Convayla
Back to Home
Language:

Privacy Policy

Schutz Ihrer personenbezogenen Daten gemäß DSGVO

Letzte Aktualisierung: Januar 2025

We are very pleased about your interest in our company.

The website www.voice-chat-agent.com is a web portal operated by:

Horst Christian Wagner

Birkenstr. 2

D-86836 Klosterlechfeld

Phone: +49 8232 1847507

E-mail: chris@convayla.com

Convayla is a label of Horst Christian Wagner.

Protecting your personal data is a particularly high priority for us. As a rule, the use of our website is possible without providing any personal data. However, if a data subject wishes to use special services of our company via our website, processing of personal data may become necessary. If the processing of personal data is required and there is no legal basis for such processing, we generally obtain the consent of the data subject.

The processing of personal data—such as the name, address, email address, or telephone number of a data subject—is always carried out in accordance with the General Data Protection Regulation (GDPR) and the country-specific data protection provisions applicable to us. By means of this privacy policy, our company wishes to inform the public about the type, scope, and purpose of the personal data we collect, use, and process. Furthermore, data subjects are informed of their rights.

As the controller responsible for processing, we have implemented numerous technical and organizational measures to ensure the most complete protection possible of personal data processed via this website. Nevertheless, internet-based data transmissions may in principle have security gaps, so absolute protection cannot be guaranteed. For this reason, every data subject is free to transmit personal data to us by alternative means, for example by telephone.

Definitions

Our privacy policy is based on the terms used by the European legislator when adopting the General Data Protection Regulation (GDPR). Our privacy policy should be easy to read and understand for the public as well as our customers and business partners. To ensure this, we explain the terms used in advance.

In this privacy policy, inter alia, we use the following terms:

Personal data

Personal data means any information relating to an identified or identifiable natural person (hereinafter "data subject"). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Data subject

A data subject is any identified or identifiable natural person whose personal data is processed by the controller.

Processing

Processing is any operation or set of operations which is performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Restriction of processing

Restriction of processing is the marking of stored personal data with the aim of limiting its future processing.

Profiling

Profiling is any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.

Pseudonymisation

Pseudonymisation is the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.

Controller or controller responsible for processing

The controller or controller responsible for processing is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

Processor

A processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Recipient

A recipient is a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients.

Third party

A third party is a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data.

Consent

Consent is any freely given, specific, informed and unambiguous indication of the data subject's wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them.

Name and address of the controller

Controller within the meaning of the GDPR, other data protection laws applicable in the Member States of the European Union and other provisions related to data protection, as well as for data processing in the context of providing SaaS solutions, is:

Horst Christian Wagner

Birkenstr. 2

D-86836 Klosterlechfeld

Phone: +4982321847507

E-mail: chris@convayla.com

Privacy at a Glance

General Information

The following notes provide a simple overview of what happens to your personal data when you visit this website. Personal data is any data by which you can be personally identified. Detailed information on the subject of data protection can be found in our privacy policy set out below.

Data Collection on This Website

Who is responsible for data collection on this website?

Data processing on this website is carried out by the website operator. You can find their contact details in the section "Notice Regarding the Responsible Party" in this privacy policy.

How do we collect your data?

On the one hand, your data is collected when you provide it to us. This may, for example, be data that you enter in a contact form.

Other data is collected automatically or after your consent when visiting the website by our IT systems. This is primarily technical data (e.g., internet browser, operating system, or time of the page request). The collection of this data occurs automatically as soon as you enter this website.

What do we use your data for?

Part of the data is collected to ensure the error-free provision of the website. Other data may be used to analyze your user behavior. If contracts can be concluded or initiated via the website, the transmitted data will also be processed for contract offers, orders, or other business inquiries.

What rights do you have regarding your data?

You have the right at any time to obtain free information about the origin, recipients, and purpose of your stored personal data. You also have the right to request the correction or deletion of this data. If you have given consent to data processing, you may revoke this consent at any time for the future. Furthermore, you have the right, under certain circumstances, to request the restriction of the processing of your personal data.

