← Home

Legal

Privacy Policy

Version 2.0 · June 2026

1. Data controller

| | | |---|---| | Legal name | Fusion Ingenieria Eficiente S.L.P | | Tax ID (NIF) | B65619298 | | Address | Carrer Costa Daurada, 8, 5º 3ª, 08394 Sant Vicenç de Montalt (Barcelona) | | Email | rgpd@talqi.io | | Product | talqi — AI Agents for businesses |

2. What we do

talqi develops and operates an AI agent platform that integrates into the communication channels and digital processes of our business clients. The platform includes, but is not limited to:

  • Conversational agent: responds to end-customer enquiries automatically via WhatsApp Business or other integrated channels.
  • Automated booking agent: manages bookings, appointments or availability autonomously on behalf of the business client.
  • Lead capture: collects data from potential customers through web forms and WhatsApp Business integration.
  • Other specialised agents: process automation, support workflows, document management or other features talqi may add to the platform.

Under the GDPR, talqi acts as Data Processor. Our business clients are the Data Controllers of their own customers' and leads' data. This relationship is formalised through a Data Processing Agreement (DPA) signed with each business client, in accordance with Art. 28 GDPR.

3. Data we collect

3.1 From our business clients

  • Company name and representative contact details
  • Professional email address and phone number
  • Billing data (legal name, tax ID, address)
  • WhatsApp Business API access credentials (encrypted at rest)
  • Telegram group ID for agent administration

3.2 From end customers and data subjects (on behalf of our business clients)

  • WhatsApp phone number
  • Contact name (if provided by the user or WhatsApp)
  • Email address (when collected through lead capture forms)
  • Data voluntarily entered in capture forms (name, company, enquiry or other fields configured by the business client)
  • Conversation content (text messages, images, documents)
  • Voice notes: received via WhatsApp and transcribed internally; original audio files are not stored beyond real-time processing
  • Data generated by specialised agents (e.g. booking data, service preferences, availability information) depending on features active for each client
  • Interaction metadata (timestamps, duration, resolution status, type of intervening agent)

4. Purpose of processing

  • Service delivery: processing interactions (conversations, bookings, forms and automations) to generate AI-powered automated responses and actions.
  • Lead capture: collecting and storing data from potential customers through web forms or WhatsApp Business integration, on behalf of and under the instructions of the business client.
  • Booking and automated process management: executing booking flows, confirmation, modification or cancellation of appointments and services autonomously by the agent.
  • Agent improvement: analysing interactions to optimise response quality and agent performance.
  • Metrics and reporting: generating aggregated statistics (resolution rate, response time, lead volume) for clients.
  • Technical support: diagnosing and resolving incidents in agent operation.
  • Billing: invoicing and payment management for business clients.

We do not sell data to third parties. We do not use a client's conversation or lead data to train general-purpose AI models. We do not profile end customers for advertising purposes.

  • Performance of the service contract (Art. 6.1.b GDPR) — for our business clients' data.
  • Legitimate interest, consent or other applicable legal basis as determined by the Data Controller (Art. 6.1.a, b or f GDPR) — talqi, as Processor, does not determine nor is responsible for the legal basis applicable to end-customer or lead data processing; this determination rests exclusively with the business client.
  • Compliance with legal obligations (Art. 6.1.c GDPR) — for fiscal data retention.

In particular, for lead capture via forms or WhatsApp Business, the business client (Controller) determines and ensures the applicable legal basis (typically data subject consent or legitimate interest), and must inform data subjects in accordance with Arts. 13 and 14 GDPR.

6. Data Processing Agreement (DPA)

In accordance with Art. 28 GDPR, talqi enters into a Data Processing Agreement with each business client before the start of service delivery. The full text of the DPA is available under the "DPA" tab on this page. To request a copy prior to contracting: rgpd@talqi.io

7. Sub-processors

To deliver our service, we share data with the following providers:

| Sub-processor | Location | Service | Safeguard | |---|---|---|---| | Anthropic PBC | USA | AI processing (Claude API) | EU SCCs + TIA completed | | Amazon Web Services | EU (Ireland) | Infrastructure and database hosting | eu-west-1 region | | Neon Inc. | EU | Conversation data storage | Neon EU | | Meta Platforms | EU (Ireland) | WhatsApp Business API infrastructure | Meta's European entity |

International transfers: for transfers to Anthropic (USA), EU Standard Contractual Clauses approved by the European Commission have been signed and a Transfer Impact Assessment (TIA) has been carried out. Data will be pseudonymised whenever technically feasible.

8. Data retention

  • Conversation messages and agent interactions: 90 days from the last message or interaction (automatic deletion via TTL).
  • Captured lead data (forms and WhatsApp Business): duration of the contract + 30 days after termination, unless the business client instructs a different period or applicable law requires otherwise.
  • Agent-managed booking data: 90 days from the booking date or the period determined by the business client.
  • Business client data: duration of the contract + fiscal obligations (4 years for invoices).
  • Aggregated and anonymised metrics: retained indefinitely.

9. Security measures

  • Encryption of API credentials at rest (AES-256).
  • Data isolation per tenant — every database query is filtered by tenant_id.
  • Communications encrypted via TLS 1.3 (Cloudflare).
  • Automated daily database backups.
  • Hosting on EU servers (AWS eu-west-1, Ireland).
  • Cryptographic verification of incoming WhatsApp webhooks.
  • Automatic error alerts via the operator's Telegram channel.

10. Security breach notification

If a security breach affecting personal data processed on behalf of a business client is detected, talqi will:

  • Notify the client (Controller) without undue delay and within a maximum of 24 hours of detection.
  • Include in the notification: description of the breach, categories and approximate volume of affected data, likely consequences and measures taken.
  • The client will thus have sufficient time to notify the AEPD within the 72-hour deadline (Art. 33 GDPR).
  • talqi will actively collaborate in the investigation, containment and documentation of the breach.

Security incident contact: rgpd@talqi.io (guaranteed response within 2 hours during business hours)

11. Data subject rights

Under the GDPR and the LOPDGDD, any person has the right of access, rectification, erasure, restriction, portability and objection to the processing of their data.

For end customers and leads who interact with any talqi agent or have provided their data through forms: requests must be directed to the corresponding business, which is the Data Controller.

If talqi directly receives a rights exercise request from an end customer or lead, it will redirect it to the relevant Controller within a maximum of 72 hours and inform the requester. talqi will collaborate with the Controller to facilitate effective exercise in accordance with Art. 28.3.e GDPR.

Contact: rgpd@talqi.io · Complaints to the AEPD: www.aepd.es

12. Use of artificial intelligence

talqi operates multiple types of AI agents. The following general principles apply:

  • Messages and interactions are sent to Anthropic's API for processing. Anthropic does not use this data to train its general models.
  • Responses and actions are generated or executed in real time and are not stored by Anthropic beyond processing time.
  • Each agent operates with business-specific instructions (system prompt) that define its behaviour, limits and functional scope.
  • The conversational agent is designed to escalate to a human when it cannot resolve an enquiry confidently.
  • The booking agent acts only within the parameters configured by the business client and does not perform actions outside that scope.
  • No automated decisions with significant legal effects on end customers or leads are made solely on the basis of AI processing (Art. 22 GDPR), unless the business client explicitly enables this and ensures the corresponding legal basis.

13. Lead capture

talqi offers its business clients lead capture capabilities through two main channels:

13.1 Web forms

Business clients can integrate capture forms into their websites or landing pages managed through the talqi platform. The data collected (name, email, phone or other configured fields) is processed by talqi as Data Processor, following the business client's instructions.

The business client is responsible for:

  • Obtaining informed consent from data subjects before data collection, where applicable as the legal basis.
  • Including the required information (Arts. 13/14 GDPR) in the form or in the privacy policy of their own website.
  • Ensuring that subsequent use of the captured data complies with the declared legal basis.

