Who we are and our location
ChatLayer Media Technologies Ltd (hereinafter “the Company”) provides a B2B AI‑powered conversational (NLP) platform that enables our clients to offer messaging‑based interactions (e.g., via WhatsApp, Telegram, etc.) with their own users.
Registered country: Cyprus (EU)
Registered address: Georgiou Christoforou, 8. 1st floor, Flat/Office 11. Strovolos, 2012, Nicosia, Cyprus.
email: hello@chatlayer.tech
Scope of the policy
The purpose of this Policy is to guarantee the rights that Data Subjects have under the General Data Protection Regulation (GDPR), in particular the right to the protection of personal data, and it shall apply to all types of processing, whether total, partial, or automated. Furthermore, this policy covers our public websites, APIs, and platform services delivered to clients, and any other channels that collect personal data. Personal data will be processed lawfully, fairly and in a transparent manner.
Territorial scope
This policy applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
Personal Information we collect and Data sources
- From our clients (as Controllers): minimal identifiers or tokens required to route messages and execute client instructions.
- From messaging channels (metadata): e.g., phone number or chat ID, timestamps, delivery status.
- From end‑users (indirectly, via chat): the raw conversational content (text and, if applicable, voice transcripts) sent to the client through our channel. This content is processed on the client’s behalf to generate the Derived Data below.
- From AI Processing (Derived Data): e.g., AI interaction metrics, language model insights, behavioral inferences and personalized risk / interaction preferences (we process on the client’s behalf as Processor).
- From business contacts (B2B): name, role, work email/phone for client/vendor relationship management.
- From candidates/employees: CV and HR data for recruiting and employment (we act as independent Controller for HR).
Purpose and lawful basis of processing
Personal data will be collected for specified, explicit and legitimate purposes. Those purposes are:
- As Processor (End-User Data): We process end-user data only on the Client Controller’s instructions to: route messages between end‑users and client back‑ends, maintain conversation context for conversation continuity and seamless user experience, and generate interaction metrics and behavioral inferences for the client based on raw conversational content.
Our clients are responsible for managing their relationships with their end-users, including all registration and notice obligations. End-users register with our clients—not with us—and clients do not share their full user databases or other unrelated personal information with us. When we process end-user data strictly as necessary to deliver our services (such as routing messages through our APIs), we act as a Processor and follow the client’s instructions for that limited purpose. We also retain conversation transcripts by default solely to ensure conversational continuity of the bot service. Additionally, we retain only the minimal technical and log data required to operate and protect the service, based on our Legitimate Interests in maintaining platform security and service quality, and the Performance of Contract for the bot functionality.
- As Controller (Our Own Data): We process data for: service operation and security to maintain platform security and service quality (Legal Basis: Legitimate Interest); client and labor relationships management, HR and recruitment (Legal Basis: Contract); legal compliance (Legal Basis: Legal Obligation); and AI personalization and profiling service (Legal Basis: Legitimate Interest/Consent).
Consent and other legal bases
Processing is based on consent, performance of a contract, legal obligation, or legitimate interest. When based on Consent, data subjects provide the Company with prior, express, and informed consent for the processing of their personal data. The consent will be requested clearly, separately from unrelated matters, and in plain and accessible language. Data subjects may withdraw their consent at any time.
Security Controls
We deploy measures to ensure a level of security appropriate to the risk. These measures include: (a) Encryption in transit (TLS); (b) Access control on a least‑privilege basis; (c) Environment segregation; (d) Audit logging; (e) Vulnerability management; and (f) Incident response with breach notification where legally required. Furthermore, these controls are designed to specifically protect data against risks related to the AI processing, incorporating pseudonymization in compliance with Article 25 and Article 32 of the GDPR.
Data minimization and deletion
Data is retained strictly according to the principle of storage limitation of the GDPR, meaning the full conversation history is deleted upon termination of the client’s service or upon a valid request for erasure from the end-user. We do not build independent end‑user profiles.
Retention Period
Personal data will be retained only for as long as is reasonably necessary to fulfill the purposes for which it was originally collected. The information will be retained for the statutory limitation periods required to comply with legal, contractual, regulatory, tax, and/or accounting obligations.
Data Subject's rights
- To access, rectify, erase, restrict, and object to the processing of the personal data.
- To withdraw consent (where applicable).
- Transparent communication and information.
- Data portability.
- Right not to be subject to automated decision-making, including profiling.
- Right to lodge a complaint with a Supervisory Authority (e.g., The Commissioner for Personal Data Protection in Cyprus).
International transfers
Data may be transferred outside the European Economic Area only under the conditions set out in Chapter V of the GDPR. We ensure adequate protection through appropriate safeguards.
The primary mechanism used is the Standard Contractual Clauses (hereinafter “SCCs”) adopted by the European Commission. Furthermore, in compliance with current regulatory guidance, for every transfer not based on an adequacy decision, we conduct a Transfer Impact Assessment (hereinafter “TIA”) to evaluate the legal regime of the third country. When the TIA determines that the SCCs alone do not guarantee an adequate level of protection, we implement supplementary technical and organizational measures (such as encryption, pseudonymization, and strong access controls) to ensure the data remains protected. Transfers will not proceed if the necessary protection cannot be guaranteed.
Requests
- If you are an end‑user of a client: Your Controller is our client. Please submit requests to the client first. We will assist the client in fulfilling your request.
- If you interact directly with us (B2B contact, candidate, vendor, employee): email hello@chatlayer.tech. We generally respond within one (1) month. In some cases, this period may be extended by two further months where necessary, considering the complexity and number of the requests. In this last scenario, the Company shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay.
Data Protection Officer
The Company designates Juan Camilo Turbay as the Data Protection Officer, who is involved in all matters related to the protection of personal data. You may contact the Data Protection Officer at: hello@chatlayer.tech