You also have the right to lodge a complaint with the competent supervisory authority.

You can contact us at any time for this purpose, as well as for further questions on the subject of data protection.

When you visit this website, your browsing behavior may be statistically evaluated. This happens mainly with so-called analysis programs. Detailed information on these analysis programs can be found in the following privacy policy.

Hosting

We host the content of our website with the following provider:

Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany (hereinafter referred to as "Hetzner").

Details can be found in Hetzner's privacy policy: https://www.hetzner.com/legal/privacy-policy

The use is based on Art. 6(1)(f) GDPR. We have a legitimate interest in the most reliable possible presentation of our website. If consent has been requested, processing is carried out exclusively on the basis of Art. 6(1)(a) GDPR and § 25(1) TDDDG, insofar as the consent includes the storage of cookies or access to information in the user's device (e.g., device fingerprinting) as defined by the TDDDG. Consent can be revoked at any time.

General Notes and Mandatory Information

Data Protection

The operators of these pages take the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with statutory data protection regulations and this privacy policy.

When you use this website, various personal data is collected. Personal data is data with which you can be personally identified. This privacy policy explains what data we collect and what we use it for. It also explains how and for what purpose this happens.

We point out that data transmission over the internet (e.g., when communicating via e-mail) may have security gaps. Complete protection of the data against access by third parties is not possible.

Notice Regarding the Responsible Party

The responsible party for data processing on this website is:

Horst Christian Wagner

Birkenstr. 2

86836 Klosterlechfeld

Phone: +49 8232 1847507

E-mail: chris@convayla.com

The responsible party is the natural or legal person who, alone or jointly with others, determines the purposes and means of processing personal data (e.g., names, e-mail addresses, etc.).

Storage Period

Unless a more specific storage period has been stated in this privacy policy, your personal data will remain with us until the purpose for the data processing ceases to apply. If you assert a legitimate request for deletion or revoke your consent to data processing, your data will be deleted unless we have other legally permissible reasons for storing your personal data (e.g., tax or commercial law retention periods); in the latter case, deletion will take place after these reasons no longer apply.

General information on the legal bases for data processing on this website

If you have consented to data processing, we process your personal data on the basis of Art. 6(1)(a) GDPR and, where special categories of data under Art. 9(1) GDPR are concerned, on Art. 9(2)(a) GDPR. In the case of your explicit consent to the transfer of personal data to third countries, processing also takes place pursuant to Art. 49(1)(a) GDPR. If you have consented to the storage of cookies or to access to information on your device (e.g., via device fingerprinting), processing additionally takes place pursuant to Section 25(1) TDDDG. Consent can be withdrawn at any time.

Where your data is required to perform a contract or to carry out pre-contractual measures, we process it on the basis of Art. 6(1)(b) GDPR. Where processing is necessary for compliance with a legal obligation, the basis is Art. 6(1)(c) GDPR. Processing may also take place on the basis of our legitimate interests pursuant to Art. 6(1)(f) GDPR. The specific legal basis applicable in each case is indicated in the respective sections of this privacy policy.

Notice on data transfers to countries without an adequate level of protection and to U.S. companies not certified under the EU-U.S. Data Privacy Framework (DPF)

We also use tools provided by companies located in countries without an adequate level of data protection as defined by the EU, as well as U.S. tools whose providers are not certified under the EU-U.S. Data Privacy Framework (DPF). When such tools are active, your personal data may be transferred to and processed in those countries. Please note that in such countries an EU-equivalent level of data protection cannot be guaranteed.

The U.S. is generally considered a “safe third country” where the recipient is DPF-certified. Data transfers to the U.S. are permissible if the recipient holds a valid DPF certification or if appropriate safeguards are in place (e.g., Standard Contractual Clauses). Details on third-country transfers, including recipients, can be found in this privacy policy.

Recipients of personal data

In the course of our business we work with various external parties. This may require the transfer of personal data to such recipients. We only disclose personal data where necessary for contract performance, where we are legally obliged to do so (e.g., to tax authorities), where we have a legitimate interest under Art. 6(1)(f) GDPR, or where another legal basis permits the transfer. Where processors are engaged, disclosure is based on a valid processing agreement pursuant to Art. 28 GDPR. In the case of joint processing, a joint-controller agreement is concluded.

Withdrawal of your consent to data processing

Many data processing operations are only possible with your express consent. You may withdraw consent at any time. The lawfulness of processing carried out prior to the withdrawal remains unaffected.

Right to object to processing in particular cases and to direct marketing (Art. 21 GDPR)

Where processing is based on Art. 6(1)(e) or (f) GDPR, you have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data; this also applies to profiling based on those provisions. We will then no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is for the establishment, exercise or defence of legal claims (objection under Art. 21(1) GDPR).

If your personal data is processed for direct marketing, you have the right to object at any time to such processing; this also applies to profiling to the extent related to direct marketing. If you object, your personal data will no longer be used for direct marketing purposes (objection under Art. 21(2) GDPR).

Right to lodge a complaint with a supervisory authority

In the event of GDPR infringements, data subjects have the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work, or the place of the alleged infringement. This right is without prejudice to other administrative or judicial remedies.

Right to data portability

You have the right to receive data that we process on the basis of your consent or in performance of a contract in a commonly used, machine-readable format, or to have it transmitted to another controller where technically feasible.

Access, rectification and erasure

Within the scope of the applicable law, you have the right at any time to obtain free information about your stored personal data, its origin, recipients, and the purpose of processing and, where applicable, the right to rectification or erasure of this data. You can contact us at any time regarding this and other questions about personal data.

Right to restriction of processing

You have the right to request the restriction of processing of your personal data. This right applies in particular where:

  • you contest the accuracy of the personal data (for a period enabling us to verify the accuracy);
  • the processing is unlawful and you oppose the erasure of the data and request the restriction of its use instead;
  • we no longer need the data for the purposes of processing, but you require it for the establishment, exercise or defence of legal claims; or
  • you have objected to processing pursuant to Art. 21(1) GDPR and it has not yet been determined whether our legitimate grounds override yours.

Where processing has been restricted, such data may—apart from storage—only be processed with your consent, for the establishment, exercise or defence of legal claims, to protect the rights of another natural or legal person, or for reasons of important public interest of the European Union or a Member State.

SSL or TLS Encryption

For security reasons and to protect the transmission of confidential content, such as orders or inquiries you send to us as the site operator, this site uses SSL or TLS encryption.

You can recognize an encrypted connection by the fact that the address line of the browser changes from "http://" to "https://" and by the lock symbol in your browser line.

If SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties.

Objection to Advertising Emails

We hereby object to the use of contact data published within the scope of the legal notice obligation for the purpose of sending unsolicited advertising and informational material. The operators of the pages expressly reserve the right to take legal action in the event of the unsolicited sending of advertising information, such as spam emails.

Cookie settings

You can configure your browser to inform you about the placement of cookies, allow cookies only in individual cases, exclude the acceptance of cookies for certain cases or in general, and enable automatic deletion of cookies when closing the browser. Disabling cookies may limit this website’s functionality. Details on the cookies and services we use are set out in this privacy policy.

Collection of general data and information

Each time our website is accessed by a data subject or an automated system, a series of general data and information is collected and stored in server log files. This may include: (1) browser types and versions used, (2) the operating system used by the accessing system, (3) the website from which an accessing system reaches our site (referrer), (4) sub-pages accessed on our website, (5) the date and time of access, (6) an Internet Protocol (IP) address, (7) the Internet service provider of the accessing system, and (8) other similar data and information required for hazard prevention in the event of attacks on our IT systems.

We do not draw any conclusions about the data subject from this general data and information. This information is required to (1) deliver the content of our website correctly, (2) optimise the content of our website and our advertising, (3) ensure the long-term functionality of our IT systems and website technology, and (4) provide law-enforcement authorities with the information necessary for prosecution in the event of a cyberattack. The anonymously collected server-log data is evaluated statistically and with the aim of increasing data protection and data security in our company. The anonymous server-log data is stored separately from any personal data provided by a data subject.

