Privacy Policy

Last Updated: December 11, 2025

1. Who We Are

Solfaia ("We") takes data privacy seriously. This policy explains how David Paulos Da Fonseca (trading as Solfaia, Entreprise Individuelle) processes data.
VAT / TVA Number: LU31854716
Contact: [email protected]

2. Our Data Architecture — Ephemeral by Default, Configurable by Agreement

Solfaia is designed with a privacy-first philosophy. Our default architecture minimises data retention, but clients may enable persistent storage features (such as call summaries, transcripts, or CRM logging) where there is a legitimate business need and a lawful basis under GDPR to do so.

• Audio Data: Raw audio from calls is processed in real-time and is not permanently stored on our servers unless the client has explicitly enabled recording for quality assurance or compliance purposes.
• Transcripts & Summaries: By default, text logs are retained only as long as necessary to extract business insights (e.g. booking confirmations, call summaries), after which they are minimised or deleted. Clients who require longer retention — for example to review call logs or feed data into a CRM — may enable this under a configurable retention policy, subject to their own legal obligations as data controllers.
• Client Responsibility: Where a client enables persistent data features, they act as a data controller for their end-users’ data and are responsible for ensuring their own compliance with applicable data protection law, including obtaining any necessary consents from their customers.
• Isolation: Each client’s data is processed in isolated environments to prevent cross-contamination between accounts.

3. Legal Basis for Processing

We process personal data under the following legal bases as defined by GDPR Article 6:

• Performance of a Contract (Art. 6(1)(b)): Processing necessary to deliver the services agreed with our clients, including billing, support, and service operation.
• Legitimate Interests (Art. 6(1)(f)): Processing necessary for our legitimate business interests, such as platform security, abuse prevention, and service improvement, where these interests are not overridden by the rights of the individuals concerned.
• Legal Obligation (Art. 6(1)(c)): Processing required to comply with applicable laws, including tax and invoicing obligations.

4. Data We Process

To operate the Service and comply with our legal obligations, we process the following:

• Client Data: Name, billing address, VAT number (if applicable), email address, and phone number. Retained for the duration of the contractual relationship and as required by Luxembourg tax law (minimum 10 years for invoicing records).
• End-User Data: Phone numbers, voice data, and interaction logs of your customers engaging with the AI. Retained ephemerally by default (see Section 2), or for the duration configured by the client where persistent features are enabled.

5. International Data Transfers

Some of our third-party sub-processors are based outside the European Economic Area (EEA), including in the United States. Where personal data is transferred outside the EEA, we ensure appropriate safeguards are in place in accordance with GDPR Chapter V, including Standard Contractual Clauses (SCCs) or reliance on sub-processors who participate in recognised adequacy frameworks. By engaging our services, clients acknowledge that their end-users’ interaction data may be processed by these international sub-processors as part of service delivery.

6. Third-Party Sub-Processors

We use trusted, compliant third-party infrastructure to deliver and manage the service. These partners process data only under strict instructions from Solfaia. The key processing categories are:

• Payments: Stripe (financial and billing data).
• AI & Communications: OpenAI, Anthropic, Gemini (NLP processing), ElevenLabs (voice synthesis), Twilio / Vapi (telephony and voice), String (messaging management).
• Infrastructure & Automation: Workflow automation platforms (e.g., n8n), CRM systems, and hosting services.

A complete, up-to-date list of all engaged sub-processors is available upon written request to ensure transparency and ongoing GDPR compliance.

7. Consulting & Content Creation — Confidentiality

Where a client engages Solfaia for AI strategy consulting or AI content creation services, any business information, briefs, strategies, or materials shared by the client during those engagements are treated as strictly confidential. Such information is used solely for the purpose of delivering the agreed service and is never shared with third parties, used to inform work for other clients, or retained beyond what is necessary to complete the engagement. Clients retain full ownership of any materials they provide.

8. Website Chat Widget

The Solfaia website includes a live chat widget that allows visitors to interact with our AI assistant. By initiating a conversation through this widget, you acknowledge that:

• Conversation Data: The content of your chat session, including any personal information you voluntarily share (such as your name, business details, or contact information), is processed in order to respond to your enquiry.
• Ephemeral by Default: Chat conversations are processed ephemerally in line with our default data architecture (see Section 2). Transcripts are not permanently stored unless you explicitly request follow-up or a record of the conversation.
• No Passive Collection: The chat widget does not collect any data beyond what you actively type into it. It does not track your browsing behaviour or collect device identifiers.
• Policy Acknowledgement: The notice displayed at the start of each chat session ("By chatting, you agree to our privacy policy") serves as a pointer to this policy. This policy is the complete and authoritative description of how your chat data is handled. Continuing to use the chat constitutes acknowledgement of these terms.

9. Cookies & Tracking

The Solfaia website does not currently use tracking cookies or third-party analytics tools that collect personal data. If this changes, this policy will be updated and appropriate consent mechanisms implemented.

10. Your Rights (GDPR)

Under the GDPR, you have the right to access, rectify, erase, restrict, or object to the processing of your personal data, as well as the right to data portability. You also have the right to lodge a complaint with the Luxembourg data protection authority (Commission Nationale pour la Protection des Données — CNPD) at cnpd.public.lu. To exercise your rights directly with Solfaia, please contact: [email protected].