Skip to main content
supVision.ai
Legal

Data Policy

This policy explains how supVision processes data on behalf of clients who deploy our AI support agent. SUPVISION.AI is registered at: Harju maakond, Tallinn, Põhja-Tallinna linnaosa, Sõle tn 61a-5, 10313, Estonia. Contact: info@supvision.ai.

supVision acts as a data processor under GDPR. Your organisation is the data controller. This policy covers how we handle the customer data you submit to our platform and the safeguards we maintain to protect it.

What data supVision processes on your behalf

When you deploy supVision as your AI support agent, the system processes customer-submitted data to resolve support queries. This may include customer names, email addresses, account identifiers, transaction references, and the content of support messages.

supVision operates as a data processor under GDPR. Your organisation remains the data controller and is responsible for the lawful basis under which customer data is collected and submitted to supVision for processing.

Zero-retention architecture

supVision is built on a zero-retention model. Customer conversations and personally identifiable information (PII) are not stored beyond the active session unless retention is explicitly required by your configuration for audit or compliance purposes.

No supVision employee has read access to your customer conversations. PII fields are anonymised before they reach any AI model layer. Only metadata necessary for routing, escalation, and audit logging is retained.

AI processing and model training

Customer data processed through supVision is never used to train shared or public AI models. Each deployment operates in an isolated context. Any fine-tuning or model adaptation is performed only on anonymised or synthetic data, or on data you have explicitly authorised for that purpose in a separate written agreement.

supVision uses large language model APIs provided by third-party infrastructure providers. These providers are contractually bound not to use your data for model improvement without your consent. Applicable data processing agreements are in place with all sub-processors.

Sub-processors and data transfers

supVision uses a limited set of vetted sub-processors for infrastructure (hosting, database, and AI inference). All sub-processors are under contractual data processing agreements and are located in the EU/EEA or in countries with adequate data protection as recognised by the European Commission.

We maintain an up-to-date list of sub-processors. If you are an enterprise client and require a copy of the current sub-processor list or specific DPA terms, contact us at info@supvision.ai.

Audit logs and data access

Every decision made by the supVision agent is logged with a traceable audit trail. This log includes the query category, the confidence level of the response, the data sources consulted, and the outcome (resolved, escalated, or flagged). Logs are available to your compliance team on demand.

supVision does not expose raw customer PII in audit logs. Log entries reference anonymised customer identifiers that can be re-linked by your team using your internal systems.

Data subject rights

As data controller, you are responsible for handling data subject requests (access, erasure, portability, rectification) from your customers. supVision provides tooling to support right-to-erasure requests: upon instruction, all stored references to a given customer identifier can be purged from the system within the timeframe required by applicable law.

If a data subject contacts supVision directly with a request relating to data you control, we will forward the request to you within 72 hours.

Security standards

supVision aligns to SOC 2 Type II, ISO 27001, GDPR, and PCI DSS requirements relevant to our services. All data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Access to infrastructure is restricted by role and requires multi-factor authentication.

We conduct regular vulnerability assessments and penetration tests. Incident response procedures are in place with defined notification timelines in line with GDPR Article 33 obligations.

Changes to this policy

We may update this Data Policy when our processing practices change or when required by law. Enterprise clients will be notified of material changes by email at least 30 days in advance. The "Last updated" date below reflects the most recent revision.

Last updated: 4 June 2026

Questions about data processing?

We'll respond with the relevant DPA terms or sub-processor list within one business day.