Server log files

The provider of these pages automatically collects and stores information in server log files that your browser transmits to us. These are in particular:

  • Browser type and browser version
  • Operating system used
  • Referrer URL
  • Hostname of the accessing computer
  • Time of the server request
  • IP address

These data will not be combined with other data sources. Processing is based on Art. 6(1)(f) GDPR. The website operator has a legitimate interest in the technically error-free presentation and optimisation of the website—server logs must be recorded for this purpose.

Contact options via the website

Our website contains information required by law that enables quick electronic contact with us and direct communication (including a general email address). If a data subject contacts us by email or via a contact form, the personal data transmitted by the data subject is automatically stored for the purpose of processing the enquiry or contacting the data subject. No disclosure of these personal data to third parties takes place.

Contact form

If you submit enquiries via the contact form, the information you provide (including contact details) will be stored by us for the purpose of processing the enquiry and in case of follow-up questions. We do not pass on this data without your consent.

Processing is based on Art. 6(1)(b) GDPR if your enquiry relates to performance of a contract or is necessary for pre-contractual measures. In all other cases, processing is based on our legitimate interest in the effective handling of enquiries (Art. 6(1)(f) GDPR) or on your consent (Art. 6(1)(a) GDPR), where obtained; consent can be withdrawn at any time.

The data you enter in the contact form will be retained until you request deletion, withdraw your consent to storage, or the purpose for data storage no longer applies (e.g., after completion of your enquiry). Mandatory statutory retention periods remain unaffected.

Enquiries by email, telephone or fax

If you contact us by email, telephone or fax, your enquiry—including all resulting personal data (e.g., name, request)—will be stored and processed by us for the purpose of handling your request. We do not pass on this data without your consent.

Processing is based on Art. 6(1)(b) GDPR if your enquiry relates to performance of a contract or is necessary for pre-contractual measures. In all other cases, processing is based on our legitimate interest in the effective handling of enquiries (Art. 6(1)(f) GDPR) or on your consent (Art. 6(1)(a) GDPR), where obtained; consent can be withdrawn at any time.

Data transmitted to us via enquiries will be retained until you request deletion, withdraw your consent, or the purpose for storage no longer applies. Mandatory statutory retention periods remain unaffected.

Routine erasure and blocking of personal data

We process and store personal data of data subjects only for the period necessary to achieve the purpose of storage or as provided for by European or national legislators in laws or regulations to which we are subject. If the storage purpose ceases to apply or a prescribed storage period expires, personal data is routinely blocked or erased in accordance with legal requirements.

Rights of the data subject

Right to confirmation

You have the right to obtain confirmation from us as to whether we are processing personal data concerning you.

Right of access

You have the right to obtain free information at any time about your stored personal data and a copy of this information. This includes, in particular:

  • the purposes of processing,
  • the categories of personal data processed,
  • the recipients or categories of recipients to whom the personal data has been or will be disclosed, in particular recipients in third countries or international organisations,
  • where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period,
  • the existence of a right to rectification or erasure of personal data or restriction of processing by us, or a right to object to such processing,
  • the right to lodge a complaint with a supervisory authority,
  • where the personal data is not collected from you: any available information as to its source,
  • the existence of automated decision-making, including profiling, referred to in Art. 22(1) and (4) GDPR and—at least in those cases—meaningful information about the logic involved as well as the significance and the envisaged consequences of such processing for you.

You also have the right to know whether personal data has been transferred to a third country or to an international organisation and, where applicable, the appropriate safeguards relating to the transfer.

Right to rectification

You have the right to obtain without undue delay the rectification of inaccurate personal data concerning you and—taking into account the purposes of the processing—the completion of incomplete personal data, including by means of a supplementary statement.

