GDPR Compliance

Last updated: February 26, 2026

1. Introduction

Vomenta Technologies Inc. ("Vomenta," "we," "us," or "our") is committed to protecting the privacy and rights of individuals in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"). This page describes how we comply with GDPR requirements when processing personal data through our cloud Contact Center as a Service (CCaaS) platform (the "Service").

We act as both a data controller (for data we collect about our customers and website visitors) and a data processor (for data our customers process through the Service on behalf of their end users).

2. Legal Basis for Processing

We process personal data only when we have a valid legal basis under Article 6 of the GDPR, including:

  • Contractual necessity: Processing required to provide the Service under our agreement with you (e.g., account management, billing, platform functionality).
  • Legitimate interests: Processing for purposes such as fraud prevention, platform security, service improvement, and analytics, where our interests do not override your fundamental rights.
  • Consent: Where required by law, such as for marketing communications, cookies, or optional data processing features. You may withdraw consent at any time.
  • Legal obligation: Processing necessary to comply with applicable laws, regulations, or court orders.

3. Data We Process

3.1 As Data Controller

We collect and process the following categories of personal data:

  • Account data: Name, email address, company name, job title, phone number, and billing information.
  • Usage data: Platform interaction logs, feature usage, performance metrics, and session information.
  • Technical data: IP addresses, browser type, device identifiers, and access timestamps.
  • Communication data: Support tickets, feedback, and correspondence with our team.

3.2 As Data Processor

On behalf of our customers, the Service may process end-user personal data including:

  • Contact information (names, phone numbers, email addresses)
  • Communication content (call recordings, chat transcripts, email content)
  • Interaction metadata (timestamps, channel, duration, queue assignments)
  • Customer-defined custom fields and CRM data

Our customers are the data controllers for this data and are responsible for ensuring their own GDPR compliance, including obtaining appropriate legal bases for processing.

4. Consent Management

Where consent is the legal basis for processing, we ensure the following:

  • Consent is freely given, specific, informed, and unambiguous, obtained through clear affirmative action.
  • You can withdraw consent at any time through your account settings, our cookie banner, or by contacting us.
  • Withdrawal of consent does not affect the lawfulness of processing performed before withdrawal.
  • We maintain records of consent for audit and compliance purposes.

5. Data Subject Rights

Under the GDPR, you have the following rights regarding your personal data. You can exercise these rights by contacting us at [email protected]:

  • Right of access (Art. 15): Request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16): Request correction of inaccurate or incomplete personal data.
  • Right to erasure (Art. 17): Request deletion of your personal data where there is no compelling reason for continued processing.
  • Right to restrict processing (Art. 18): Request that we limit how we use your data in certain circumstances.
  • Right to data portability (Art. 20): Receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller.
  • Right to object (Art. 21): Object to processing based on legitimate interests or for direct marketing purposes.
  • Rights related to automated decision-making (Art. 22): Not be subject to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects.

We respond to all data subject requests within 30 days. If your request is complex, we may extend this period by a further 60 days with notice. For data processed on behalf of our customers (where we are the processor), we will direct you to the relevant customer or assist them in fulfilling your request.

6. Data Protection Officer

We have appointed a Data Protection Officer (DPO) to oversee GDPR compliance. You may contact our DPO for any questions or concerns:

  • Email: [email protected]
  • Address: Vomenta Technologies Inc., Attn: Data Protection Officer, 100 Innovation Drive, Suite 400, Wilmington, DE 19801, United States

7. Data Processing Agreements

We provide a Data Processing Agreement (DPA) to all customers in accordance with Article 28 of the GDPR. Our DPA covers:

  • Subject matter and duration of processing
  • Nature and purpose of processing
  • Types of personal data and categories of data subjects
  • Obligations and rights of the data controller
  • Sub-processor engagement and approval procedures
  • Data breach notification obligations
  • Data deletion and return upon termination

To request a copy of our DPA, contact [email protected].

8. International Data Transfers

Vomenta processes data in data centers located in the European Union, United States, and other regions. When transferring personal data outside the European Economic Area (EEA), we rely on:

  • Standard Contractual Clauses (SCCs): EU Commission-approved contractual safeguards incorporated into our agreements with sub-processors and customers.
  • Adequacy decisions: Transfers to countries recognized by the European Commission as providing adequate data protection.
  • EU-U.S. Data Privacy Framework: Where applicable, we rely on the framework certification for transfers to the United States.

We conduct Transfer Impact Assessments (TIAs) to evaluate the level of data protection in recipient countries and implement supplementary measures where necessary.

9. Data Security Measures

We implement appropriate technical and organizational measures to protect personal data, including:

  • AES-256 encryption at rest and TLS 1.2+ encryption in transit
  • SOC 2 Type II certified infrastructure
  • Role-based access controls with multi-factor authentication
  • Regular penetration testing and vulnerability assessments
  • Audit logging of all data access and administrative actions
  • Employee security training and confidentiality agreements
  • Network segmentation and intrusion detection systems

10. Data Breach Notification

In the event of a personal data breach, we follow the notification requirements under Articles 33 and 34 of the GDPR:

  • We notify the relevant supervisory authority within 72 hours of becoming aware of a breach that is likely to result in a risk to individuals' rights and freedoms.
  • We notify affected data subjects without undue delay when the breach is likely to result in a high risk to their rights and freedoms.
  • For data processed on behalf of customers (where we are the processor), we notify the customer without undue delay after becoming aware of the breach.
  • We maintain a breach register documenting all incidents, their effects, and remedial actions taken.

11. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by law:

  • Account data: Retained for the duration of the customer relationship, plus 30 days for data export after termination.
  • Communication records: Retained according to customer-configured retention policies (default: 90 days for recordings, 1 year for transcripts).
  • Billing data: Retained for 7 years as required by financial regulations.
  • Audit logs: Retained for 2 years for compliance and security monitoring.

Customers can configure data retention policies within the platform to meet their specific compliance requirements.

12. Cookies and Tracking

Our website and platform use cookies and similar technologies. We categorize cookies as follows:

  • Strictly necessary: Required for the platform to function (authentication, security). No consent required.
  • Functional: Remember your preferences (language, timezone). Require consent.
  • Analytics: Help us understand usage patterns and improve the Service. Require consent.
  • Marketing: Used for advertising measurement and retargeting. Require consent.

You can manage your cookie preferences at any time through our cookie banner or your browser settings. For details, see our Privacy Policy.

13. Sub-Processors

We engage sub-processors to help deliver the Service. All sub-processors are bound by data processing agreements that ensure GDPR-compliant handling of personal data. Key sub-processor categories include:

  • Cloud infrastructure providers (hosting and storage)
  • Telecommunications carriers (voice and SMS delivery)
  • AI and machine learning providers (transcription, sentiment analysis)
  • Payment processors (billing and subscription management)
  • Email delivery services (transactional notifications)

We maintain an up-to-date list of sub-processors and notify customers of any changes, providing the opportunity to object before a new sub-processor begins processing data. To request the current sub-processor list, contact [email protected].

14. Children's Data

The Service is designed for business use and is not directed at individuals under 16 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will take steps to delete it promptly.

15. Your Right to Lodge a Complaint

If you believe that your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or the place of the alleged infringement. Our lead supervisory authority is the Irish Data Protection Commission (DPC).

16. Changes to This Policy

We may update this GDPR compliance page from time to time to reflect changes in our practices or legal requirements. Material changes will be communicated via email and/or in-app notification at least 30 days before they take effect.

17. Contact Us

For questions about GDPR compliance or to exercise your data subject rights, please contact us: