Legal

    Privacy Policy

    Conversation24 B.V.

    Effective 2026

    This Privacy Policy sets out how Conversation24 B.V. handles personal data. Conversation24 B.V. is committed to protecting the privacy of its customers and their end-users, and processes personal data in compliance with the General Data Protection Regulation (GDPR) and all other applicable privacy legislation.

    1. Definitions

    The following definitions apply throughout this Privacy Policy:

    Term | Definition
    Personal Data | Any information that relates to an identified or identifiable natural person. This includes names, email addresses, IP addresses and similar identifiers.
    Processing | Any operation carried out on personal data, such as collecting, storing, using, sharing or deleting it.
    Controller | The party that determines why and how personal data is processed. Customers of Conversation24 B.V. typically act as controller for the personal data of their own end-users.
    Processor | A party that processes personal data on behalf of a controller, acting on that controller's instructions. Conversation24 B.V. acts as processor when handling personal data on behalf of its customers.
    Data Subject | The natural person whose personal data is being processed.
    Sub-Processor | A third-party supplier engaged by Conversation24 B.V. to process personal data as part of service delivery.
    DPA | A written agreement between Conversation24 B.V. and its customers that governs the processing of personal data, as required by Article 28 GDPR.
    EEA | The European Economic Area, comprising all EU Member States plus Iceland, Liechtenstein, and Norway.
    GDPR | Regulation (EU) 2016/679 of the European Parliament and of the Council, as applied across EU Member States.
    Special Categories | Categories of personal data that carry a higher degree of sensitivity under the GDPR, including health data, ethnic origin, political opinions, religious beliefs, biometric data and data relating to a person's sexual life. These categories are subject to additional protections under Article 9 GDPR.
    DPO | A person formally designated to oversee data protection compliance within an organisation, as provided for under Articles 37–39 GDPR.

    2. Identity and Contact Details

    2.1 Identity of Conversation24 B.V.

    Conversation24 B.V. is a Dutch private limited company, registered in the Netherlands. The company develops and operates a cloud-based communication platform that enables organisations to manage customer interactions across multiple channels, including live chat, WhatsApp and email.

    Company Name | Conversation24 B.V.
    KvK Number | 60948086
    Address | Westblaak 165, 3012 KJ Rotterdam, The Netherlands
    Email | info@conversation24.com
    Website | www.conversation24.com

    2.2 Role of Conversation24 B.V.

    Conversation24 B.V. operates in two distinct roles with respect to personal data:

    • As processor, when handling personal data of end-users on behalf of its customers. In this role, Conversation24 B.V. processes personal data solely on the basis of documented instructions from the relevant controller, as governed by the applicable Data Processing Agreement.
    • As controller, when processing personal data of its own customers, prospects and website visitors for purposes such as account management, billing and service-related communications.

    Prior to any processing of personal data through the platform, Conversation24 B.V. requires all customers to enter into a Data Processing Agreement. This agreement governs the respective rights and obligations of both parties and ensures that personal data is handled in accordance with the GDPR.

    2.3 Data Protection Officer (DPO)

    Conversation24 B.V. keeps its obligations regarding the appointment of a Data Protection Officer under ongoing review. Where a DPO has been appointed, contact details are available upon request via info@conversation24.com.

    3. Categories of Personal Data Processed

    3.1 Data processed as Controller

    In its capacity as controller, Conversation24 B.V. may process the following categories of personal data:

    Customer and contact data

    • Name and contact details (email address, telephone number)
    • Login credentials and account information
    • Company name and job title
    • Billing and invoicing details
    • Communication history, such as support requests

    Website visitor data

    • IP addresses and browser/device metadata
    • Cookie data (see Section 10)
    • Behavioural data collected via analytics tools

    3.2 Data processed as Processor

    In its capacity as processor, Conversation24 B.V. processes personal data on the instructions of its customers. The categories of personal data processed depend on how each customer uses the platform and may include:

    • Names and contact details of end-users
    • Chat messages and conversation content
    • IP addresses and technical session metadata
    • Files and attachments uploaded by end-users
    • Data received via connected channels such as WhatsApp, email or social media

    In its capacity as processor, Conversation24 B.V. does not determine the purpose or means of processing. The controller remains responsible for ensuring that a valid legal basis exists for all processing carried out via the platform, including any processing of Special Categories of personal data. Where a controller instructs Conversation24 B.V. to process such data, it is the controller's responsibility to ensure that the conditions of Article 9(2) GDPR are satisfied.