Right to erasure (“right to be forgotten”)

You have the right to obtain the erasure of personal data concerning you without undue delay where one of the following grounds applies and processing is not required:

  • the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
  • you withdraw consent on which the processing is based and there is no other legal ground for the processing;
  • you object to the processing pursuant to Art. 21(1) GDPR and there are no overriding legitimate grounds for the processing, or you object to processing for direct marketing pursuant to Art. 21(2) GDPR;
  • the personal data has been unlawfully processed;
  • the personal data must be erased to comply with a legal obligation under Union or Member State law to which we are subject;
  • the personal data has been collected in relation to the offer of information society services referred to in Art. 8(1) GDPR.

Where we have made personal data public and are obliged pursuant to Art. 17(1) GDPR to erase it, we will take reasonable steps, including technical measures, to inform other controllers processing the personal data that you have requested the erasure of any links to, or copies or replications of, that personal data, insofar as processing is not required.

Right to restriction of processing

You have the right to obtain restriction of processing where one of the following applies:

  • you contest the accuracy of the personal data (for a period enabling us to verify the accuracy);
  • the processing is unlawful and you oppose the erasure of the personal data and request the restriction of its use instead;
  • we no longer need the personal data for the purposes of processing, but you require it for the establishment, exercise or defence of legal claims; or
  • you have objected to processing pursuant to Art. 21(1) GDPR pending the verification whether our legitimate grounds override yours.

Where processing has been restricted, such data shall—apart from storage—only be processed with your consent, for the establishment, exercise or defence of legal claims, to protect the rights of another natural or legal person, or for reasons of important public interest of the European Union or a Member State.

Right to data portability

You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format, and have the right to transmit those data to another controller without hindrance where the processing is based on consent or on a contract and is carried out by automated means. You also have the right to have the personal data transmitted directly from us to another controller, where technically feasible and where this does not adversely affect the rights and freedoms of others.

Right to object

You have the right, on grounds relating to your particular situation, to object at any time to processing of personal data concerning you based on Art. 6(1)(e) or (f) GDPR; this also applies to profiling based on those provisions. We will then no longer process your personal data unless we demonstrate compelling legitimate grounds which override your interests, rights and freedoms or the processing is for the establishment, exercise or defence of legal claims. Where personal data is processed for direct marketing purposes, you have the right to object at any time to such processing; this also applies to profiling to the extent related to such direct marketing. If you object, your personal data will no longer be used for direct marketing purposes.

Automated individual decision-making, including profiling

You have the right not to be subject to a decision based solely on automated processing—including profiling—which produces legal effects concerning you or similarly significantly affects you, unless the decision (1) is necessary for entering into, or performance of, a contract between you and us, (2) is authorised by Union or Member State law to which we are subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests, or (3) is based on your explicit consent. Where an automated decision is necessary for a contract or is based on consent, we implement suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention, to express your point of view, and to contest the decision.

Right to withdraw consent

You have the right to withdraw consent to the processing of personal data at any time. The withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.

Data Processing in the Context of Providing SaaS Solutions

In the context of providing the SaaS services, we process in particular:

User Data: Name, email address, telephone number, role/position within the company.

System-Related Data: Usage statistics, technical log data, configuration and system settings, timestamps, roles/permissions, support/ticket metadata. These technical data are used solely to ensure the security, stability, troubleshooting, and optimization of the SaaS services.

Content Data: Content integrated by the customer into the knowledge base or processed via the SaaS services (e.g., documents, requests, AI-generated content).

Purpose of processing (SaaS context)

We process personal data for the following purposes:

  • Provision, operation and administration of the SaaS solutions,
  • Analysis and optimisation of service usage,
  • Ensuring availability, stability and security (including incident/error analysis),
  • Communication with customers regarding support and maintenance requests.

Roles & responsibilities

Depending on the data category, the parties act as follows:

  • Content data in a customer-operated environment: the customer is the controller; we act as a processor (Art. 28 GDPR).
  • User data, system/security logs, billing/contract data: we generally act as the controller (e.g., for account management, security and contract performance).

Legal bases (SaaS context)

  • Art. 6(1)(b) GDPR (contract/performance, including pre-contractual steps),
  • Art. 6(1)(f) GDPR (legitimate interests in a secure, functional and optimised operation; abuse/fault prevention),
  • Art. 6(1)(c) GDPR (where legal obligations apply, e.g., commercial/tax retention).

