
GDPR Compliance

Last Updated: January 1, 2025

Introduction

The General Data Protection Regulation (GDPR) is the European Union's comprehensive data protection law that governs how organizations collect, use, and protect the personal data of individuals in the EU, EEA, and UK. Ayra AI is committed to GDPR compliance and to protecting the privacy rights of all users.

This guide explains Ayra's GDPR compliance measures, your obligations as a Customer (Data Controller), and how we work together to ensure compliance.

1. Understanding GDPR Roles

1.1 Data Controller vs. Data Processor

Data Controller

The organization that determines the purposes and means of processing personal data. In most cases, you (the Customer) are the Data Controller for End User data collected through your voice agents.

As a Data Controller, you decide:

  • What data to collect from End Users
  • Why you're collecting it (purpose)
  • How long to retain it
  • Who has access to it

Data Processor

The organization that processes personal data on behalf of the Data Controller. Ayra acts as a Data Processor when we process End User data according to your instructions through the Service.

As a Data Processor, we:

  • Process data only as you direct
  • Implement appropriate security measures
  • Assist with your compliance obligations
  • Do not use your data for our own purposes

1.2 Your Ayra Account Data

For your Account data (your company information, Account settings, etc.), Ayra is the Data Controller. We process this data to provide the Service to you under our contract.

3. Data Protection Principles

3.1 Lawfulness, Fairness, and Transparency

Ayra's Commitment

  • We process data only for specified, legitimate purposes
  • We are transparent about our processing through this documentation
  • We provide clear privacy notices

Your Obligations

  • Provide clear privacy notices to End Users
  • Explain what data you collect and why
  • Be transparent about AI voice agent use
  • Obtain proper consent where required

3.2 Purpose Limitation

Ayra's Commitment

  • We use data only for purposes specified in our contract and Privacy Policy
  • We do not repurpose your data without authorization

Your Obligations

  • Collect End User data only for specified, explicit, legitimate purposes
  • Do not use data for purposes incompatible with original collection purpose
  • Update privacy notices if purposes change

3.3 Data Minimization

Ayra's Commitment

  • We collect only information necessary to provide the Service
  • We provide tools to help you minimize data collection

Your Obligations

  • Configure voice agents to collect only necessary data
  • Avoid collecting excessive or irrelevant information
  • Review and remove unnecessary data fields

Best Practice: Do not configure voice agents to collect sensitive information unless absolutely necessary and with explicit consent.

3.4 Accuracy

Ayra's Commitment

  • We provide tools to update and correct data
  • We implement quality controls

Your Obligations

  • Ensure End User data is accurate and current
  • Provide mechanisms for End Users to correct their data
  • Update or delete inaccurate information

3.5 Storage Limitation

Ayra's Commitment

  • We retain data only as long as necessary
  • We honor your configured retention periods
  • We provide tools for data deletion

Your Obligations

  • Configure appropriate retention periods
  • Delete data when no longer needed
  • Justify longer retention periods if required

Ayra Features:

  • Configurable retention: 1 day to indefinite
  • Automated deletion after retention period
  • Manual deletion at any time
  • Bulk deletion capabilities

3.6 Integrity and Confidentiality (Security)

Ayra's Commitment

  • Industry-standard security measures (encryption, access controls, monitoring)
  • SOC 2 Type II compliance
  • Regular security audits
  • Incident response procedures

See the Data Security section for a full description of security measures.

Your Obligations

  • Protect your Account credentials
  • Configure appropriate access controls
  • Use security features (2FA, IP restrictions)
  • Report security incidents promptly

3.7 Accountability

Ayra's Commitment

  • We document our compliance measures
  • We conduct Data Protection Impact Assessments (DPIAs)
  • We maintain compliance records
  • We cooperate with supervisory authorities

Your Obligations

  • Document your compliance efforts
  • Maintain records of processing activities
  • Conduct DPIAs for high-risk processing
  • Demonstrate compliance when required

4. Data Subject Rights

4.1 Overview of Rights

GDPR grants data subjects (End Users) the following rights:

Right to Be Informed

Clear information about data processing

Right of Access

Obtain copies of their data

Right to Rectification

Correct inaccurate data

Right to Erasure

Delete their data ("Right to Be Forgotten")

Right to Restrict Processing

Limit how data is used

Right to Data Portability

Receive data in portable format

Right to Object

Object to certain processing

Rights Related to Automated Decision-Making

Contest automated decisions

4.2 Ayra's Support for Data Subject Rights

Access Requests:

  • Dashboard provides access to conversation recordings and transcripts
  • API endpoints for programmatic data retrieval
  • Export functionality (JSON, CSV formats)

Rectification:

  • Tools to update contact information
  • Ability to edit conversation metadata
  • Correction of inaccurate transcripts

Erasure:

  • Delete individual conversations
  • Delete End User data across all conversations
  • Bulk deletion capabilities
  • Account deletion (removes all data)

Portability:

  • Export data in machine-readable formats (JSON, CSV)
  • Comprehensive data exports including all conversation data
  • API access for automated exports

4.3 Your Responsibilities for Data Subject Requests

When End Users exercise their rights:

Step 1: Receive Request

End User contacts you (the Controller) to exercise rights.

Step 2: Verify Identity

Confirm the requestor's identity to prevent unauthorized disclosure.

Step 3: Process Request

Use Ayra's tools to fulfill the request:

  • Access: Export relevant data
  • Rectification: Update information
  • Erasure: Delete data
  • Portability: Provide in portable format

Step 4: Respond Timely

Respond within 30 days (a GDPR requirement; the deadline may be extended to 60 days with justification).

Step 5: Document

Maintain records of requests and your responses.

Ayra's Assistance: Contact support@ayra.ai if you need help fulfilling data subject requests. We provide tools and guidance, but you (the Controller) are ultimately responsible for responding to End Users.

5. Data Processing Agreement (DPA)

5.1 Why a DPA is Required

GDPR requires a written contract between Data Controllers and Data Processors. This contract must include specific terms (Article 28).

5.2 Ayra's DPA

Ayra provides a standard Data Processing Agreement that includes:

Subject Matter and Duration:

Processing of End User data as described in your use of the Service. Duration: the term of your subscription.

Nature and Purpose:

Providing AI voice agent services, storing and analyzing conversation data, and executing integrations and workflows.

Type of Personal Data:

Contact information (names, phone numbers, emails), conversation recordings and transcripts, and any other data you configure voice agents to collect.

Categories of Data Subjects:

End Users who interact with your voice agents: your customers, patients, clients, etc.

Processor Obligations (Article 28(3)):

  • Process data only on documented instructions
  • Ensure confidentiality of personnel
  • Implement appropriate security measures
  • Assist with data subject rights requests
  • Assist with compliance obligations (DPIAs, breach notifications)
  • Delete or return data at contract end
  • Make available information for audits

Sub-Processors:

Ayra uses sub-processors (cloud hosting, voice platforms, etc.). List of sub-processors available at ayra.ai/subprocessors. We notify you of sub-processor changes. You may object to new sub-processors.

International Transfers:

Standard Contractual Clauses (SCCs) for EU transfers. Appropriate safeguards for all international transfers.

5.3 Accessing the DPA

The DPA is available:

  • In your Account dashboard under Settings > Legal
  • At ayra.ai/dpa
  • By emailing legal@ayra.ai

Enterprise customers may negotiate custom DPA terms.

6. International Data Transfers

6.1 Why Transfers Occur

Ayra is based in the United States. When EU/EEA data subjects' information is processed, it is transferred to the U.S. and potentially other countries where our sub-processors operate.

6.2 Transfer Mechanisms

Standard Contractual Clauses (SCCs):

Ayra uses the European Commission's Standard Contractual Clauses (2021 version) for transfers from the EU to the U.S. and other third countries.

Adequacy Decisions:

Where the EU has determined a country provides adequate protection, transfers to that country are unrestricted.