    4. Purposes and Legal Bases for Processing

    Conversation24 B.V. processes personal data only where a valid legal basis under Article 6 GDPR applies. The purposes of processing and the applicable legal bases are described below.

    4.1 Performance of a contract (Article 6(1)(b) GDPR)

    Certain processing is necessary to deliver the services Conversation24 B.V. provides. Without it, the company would be unable to operate the platform, manage customer relationships or process payments. This includes:

    • Providing access to the Conversation24 platform
    • Managing customer accounts and subscriptions
    • Providing technical support and customer service
    • Invoicing and payment processing

    4.2 Compliance with a legal obligation (Article 6(1)(c) GDPR)

    Conversation24 B.V. is subject to various legal obligations that require the processing of personal data, including:

    • Retention of financial records under Dutch accounting and tax legislation
    • Responding to lawful requests from regulators or government authorities
    • Meeting data breach notification obligations under Articles 33–34 GDPR

    4.3 Legitimate interests (Article 6(1)(f) GDPR)

    Conversation24 B.V. also processes personal data on the basis of legitimate interests, where those interests are not overridden by the rights and freedoms of the data subjects concerned. This applies to:

    • Platform security, fraud prevention, and abuse detection
    • Improvement of platform functionality and service quality
    • Internal analytics and business operations

    Where Conversation24 B.V. relies on legitimate interests as a legal basis, a Legitimate Interests Assessment has been carried out to confirm that the interests of the company do not disproportionately affect the individuals concerned. These assessments are available on request.

    4.4 Consent (Article 6(1)(a) GDPR)

    Where Conversation24 B.V. relies on consent as a legal basis, such as for placing non-essential cookies or sending marketing communications, consent is obtained before any processing takes place. Data subjects may withdraw their consent at any time by contacting info@conversation24.com or by using the opt-out option made available at the point of consent. Withdrawing consent does not affect the lawfulness of any processing that took place before withdrawal.

    4.5 Automated decision-making and profiling

    Conversation24 B.V. does not, as controller, make decisions about individuals based solely on automated processing where those decisions produce legal or similarly significant effects, unless this has been explicitly disclosed and appropriate safeguards are in place. Where automated processing is carried out in Conversation24 B.V.'s capacity as processor, compliance with Article 22 GDPR remains the responsibility of the controller.

    5. Storage Location and Security Measures

    5.1 Storage location

    Personal data processed by Conversation24 B.V. is stored on servers located within the EEA, primarily in Germany via Amazon Web Services (AWS). AWS holds ISO 27001, ISO 27017, ISO 27018, and SOC 2 certifications for its European infrastructure. Conversation24 B.V. aligns its own security practices with ISO 27001 principles and maintains a programme of continuous improvement in information security.

    Where personal data may be accessible to third-party service providers operating outside the EEA, Conversation24 B.V. ensures that appropriate safeguards are in place. This may include Standard Contractual Clauses or other mechanisms permitted under Chapter V GDPR. Further detail is provided in Section 7.

    5.2 Technical and organisational security measures

    Conversation24 B.V. maintains a comprehensive set of technical and organisational security measures, proportionate to the risks involved in processing personal data. These include:

    • Encryption of all data in transit using TLS 1.2 or higher
    • Encryption of all stored data, including databases, storage volumes and backups
    • Secure management of encryption keys via dedicated key management services
    • Role-based access controls based on the principle of least privilege
    • Multi-factor authentication for all administrative and privileged access
    • Zero-trust network architecture with VPN and identity-based access verification
    • Network segmentation, with all backend services deployed in private subnets
    • Web Application Firewall and DDoS protection at both network and DNS level
    • Centralised logging with around-the-clock automated monitoring and alerting
    • Annual external penetration testing and quarterly internal security audits
    • Regular automated vulnerability scanning across infrastructure and codebase
    • A secure software development lifecycle, including mandatory code reviews and dependency scanning
    • Confidentiality agreements and appropriate screening for personnel in roles involving access to personal data
    • Regular security awareness training for all relevant staff

    A detailed description of Conversation24 B.V.'s technical and organisational measures is available on request.

    6. Data Retention

    Conversation24 B.V. retains personal data only for as long as necessary for the purposes for which it was collected, or as required by applicable law (Article 5(1)(e) GDPR). The following retention periods apply:

    Category of Data | Retention Period | Legal Basis
    End-user data | Deleted within 30 days of contract termination, unless otherwise agreed in the DPA | Article 28 GDPR / DPA
    Encrypted backups | Up to 7 days, after which backups are automatically deleted | Article 32 GDPR
    Customer account data | Duration of the contract plus 30 days, after which data is deleted or anonymised | Article 6(1)(b) GDPR
    System and access logs | Up to 90 days | Article 6(1)(f) GDPR
    Billing and financial records | 7 years, in accordance with Dutch accounting legislation | Article 6(1)(c) GDPR
    Security incident records | At least 3 years from the date of the incident | Article 6(1)(c) / (f) GDPR
    Consent records | For the duration of consent, plus 3 years | Article 7(1) GDPR

    Upon termination of a customer relationship, Conversation24 B.V. will delete or return all personal data processed on that customer's behalf, and ensure that existing copies are removed, unless retention is required by law.

    7. International Transfers of Personal Data

    Conversation24 B.V. processes personal data within the EEA wherever possible. Where a transfer to a third country is necessary, Conversation24 B.V. ensures that one of the following safeguards applies:

    • An adequacy decision by the European Commission, confirming that the destination country provides a sufficient level of data protection;
    • Standard Contractual Clauses approved by the European Commission, incorporated into the relevant supplier agreements; or
    • Other appropriate safeguards permitted under Article 46 GDPR.

    Certain service providers used by Conversation24 B.V. may be subject to US law, including the CLOUD Act, even where data is physically stored within the EEA. Conversation24 B.V. addresses this risk through contractual safeguards and, where appropriate, technical measures including encryption.

    8. Sub-Processors

    Conversation24 B.V. engages a number of sub-processors to support the delivery of its services. All sub-processors are selected on the basis of their security standards and GDPR compliance. Each sub-processor is bound by a data processing agreement that reflects the same data protection obligations applicable to Conversation24 B.V. itself.

    Sub-processors are currently engaged in the following categories:

    Category | Purpose | Location | Safeguard
    Cloud Infrastructure | Hosting and data storage | EU (Germany) | ISO 27001 / DPA
    Security & Anti-malware | Security scanning and threat detection | EU / Global | SCC / DPA
    Collaboration Tools | Internal operations | EU / Global | SCC / DPA
    Monitoring & Logging | Platform monitoring and security | EU | DPA
    Communication Channels | Messaging channel integrations | Global | SCC / DPA

    An up-to-date list of sub-processors is maintained and made available to customers on request. Customers are informed in advance of any changes to the sub-processors used, and have the opportunity to raise objections in accordance with their Data Processing Agreement.

    Conversation24 B.V. does not sell personal data to third parties and does not share personal data with third parties for marketing purposes.

