1. Data Controller
Talqi — Conversational AI for businesses
- ●Controller: Pablo Fernández Torres
- ●Tax ID: [PENDING — required before publication]
- ●Address: Barcelona, Spain
- ●Email: pfernandez@talqi.io
2. What we do
Talqi develops and operates conversational AI agents integrated into the communication channels (currently WhatsApp Business) of our business clients. These agents respond to enquiries from the business's end customers in an automated manner.
Under the GDPR, Talqi acts as Data Processor. Our business clients are the Data Controllers of their own customers' data.
3. Data we collect
3.1 From our business clients
- ●Company name and representative contact details
- ●Professional email address and phone number
- ●Billing data (legal name, tax ID, address)
- ●WhatsApp Business API access credentials (encrypted at rest)
- ●Telegram group ID for agent administration
3.2 From end customers (on behalf of our business clients)
- ●WhatsApp phone number
- ●Contact name (if provided by the user or WhatsApp)
- ●Conversation content (text messages, images, documents, voice notes)
- ●Conversation metadata (timestamps, duration, resolution status)
4. Purpose of processing
- ●Service delivery: processing conversations to generate AI-powered automated responses
- ●Agent improvement: conversation analysis to optimise response quality
- ●Metrics and reporting: generating aggregated statistics (resolution rate, response time) for clients
- ●Technical support: diagnosing and resolving incidents in agent operation
- ●Billing: invoicing and payment management for business clients
We do not sell data to third parties. We do not use a client's conversation data to train general-purpose AI models. We do not profile end customers for advertising purposes.
5. Legal basis for processing
- ●Performance of a service contract (Art. 6.1.b GDPR) — for our business clients' data
- ●Legitimate interest of the business client (Art. 6.1.f GDPR) — for automated responses to their end customers
- ●Compliance with legal obligations (Art. 6.1.c GDPR) — for retention of fiscal data
6. Sub-processors
To deliver our service, we share data with the following providers:
| Sub-processor | Location | Service | Safeguard |
|---|---|---|---|
| Anthropic PBC | USA | Natural language processing (Claude API) | EU Standard Contractual Clauses |
| Amazon Web Services | EU (Ireland) | Infrastructure and database hosting | eu-west-1 region servers |
| MongoDB Inc. | EU | Conversation data storage | MongoDB Atlas EU |
| Meta Platforms | EU (Ireland) | WhatsApp Business API infrastructure | Meta's European entity |
| Telegram FZ-LLC | UAE | Admin interface and notifications | EU Standard Contractual Clauses |
7. Data retention
- ●Conversation messages: 90 days from the last message (automatic deletion via TTL index)
- ●Captured lead data: duration of the contract + 30 days after termination
- ●Business client data: duration of the contract + legal retention obligations (4 years for invoices)
- ●Aggregated and anonymised metrics: retained indefinitely
8. Security measures
- ●Encryption of API credentials at rest (AES-256)
- ●Data isolation per tenant — every database query is filtered by
tenant_id - ●Communications encrypted via TLS 1.3 (Cloudflare)
- ●Automated daily database backups
- ●Hosting on EU servers (AWS eu-west-1, Ireland)
- ●Cryptographic verification of incoming WhatsApp webhooks
- ●Automatic error alerts via the operator's Telegram channel
9. Data subject rights
Under the GDPR, any person has the right of access, rectification, erasure, restriction, portability, and objection to the processing of their data.
For end customers (people who interact with a business's agent): requests must be directed to the business concerned, which is the Data Controller.
To exercise any right, contact: pfernandez@talqi.io
You may also lodge a complaint with the Spanish Data Protection Agency (AEPD) at www.aepd.es.
10. Use of artificial intelligence
Our service uses AI models (currently Claude by Anthropic) to generate automated responses:
- ●Messages are sent to Anthropic's API for processing. Anthropic does not use this data to train its models.
- ●Responses are generated in real time and are not stored by Anthropic beyond the processing time.
- ●Each agent operates with business-specific instructions (system prompt) that define its behaviour.
- ●The agent is designed to escalate to a human when it cannot resolve an enquiry confidently.
11. Cookies and web tracking
The website uses Cloudflare Web Analytics for web analytics. This service collects performance and usage metrics in a privacy-respecting manner: it does not use cookies, localStorage, or user fingerprinting. Data is processed in aggregate and anonymous form. No prior consent is required.
The website may use strictly necessary technical cookies for its operation (language preferences, session). These do not require prior consent.
12. Modifications
Talqi reserves the right to update this privacy policy. Any material modification will be communicated to business clients by email and published on this page with the update date.
Privacy Policy v1.0 — Talqi · Conversational AI for businesses — April 2026