Effective from: 18 May 2026
Controller: Ovysion Technologies Ltd, registered in England & Wales under company number [COMPANY NUMBER], registered office [REGISTERED ADDRESS].
ICO registration: [ICO NUMBER].
Contact for privacy matters: privacy@ovysion.com
This policy is a serious draft that should be reviewed by counsel before publication. Items in square brackets need real values filled in. Items written in italic in the sub-processor table are subject to change as Ovysion adds or removes vendors — keep the live version of this policy updated.
1. About this policy
This policy explains how Ovysion Technologies Ltd ("Ovysion", "we", "us") processes personal data when you visit ovysion.com or delia.ovysion.com, when you interact with the Delia voice assistant on our or our customers' websites, and when you engage with us as a business customer or prospect.
If you are an end customer speaking with Delia on a business's website (for example, a hotel's site or an aesthetic clinic's site), then in most cases:
- The business whose website you are on is the data controller — they decide why and how your conversation is processed.
- Ovysion is the data processor, acting under the business's instructions.
In that situation, this policy still describes what we do with your data, but the primary controller you can address rights requests to is the business operating the site. Where Ovysion acts as a controller (e.g. when you visit our own websites or interact with us directly), this policy applies directly.
2. Who we are and how to reach us
Ovysion Technologies Ltd is a UK-registered AI company building voice and automation systems for customer-facing businesses worldwide. We are based in [REGISTERED ADDRESS] and registered with the Information Commissioner's Office under [ICO NUMBER].
For any privacy matter (questions, rights requests, complaints), email privacy@ovysion.com or write by post to the address above. We aim to respond within 14 days; we will respond within one month at the latest, as required by UK GDPR Article 12(3).
We have not designated a Data Protection Officer because our processing does not meet the thresholds in UK GDPR Article 37. We have appointed an internal privacy lead, reachable at the address above.
3. What data we collect, why, and on what basis
3.1 When you visit ovysion.com or delia.ovysion.com
| Data | Purpose | Lawful basis (UK GDPR Art. 6) | Retention |
|---|---|---|---|
| IP address, browser type, device, pages visited, referrer | Technical operation, security, abuse prevention | Legitimate interests (6(1)(f)) — running and securing our site | 90 days in server logs |
| Cookie consent record | Proof of consent and to honour your choice | Legal obligation (6(1)(c)) — ePrivacy/PECR requires us to keep this record | 12 months from last interaction |
| Analytics events (if you consent) | Understand how the site is used so we can improve it | Consent (6(1)(a)) | 26 months |
We do not use marketing cookies and we do not sell data to advertisers.
3.2 When you talk to Delia (the assistant in the corner of ovysion.com)
| Data | Purpose | Lawful basis | Retention |
|---|---|---|---|
| Audio of your side of the conversation | To answer your question with a voice AI | Consent (6(1)(a)) — you consent via the AI disclosure modal before the call begins | 30 days for audio, then deleted |
| Transcript of the full conversation | Same purpose; we also use transcripts to identify gaps in the system | Consent and legitimate interests for quality | 12 months |
| Name, email, phone, business context (if you provide them) | To follow up with you about your enquiry | Consent (6(1)(a)) | Until you ask us to delete, or 24 months of inactivity |
Demo calls are capped at 90 seconds. The AI disclosure modal tells you, before the call begins, that your microphone will be active, that audio is recorded, that it is processed by AI services, and what the retention is. You can end the call at any time.
