Privacy Policy (GDPR-Compliant)
Effective date: 1 April 2025
Last updated: 1 April 2025
1 | Who We Are
Controller — Serova OÜ (registry no. 17252303) of Soo 2-3, 10414 Tallinn, Estonia.
Data-protection officer: info@serova.ai
2 | Scope
This Policy explains how we collect, use, share and secure personal data when you:
- visit serova.ai,
- create a Serova account or workspace,
- add the Serova assistant to WhatsApp groups, or
- interact with our web console or support.
3 | What Data We Collect & Why
| Category | Examples | Purpose | Legal basis (Art. 6 GDPR) |
|---|---|---|---|
| Account data | Name, email, company, billing info | Account creation, invoicing | Contract 6 (1)(b) |
| WhatsApp content | Group messages, media, sender phone numbers | Provide logging, moderation, responses | Legitimate interest 6 (1)(f) or Contract (if Serova signs a DPA and acts as processor) |
| Usage data | Log files, device/browser type, IP address | Security, analytics, fraud prevention | Legitimate interest 6 (1)(f) |
| Marketing | Email address, preferences | Send product updates (opt-out anytime) | Consent 6 (1)(a) |
We do not intentionally collect special-category data; please avoid submitting it.
4 | How Long We Keep Data
Default retention is 365 days after message ingestion unless you change workspace settings. Aggregated analytics (non-identifiable) may be kept longer.
5 | Sharing & International Transfers
- Sub-processors: EU-based cloud hosting, error monitoring and email services under GDPR-compliant contracts.
- WhatsApp: Message content necessarily transits Meta Platforms Ireland Ltd.
- Law enforcement or regulators if legally required.
We do not sell personal data. If we transfer data outside the EEA we rely on an EU adequacy decision or Standard Contractual Clauses.
6 | Security
We employ TLS encryption in transit, AES-256 at rest, access-control policies, regular penetration tests and staff training. No method is 100 % secure, but we strive for industry-standard safeguards.
7 | Your Rights
- Access, rectification, erasure
- Restriction or objection to processing
- Data portability
- Withdraw consent at any time (marketing)
- Lodge a complaint with the Estonian Data Protection Inspectorate (akir@aki.ee) or your local authority
8 | Automated Decision-Making
The assistant's AI moderation may automatically delete or flag messages. These decisions have no legal or similarly significant effect on individuals. You may request human review via support@serova.ai.
9 | Cookies
Our website uses only essential cookies (session authentication) and privacy-preserving analytics (e.g., Plausible). A banner provides opt-in for any non-essential cookies.
10 | Children
The Service targets organisations, not children under 16. If we learn we have collected children's data without parental consent, we will delete it.
11 | Changes to This Policy
Material updates will be announced via email or in-app notice 30 days in advance.
12 | Contact
Questions? Email support@serova.ai or write to the address above.
Next steps
- Legal review – Have Estonian counsel confirm paragraphs 11 (TOS) and international-transfer wording comply with local case law and DSA obligations.
- Data-Processing Addendum – Generate a short Art. 28 GDPR DPA template so B2B customers can countersign when Serova acts as processor.
- Website integration – Link these docs in your footer and inside the WhatsApp onboarding message to meet consumer-information duties (Directive 2011/83/EU).