Privacy Policy
Last Updated
1. Data Controller
In accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data (GDPR) and Organic Law 3/2018 of 5 December on Personal Data Protection and guarantee of digital rights (LOPDGDD), we provide the following information.
1.1. Identity of the Controller
Controller: BEKTOR AI WORKFORCE, S.L.
CIF: B26959254
Address: María de Molina 39, Floor 4, 28006, Madrid, Spain
Trade name: Bektor
Contact email: dpo@bektor.ai
Website: https://bektor.ai
Bektor operates as a trade name under the ownership of the controller mentioned above.
1.2. Who is responsible for processing the data?
BEKTOR AI WORKFORCE, S.L. (Bektor) is responsible for processing your personal data for the purpose of providing you with the services identified in this privacy policy.
Bektor is a company domiciled at María de Molina 39, Floor 4, 28006, Madrid, Spain, and its Tax ID number is B26959254.
At Bektor, we are committed to the fundamental right to the protection of your personal data, and this privacy policy aims to inform you about your rights under the General Data Protection Regulation (GDPR).
We inform you that Bektor has a Data Protection Officer in accordance with the GDPR, available to you for any questions or queries regarding the processing of your data, whom you can contact through the address dpo@bektor.ai.
2. Scope and Acceptance
This Privacy Policy governs the processing of personal data that Bektor carries out in the framework of its professional activity of configuring, training, and managing artificial intelligence agents for business clients.
By contracting our services, using our website, or providing your personal data, you expressly accept and consent to the processing of your personal information in accordance with the conditions established in this Privacy Policy.
3. Data Processing Activities
3.1. As Data Controller
Bektor acts as data controller with respect to personal data of:
Business clients: Contact details of natural persons representing companies that contract our services.
Commercial contacts: Prospects, leads, and contact persons in the development of our commercial activity.
Suppliers and collaborators: Data necessary for administrative and commercial management.
Purposes and legal bases as Controller
| Purpose | Legal basis | Retention period |
|---|---|---|
| Management of commercial and contractual relationships: Processing of information requests, quotes, contracting of services, invoicing, project follow-up, and communications related to contracted services. | Performance of contract (Art. 6.1.b GDPR) | During the contractual relationship and 6 years after its termination (Art. 30 Commercial Code). |
| Invoicing and fiscal and accounting obligations: Issuance of invoices, accounting management, and compliance with tax obligations. | Legal obligation (Art. 6.1.c GDPR in relation to the General Tax Law and the Commercial Code) | 4 years from the last entry (General Tax Law) or 6 years (Commercial Code), whichever is greater. |
| Sending commercial communications: Information about new services, functionalities, success stories, valuable content, and offers related to AI agents. | Explicit consent (Art. 6.1.a GDPR) or Legitimate interest for current clients regarding similar services (Art. 6.1.f GDPR and Art. 21 Law 34/2002 LSSI-CE) | Until consent is withdrawn or an objection is raised. In case of inactivity, a maximum of 2 years from the last interaction. |
| Management of queries and information requests through the website or contact forms. | Explicit consent of the data subject (Art. 6.1.a GDPR) | 1 year from receipt of the query if no commercial relationship materialises. |
| Service improvement and development of new AI functionalities through aggregated and anonymised analysis. | Legitimate interest (Art. 6.1.f GDPR) following documented balancing test | Personal data is anonymised or pseudonymised before use for training. Original data is retained according to the main purposes. |
Categories of personal data processed as Controller
Identifying data: name and surname, company trade name
Professional contact data: corporate email, company phone, company postal address
Economic and transactional data: billing information, bank details for payments, transaction history
Web browsing data: IP address, technical and analytical cookies (see section 9)
Important note: Bektor applies the data minimisation principle, collecting only the information strictly necessary for the purposes described. We do not process special categories of data (sensitive data) from our business clients.
3.2. As Data Processor
Bektor acts as data processor when it processes personal data on behalf of its business clients (the "data controllers") in the framework of configuring, training, and managing artificial intelligence agents.
