Privacy Policy

1. Introduction and scope of application

This Privacy Policy is issued by Astrorant and describes how Astrorant collects, uses, stores and protects the personal data of users and Customers (restaurants, pizzerias and other venues) who use the Astrorant platform. The platform enables operations such as managing phone reservations through a voice AI agent, transcribing conversations (with consent), checking table availability, recording reservations, voice assistant configurations and viewing interactions by the venue. The policy applies to data collected through the platform and to interfaces (front-end, API, forms) used by Users and Customers.

2. Data Controller and Processor

The Data Controller is Astrorant. Astrorant also operates as a Data Processor for operations necessary for the provision of the service (Art. 28 GDPR). The Customer (restaurant/venue) using the platform remains the Controller of the data contained therein and their use. For phone call management and conversation transcription, Astrorant uses third-party providers specialized in call management and voice transcription services, which act as sub-processors (Art. 28 GDPR). Such providers process voice data and conversation transcriptions on behalf of Astrorant. Cloud service providers and infrastructure act as sub-processors for cloud infrastructure and related services.

3. Types of data processed and purposes

Personal data elements that may be processed include: conversation transcriptions (texts generated from user-AI interactions for verification, quality analysis, supervision and service improvement); biometric and voice data (audio recordings of phone conversations and voice data - "Voice Data" - processed through specialized third-party providers for call management and transcription, which may constitute biometric data under applicable law); reservation data (name, phone number, email, times, number of people, special notes for synchronization and appointment management); assistant configurations (voice tone, welcome messages, operational rules for assistant personalization); platform users (name, email, role, access logs for access control, rights attribution, audit and security); metadata and logs (temporal logs, call duration, outcomes for analysis and model improvement). Legal basis: service execution (Art. 6.1.b GDPR); consent for certain operations (e.g., transcription/analysis of conversations, processing of biometric data); legitimate interest of the Controller for aggregate analysis and improvement, respecting the rights and freedoms of data subjects.

4. Processing methods and security measures

Astrorant adopts appropriate security measures to protect personal data: encryption in transit (TLS) and at rest on backup/cloud infrastructure; role-based access controls (RBAC) with minimum privileges; access logs and internal audit trail; regular backups and disaster recovery plans; confidentiality management; procedures for managing data breaches with notification to authorities, where necessary.

5. Storage and retention criteria

Personal data is stored for the time strictly necessary to achieve the purposes and within legal limits. Biometric and voice data (Voice Data) processed through specialized third-party providers are stored for a maximum period of 3 years from the last interaction, except where legal obligations require longer retention. Transcripts, logs and analytical data may be anonymized or deleted according to policies agreed with the Customer. In case of service termination, upon request, data return or definitive deletion is provided, including biometric and voice data.

6. Data subject rights

Data subjects have the right to: access, rectification, erasure (right to be forgotten), restriction, objection, data portability; withdrawal of consent, where applicable; complaint to the Data Protection Authority. Requests can be sent to the email address indicated in the contact section of the website, indicating subject, description and identification documentation.

7. International data transfers

Astrorant uses specialized third-party providers for call management and transcription. Such providers maintain servers and data centers in third countries, including the United States, the Netherlands, and Singapore. This means that personal data, including biometric and voice data, may be transferred outside the EU. For international transfers, Astrorant and its third-party providers adopt adequate safeguards compliant with GDPR, including: EU Standard Contractual Clauses (SCC), participation in the EU-U.S. Data Privacy Framework where applicable, and other appropriate contractual safeguards. Data is transferred for the time necessary to achieve the purposes for which it is processed. If part of the processing or storage takes place outside the EU through cloud service providers, adequate safeguards will be adopted: standard contractual clauses, adequacy decisions or other mechanisms compliant with GDPR.

8. Privacy Policy modifications

Astrorant may update this Privacy Policy for technical, regulatory or operational needs. Changes will be published on the website and, if necessary, notified to users/Customers.

9. Additional information about biometric data

Astrorant services may involve the collection of biometric information, particularly voice data (Voice Data) processed through specialized third-party providers in call management and transcription services. This data is collected for verification purposes, call management and conversation transcription. Biometric data may be shared with specialized third-party providers, their affiliates, service providers and collaborators to provide and develop services. Biometric data is retained until it is no longer needed for the purposes for which it was collected, or after 3 years from the termination of the relationship with the user, whichever is sooner. Users have the right to request deletion of their biometric data at any time, except where legal obligations require longer retention.

10. Contacts

For questions about the Privacy Policy or to exercise your rights, including rights related to biometric data, you can contact us through the channels indicated in the contact section of the website.