Additional Safeguards:

Beyond SCCs, we implement:

  • Technical measures (encryption, access controls)
  • Organizational measures (policies, training, audits)
  • Contractual protections with sub-processors

6.3 UK Transfers

For UK data, we use:

  • UK Standard Contractual Clauses
  • UK Adequacy decisions where applicable
  • UK International Data Transfer Agreement (IDTA)

6.4 Switzerland Transfers

For Swiss data, we comply with Swiss data protection laws and use appropriate transfer mechanisms.

7. Data Breach Notification

7.1 GDPR Requirements

Processor to Controller Notification:

If Ayra (Processor) discovers a personal data breach, we must notify you (Controller) without undue delay and within 72 hours where feasible.

Controller to Supervisory Authority:

You (Controller) must notify your supervisory authority of breaches within 72 hours of becoming aware, unless the breach is unlikely to result in risk to data subjects.

Controller to Data Subjects:

You must notify affected data subjects without undue delay if the breach is likely to result in high risk to their rights and freedoms.

7.2 Ayra's Breach Response

Detection:

  • 24/7 security monitoring
  • Automated threat detection
  • Regular security assessments

Assessment:

  • Determine nature and scope of breach
  • Identify affected data and data subjects
  • Assess risk level

Containment:

  • Immediately contain the breach
  • Prevent further unauthorized access
  • Secure affected systems

Notification:

  • Notify affected Customers within 72 hours
  • Provide details: nature of breach, data affected, likely consequences, mitigation measures
  • Cooperate with Customer's breach response

Remediation:

  • Fix security vulnerabilities
  • Implement additional safeguards
  • Document lessons learned

7.3 Your Breach Obligations

When you receive breach notification from Ayra:

  • Assess Risk: Determine if breach creates risk to data subjects.
  • Notify Supervisory Authority: If required, notify within 72 hours.
  • Notify Data Subjects: If high risk, notify affected individuals.
  • Document: Maintain records of breach and your response.
  • Cooperate: Work with Ayra and authorities as needed.

8. Data Protection Impact Assessments (DPIA)

8.1 When DPIAs are Required

Conduct a DPIA when processing is likely to result in high risk to data subjects, particularly for:

  • Large-scale processing of special categories of data (health, biometrics, etc.)
  • Systematic monitoring of publicly accessible areas on a large scale
  • Processing that involves new technologies
  • Processing that prevents data subjects from exercising rights
  • Matching or combining datasets

Voice Agent DPIA Scenarios:

  • Healthcare voice agents collecting health information (HIPAA + GDPR)
  • Voice agents processing children's data
  • Voice agents using biometric voice recognition
  • Large-scale sentiment analysis and behavioral profiling

8.2 Conducting a DPIA

Steps:

  1. Describe Processing: What data, why, how processed, how long retained.
  2. Assess Necessity and Proportionality: Is processing necessary? Are there less intrusive alternatives?
  3. Identify Risks: What could go wrong? What's the impact on data subjects?
  4. Identify Mitigation Measures: How will risks be reduced? What safeguards will be implemented?
  5. Document: Record the DPIA and your decisions.
  6. Consult Supervisory Authority (if needed): If residual high risk remains, consult your supervisory authority (DPA) before processing.

8.3 Ayra's DPIA Support

Ayra can assist with your DPIAs by providing:

  • Description of our processing activities
  • Security and privacy measures documentation
  • Sub-processor information
  • Technical specifications
  • Cooperation with DPIA process

Request DPIA assistance at privacy@ayra.ai.

9. Special Categories of Data

9.1 Definition

"Special categories" of personal data (Article 9) require extra protection:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data
  • Biometric data (for identification purposes)
  • Health data
  • Sex life or sexual orientation

9.2 Processing Special Categories

Processing special categories is prohibited unless one of the specific conditions in Article 9(2) applies:

  • Explicit Consent: Data subject gives explicit consent
  • Employment/Social Security: Necessary for employment or social security obligations
  • Vital Interests: Protecting someone's life when they can't give consent
  • Legitimate Activities: Certain non-profit processing with appropriate safeguards
  • Made Public: Data manifestly made public by the data subject
  • Legal Claims: Establishing, exercising, or defending legal claims
  • Public Interest: Substantial public interest with appropriate safeguards
  • Health/Social Care: Provision of health or social care with professional secrecy obligations
  • Public Health: Public health purposes with appropriate safeguards
  • Research: Archiving, research, or statistics with safeguards

9.3 Healthcare Voice Agents

If your voice agents collect health information:

Requirements:

  • Explicit consent or other Article 9(2) condition
  • HIPAA Business Associate Agreement (if applicable)
  • Enhanced security measures
  • Staff training on handling health data
  • Data Protection Impact Assessment
  • Minimize health data collection (only what's necessary)

Ayra HIPAA Configuration:

  • Enable HIPAA-compliant mode
  • Restrict PHI collection in voice agents
  • Configure appropriate retention (longer for medical records)
  • Enhanced encryption and access controls
  • Signed BAA with Ayra

Best Practice: Configure voice agents to collect only general appointment information, not detailed health symptoms or conditions. Direct patients to discuss health details privately with providers during appointments.

10. Automated Decision-Making and Profiling

10.1 GDPR Rights (Article 22)

Data subjects have the right not to be subject to decisions based solely on automated processing (including profiling) that produce legal or similarly significant effects.

10.2 Ayra's Automated Processing

Sentiment Analysis

Analyzes conversation tone (positive, neutral, negative). Does not create legal or significant effects on its own. Used for quality monitoring and improvement.

Intent Classification

Categorizes conversation purpose. Informs routing and response selection. Does not create legal or significant effects.

Lead Scoring

Assigns qualification scores to leads. Influences sales prioritization. May be considered profiling, but typically does not produce "significant effects".

Escalation Decisions

Determines when to transfer a conversation to a human. This is a protective measure rather than an adverse decision.

10.3 Ensuring Compliance

To comply with Article 22:

Human Review:

Implement human review for significant decisions. Example: Sales rep reviews AI lead qualification before deciding whether to pursue.

Transparency:

Inform data subjects about automated decision-making. Example: "This call may be analyzed by AI for quality purposes."

Contestation:

Allow data subjects to contest decisions. Example: "If you disagree with our lead qualification, contact us at..."

Explanation:

Provide meaningful information about the logic involved. Example: "Your call was classified as negative sentiment based on tone and keywords."

11. Records of Processing Activities (Article 30)

11.1 Controller Obligations

As a Data Controller, you must maintain records of processing activities including:

  • Name and contact details of controller (and DPO if applicable)
  • Purposes of processing
  • Description of categories of data subjects and personal data
  • Categories of recipients (who you share data with)
  • International transfers (including safeguards)
  • Retention periods
  • Security measures

11.2 Ayra's Records

As a Data Processor, Ayra maintains records of all processing activities carried out on behalf of Controllers, including:

  • Name and contact details of processor and controllers
  • Categories of processing carried out on behalf of each controller
  • International transfers
  • Security measures

11.3 Template for Your Records

Processing Activity: Voice Agent Customer Interactions
Controller: [Your Company Name, Address, Contact]
DPO Contact: [Your DPO email if applicable]
Purpose: Providing customer service, appointment scheduling, lead qualification through AI voice agents
Legal Basis: Legitimate interests (customer service), Consent (marketing), Contractual necessity (service provision)
Data Subjects: Customers, prospective customers, patients, clients
Data Categories: Contact information (name, phone, email), conversation recordings and transcripts, appointment details, inquiry details
Recipients: Ayra AI (processor), Voice platforms (sub-processors), CRM systems, Calendar systems
Transfers: U.S. (Ayra AI) - Standard Contractual Clauses
Retention: [X days] for recordings, [X days] for transcripts, [X years] for contact information
Security: Encryption, access controls, monitoring, staff training

12. Supervisory Authorities and Enforcement

12.1 Supervisory Authorities

Each EU Member State has a supervisory authority (DPA - Data Protection Authority) responsible for GDPR enforcement.

Your Lead Supervisory Authority:

Generally the authority of the Member State where your main establishment is located (where your main processing decisions are made).

