Privacy Policy — Talha Automation
Effective date: 14 September 2025
Who we are: Talha Automation (Kleingewerbetreibender), Elisabeth-Granier-Hof, 30161 Hannover, Germany (“Talha Automation”, “we”, “us”).
Contact: [email protected]
Scope
This Policy covers talha-automation.de and onboard.talha-automation.de and our B2B AI automation services (AI chatbots and AI voice agents for customer support and lead management). It also explains our role when we integrate or operate customer-selected platforms (e.g., GoHighLevel, Make.com, n8n).
Controller vs. Processor (GDPR)
Controller: We act as a controller for personal data collected on our sites/apps (e.g., contact forms, support, basic analytics, server logs).
Processor: For projects where we handle Customer Personal Data (e.g., re-activating leads from a customer database; connecting chatbots to a customer’s CRM or calendar via API keys), we act as a processor on the customer’s documented instructions. A Data Processing Addendum (DPA) is available on request for such projects.
You indicated that platform vendors process and handle data. We still provide this clarity because GDPR requires that your customer knows when you are controller vs processor and which subprocessors you rely on.
Information We Collect
From site visitors and customer users (B2B only; 18+)
Contact & account data: name, business email/phone (when provided by you).
Support communications: emails/chats and related metadata.
Technical & usage data: IP address, device/OS/browser, timestamps, referrer, error logs.
Cookies/consent: essential cookies for security/operations; analytics only with consent (privacy-friendly, IP-anonymized or cookieless where feasible).
Billing (if applicable): handled by a payment processor; we do not store full card data on our servers.
AI-specific data for our services (when you use our bots/voice agents)
Prompts, messages, and uploaded files supplied by the customer or its users.
Audio recordings & transcripts (for voice agents), where the project requires it.
Model outputs & metadata (e.g., timestamps, routing, confidence scores).
Training: No use of your data to train/fine-tune models unless you give opt-in written consent (default = never).
Children
B2B service, no minors; we do not knowingly collect data from children.
How We Use Your Data (Purposes & Legal Bases)
Provide and operate services (contract).
Account administration and support (contract/legitimate interests).
Security, fraud, abuse prevention, and service integrity (legitimate interests/legal obligation).
Analytics and service improvement (legitimate interests; consent where cookies/identifiers are used).
Marketing communications to business contacts (consent or soft opt-in where lawful; you may unsubscribe anytime).
Compliance and legal requests (legal obligation).
We do not perform automated decision-making that produces legal or similarly significant effects about individuals without human review.
Sharing and Disclosures
We share data with:
Hosting & infrastructure: EU-based hosting (e.g., Hetzner or equivalent) and our own servers/services needed to run the platform.
Automation/integration platforms (customer-selected): GoHighLevel, Make.com, n8n (self-hosted or customer-hosted).
AI/voice/LLM providers as selected in your project (e.g., voice/STT/TTS and LLM APIs). We will list the specific providers used for your project in the Statement of Work (SOW) or DPA.
Email/support tools (e.g., business email; ticketing if used).
Payment processor (if online payments are enabled).
Professional advisors and authorities where legally required.
We do not sell or share personal data for cross-context behavioral advertising.
International Data Transfers
Where data is transferred outside the EEA/UK, we use appropriate safeguards (e.g., Standard Contractual Clauses (SCCs), UK IDTA, and—where applicable—participation in recognized frameworks). We aim to keep hosting in the EU wherever feasible.
Security
We implement appropriate technical and organizational measures, including: TLS encryption in transit, access controls/least privilege, network isolation/firewalls, audit logging/monitoring, regular backups and restore testing, and incident response procedures. (Certifications not claimed.)
Retention
Account/billing records: retained for statutory periods (generally 10 years under German law).
Server/app logs: 90 days (unless needed for security or investigations).
Analytics: up to 14 months (or shorter if configured).
Support emails/tickets: 24 months after closure (unless required longer).
AI prompts/outputs/metadata: 30 days by default (project-specific variations documented in SOW/DPA).
Audio recordings & transcripts: 90 days by default (project-specific variations documented in SOW/DPA).
Backups: rolling 30–60 days.
We may retain data longer where necessary to establish, exercise, or defend legal claims or comply with law.
Your Rights
EU/UK: access, rectification, erasure, restriction, portability, and objection; withdraw consent at any time (where processing is based on consent).
US state privacy (where applicable): access, correction, deletion, and opt-out of sale/share/targeted advertising (we do not sell/share).
Global Privacy Control/Do-Not-Track: honored where technically feasible.
To exercise rights, email [email protected]. We may verify your identity and coordinate with customers where we act as a processor.
Cookies
We use essential cookies and may use analytics cookies only with your consent. You can adjust preferences via our banner or your browser settings. Details may vary by project and will be described in implementation materials if applicable.
Changes
We may update this Policy from time to time. The “Effective date” shows the latest version. Material changes will be notified on the site and/or by email to customers.
Contact & Complaints
Controller: Talha Automation (Kleingewerbetreibender)
Address: Elisabeth-Granier-Hof, 30161 Hannover, Germany
Email: [email protected]
EU Supervisory Authority (example): Die Landesbeauftragte für den Datenschutz Niedersachsen (LfD Niedersachsen). You may also contact your local authority.