In this context, Bektor only processes data following the documented instructions of the client controller, with whom a Data Processing Agreement is formalised in accordance with Article 28 of the GDPR.
Processing activities as Processor
Technical configuration of AI agents: system parameterisation, integration with client CRM, personalisation of conversational flows
AI model training: adjustment and optimisation of agents using data provided by the client (call recordings, transcripts, knowledge bases)
Operational management and maintenance: supervision of operation, resolution of technical incidents, updates and improvements
Performance analysis: generation of metrics, usage reports, and optimisation recommendations
Categories of data processed as Processor
The personal data that Bektor may process as a processor depends on each specific project and the client controller's instructions. They typically include:
Voice conversation recordings: interactions between AI agents and end users
Call transcripts: textual version of conversations
Contact data: names, phone numbers, and email addresses of end users
Metadata: date and time of calls, duration, session identifiers
Important note on voice biometric data: Voice recordings constitute personal data. When used for biometric identification or authentication, they are considered special category data (Art. 9 GDPR), requiring enhanced security measures and, where applicable, a Data Protection Impact Assessment (DPIA) by the client controller.
Bektor does not determine the purposes or essential means of processing this data, which remain under the exclusive responsibility of the client.
Obligations of Bektor as Processor
In accordance with Article 28.3 of the GDPR, Bektor commits to:
Processing data only following the controller's documented instructions
Ensuring that persons authorised to process data are subject to confidentiality obligations
Implementing appropriate technical and organisational security measures
Not subcontracting without prior written authorisation from the controller
Assisting the controller in fulfilling data subjects' rights
Helping the controller comply with its security obligations, impact assessments, and breach notifications
Deleting or returning data at the end of service provision, eliminating existing copies
Making available to the controller all information necessary for audits and inspections
4. Recipients and Data Disclosure
4.1. Data Processors (service providers)
For the provision of our services, Bektor may disclose your data to specialised technology providers acting as processors under our supervision, with whom we have formalised the corresponding processing agreements in accordance with Article 28 GDPR:
a) Cloud infrastructure and hosting providers: Google Cloud Platform (GCP), Vercel, Railway, Ionos
b) AI and voice processing platforms: VAPI (orchestrator), Retell AI (orchestrator), OpenAI (LLM), ElevenLabs (voice synthesiser), Deepgram (transcriber), Twilio (digital telephony)
c) CRM and marketing automation services: GoHighLevel, Instantly, Make, n8n
d) Payment gateway and billing management: Stripe, Holded, BankTrack, Qonto
e) Web analytics: Google Analytics 4 (GA4), Google Tag Manager, Meta Pixel, Framer
f) Forms and lead capture: Tally, Typeform, Framer Forms
g) Other relevant providers: Calendly (calendar/meetings), Cal.com (calendar/meetings), Meet (video conferencing)
All these providers are contractually obliged to implement appropriate technical and organisational measures to protect your personal data, processing it only in accordance with our instructions and for the established purposes.
4.2. International Data Transfers
Some of our technology providers are located outside the European Economic Area (EEA), which implies international transfers of personal data. We guarantee that such transfers are carried out with appropriate safeguards.
Transfers to the United States:
Applicable legal mechanism: EU-U.S. Data Privacy Framework (European Commission Adequacy Decision of 10 July 2023)
Certified providers: Vercel, Railway, Twilio, GoHighLevel, Stripe, Google, Meta, Calendly
Non-certified providers: VAPI, Retell AI, OpenAI, ElevenLabs, Deepgram, Instantly, Cal.com
Complementary measures: Standard Contractual Clauses (SCCs) approved by the European Commission when the provider is not certified under the DPF
Transfers to other third countries:
When necessary to transfer data to countries without an adequacy decision, we apply the safeguards of Article 46 GDPR, primarily through Standard Contractual Clauses (SCCs) together with complementary technical security measures.
4.3. Other Data Disclosures
Your personal data will not be disclosed to third parties, except:
Legal obligation: when required by law, regulation, court order, or administrative resolution (e.g. Tax Agency, courts)
Explicit consent: when you have expressly authorised the disclosure
Bektor does not sell, transfer, or rent personal data to third parties for commercial purposes.