3.3 When you contact us as a business customer or prospect
| Data | Purpose | Lawful basis | Retention |
|---|---|---|---|
| Your name, work email, employer, role | Respond to your enquiry; account management | Legitimate interests (6(1)(f)) for prospect comms; contract performance (6(1)(b)) once you are a customer | 36 months from last interaction (prospects); duration of contract + 7 years (customers, for tax/accounting) |
| Notes from sales conversations | Pipeline management, customer history | Legitimate interests | Same as above |
| Billing data (company name, billing address, VAT/partita IVA number, payment method last-4) | Issuing invoices, tax compliance | Contract performance (6(1)(b)) and legal obligation (6(1)(c)) for tax records | 7 years (UK/EU tax retention rules) |
3.4 When you use Delia on a customer's website
In this situation we act as a processor for the customer (the business whose site you are on). We process the conversation under the customer's instructions and our Data Processing Agreement with them. Categories and retention are typically the same as section 3.2, but the controller deciding those choices is the business, not Ovysion. Address rights requests to that business first; we will support them in responding to you.
We do not use customer end-user conversations to train our own AI models. Sub-processors (see section 5) have their own policies on AI training input — we contract with them to confirm that customer data is not used to train their foundation models where that option is available.
3.5 Special category data
We do not seek special category data (health, biometric data including voiceprints, religious beliefs, etc.). Some Delia deployments (e.g. on aesthetic clinic websites) may receive incidental health-related information from end users (e.g. mentions of conditions). In those deployments:
- The clinic, as controller, has its own legal basis under Article 9 (typically Article 9(2)(h) — provision of healthcare).
- We process this data only under the clinic's instructions and our DPA.
- We do not use any such content for any secondary purpose.
We do not create biometric voiceprints. Audio is treated as ordinary personal data, not biometric data, because we do not extract or store features for the purpose of uniquely identifying a natural person.
4. Cookies and similar technologies
Our websites use a small set of cookies and similar technologies, all of which fall into three categories: strictly necessary, functional, and analytics. The full list and the choices available to you are in our Cookie Policy. You can withdraw or change your consent at any time using the cookie controls accessible from the footer of every page.
We do not use advertising or tracking cookies, and we do not share data with ad networks.
5. Sub-processors and recipients
To run Delia and our infrastructure, we rely on the following sub-processors. They process personal data only under written instructions from us and may not use it for their own purposes (subject to each provider's own privacy notice for residual aggregate use):
| Sub-processor | Role | Region | Transfer mechanism |
|---|---|---|---|
| Vapi Inc. | Voice orchestration (real-time call infrastructure) | United States, with EU routing where available | UK IDTA + EU SCCs (controller-to-processor module) |
| OpenAI Ireland Ltd / OpenAI LLC | Large language model inference for conversation generation | EU and United States | UK IDTA + EU SCCs; OpenAI committed to zero-retention API usage |
| Anthropic PBC | Large language model inference (alternative provider) | United States | UK IDTA + EU SCCs |
| ElevenLabs Inc. | Text-to-speech voice synthesis | United States | UK IDTA + EU SCCs |
| Deepgram Inc. | Speech-to-text transcription | United States | UK IDTA + EU SCCs |
| Hostinger International Ltd | Application hosting and Postgres database | Lithuania (EU) | EU-based, no transfer mechanism required |
| Stripe Payments Europe Ltd | Subscription billing for our business customers | Ireland (EU) primary, with US for global infrastructure | EU-based primary; SCCs for US fallback |
| Google Workspace (Google Ireland Ltd) | Internal email and document collaboration | EU and US | EU-based primary; SCCs and UK IDTA for US infrastructure |
We review this list quarterly and update it here when sub-processors change. Business customers under a DPA can subscribe to be notified of sub-processor changes 30 days in advance — see the DPA Annex III for the operational process.
We do not sell personal data to anyone. We disclose personal data outside this list only:
- To professional advisers (lawyers, accountants) under their own professional confidentiality obligations.
- Where required by law (e.g. a valid court order or regulatory request).
- In the event of a corporate transaction (merger, acquisition, asset sale), to the acquiring entity under confidentiality.
6. International transfers
Because some of our sub-processors are located in the United States, some personal data is transferred outside the UK and EEA. We protect those transfers using:
- The EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) as the primary mechanism for EU-origin transfers; and
- The UK International Data Transfer Addendum (IDTA) issued by the ICO, attached to the SCCs, for UK-origin transfers.
