A1. Our Commitment
Ovysion Ltd is committed to full compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We are registered with the Information Commissioner's Office (ICO) as a data controller and, where applicable, as a data processor on behalf of Customers.
A2. The Six Data Protection Principles
All personal data processed by Ovysion is handled in accordance with the principles set out in Article 5 of the UK GDPR:
- Lawfulness, fairness, and transparency — we have a lawful basis for every processing activity and are transparent with data subjects
- Purpose limitation — data is collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes
- Data minimisation — we collect only what is necessary for the stated purpose
- Accuracy — we take reasonable steps to ensure data is accurate and up to date
- Storage limitation — data is retained only as long as necessary under documented retention schedules
- Integrity and confidentiality — appropriate technical and organisational security measures are in place
A3. Lawful Bases We Rely On
- Article 6(1)(b) — Contract: Processing necessary to perform our subscription agreement with Customers
- Article 6(1)(a) — Consent: Marketing communications, non-essential cookies, optional call recording features
- Article 6(1)(f) — Legitimate interests: Website security, fraud prevention, service improvement, analytics
- Article 6(1)(c) — Legal obligation: Retaining accounting records, responding to lawful regulatory requests
Delia, our AI receptionist service, is not designed to collect special category data (Article 9 UK GDPR) and we do not deliberately collect it. Where a caller incidentally discloses sensitive information during a call, that data is handled under additional access controls.
A4. Data Subject Rights — How We Handle Them
Requests should be directed to privacy@ovysion.com:
| Right | How we handle it | Timescale |
|---|---|---|
| Right of access (SAR) | Acknowledged promptly; full response provided | 1 calendar month |
| Right to rectification | Inaccuracies corrected | 1 calendar month |
| Right to erasure | Assessed against legal retention grounds; actioned where lawful | 1 calendar month |
| Right to restriction | Processing paused on valid request | Within 72 hours |
| Right to portability | Data provided in CSV or JSON format | 1 calendar month |
| Right to object | Marketing objections honoured immediately; others assessed individually | Without undue delay |
A5. International Data Transfers
Personal data may be transferred to the following sub-processors located outside the UK. Each transfer is covered by the safeguard listed:
| Sub-processor | Location | Safeguard |
|---|---|---|
| Twilio Inc. | USA | UK IDTA / Standard Contractual Clauses |
| OpenAI, Inc. | USA | UK IDTA / Standard Contractual Clauses |
| Deepgram Inc. | USA | UK IDTA / Standard Contractual Clauses |
| ElevenLabs, Inc. | USA | UK IDTA / Standard Contractual Clauses |
| Vapi AI | USA | UK IDTA / Standard Contractual Clauses |
| Replit Inc. | USA | UK IDTA / Standard Contractual Clauses |
A6. Data Breach Management
On discovering a personal data breach, we:
- Contain and assess the breach immediately
- Notify the ICO within 72 hours of becoming aware of the breach where it is likely to result in a risk to individuals' rights and freedoms
- Notify affected individuals without undue delay where the breach is high-risk
- Record all breaches in our internal breach register
Where a breach involves Customer data processed by Ovysion as Processor, we will notify the Customer within 48 hours of becoming aware, to allow the Customer to fulfil their own obligations as Controller.
A7. Data Protection Governance
Ovysion has appointed a nominated data protection contact who oversees GDPR compliance, responds to data subject rights requests, and manages ICO relationships. Contact: privacy@ovysion.com.
We conduct Data Protection Impact Assessments (DPIAs) for new or changed processing activities likely to result in a high risk to individuals. Processing activities are reviewed at least annually.
Part B — Data Processing Agreement (DPA)
B1. Parties and Roles
Controller: The Customer (the subscribing business). The Controller determines the purposes and means of processing personal data of their callers and end-users.
Processor: Ovysion Ltd. The Processor processes personal data solely on documented instructions from the Controller, as configured during onboarding and as set out in the Terms.
B2. Subject Matter, Nature, Purpose, and Duration
| Item | Description |
|---|---|
| Subject matter | Personal data of the Customer's callers and end-users processed via Delia |
| Nature | Collection, recording, transcription, analysis, storage, transmission, deletion |
| Purpose | To provide the Delia AI receptionist service as configured by the Controller |
| Data types | Name, phone number, voice recording, transcript, SMS content, booking details, call summaries |
| Data subjects | The Controller's callers, customers, clients, and other end-users |
| Duration | For the subscription term, plus the applicable post-termination retention period |
B3. Processor Obligations
Ovysion as Processor shall:
- Process personal data only on documented instructions from the Controller, unless required to do so by UK law
- Ensure all authorised persons are subject to appropriate confidentiality obligations
- Implement and maintain appropriate technical and organisational security measures (Article 32 UK GDPR)
- Engage new sub-processors only under the general authorisation given by the Controller at sign-up, giving at least 14 days' advance notice of any intended addition or replacement, during which the Controller may object
- Ensure sub-processors are bound by equivalent data protection obligations
- Assist the Controller in responding to data subject rights requests where technically feasible
- Assist with obligations under Articles 32–36 UK GDPR (security, breach notification, DPIAs)
- Delete or return all personal data on termination, subject to legal retention requirements
- Make available information necessary to demonstrate compliance and cooperate with audits at reasonable notice
B4. Security Measures (Article 32 UK GDPR)
- TLS 1.2+ encryption for all data in transit
- AES-256 or equivalent encryption for call recordings and transcripts at rest
- Role-based access control (RBAC) with principle of least privilege
- Multi-factor authentication for all staff access to systems holding personal data
- Regular third-party security assessments and vulnerability scanning
- Security incident detection, logging, and response procedures
- Annual staff training on data protection and information security
- Documented business continuity and disaster recovery plans
B5. Breach Notification
In the event of a confirmed personal data breach affecting the Controller's data, Ovysion will notify the Controller within 48 hours of becoming aware, including:
- Nature of the breach and categories/numbers of data subjects affected
- Likely consequences of the breach
- Measures taken or proposed to address and mitigate the breach
The Controller remains solely responsible for notifying the ICO and affected data subjects as required by UK GDPR.
B6. Retention and Deletion
On expiry or termination of the subscription, Ovysion will:
- Retain caller personal data for the period specified in the Controller's dashboard settings (default: 90 days post-termination)
- Delete or anonymise all caller personal data within 90 days of termination unless a legal retention period applies
- Retain subscriber account and billing data for 7 years (HMRC requirement)
- Provide confirmation of deletion to the Controller on request
B7. Governing Law and Acceptance
This DPA is governed by the laws of England and Wales. The courts of England and Wales have exclusive jurisdiction over any disputes under this DPA.
This DPA is accepted by the Customer at the point of electronic sign-up. Electronic acceptance is valid — no wet-ink signature is required. A signed copy is available on request at privacy@ovysion.com.