OpenAlice Embed← Home
Trust · GDPR

Privacy Policy

Version 2.0 · 2026-07-04 · prepared for legal review · Deutsch

1. Who we are

OpenAlice Laboratories ("OpenAlice", "we") operates the OpenAlice Embed service — an AI brand representative that answers visitors on our customers' websites — together with this website and the customer dashboards. Contact for all privacy matters: nao@openalice.eu. The registered operator details are listed in the Impressum.

2. The two roles we play

We process personal data in two distinct roles, and your rights run against the right party:

3. What we process, and why

We do not sell personal data. We do not run third-party advertising or tracking on this site.

4. Where your data lives

EU-sovereign by default. Our infrastructure runs on Hetzner Online GmbH servers in Germany. Conversation data, lead data, uploaded knowledge-base documents and voice recordings are stored there. AI inference defaults to EU providers (see § 5).

5. Sub-processors

We use a short, deliberate list of sub-processors:

The current list is always available on request and in the DPA annex. We notify customers of changes in advance.

6. International transfers

By default, no personal data leaves the EU. Where a customer enables a US-based AI provider (for example a premium voice), the widget asks the visitor for explicit consent before the first use, relying on Art. 49(1)(a) GDPR. Declining keeps the conversation fully EU-resident — the feature simply stays off.

7. Retention

Conversation retention is configured per widget by the customer: session-only (nothing persists after the tab closes), or 7 / 30 / 90 / 365 days. Account and billing data are kept for the life of the contract plus statutory retention periods (e.g. German commercial and tax law). Backups roll off automatically. When data is no longer needed, we delete or irreversibly anonymise it.

8. Security

TLS everywhere; transcripts and lead PII encrypted at rest (AES-256-GCM) with cluster-level key management; strict service-to-service authentication; role-based access; audit trails on conversation access; rate limiting and abuse controls at the edge. Details in the DPA (technical and organisational measures).

9. Your rights

You have the rights of access, rectification, erasure, restriction, portability and objection (Art. 15–21 GDPR), and the right to withdraw consent at any time with effect for the future. Write to nao@openalice.eu — we answer within one month. You may also lodge a complaint with a supervisory authority; competent for us is the authority of the German federal state named in the Impressum.

10. Automated decision-making

Lily is an AI assistant, and conversations are AI-generated (see the AI disclosure) — but we make no automated decisions with legal or similarly significant effect on you. Escalation to a human is always available where the customer has enabled it.

11. Cookies & local storage

Covered in the Cookie notice. Short version: functional cookies only, no ad trackers.

12. Changes

We will update this policy as the service evolves and never quietly reduce your protections. Material changes are announced to customers by email and dated here.