13.2 WhatsApp Business

Through WhatsApp Business API integration, the talqi agent can act as a lead capture channel, collecting contact and interest data from users who initiate a conversation or respond to authorised campaigns.

The business client is responsible for:

  • Complying with WhatsApp Business and Meta usage policies for messaging and data collection.
  • Ensuring that users have given their consent or that another valid legal basis exists for collecting and processing their data through this channel.
  • Informing data subjects about the use of their data in accordance with the GDPR.

Captured lead data is retained as specified in section 8 of this policy.

14. Cookies and web tracking

The Website uses Cloudflare Web Analytics: it does not use cookies, localStorage, or user fingerprinting. Data is processed in an aggregated and anonymous manner. It does not require prior consent under Art. 22.2 LSSI-CE.

The Website may use strictly necessary technical cookies for its operation. These do not require prior consent.

Any analytics or marketing tool that uses cookies (for example, Google Analytics 4 or Meta Pixel) will only be activated after the user's prior, express consent, given through the Website's cookie settings panel. For more details, see the Cookie Policy.

15. Modifications

talqi reserves the right to update this policy. Any material modification will be communicated to business clients by email and published on this page with the update date.

Changes affecting the DPA will be notified at least 30 days in advance.

Privacy Policy v2.0 — talqi · AI Agents for businesses — June 2026

CLAUSE 1. Purpose and scope

1.1. This Agreement governs the conditions under which the Processor shall process personal data on behalf of the Controller in the context of the talqi service, consisting of the deployment and operation of artificial intelligence agents integrated into the Controller's digital channels, including but not limited to: conversational agent, automated booking agent, lead capture via forms and WhatsApp Business, and other specialised agents that talqi may add to the platform.

1.2. The Processor shall process personal data only in accordance with the Controller's documented instructions, unless required to do otherwise by Union or Member State law applicable to the Processor, in which case the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

1.3. This Agreement forms an integral part of the Main Contract. In the event of any conflict between the two documents regarding data protection matters, this DPA shall prevail.

CLAUSE 2. Description of processing

2.1. The detailed description of the processing is set out in Appendix A (Description of Processing) which forms part of this Agreement.

2.2. For information purposes, the processing comprises:

| Aspect | Description | |---|---| | Nature | Collection, recording, organisation, consultation, communication, modification and erasure through automated AI systems (conversational, bookings, automations, forms and digital channels) | | Purpose | Provision of AI agent services on behalf of the Controller; end-customer support; automation of bookings and processes; lead capture; analysis to improve the service | | Type of data | Phone number, contact name, email, form capture data, conversation content (text, images, documents), voice note transcriptions, interaction metadata, booking or automated management data | | Categories of data subjects | End customers, users, Controller's contacts and captured leads who interact with any talqi agent via WhatsApp, web form or other integrated channels | | Duration | Duration of the Main Contract + applicable retention period (see Clause 9 of the Privacy Policy) |

CLAUSE 3. Obligations of the Processor

3.1 Controller's instructions

The Processor shall process personal data only in accordance with the Controller's documented instructions. The Processor shall immediately inform the Controller if, in its opinion, any instruction infringes the GDPR or other applicable data protection provisions.

3.2 Confidentiality

The Processor shall ensure that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. This obligation shall survive the termination of the Main Contract.

3.3 Security of processing

The Processor shall implement the technical and organisational measures described in Appendix B, ensuring a level of security appropriate to the risk in accordance with Art. 32 GDPR, including:

  • Encryption of data at rest (AES-256) and in transit (TLS 1.3)
  • Pseudonymisation of data where technically feasible
  • Ensuring the ongoing confidentiality, integrity, availability and resilience of systems
  • The ability to restore the availability and access to data in the event of an incident
  • A process for regularly testing, assessing and evaluating the effectiveness of measures
  • Data isolation per tenant through tenant_id filtering on all queries
  • Cryptographic verification of WhatsApp webhooks

3.4 Sub-processors

The Controller grants the Processor a general authorisation to engage sub-processors, subject to the following conditions:

  • The Processor shall notify the Controller at least 30 days in advance of any intended addition or replacement of sub-processors.
  • The Controller may object with cause to such change within the 30-day period.
  • The Processor shall impose on sub-processors the same data protection obligations set out in this DPA.
  • The Processor shall remain liable to the Controller for the sub-processor's compliance.

