GDPR Compliance
How OO7 AI protects the rights and data of EU users.
Last updated: January 15, 2026
1. Our Commitment to GDPR
OO7 AI, Inc. is committed to full compliance with the General Data Protection Regulation (GDPR) for all users located in the European Union and European Economic Area. We believe that strong data protection is not just a legal requirement but a fundamental aspect of building trustworthy AI-powered services.
We have implemented comprehensive technical and organizational measures to ensure that all personal data processed through our platform is handled in accordance with GDPR principles, including lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, confidentiality, and accountability.
As a data processor acting on behalf of our business customers and as a data controller for account-related data, we maintain clear data processing agreements and provide our users with all the tools necessary to fulfill their own GDPR obligations.
2. Legal Basis for Processing
We process personal data only when we have a valid legal basis under Article 6 of the GDPR. The legal bases we rely on include:
- Contractual Necessity (Article 6(1)(b)): Processing that is necessary to perform our contract with you, including providing the Services, managing your account, processing calls, and handling billing.
- Legitimate Interests (Article 6(1)(f)): Processing that is necessary for our legitimate interests, provided these interests are not overridden by your rights and freedoms. This includes service improvement, security monitoring, fraud prevention, and analytics.
- Consent (Article 6(1)(a)): Where we rely on your consent, such as for marketing communications, non-essential cookies, and certain analytics. You have the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
- Legal Obligation (Article 6(1)(c)): Processing that is necessary to comply with a legal obligation, such as tax and accounting requirements, regulatory reporting, and responding to lawful requests from public authorities.
3. Data We Process
The following table provides an overview of the categories of personal data we process, their purposes, and retention periods:
| Category | Examples | Purpose | Retention |
|---|---|---|---|
| Identity Data | Name, job title, company name | Account management, service delivery | Duration of account + 30 days |
| Contact Data | Email address, phone number, address | Communication, support, billing | Duration of account + 30 days |
| Call Data | Recordings, transcripts, metadata | Service delivery, quality assurance | Recordings: 90 days; Transcripts: duration of account |
| Usage Data | Log data, feature usage, IP address | Analytics, service improvement, security | Aggregated indefinitely; raw data: 12 months |
| Payment Data | Last 4 digits, card brand, billing address | Payment processing, invoicing | 7 years (tax/accounting requirements) |
| Technical Data | Browser type, device info, cookies | Service optimization, security | 12 months |
4. Your GDPR Rights
Under the GDPR, you have the following rights regarding your personal data. We are committed to facilitating the exercise of these rights in a timely and transparent manner.
Right of Access
You have the right to obtain confirmation of whether your personal data is being processed and to request a copy of that data.
Right to Rectification
You have the right to request correction of inaccurate personal data and to have incomplete data completed.
Right to Erasure
You have the right to request deletion of your personal data when it is no longer necessary for the purpose it was collected, or when you withdraw consent.
Right to Restriction
You have the right to request restriction of processing in certain circumstances, such as when you contest the accuracy of the data.
Right to Portability
You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.
Right to Object
You have the right to object to processing based on legitimate interests, including profiling. You can also object to processing for direct marketing at any time.
5. Data Processing Agreements
OO7 AI offers a Data Processing Agreement (DPA) in accordance with Article 28 of the GDPR. Our DPA is available for all customers and is required for enterprise customers processing EU personal data.
Our DPA covers:
- Subject matter, duration, nature, and purpose of the processing
- Types of personal data and categories of data subjects
- Obligations and rights of the data controller
- Technical and organizational security measures
- Sub-processor engagement and notification procedures
- Data subject rights assistance
- Data breach notification procedures
- Data deletion and return upon termination
To request a copy of our DPA or to execute a DPA for your organization, please contact us at dpo@oo7ai.com.
6. International Transfers
As OO7 AI is headquartered in the United States, personal data of EU users may be transferred to and processed in the United States. We ensure that all international data transfers are conducted in compliance with GDPR Chapter V requirements through the following mechanisms:
- EU-US Data Privacy Framework: OO7 AI adheres to the principles of the EU-US Data Privacy Framework as a valid transfer mechanism for personal data from the EU to the United States.
- Standard Contractual Clauses (SCCs): Where the Data Privacy Framework does not apply, we use the European Commission's Standard Contractual Clauses (2021 version) as an additional safeguard for international data transfers.
- Supplementary Measures: We implement additional technical and organizational measures, including encryption, access controls, and data minimization, to ensure an adequate level of protection for transferred data.
7. Data Protection Officer
OO7 AI has appointed a Data Protection Officer (DPO) to oversee our GDPR compliance efforts. Our DPO is responsible for monitoring compliance, advising on data protection obligations, and serving as the point of contact for data subjects and supervisory authorities.
Data Protection Officer
- Email: dpo@oo7ai.com
- OO7 AI, Inc.
- San Francisco, CA, United States
8. Sub-Processors
We engage the following sub-processors to assist in providing our Services. Each sub-processor is bound by data processing agreements that require them to protect personal data in accordance with GDPR requirements.
| Sub-Processor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure, data storage, computing | US / EU (Frankfurt, Ireland) |
| Twilio | Telephony infrastructure, call routing, SMS | United States |
| ElevenLabs | AI voice synthesis, text-to-speech | United States |
| Stripe | Payment processing, subscription billing | United States |
| Vercel | Web application hosting, CDN | Global (edge network) |
We will notify customers of any changes to our sub-processor list at least 30 days in advance, giving you the opportunity to object if the change affects the processing of your data.
9. Data Breach Notification
In accordance with Articles 33 and 34 of the GDPR, OO7 AI maintains a comprehensive data breach response procedure:
- Supervisory Authority Notification: We will notify the relevant supervisory authority within 72 hours of becoming aware of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals.
- Data Subject Notification: When a breach is likely to result in a high risk to your rights and freedoms, we will notify affected data subjects without undue delay.
- Customer Notification: As a data processor, we will notify our customers (data controllers) of any personal data breach without undue delay, enabling them to fulfill their own notification obligations.
- Breach Documentation: We document all personal data breaches, including the facts, effects, and remedial actions taken, regardless of whether the breach requires notification.
11. Exercising Your Rights
To exercise any of your GDPR rights, you may submit a request through any of the following methods:
- Email our Data Protection Officer at dpo@oo7ai.com
- Use the data request form available in your account settings
- Write to us at: OO7 AI, Inc., San Francisco, CA, United States
When submitting a request, please include:
- Your full name and email address associated with your account
- A clear description of the right you wish to exercise
- Any additional information that may help us identify the relevant data
Response Timeline: We will acknowledge your request within 5 business days and provide a substantive response within 30 days of receipt. If your request is particularly complex or involves a large volume of data, we may extend this period by up to 60 additional days with prior notice and explanation.