We have carried out transfer impact assessments for each US sub-processor and have implemented supplementary measures (encryption in transit and at rest, pseudonymisation where applicable, contractual restrictions on government data access requests, no-training commitments).
A copy of the SCCs is available on request from privacy@ovysion.com.
7. How long we keep data
Specific retention periods are listed in section 3. As a summary:
- Audio recordings: 30 days, then deletion. Demo calls on delia.ovysion.com follow the same retention.
- Transcripts: 12 months for our own demo conversations; for customer deployments, controlled by the customer (typically 12-24 months).
- Lead and CRM data: 36 months from last interaction.
- Billing records: 7 years (UK statutory tax retention).
- Server logs: 90 days.
- Cookie consent records: 12 months from your last interaction.
When the retention period ends, we delete or anonymise the data. Where data is held in encrypted backups, deletion happens within 30 days of the live-system deletion and is documented.
8. Your rights
Under the UK GDPR and EU GDPR, you have the following rights:
- Access: to a copy of the personal data we hold about you.
- Rectification: to ask us to correct inaccurate data.
- Erasure: to ask us to delete your data (subject to certain exceptions, such as retention required for tax law).
- Restriction: to ask us to limit how we use your data while a question is resolved.
- Portability: to receive your data in a structured, machine-readable format and transmit it elsewhere.
- Objection: to object to processing based on our legitimate interests; we will reassess and either stop or explain why we believe our interest overrides.
- Withdrawal of consent: where we rely on consent (e.g. to record a voice conversation), you can withdraw it at any time. Withdrawal does not affect processing done before withdrawal.
- Lodging a complaint: with the Information Commissioner's Office (ICO) in the UK (ico.org.uk), or with your local supervisory authority in the EEA. For Italian residents, this is the Garante per la protezione dei dati personali at gpdp.it. We would, of course, prefer that you come to us first.
To exercise any of these rights, write to privacy@ovysion.com. We may need to confirm your identity before responding (for example, by asking you to reply from the email address we have on file).
9. Automated decision-making
Delia is an AI system. When you interact with her, the responses you receive are generated automatically by large language models. However, Delia does not make legally significant decisions about you on her own — she answers questions, provides information, and (where configured) books appointments. Any decision that legally affects you (e.g. approving a treatment, accepting a property offer) is taken by the human business operating the site.
If you want to challenge any specific output Delia gave you, write to the business whose website you used (they are the controller), or to us at privacy@ovysion.com.
10. Security
We implement appropriate technical and organisational measures to protect personal data, including encryption in transit (TLS 1.2+), encryption at rest, access controls based on least privilege, multi-factor authentication for all administrative access, role-based separation of duties, regular review of access logs, vulnerability scanning, and an incident response procedure.
In the event of a personal data breach that is likely to result in risk to your rights and freedoms, we will notify the ICO within 72 hours and, where the risk is high, notify affected individuals without undue delay.
11. Children
Our services are not directed at children under 16 and we do not knowingly collect their personal data. If you believe a child has provided us with personal data, contact privacy@ovysion.com and we will delete it.
12. Changes to this policy
We may update this policy as our services or the law change. The "Effective from" date at the top reflects the date of the most recent change. Material changes will be flagged on our website for 30 days before they take effect, and existing business customers will be notified by email.
A change log is maintained at /privacy/changelog.
13. Specific notes for Italian residents
In addition to the rights above:
- You may lodge a complaint with the Garante per la protezione dei dati personali at www.gpdp.it.
- Italian-language privacy enquiries can be sent to privacy@ovysion.com in Italian; we will reply in Italian.
- For B2B customers based in Italy, our invoicing complies with Italian fatturazione elettronica (electronic invoicing) requirements; billing data is transmitted to the Italian Revenue Agency's Sistema di Interscambio (SdI) as required by Italian law.