Currently authorised sub-processors are listed in Appendix C.

3.5 Assistance to the Controller

The Processor shall assist the Controller, insofar as possible, in fulfilling its obligations regarding:

  • Exercise of data subject rights (Arts. 15 to 22 GDPR): the Processor shall redirect any request received to the Controller within a maximum of 72 hours.
  • Notification of security breaches to the supervisory authority and communication to data subjects (Arts. 33 and 34 GDPR): the Processor shall notify the Controller within a maximum of 24 hours of detection.
  • Data protection impact assessments (DPIAs) where required (Art. 35 GDPR).
  • Prior consultation with the supervisory authority (Art. 36 GDPR).

3.6 Security breach notification

In the event of a security breach affecting personal data processed under this Agreement, the Processor shall:

  • Notify the Controller without undue delay and within a maximum of 48 hours of detection.
  • Provide the Controller with at minimum the following information: (a) description of the nature of the breach; (b) categories and approximate number of data subjects affected; (c) approximate number of data records affected; (d) name and contact details of the data protection officer or contact point; (e) likely consequences; (f) measures taken or proposed to remedy the breach.
  • Collaborate in the investigation, containment and documentation of the breach.
  • Immediately adopt measures necessary to limit the damage.

CLAUSE 4. International data transfers

4.1. The Processor shall not transfer personal data to third countries or international organisations unless required for service delivery and provided an adequate level of protection is ensured in accordance with Chapter V of the GDPR.

4.2. For processing by Anthropic PBC (USA) through its natural language processing API:

  • The Standard Contractual Clauses approved by the European Commission (Decision 2021/914) have been signed.
  • A Transfer Impact Assessment (TIA) has been carried out concluding that safeguards are adequate.
  • Data will be pseudonymised prior to transfer whenever technically feasible.
  • The Processor shall keep the TIA up to date and notify the Controller of any relevant change in transfer conditions.

CLAUSE 5. Obligations of the Controller

The Controller undertakes to:

  • Provide the Processor with documented, lawful and sufficiently precise instructions for the processing of personal data.
  • Ensure it has the appropriate legal basis for processing end-customer and lead data before instructing the Processor to process it.
  • Inform its end customers and leads about the use of AI agents (conversational, booking, forms or other) in customer service and lead capture, in accordance with Arts. 13 and 14 GDPR.
  • Notify the Processor without delay of any change in processing instructions.
  • Cooperate with the Processor for the fulfilment of obligations under this DPA.
  • Ensure that its use of the talqi service complies with applicable regulations in its sector of activity.

CLAUSE 6. Liability

6.1. Each party shall be liable to data subjects and supervisory authorities for compliance with the obligations incumbent upon it under the GDPR in its respective capacity as Controller or Processor.

6.2. The Processor shall be liable to the Controller for damages caused as a result of non-compliance with the obligations set out in this DPA that are specifically attributable to it.

6.3. The Processor shall be exempt from liability if it demonstrates that it is not in any way responsible for the event giving rise to the damage, in accordance with Art. 82.3 GDPR.

CLAUSE 7. Governing law and jurisdiction

This DPA shall be governed by and construed in accordance with Spanish law and the GDPR. For the resolution of any dispute arising from its interpretation or performance, the parties submit to the Courts and Tribunals of Barcelona, expressly waiving any other jurisdiction that may apply.

Data Processing Agreement (DPA) v2.0 — talqi · AI Agents for businesses — June 2026