Find Your DPA:

European Data Protection Board maintains a list: edpb.europa.eu/about-edpb/about-edpb/members

Common DPAs:

  • Ireland: Data Protection Commission (many tech companies)
  • Germany: Various Länder authorities
  • France: CNIL
  • UK: Information Commissioner's Office (ICO)
  • Netherlands: Autoriteit Persoonsgegevens

12.2 Enforcement and Penalties

Administrative Fines:

Tier 1 Violations: Up to €10 million or 2% of global annual turnover (whichever is higher)

Examples: breaches of processor obligations, certification requirements, or monitoring body rules

Tier 2 Violations: Up to €20 million or 4% of global annual turnover (whichever is higher)

Examples: breaches of the data protection principles, data subject rights, or international transfer rules

Other Enforcement:

  • Warnings and reprimands
  • Orders to cease processing
  • Orders to rectify or erase data
  • Suspension of data flows
  • Certification withdrawal

Private Actions: Data subjects may sue for damages resulting from GDPR violations.

12.3 Cooperation with Authorities

Ayra cooperates fully with supervisory authorities:

  • Responding to information requests
  • Providing documentation
  • Participating in investigations
  • Implementing corrective measures

As a Controller, you must also cooperate with your supervisory authority and may need to respond to audits or investigations.

13. GDPR Compliance Checklist

13.1 Initial Setup

Understand Your Role

Confirm you are the Data Controller for End User data. Ayra is your Data Processor. Document roles and responsibilities.

Execute DPA

Sign Ayra's Data Processing Agreement. Ensure DPA includes Article 28 requirements. Store DPA with legal documents.

Privacy Notice

Create clear privacy notice for End Users. Explain data collection, use, retention, rights. Make easily accessible (website, call disclosures). Review and update annually.

Legal Basis

Identify legal basis for each processing purpose. Document legal basis. Obtain consent where required. Ensure consent is freely given, specific, informed, unambiguous.

Data Minimization

Configure voice agents to collect only necessary data. Remove unnecessary questions. Avoid collecting special categories unless essential.

Retention

Configure appropriate retention periods. Document retention justification. Implement automated deletion.

Security

Enable two-factor authentication. Configure access controls. Review security settings regularly.

13.2 Ongoing Compliance

Records of Processing

Maintain Article 30 records. Update when processing changes. Review annually.

Data Subject Requests

Establish process for handling requests. Train staff on procedures. Respond within 30 days. Document all requests and responses.

Breach Response

Develop incident response plan. Train staff on breach procedures. Test response procedures. Maintain breach records.

Vendor Management

Review sub-processor changes from Ayra. Assess sub-processor compliance. Maintain sub-processor list.

Training

Train staff on GDPR requirements. Train staff on data handling procedures. Annual refresher training. Document training completion.

Audits and Reviews

Conduct annual privacy audit. Review and update policies. Test security controls. Document compliance measures.

DPIA (if applicable)

Identify high-risk processing. Conduct DPIAs before new processing. Review DPIAs periodically. Consult your supervisory authority if necessary.

14. Getting Help with GDPR Compliance

14.1 Ayra Resources

Documentation

  • Privacy Policy: ayra.ai/privacy
  • DPA: ayra.ai/dpa
  • Sub-processors: ayra.ai/subprocessors
  • Security: ayra.ai/security

Support

14.2 External Resources

Official Sources:

  • GDPR Text: gdpr-info.eu
  • European Data Protection Board: edpb.europa.eu
  • Your National DPA: Check EDPB members list

Guidance:

  • EDPB Guidelines on various GDPR topics
  • ICO (UK) guidance (English-language resource)
  • National DPA guidance in your language

14.3 Professional Advice

GDPR compliance is complex. Consider consulting:

  • Privacy lawyers specializing in GDPR
  • Data Protection Officers (DPOs)
  • Privacy consultants
  • Industry associations

Note: Ayra provides tools and information but cannot provide legal advice. Consult qualified legal professionals for compliance guidance specific to your situation.


GDPR compliance is an ongoing commitment. Stay informed about regulatory developments, review your practices regularly, and continuously improve your data protection measures. Ayra is here to support your compliance journey with robust tools, comprehensive documentation, and responsive support.