Data disclosure

We disclose data to third parties only (i) for contract performance (e.g., hosting, infrastructure, support providers) or (ii) where required by law or otherwise permitted. Processors are bound by data processing agreements under Art. 28 GDPR. Transfers to third countries occur only where unavoidable and then with appropriate safeguards (in particular EU Standard Contractual Clauses under Art. 46 GDPR) and, where necessary, additional protective measures.

Technical and organisational measures (TOMs)

We implement, among other things, access controls/role models, encryption in transit and at rest (where applicable), logging, and regular security/patch management processes.

Retention

We retain personal data only as long as necessary for the purposes stated or as required by law. After contract end, customer-provided content is deleted within the agreed timeframes unless statutory retention obligations prevent deletion. Restoration of content-related data or technical session information after the end of use is not possible unless legal retention applies.

Data subject rights (summary)

Data subjects have rights under Art. 15–21 GDPR (access, rectification, erasure, restriction, data portability, objection). Requests can be addressed to the contact details provided in the imprint/at the top of this privacy policy. (This section supplements—does not replace—the detailed rights sections above.)

Services & providers – processing outside the EU

We use certain services on our website that are provided by vendors outside the European Union (EU) or the European Economic Area (EEA). This means personal data may be processed in countries that may not offer an EU-equivalent level of protection—particularly providers based in, or processing data in, the United States.

Despite due care, complete transparency over third-party processing cannot always be ensured. While we strive to work only with providers that adhere to strict privacy standards, we cannot guarantee that processing by such providers always meets European requirements, especially regarding the scope and nature of processing and potential onward disclosures in those countries.

For transfers to countries outside the EU—especially to the U.S.—we generally rely on EU Standard Contractual Clauses approved by the European Commission to help ensure GDPR-compliant processing outside the EU. Nevertheless, the level of protection in those countries may not always match that within the EU (e.g., public authorities may access data without us or you being informed or able to seek effective remedies).

If you have concerns about transfers to countries outside the EU, you may refrain from using such services or contact us for more information. For details on processing by each third-party provider, please consult the respective provider’s privacy policy as linked in our privacy notice.

Use of AI Chatbots / AI Agents

When using our Voice Chat Agent, both text inputs and voice inputs are processed. The content is used exclusively to generate responses and is stored on our servers at Hetzner.

Retention Period: Chat and voice content is stored for a maximum of 30 days in order to enable technical error analysis and service optimization. After this period, the data is automatically deleted unless statutory retention obligations apply.

Legal Basis: Art. 6(1)(b) GDPR (contract performance) and Art. 6(1)(f) GDPR (legitimate interest in stability and operational security).

Note: Please do not enter any special categories of personal data (e.g., health data) into the voice or chat agent.

Use & voluntariness (AI chatbots/AI agents)

On our website (and project-specific), we use AI-powered chatbots/AI agents based on GPT (OpenAI) to answer enquiries efficiently. Use is voluntary; content you enter is used solely to handle the respective enquiry. Please do not enter special categories of personal data (Art. 9 GDPR, e.g., health data) in the chat.

Data categories

  • Entered content: text messages, questions, comments.
  • Technical data: IP address, timestamps, where applicable browser/device information, and minimal usage statistics, only insofar as strictly necessary for operation/security.

Purposes

  • Generation and delivery of responses,
  • Ensuring stability, abuse/SPAM prevention and error analysis,
  • Improving functionality (no profiling for marketing purposes).

Legal bases

  • Art. 6(1)(a) GDPR (consent) for processing of the content you enter,
  • Art. 6(1)(f) GDPR (legitimate interests) for security/operations-relevant logs and abuse prevention.

Alternative contact channels (email/phone) are available at any time.

Note: Responses from the AI chatbot/AI agent are generated automatically and serve general information/support only. They do not constitute binding statements or individual advice. Users must review content on their own responsibility before using it.

Recipients / disclosure to OpenAI

For answering your request, the entered content is transmitted to OpenAI. Processing currently takes place on servers in the United States. As soon as EU data centres for the API are productively available and technically stable, we will enable EU data processing.