    9. Rights of Data Subjects

    9.1 Rights where Conversation24 B.V. acts as controller

    Where Conversation24 B.V. acts as controller, data subjects may exercise the following rights:

    Right of access | The right to request confirmation of whether personal data is being processed and, if so, to receive a copy.
    Right to rectification | The right to have inaccurate personal data corrected promptly.
    Right to erasure | The right to request deletion of personal data where it is no longer necessary, consent has been withdrawn, or processing is unlawful.
    Right to restriction | The right to restrict processing in certain circumstances, such as while the accuracy of data is disputed.
    Right to data portability | The right to receive personal data in a structured, machine-readable format for transfer to another controller.
    Right to object | The right to object to processing based on legitimate interests or carried out for direct marketing purposes.
    Right to withdraw consent | Where processing is based on consent, the right to withdraw that consent at any time.

    9.2 Rights where Conversation24 B.V. acts as processor

    Where Conversation24 B.V. acts as processor, data subject requests should be directed to the relevant controller, being the customer of Conversation24 B.V. Conversation24 B.V. will provide all reasonable assistance to controllers in responding to such requests, as required by the applicable Data Processing Agreement.

    9.3 How to submit a request

    Requests relating to the exercise of data subject rights may be submitted to Conversation24 B.V. by email at info@conversation24.com.

    Conversation24 B.V. will respond to requests within one month of receipt. Where requests are complex or numerous, this period may be extended by a further two months. In such cases, the data subject will be informed of the extension within the first month.

    Data subjects have the right to file a complaint with a supervisory authority. In the Netherlands, the competent authority is the Autoriteit Persoonsgegevens (AP), which can be contacted via autoriteitpersoonsgegevens.nl.

    10. Cookies and Website Tracking

    The Conversation24 B.V. website uses cookies and similar tracking technologies. Cookies are small files placed on a user's device that support website functionality and enable the collection of analytical data.

    10.1 Types of cookies used

    • Functional cookies that are strictly necessary for the operation of the website. These do not require prior consent.
    • Analytical and performance cookies used to understand how visitors interact with the website. Consent is obtained before placing these cookies where personal data is involved.
    • Marketing and tracking cookies used for advertising and cross-site tracking purposes. These are only placed following prior consent.

    10.2 Managing cookie preferences

    Before placing any non-essential cookies, Conversation24 B.V. obtains consent through a cookie consent banner. Cookie preferences can be adjusted at any time via the cookie settings on the website.

    11. Personal Data Breaches

    Conversation24 B.V. maintains an internal incident response process covering the detection, assessment and reporting of personal data breaches, in line with Articles 33–34 GDPR.

    11.1 Notification as Processor

    In its capacity as processor, Conversation24 B.V. will notify the relevant controller without undue delay, and in any event within 48 hours of becoming aware of a personal data breach. Notification will include, to the extent known at the time: the nature of the breach, the categories and approximate number of records and data subjects affected, the likely consequences, and the measures taken or proposed to address it.

    11.2 Notification as Controller

    In its capacity as controller, Conversation24 B.V. will notify the Autoriteit Persoonsgegevens within 72 hours of becoming aware of a breach that is likely to result in a risk to the rights and freedoms of individuals. Where a breach is likely to result in a high risk to the individuals concerned, those individuals will also be notified directly without undue delay.

    11.3 Documentation

    All personal data breaches are documented internally by Conversation24 B.V., regardless of whether formal notification is required. Records include the nature of the breach, the data affected, the impact, and the remedial steps taken.

    12. Changes to this Privacy Policy

    This Privacy Policy is reviewed and updated periodically to reflect changes in legislation, regulatory guidance or business practices. Material changes are communicated via the Conversation24 B.V. website and, where appropriate, by direct notification to affected parties. The current version is always available at www.conversation24.com.

    13. Contact

    For questions about this Privacy Policy or the exercise of data subject rights, please contact Conversation24 B.V. using the details below:

    Organisation | Conversation24 B.V.
    KvK Number | 60948086
    Address | Westblaak 165, 3012 KJ Rotterdam, The Netherlands
    Email | info@conversation24.com
    Website | www.conversation24.com
    DPO Contact | Available upon request via info@conversation24.com

    Conversation24 B.V.  |  Privacy Policy  |  © 2026