Privacy Policy

This Privacy Policy explains how Build To Sell B.V. h/o Lobbi.ai ("Lobbi", "we", "us", or "our") collects, uses, stores, and protects personal data in connection with the Lobbi.ai platform and related services.

Lobbi.ai is an AI-powered contact center platform (SaaS) that enables businesses to manage customer interactions across voice, chat, SMS, WhatsApp, email, and other channels. We act as data controller for account and usage data, and as data processor for conversation data processed on behalf of our clients.

This policy applies to all users of the Lobbi.ai platform, including client administrators, agents, and end-users who interact with the platform through customer-facing channels.

• Service delivery — Operating and maintaining the Lobbi.ai platform, including AI-powered conversation handling, routing, and channel management.
• Account management — Managing client accounts, user access, billing, and support.
• Platform improvement — Analyzing aggregated, anonymized usage patterns to improve features, performance, and reliability. We do not use client conversation data for training AI models.
• Security — Detecting and preventing fraud, abuse, unauthorized access, and other security threats.
• Legal obligations — Complying with applicable laws, regulations, and legal processes.
• Communication — Sending service-related notifications, updates, and security alerts.

We process personal data on the following legal bases under the General Data Protection Regulation (GDPR):

• Contract performance (Art. 6(1)(b)) — Processing necessary to deliver the services agreed upon in our client agreements.
• Legitimate interests (Art. 6(1)(f)) — Platform security, fraud prevention, service improvement through aggregated analytics, and direct marketing to existing clients.
• Legal obligations (Art. 6(1)(c)) — Processing required by law, such as tax and accounting obligations or responding to lawful government requests.
• Consent (Art. 6(1)(a)) — Where applicable, for optional data processing activities. Consent can be withdrawn at any time.

For conversation data processed on behalf of clients, our clients determine the legal basis as data controllers. We process this data solely according to their instructions under a Data Processing Agreement.

We share personal data only with trusted sub-processors necessary to deliver our services. All sub-processors are bound by data processing agreements and are required to maintain appropriate security measures.

We do not sell personal data. We will never sell, rent, or trade your personal data to third parties for their own marketing or commercial purposes.

• Account data — Retained for the duration of the service agreement plus 12 months after termination, to allow for account reactivation and to resolve any outstanding matters.
• Conversation data — Retained as configured by the client. The default retention period is 12 months. Clients can adjust this period through the platform settings or their service agreement.
• Billing data — Retained for 7 years as required by Dutch tax and accounting law.
• Technical logs — Retained for up to 90 days for security and debugging purposes.

When data reaches the end of its retention period, it is securely deleted or anonymized.

Under the GDPR, you have the following rights regarding your personal data:

• Right of access — Request a copy of the personal data we hold about you.
• Right to rectification — Request correction of inaccurate or incomplete data.
• Right to erasure — Request deletion of your personal data, subject to legal retention requirements.
• Right to restriction — Request that we limit how we process your data in certain circumstances.
• Right to data portability — Receive your data in a structured, machine-readable format.
• Right to object — Object to processing based on legitimate interests or direct marketing.
• Right to withdraw consent — Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

If you believe we have not adequately addressed your concerns, you have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.

Our primary infrastructure is hosted within the European Union (EU). Where data is transferred to sub-processors located outside the EU/EEA, we ensure appropriate safeguards are in place, including:

• EU Standard Contractual Clauses (SCCs) approved by the European Commission.
• Adequacy decisions by the European Commission for the receiving country.
• Supplementary technical and organizational measures where required.

Details of specific transfer mechanisms for each sub-processor are available upon request.

We implement robust technical and organizational measures to protect personal data, including:

• Encryption — All data is encrypted at rest and in transit using industry-standard protocols (TLS 1.2+, AES-256).
• Access controls — Role-based access controls, multi-factor authentication, and principle of least privilege.
• Multi-tenant isolation — Strict data isolation between tenants at the application and database level. Client data is never commingled.
• Security audits — Regular security assessments, vulnerability scanning, and code reviews.
• Incident response — Documented incident response procedures with notification to affected parties within 72 hours as required by GDPR.

Lobbi.ai uses only essential cookies required for platform operation. These include:

• Session cookies — Required for authentication and maintaining your logged-in state.
• Security cookies — CSRF protection and other security-related tokens.

We do not use tracking cookies, advertising cookies, or third-party analytics cookies. No consent banner is required as we only use strictly necessary cookies.

Lobbi.ai is a business-to-business platform and is not directed at children under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected personal data from a child under 16, we will take immediate steps to delete such data.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify our clients via email or through the platform at least 30 days before the changes take effect.

The "Effective" date at the top of this policy indicates when it was last updated. We encourage you to review this policy periodically.

For any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, contact us at: