GDPR — EU & UK Data Protection
The General Data Protection Regulation (GDPR) applies to any organization that processes personal data of EU or UK residents, regardless of where the organization is based. This page explains how Converse supports your GDPR obligations.
Roles under GDPR
Understanding who is responsible for what:
Your organization — Data Controller
You determine the purpose and means of processing personal data. You are responsible for obtaining consent, responding to data subject requests, and maintaining records of processing activities. You instruct Converse on how to process data on your behalf.
Converse — Data Processor
Converse processes personal data only on your documented instructions. We implement appropriate technical and organizational measures to protect the data. We do not use your customers' data for any purpose other than providing the platform to you.
Data Processing Agreement (DPA)
Personal data processed by Converse
When you use Converse to contact EU/UK residents, the following personal data may be processed:
- Phone numbers (campaign contacts, inbound caller IDs)
- Names and custom fields provided in CSV uploads or collected during calls
- Voice recordings (if call recording is enabled)
- Call transcripts containing spoken personal information
- Timestamps of calls and message exchanges
GDPR principles and how we support them
Lawful basis & consent
Converse provides a Consent Tracking feature (enable in Settings → Security). When active:
- A consent prompt can be configured at the start of a flow — the caller must explicitly agree before the call continues to recording.
- The consent event is logged with timestamp, caller number, and the exact consent text presented.
- Calls where consent is declined end gracefully with a configurable message.
Your organization must ensure the lawful basis for processing (consent, contract, legitimate interest) is documented and appropriate for each use case.
Data minimization
- Configure agent system prompts to collect only the minimum data required for the stated purpose.
- Use PHI Protection (Settings → Security) to automatically redact sensitive identifiers from stored transcripts.
- Avoid storing sensitive data in agent prompts — inject it via variables at runtime only.
- Assign knowledge base documents to only the agents that need them — not org-wide.
Storage limitation & retention
Configure data retention policies to automatically delete personal data after the required retention period:
- Call transcripts: Can be configured to auto-delete after a specified number of days.
- Call recordings: Auto-deletion available with configurable retention window.
- Campaign contacts: Delete individual contacts or entire campaigns via the API or dashboard. Deletion removes the contact record and all associated call outcomes.
Right of access & portability
When a data subject requests access to their data:
- Use the History page filtered by phone number to find all calls involving that individual.
- Export call transcripts via the API: GET /calls?from_number=+31...
- Export campaign contact data and outcomes via GET /campaigns/{id}/results/export
Right to erasure ("right to be forgotten")
To delete all data for a specific individual:
- Delete call records by phone number using the Calls API.
- Remove campaign contacts via DELETE /campaigns/{id}/contacts/{contact_id}
- Delete knowledge documents that contain personal information about the individual.
- Contact us for any server-side log purging that cannot be done via the API.
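The access and erasure procedures above can be scripted against the three endpoints this page names. The following is an added example, not Converse's own code or SDK: it wraps GET /calls?from_number=..., GET /campaigns/{id}/results/export and DELETE /campaigns/{id}/contacts/{contact_id}, gathers everything about one phone number into an export bundle, then deletes that subject's campaign contacts and returns an audit record. The base URL, bearer-token authentication, JSON response bodies and the row fields "from_number", "phone_number" and "contact_id" are assumptions, not documented on this page; the FakeTransport and its data are constructed so the script runs offline.

```python
"""Data subject request (DSAR) helper built around the three endpoints this page names.

Added example, not Converse's own code. Assumed (not from the page): the base URL,
bearer-token authentication, JSON response bodies, and the row fields
"from_number" / "phone_number" / "contact_id".
"""
import hashlib
import json
from datetime import datetime, timezone
from urllib.parse import parse_qs, quote, urlencode, urlsplit
from urllib.request import Request, urlopen

BASE_URL = "https://converse.example.invalid"  # placeholder, not a real host
API_TOKEN = "REPLACE_WITH_YOUR_API_TOKEN"      # placeholder


class ConverseClient:
    """Thin wrapper over the endpoints on this page. `transport(method, url, headers)`
    must return the decoded JSON body; the default sends real HTTP requests."""

    def __init__(self, base_url=BASE_URL, token=API_TOKEN, transport=None):
        self.base_url = base_url.rstrip("/")
        self.token = token
        self.transport = transport or self._http

    @staticmethod
    def _http(method, url, headers):
        with urlopen(Request(url, method=method, headers=headers), timeout=30) as resp:
            return json.loads(resp.read().decode("utf-8"))

    def _request(self, method, path, query=None):
        url = self.base_url + path + ("?" + urlencode(query) if query else "")
        headers = {"Authorization": f"Bearer {self.token}", "Accept": "application/json"}
        return self.transport(method, url, headers)

    def calls_for_number(self, phone):
        # GET /calls?from_number=... (endpoint from the page)
        return self._request("GET", "/calls", {"from_number": phone})

    def export_campaign_results(self, campaign_id):
        # GET /campaigns/{id}/results/export (endpoint from the page)
        return self._request("GET", f"/campaigns/{quote(str(campaign_id), safe='')}/results/export")

    def delete_contact(self, campaign_id, contact_id):
        # DELETE /campaigns/{id}/contacts/{contact_id} (endpoint from the page)
        path = f"/campaigns/{quote(str(campaign_id), safe='')}/contacts/{quote(str(contact_id), safe='')}"
        return self._request("DELETE", path)


def subject_ref(phone):
    """Pseudonymous reference for the DSAR record, so the record itself does not store the number."""
    return hashlib.sha256(phone.encode("utf-8")).hexdigest()[:16]


def access_request(client, phone, campaign_ids):
    """Right of access: gather every call and campaign row about `phone` into one bundle."""
    bundle = {"subject": subject_ref(phone),
              "requested_at": datetime.now(timezone.utc).isoformat(),
              "calls": client.calls_for_number(phone), "campaigns": {}}
    for cid in campaign_ids:
        rows = client.export_campaign_results(cid)
        bundle["campaigns"][cid] = [r for r in rows if r.get("phone_number") == phone]
    return bundle


def erasure_request(client, phone, campaign_ids):
    """Right to erasure: delete the subject's contact rows (per the page, this also removes
    the associated call outcomes) and return an audit record of what was removed."""
    deleted = []
    for cid in campaign_ids:
        for row in client.export_campaign_results(cid):
            if row.get("phone_number") == phone and "contact_id" in row:
                client.delete_contact(cid, row["contact_id"])
                deleted.append({"campaign_id": cid, "contact_id": row["contact_id"]})
    return {"subject": subject_ref(phone), "deleted": deleted}


class FakeTransport:
    """Constructed stand-in for the API so the example runs offline; all data is made up."""

    def __init__(self):
        self.requests = []
        self.calls = [{"call_id": "call-1", "from_number": "+31600000001", "transcript": "constructed"},
                      {"call_id": "call-2", "from_number": "+31600000002", "transcript": "constructed"}]
        self.contacts = {"camp-1": [
            {"contact_id": "c-7", "phone_number": "+31600000001", "outcome": "answered"},
            {"contact_id": "c-8", "phone_number": "+31600000002", "outcome": "no-answer"}]}

    def __call__(self, method, url, headers):
        self.requests.append((method, url))
        parts = urlsplit(url)
        segs = parts.path.strip("/").split("/")
        if method == "GET" and segs == ["calls"]:
            number = parse_qs(parts.query).get("from_number", [None])[0]
            return [c for c in self.calls if c["from_number"] == number]
        if method == "GET" and len(segs) == 4 and segs[2:] == ["results", "export"]:
            return list(self.contacts.get(segs[1], []))
        if method == "DELETE" and len(segs) == 4 and segs[2] == "contacts":
            self.contacts[segs[1]] = [c for c in self.contacts[segs[1]] if c["contact_id"] != segs[3]]
            return {"deleted": segs[3]}
        raise ValueError(f"unexpected request: {method} {url}")


if __name__ == "__main__":
    client = ConverseClient(transport=FakeTransport())
    print(json.dumps(access_request(client, "+31600000001", ["camp-1"]), indent=2))
    print(json.dumps(erasure_request(client, "+31600000001", ["camp-1"]), indent=2))
```

The audit record keeps only a truncated SHA-256 of the number rather than the number itself, so the DSAR log you retain as evidence of handling the request does not become another copy of the personal data you just erased; server-side logs that the API cannot reach still need the manual purge the page mentions.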
Data breach notification
GDPR requires notification to your supervisory authority within 72 hours of becoming aware of a breach that affects EU personal data. Our obligations, and yours:
- We will notify you without undue delay after becoming aware of a personal data breach.
- We will provide the information you need to notify your supervisory authority.
- You must have a breach response plan and know which supervisory authority to notify for your jurisdiction.
Data transfers outside the EU
If Converse processes EU personal data on infrastructure located outside the EU/EEA, appropriate transfer mechanisms must be in place. Contact us to understand our current data center locations and available transfer mechanisms (Standard Contractual Clauses, adequacy decisions, etc.).
Recommended GDPR configuration
- Execute DPA with Converse before processing EU/UK personal data
- Enable Consent Tracking in Settings → Security for calls that involve recording
- Enable PHI Protection to redact identifiers from stored transcripts
- Enable Tamper-evident Audit Log
- Set transcript and recording retention periods to match your retention policy
- Document the lawful basis for each type of call (support, campaigns, etc.)
- Ensure outbound campaign contacts have provided consent for automated calling
- Create a data subject request procedure using the History and Campaign APIs
- Configure campaign opt-out handling — contacts who say "do not call" are auto-marked
