Legal
Data Protection & Privacy Policy
Eleva AI Solutions SL
Last updated: 17/06/2026
1. Data Protection Policy
1.1 Purpose
The purpose of this policy is to set out the company's legal and regulatory requirements under the GDPR and the rights of data subjects.
1.2 Scope
All employees and third-party users. Personal Data as defined by GDPR.
1.3 Principle
Personal data is classified and treated as classification level Confidential, and all associated policies, controls and processes apply.
1.4 Data Protection Policy Statement
The company is classed as a Data Controller/Data Processor. This policy confirms our commitment to protect the privacy of the personal information of our customers, clients, employees, and other interested parties.
We have engaged in a programme of Information Security Management which is aligned to the international standard ISO 27001 to ensure that the processing of personal information is conducted using best practice processes.
2. Identification of the Data Controller
The data controller responsible for the processing described in this policy is:
Eleva AI Solutions SL · Calle Camí Ral 155, 08390 Montgat, Barcelona, Spain
Contact for privacy matters: privacy@eleva-ai.com
Where a client connects their own WhatsApp Business or Instagram account to the Eleva platform, Eleva acts as a data processor on behalf of that client, who remains the data controller for the end-user data received through those channels (see section 4).
3. Legal Basis for Processing
Article 6 of the GDPR provides the legal basis under which Personal Data can be processed.
4. Data Received from Meta Platforms (WhatsApp Business and Instagram)
When one of our clients connects their WhatsApp Business or Instagram account to the Eleva platform, we receive and process, on behalf of that client, the messages that visitors send through those channels and the associated contact data (for example, phone number or user identifier and the content of the message).
We process this data for the sole purpose of providing the conversational customer-service on behalf of the client. Specifically:
- We do not share this data between different clients or with third parties unrelated to the provision of the service.
- We do not use this data for advertising or for profiling purposes.
- We retain this data only for as long as necessary to provide the service, and we delete it at the client's request or when it is no longer needed.
The processing of data obtained from Meta's platforms is carried out in accordance with the Meta Platform Terms and applicable data protection law.
5. Data Protection Principles
The company is committed to processing data in accordance with its responsibilities under the General Data Protection Regulation (GDPR). Article 5 of the GDPR requires that personal data shall be:
5.1 Lawfulness, Fairness and Transparency
Processed lawfully, fairly and in a transparent manner in relation to individuals.
We have reviewed and documented the data that we control and/or process and determined the legal basis for processing. We provide privacy notices and inform data subjects of their rights as well as what processing takes place, by whom, for how long and why.
5.2 Purpose Limitation
Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be incompatible with the initial purposes.
We ensure we only process data for the purposes it has been collected and communicated and not for other reasons without the agreement and knowledge of the Data Subject(s).
5.3 Data Minimisation
Adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
We ensure that data collected is not excessive and is appropriate to the purpose for which it was collected. We conduct Data Privacy Impact Assessments as part of our project lifecycle.
5.4 Accuracy
Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate are erased or rectified without delay.
We ensure that data is reviewed and assessed for accuracy on a periodic basis and have implemented processes for the rectification and erasure of data without undue delay.
5.5 Storage Period Limitation
Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
We have implemented a data retention policy and data retention schedule in line with legal, regulatory and company needs.
5.6 Integrity and Confidentiality
Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures.
We have implemented an information security management system in line with ISO 27001, the International Standard for Information Security.
6. Personal Information Classification and Handling
Personal data classification and handling is in line with the Information Classification and Handling Policy.
7. Personal Information Retention
Personal data is retained and destroyed in line with the Information Classification and Handling and the Data Retention Policies.
8. Personal Information Transfer / Transmit
Personal data is transferred in line with the Information Transfer Policy and employees ensure the appropriate level of security in line with the policy and company processes.
9. Personal Information Storage
Personal Information storage is in line with the Information Classification and Handling Policy, Physical and Environmental Security Policy, Cryptographic Control and Encryption Policy, Backup Policy, and the Data Retention Schedule.
10. Breach
In the event of a breach of the data protection principles, employees inform their line manager, and/or a member of the Management Review Team and/or Senior Management and invoke the Incident Management Process.