5. Artificial Intelligence Processing
Bektor uses artificial intelligence systems as a central element of the services provided. Below, we detail specific information about the use of AI in accordance with Regulation (EU) 2024/1689 on Artificial Intelligence (AI Act).
5.1. Nature of AI Systems Used
The AI agents we configure and deploy for our clients use:
Natural language processing (NLP) models: to understand and generate human language
Voice synthesis (Text-to-Speech): to convert text into natural speech
Voice recognition (Speech-to-Text): to transcribe speech to text
Conversational models: to manage contextual dialogues and provide appropriate responses
These systems are classified as limited risk under the AI Act, subject primarily to transparency obligations.
5.2. Information at the Start of Each Interaction
Compliance with Article 50 of the AI Act:
When end users of our clients interact with an AI agent managed by Bektor, clear information is provided at the start of each conversation, indicating that:
They are interacting with an artificial intelligence system, not a human person
The conversation may be recorded for service improvement, quality control, or system training purposes
Users can consult further information in the client controller's privacy policy
Standard informational message example: "Hello, I am the virtual assistant of [Client Name] and this call may be recorded to improve our service. For more information, visit our privacy policy at [URL]."
5.3. Data Processing for AI Training
When Bektor acts as Controller:
Bektor may use aggregated, anonymised, or pseudonymised data derived from the operation of AI agents to improve algorithms and models, develop new functionalities, and conduct research and development of best practices.
Legal basis: Legitimate interest (Art. 6.1.f GDPR), following a balancing analysis ensuring our interest does not prevail over data subjects' rights and freedoms.
Protection measures: Anonymisation or pseudonymisation of personal data before use for training; impossibility of re-identifying specific individuals; analysis in secure environments with restricted access.
When Bektor acts as Processor:
Training of specific models for each client is carried out strictly following their documented instructions. Bektor does not use data from one client to benefit other clients, nor to train general models. Each implementation and training is independent and confidential.
5.4. Automated Decisions and Profiling
The AI agents we configure for our clients may take certain automated operational decisions such as directing a call to the appropriate department, providing standard information about products or services, scheduling appointments based on availability, or classifying the type of query. These decisions are operational in nature and do not produce legal effects or significantly affect data subjects under Article 22 GDPR.
Our systems are designed so that complex or atypical situations requiring qualified assessment are escalated to human agents. If an AI agent were to take an automated decision that produces legal effects, the data subject has the right (Art. 22 GDPR) to obtain human intervention, express their point of view, and contest the decision. This right must be exercised with the client controller that implements the agent.
6. Recording of Conversations and Voice Data Processing
6.1. Information on Call Recording
When AI agents managed by Bektor record conversations, legal requirements for information and legitimation are met. Before starting the recording, the caller is informed of: the fact that the conversation will be recorded; the purpose of the recording; the identity of the data controller (the Bektor client); and data subjects' rights and how to exercise them.
6.2. Nature of Voice Data
Voice is personal data that allows identification of a natural person and its processing is therefore subject to the GDPR. When voice recordings are used for biometric identification or authentication, they are considered special category data under Article 9 GDPR. In such cases, a specific legal basis under Article 9.2 GDPR is required, a DPIA is mandatory, and enhanced security measures are implemented.
Bektor, in its usual role as data processor, configures systems that record conversations for service improvement and performance analysis, not for biometric identification or authentication.
6.3. Retention of Recordings
Conversation recordings are retained for:
Operational purpose (service improvement): the minimum necessary period, generally between 30 days and 12 months, as established by the client controller
AI training purpose: once the model is trained, original recordings may be deleted if anonymised patterns have been extracted
Legal obligations: when a legal retention obligation exists, recordings are retained for the period established by the applicable regulations
7. Data Retention Periods
Bektor applies the storage limitation principle of Article 5.1.e GDPR, retaining personal data only for as long as necessary for the purposes of processing.
