GDPR

General Data Protection Regulation

Legal note: this section does not replace our Privacy Policy or the requirements in our Terms of Use; it is written to help our users understand how to use our services in a privacy-friendly manner. In any case, we recommend that you consult your attorney and privacy professional.

When designing Over.ai, we planned in advance to comply with applicable privacy laws and call recording laws. Our service is here to ensure your customers’ privacy and does not share the contents of their calls with any person. It only allows you to access information you already have, and that you have received consent to use.

This guide is meant to assist you in integrating Over.ai and using it in the most compliant manner with EU privacy laws.

We’ll go over some of the material principles of the GDPR, the General Data Protection Regulation, and provide you with the proper tools.

Please note that we are solely a platform; this means that we are indifferent to the data types stored on our service, and we are agnostic as to whether the data stored is considered Personal Data under the GDPR or is plain data.

Consent

The first and foremost purpose of the GDPR is that data is processed only if you have obtained the consent of the data subject (the person whose data is stored) or the processing is otherwise permitted under Article 6.

Article 6 provides a short list of cases where data may be processed without consent, which includes: “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; processing is necessary for compliance with a legal obligation to which the controller is subject; processing is necessary in order to protect the vital interests of the data subject or of another natural person; processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child”.

Therefore, we require that you either obtain consent from the people whose calls you allow us to process, or fall under one of the other items.

How Do We Recommend That You Obtain Consent?

Consent may be obtained by various specific opt-in methods. The easiest is to let users know in the introduction message that the calls are processed by Over.ai; something like “Thank you for calling Carl’s Groceries. All calls are processed via our telephony service, Over.ai, and according to their privacy policy. If you do not consent, please hang up”.

Another method to obtain consent is to include a clause in the agreements you may have with the clients who call you that lets them know.

Another method is to send a text message with a notification and a link to the privacy policy when initiating the call.

You may avoid obtaining consent if you are obligated under law to record your calls. In such a case, you may send a text message to your callers at the end of the call with a link to our privacy policy.

Please make sure that the consent provided is not wide and not implied, but specific, explicit and free.

Legal And Lawful Purpose

Over.ai’s services are meant to be used for a lawful purpose and according to the data subject’s expectations.

You are required to notify the data subjects about the actual purpose of the use of their personal data. This means that you should have your own privacy policy that explains how you use the data collected from them, and other data you receive from us.

Please make sure that all data subjects are made aware of this and that they receive adequate notice, in a human-readable privacy policy.

Purpose Limitations

The data should not be used for a purpose that is wider than originally intended. If you received data for the purpose of scheduling a doctor appointment, for example, you may not use it later on for marketing efforts. You should avoid using vague statements such as “we use your contact information to provide you with the service and to contact you with promotional offers”. Your purposes should be limited to the services you provide.

In that manner, for example, you cannot analyze your caller information for purposes for which you did not receive consent, and you cannot ask for consent for a wider scope than needed.

Review and Amend

The GDPR requires that data subjects have the right to review all personal data that is stored. We provide this option by giving end-users a copy of their call recordings, transcripts or other data that might be stored. You can automate this process with our filters.

You may also contact us directly if you receive such a request from one of your data subjects and we will manually assist you.

Right To Be Forgotten

The right to be forgotten, or the right to be removed from databases when such information is no longer relevant, is a feature we offer our customers. If you wish to allow your data subjects to remove data, you need to make sure that you have no legal obligation to continue to keep such records.

This means that if the statute of limitations in your jurisdiction is five years, and a data subject made a call today complaining about bad cable service, you need to keep this record for the duration of the statute of limitations in case you receive a claim based on such a complaint.

We allow removal through both manual requests and automated calls you make via our API.

Breach Notification

We provide data breach notification both in severe cases, immediately, and in minor cases, where we believe it may affect people in any form. We require that all our customers maintain the same policy.

Data Protection Officers

We employ a local data protection officer whose role is to inspect, instruct and deal with all privacy issues. We have a team of experts who assist us in developing our product in a privacy-based manner.