Breaches are assessed and where appropriate and required, the Data Subjects and/or the Spanish Data Protection Agency (Agencia Española de Protección de Datos – AEPD) are informed without undue delay.
11. The Rights of Data Subjects
11.1 The right to be informed
Individuals have the right to be informed about how we use their Personal Data. This includes:
- The name and contact details of our organisation.
- The name and contact details of our representative (if applicable).
- The contact details of our data protection officer (if applicable).
- The purposes of the processing.
- The lawful basis for the processing.
11.2 The right of access
- Individuals have the right to access their personal data.
- This is commonly referred to as subject access.
- Individuals can make a subject access request in writing.
- We have one month to respond to a request.
- We cannot charge a fee to deal with a request in most circumstances.
11.3 The right to rectification
- The GDPR includes a right for individuals to have inaccurate personal data rectified or completed if it is incomplete.
- An individual can make a request for rectification verbally or in writing.
- We have one calendar month to respond to a request.
- In certain circumstances we can refuse a request for rectification.
11.4 The right to erasure (the right to be forgotten)
- The GDPR introduces a right for individuals to have personal data erased.
- Individuals can make a request for erasure verbally or in writing.
- We have one month to respond to a request.
- The right is not absolute and only applies in certain circumstances.
- This right is not the only way in which the GDPR places an obligation on us to consider whether to delete personal data.
11.5 The right to restrict processing
- Individuals have the right to request the restriction or suppression of their personal data.
- This is not an absolute right and only applies in certain circumstances.
- When processing is restricted, we are permitted to store the personal data, but not use it.
- An individual can make a request for restriction verbally or in writing.
- We have one calendar month to respond to a request.
11.6 The right to data portability
- Allows individuals to obtain and reuse their personal data for their own purposes across different services.
- Allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability.
- The right only applies to information an individual has provided to a controller.
11.7 The right to object
- The GDPR gives individuals the right to object to the processing of their personal data in certain circumstances.
- Individuals have an absolute right to stop their data being used for direct marketing.
- In other cases, we may be able to continue processing if we can show that we have a compelling reason for doing so.
- We must tell individuals about their right to object.
- An individual can make an objection verbally or in writing.
11.8 Rights in relation to automated decision making and profiling
Individuals have the right not to be subject to a decision when:
- It is based on automated processing, and
- It produces a legal effect or a similarly significant effect on them.
11.9 The right to lodge a complaint
Individuals have the right to lodge a complaint with the supervisory authority. In Spain, this is the Spanish Data Protection Agency (Agencia Española de Protección de Datos – AEPD), C/ Jorge Juan 6, 28001 Madrid — www.aepd.es.
12. Definitions
To ensure the company understands its obligations to the protection of Personal Information, the following definitions apply and are based on current understanding of these terms within the European Union and Spanish law, and specifically in Article 4 of GDPR.
12.1 Personal Data
Any information relating to an identified or identifiable natural person ("Data Subject") who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
12.2 Special Categories of Personal Data
Personal Data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms.
Includes Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation.
12.3 Data Controller
The natural or legal person, public authority, agency, or any other body, which alone or jointly with others, determines the purposes and means of the processing of Personal Data.
12.4 Data Processor
A natural or legal person, public authority, agency, or any other body which processes Personal Data on behalf of a Data Controller.
12.5 Processing
An operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction of the data.
12.6 Anonymization
Irreversibly de-identifying Personal Data such that the person cannot be identified by using reasonable time, cost, and technology either by the controller or by any other person. The Personal Data processing principles do not apply to anonymized data as it is no longer Personal Data.
13. Policy Compliance
13.1 Compliance Measurement
The information security team will verify compliance to this policy through various methods, including but not limited to, business tool reports, internal and external audits, and feedback to the policy owner.
13.2 Exceptions
Any exception to the policy must be approved and recorded by the Head of Information Security in advance and reported to Management.
13.3 Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
13.4 Continual Improvement
The policy is updated and reviewed as part of the continual improvement process.
For any questions regarding this policy, contact us at privacy@eleva-ai.com.