7.1. General Conservation Criteria
| Data category | Retention period | Legal basis |
|---|---|---|
| Client data and contractual relationship | Duration of contract + 6 years | Art. 30 Commercial Code + Art. 1964 Civil Code |
| Fiscal and accounting documentation (invoices, books) | 4–6 years from last entry | Arts. 66–67 General Tax Law + Art. 30 Commercial Code |
| Commercial communications (contact lists) | Until consent is withdrawn or after 2 years of inactivity | Minimisation principle + Art. 6.1.a GDPR |
| Web queries and contact forms without a commercial relationship | 1 year from receipt | Minimisation principle + legitimate interest |
| Conversation recordings (as a processor) | As per the client controller's instructions, generally 30 days to 12 months | Service improvement and training purpose |
| Anonymised or aggregated data | Indefinitely (not personal data) | Irreversibly anonymised data is not subject to the GDPR |
7.2. Data Blocking
In accordance with Article 32 of the LOPDGDD, when data is no longer necessary for the purpose for which it was collected but must be retained for legal obligations, Bektor applies data blocking. Data is kept available exclusively for judges, courts, the Public Prosecutor, and competent administrative authorities, and is not accessible for operational or commercial use.
8. Rights of Data Subjects
As a data subject whose personal data is processed by Bektor, you have the following rights recognised by the GDPR and LOPDGDD:
Right of access (Art. 15 GDPR): Obtain confirmation of whether we are processing your personal data and, if so, access it along with information about purposes, categories, recipients, and retention periods.
Right of rectification (Art. 16 GDPR): Request correction of inaccurate or incomplete data.
Right of erasure / "right to be forgotten" (Art. 17 GDPR): Request deletion of your personal data when it is no longer necessary, you withdraw consent, you object to processing, data has been unlawfully processed, or deletion is required by law. Not applicable when processing is necessary to comply with legal obligations or to establish, exercise, or defend legal claims.
Right to restriction of processing (Art. 18 GDPR): Request temporary blocking when you contest accuracy; processing is unlawful but you oppose deletion; we no longer need the data but you need it for claims; or you have objected pending verification.
Right to data portability (Art. 20 GDPR): Where processing is based on consent or contract and carried out by automated means, receive your data in a structured, commonly used, machine-readable format and transmit it to another controller.
Right to object (Art. 21 GDPR): Object at any time to processing based on legitimate interest, including the sending of commercial communications. You may object to direct marketing at any time and without justification.
Right not to be subject to automated decisions (Art. 22 GDPR): Not to be subject to decisions based solely on automated processing, including profiling, which produce legal effects or similarly significantly affect you.
Right to withdraw consent: Where processing is based on your consent, withdraw it at any time without affecting the lawfulness of prior processing.
8.1. How to Exercise Your Rights
You may exercise any of these rights by contacting:
Address: María de Molina 39, Floor 4, 28006, Madrid, Spain
Email: dpo@bektor.ai
Subject line: "Exercise of GDPR rights – [indicate right you wish to exercise]"
Your request must include your full name, a copy of your ID or equivalent document, a clear description of the right you wish to exercise, and an address to receive the response.
We will respond within 1 month of receipt, extendable by a further 2 months for complex requests.
8.2. Right to Lodge a Complaint with the Supervisory Authority
If you consider that the processing of your personal data violates the GDPR or LOPDGDD, you have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD):
Agencia Española de Protección de Datos (AEPD)
Address: Jorge Juan 6, 28001 Madrid
Phone: 901 100 099 / 912 663 517
Website: https://www.aepd.es
Electronic office: https://sedeagpd.gob.es
9. Cookies and Similar Technologies
Bektor uses cookies and similar technologies on its website to improve the user experience, remember preferences, and analyse site usage.
For detailed information about which specific cookies we use, how to accept, reject, or configure them, and the privacy policies of third parties, please consult our full Cookie Policy.
