledge is tenant-isolated and never trains a shared model.
Voice: EU by default
Speech runs on European infrastructure by default (Mistral, EU). US-hosted voice providers exist strictly as a per-tenant opt-in behind an explicit consent gate. Nothing transits outside the EU unless you switch it on yourself.
Sub-processors
Mistral (EU) for language, embeddings and voice; EU hosting (Hetzner, Germany). The current list and the DPA are available on request and at /dpa.
Roles & GDPR rights
You are the data controller; OpenAlice is your processor under a signed DPA. Visitors can be exported or erased on request, and the widget shows an AI disclosure + consent before any voice capture.
Retention & memory
Conversation retention is configurable per widget: off, session, or persistent with a 7/30/90/365-day window (or forever). Visitor memory is opt-in and scoped to your tenant.
Visitor consent & transparency
Before voice, the widget asks for consent and discloses that Lily is an AI representing the brand, not a human. See our AI disclosure and Privacy policy.
Questions a reviewer needs answered? security@openalicelabs.eu · ← back to the overview