Third-country transfer & safeguards

Transfers to the U.S. are based on the EU Standard Contractual Clauses (SCCs) under Art. 46 GDPR; we complement this with privacy-friendly defaults (data minimisation, no sensitive content, session/short-term storage only).

No training on API data

Content processed via the OpenAI API is not used to train models; it is used solely to answer the specific request.

Storage period & deletion

  • No permanent storage of chat content by us,
  • Short-term buffering only for the active session/response generation,
  • Optional conversation history only with explicit consent,
  • Longer retention only where legally required or with explicit consent.

Data subjects may request access/erasure of chat content; please contact chris@convayla.com.

To maintain context within an active chat session, entered content is stored briefly for technical reasons. This buffering is necessary to enable coherent answers and is automatically deleted after the session ends. Restoration of chat content after the end of a session is not possible.

Data subject rights & automated decisions

Rights under Art. 15–21 GDPR (access, rectification, erasure, restriction, data portability, objection) apply at all times. There is no solely automated decision-making producing legal effects within the meaning of Art. 22 GDPR.

Future adjustments

As soon as OpenAI provides EU data centres for API use in productive operation, or the legal situation changes, we will update this section to ensure a consistently high level of data protection.

Use of Calendly for Appointment Scheduling

We offer the option to book appointments via the service "Calendly" on our website. If you schedule an appointment via Calendly, the data you provide (name, email address, requested appointment time) will be transmitted to Calendly.

The processing of your data is based on your consent pursuant to Art. 6(1)(a) GDPR.

Privacy policy of Calendly: https://calendly.com/privacy

Legal basis for processing

Art. 6(1)(a) GDPR serves as the legal basis for processing operations for which we obtain consent for a specific purpose. If the processing of personal data is necessary for the performance of a contract to which the data subject is party—for example, processing operations required for delivering goods or providing another service or consideration—processing is based on Art. 6(1)(b) GDPR. The same applies to processing operations necessary for carrying out pre-contractual measures, for instance in cases of enquiries about our products or services.

Where our company is subject to a legal obligation that requires the processing of personal data—such as compliance with tax obligations—processing is based on Art. 6(1)(c) GDPR. In rare cases, processing may be necessary to protect the vital interests of the data subject or another natural person; for example, if a visitor were injured on our premises and their name, age, health insurance data or other vital information had to be passed on to a doctor, hospital or other third parties. In that case, processing would be based on Art. 6(1)(d) GDPR.

Ultimately, processing operations could be based on Art. 6(1)(f) GDPR. This legal basis covers processing operations not encompassed by the foregoing legal bases, where processing is necessary for the purposes of the legitimate interests pursued by our company or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject. Such processing is particularly permitted because the European legislator explicitly mentioned it; Recital 47 (sentence 2) GDPR states that a legitimate interest may be assumed where the data subject is a customer of the controller.

Legitimate interests pursued by us or by a third party

Where processing is based on Art. 6(1)(f) GDPR, our legitimate interest is the conduct of our business activities for the benefit of the wellbeing of all our employees and our stakeholders.

Duration for which the personal data is stored

The criterion for the storage duration of personal data is the respective statutory retention period. After the period has expired, the corresponding data is routinely deleted, provided it is no longer necessary for the performance of a contract or for the initiation of a contract.

Statutory or contractual requirement to provide personal data; necessity for contract conclusion; obligation of the data subject; possible consequences of non-provision

We inform you that the provision of personal data is partly required by law (e.g., tax regulations) or can also result from contractual provisions (e.g., details of the contracting party). In some cases, it may be necessary for the conclusion of a contract that a data subject provides us with personal data which must subsequently be processed by us. The data subject is, for example, obliged to provide us with personal data when our company enters into a contract with them. Failure to provide the personal data would mean that the contract with the data subject could not be concluded.

Before providing personal data, the data subject may contact one of our employees. Our employee will inform the data subject on a case-by-case basis whether the provision of personal data is legally or contractually required or necessary for the conclusion of the contract, whether there is an obligation to provide the personal data, and the consequences of not providing the personal data.