10. Security Measures
In accordance with Article 32 of the GDPR, Bektor has implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
Technical measures include:
Communications encrypted using TLS/SSL protocols (HTTPS)
Encryption of sensitive data at rest
Robust authentication with strong passwords and, where applicable, multi-factor authentication (MFA)
Principle of least privilege: each user/role has access only to the data they need
Firewalls and intrusion detection systems
Regular system updates and security patches
Periodic backups with restoration verification
Organisational measures include:
All staff with access to personal data are subject to confidentiality obligations
Periodic training in data protection and security awareness
Documented incident response procedure for security breaches
Notification to the AEPD within 72 hours of security breaches entailing risk
Privacy by design and by default in new processing activities
10.1. Data Protection Impact Assessments (DPIA)
Bektor, given the nature of its processing activities (use of innovative AI technologies, possible processing of voice data for biometric purposes, profiling), carries out DPIAs in accordance with Article 35 GDPR when implementing new processing that uses innovative technologies, or when there is a high risk to the rights and freedoms of individuals.
11. European Artificial Intelligence Regulation (AI Act)
Bektor operates in compliance with Regulation (EU) 2024/1689 on Artificial Intelligence (AI Act), which entered into force on 1 August 2024 with progressive application.
The conversational and operational AI systems that Bektor configures and deploys are classified as limited risk (Article 50 AI Act), subject primarily to transparency obligations. They would only be high risk if used for real-time remote biometric identification in public spaces, for automated decisions significantly affecting employment or access to essential services, or if integrated into critical infrastructure.
As a deployer/integrator of AI systems, Bektor guarantees: clear information to users at the start of each interaction that they are interacting with an AI system; detectability of AI-generated content; and human supervision for complex or atypical situations.
Bektor is committed to cooperating with the Spanish AI Supervisory Agency (AESIA) within the framework of its supervisory functions.
12. Minors
The services of Bektor are directed exclusively at companies and professionals (B2B). We do not intentionally process personal data of individuals under 18 years of age.
If Bektor becomes aware that it has inadvertently collected data from a minor without parental or guardian consent, it will proceed to delete it immediately.
13. Links to Third-Party Websites
The website of Bektor may contain links to third-party websites. Bektor is not responsible for the privacy policies or data processing practices of these third-party websites. We recommend reading their privacy policies carefully before providing them with personal information.
14. Updates and Modifications
Bektor reserves the right to modify this Privacy Policy to adapt to regulatory changes, new services or functionalities, changes in technology providers, or improvements in privacy practices.
Any substantial modification will be notified in advance through: publication of the updated version on this page with the date of last modification indicated; communication by email to active clients; and an informational banner on the website for significant changes.
15. Applicable Law and Jurisdiction
This Privacy Policy is governed by Spanish and European data protection legislation, including:
Regulation (EU) 2016/679 (GDPR)
Organic Law 3/2018 (LOPDGDD)
Regulation (EU) 2024/1689 (AI Act)
Law 34/2002 (LSSI-CE)
AEPD Guidelines and guidance
For any dispute related to the interpretation or application of this Privacy Policy, the Courts of the city of Madrid shall have jurisdiction, unless applicable law provides otherwise.
16. Contact and Controller Details
For any query, doubt, or exercise of rights related to this Privacy Policy or the processing of your personal data, you may contact us at:
Controller: BEKTOR AI WORKFORCE, S.L.
CIF: B26959254
Address: María de Molina 39, Floor 4, 28006, Madrid, Spain
Trade name: Bektor
Contact email: dpo@bektor.ai
Website: https://bektor.ai
17. Acceptance and Consent
The use of Bektor's services, browsing our website, and the voluntary provision of personal data imply that you have read, understood, and accept the processing conditions established in this Privacy Policy.
Where processing requires your explicit consent (commercial communications, analytical cookies), this will be requested in a clear, unambiguous, and separate manner through: checkboxes that must be actively ticked (not pre-ticked); clear statements about what you are consenting to; and the possibility of withdrawing consent at any time with the same ease with which it was granted.
Document prepared in accordance with:
Regulation (EU) 2016/679 (GDPR)
Organic Law 3/2018 on Personal Data Protection and guarantee of digital rights (LOPDGDD)
Regulation (EU) 2024/1689 on Artificial Intelligence (AI Act)
Law 34/2002 on Information Society Services and Electronic Commerce (LSSI-CE)
AEPD Guidelines and guidance