Existence of Automated Decision-Making

As a responsible company, we do not use automated decision-making or profiling.

Processing of Billing and Plan Data (Plans, Lifetime Plans)

Purposes & data types. To bill, administer, and provide transparency for your selected plans (including lifetime plans), we process in particular:

  • Plan information: selected plan (e.g., Free/Plus/Pro/Premium), lifetime plan status, purchase timestamp, plan upgrade/downgrade history
  • Usage data for billing: minutes consumed, session timestamps, audio in/out duration, AI models used, token counts
  • Billing/contract data: cost balances, billing history, price guarantees and reference third-party costs at purchase (lifetime), documentation of any price adjustments per T&C Clause 12, notification history
  • Usage analytics (fair-use): aggregated usage metrics, agent configuration and usage patterns; IP addresses only in hashed form for abuse prevention

Legal bases. Art. 6(1)(b) GDPR (contract/billing); Art. 6(1)(f) GDPR (legitimate interests) for cost control, fraud/misuse prevention, and transparency for lifetime plans; our interest is a secure and economically viable operation.

Recipients / processors. We use processors for infrastructure, AI, and billing services (e.g., hosting, ASR/TTS/LLM, payment). Where possible, we transmit aggregated/anonymised usage statistics; re-identification from purely statistical data is excluded. For third-country transfers we ensure appropriate safeguards (e.g., EU Standard Contractual Clauses). Note: The content processing of user inputs for AI features is covered by the general section on “processors/AI processing”.

Retention periods (supplement).

  • Billing/accounting data: 10 years
  • Lifetime contract/evidence data: entire contract term
  • Usage analytics (fair-use): 24 months
  • Session logs (technical error analysis): 30 days
  • Plan history: 3 years after contract end

Transparency for price adjustments (lifetime). To ensure traceability, cost evidence from relevant third-party providers may be referenced. Upon request we provide a comprehensible overview of the underlying cost parameters (without disclosing trade secrets).

Your rights (supplement).

  • Access to stored purchase terms and price guarantees,
  • Insight into the calculation basis of price adjustments (in an appropriate form),
  • Deletion after contract end subject to statutory retention obligations.

Fair-Use Monitoring (Supplement)

Purpose and approach. To ensure service quality and compliance with the usage policy (T&C Clause 14), we analyse usage patterns (e.g., exceptional load spikes, unusual request patterns). When defined thresholds are reached, automatic safeguards may be triggered (e.g., temporary rate limits, notifications, temporary restrictions).

  • No profiling with legal effects: There is no solely automated decision-making producing legal effects or similarly significant impact (Art. 22 GDPR).
  • You may contact us at any time; human review of automated measures is available.

Usage-based optimisation. We use aggregated, anonymised usage data to improve system performance, evolve features, and evaluate pricing models (without personal reference).

Additional Cookies/Local Storage for Billing Features

For pricing/usage dashboard features we use technically necessary storage technologies (cookies/local storage):

  • plan_selection – stores the current plan choice (session)
  • usage_dashboard – preferences for usage display (30 days)
  • billing_prefs – billing/display settings (1 year)

Legal basis: Section 25(2) No. 2 TDDDG (technically necessary) in conjunction with Art. 6(1)(b)/(f) GDPR.

Non-essential tracking/marketing technologies are not used.

Status and Version

Status: 20 August 2025 (Version 1.1)

Horst Christian Wagner, Birkenstr. 2, D-86836 Klosterlechfeld

Datenschutz-Präferenz
Wir benötigen Ihre Einwilligung, bevor Sie unsere Website weiter besuchen können.
Wir verwenden Cookies und andere Technologien auf unserer Website. Einige von ihnen sind essenziell, während andere uns helfen, diese Website und Ihre Erfahrung zu verbessern.

Weitere Informationen über die Verwendung Ihrer Daten finden Sie in unsererDatenschutzerklärung.

Sie können Ihre Auswahl jederzeit widerrufen oder anpassen.