Alviora
LEGAL

Privacy & GDPR

We explain in clear terms which data we use to operate the platform, why we need it, and how you can exercise your rights.

Data controller and contact

XEVI CASES AI SOLUTIONS, S.L. acts as the data controller for the account, billing, security, compliance, and commercial-relationship data described in this policy.

For privacy questions, rights requests, or incidents related to personal data, you can contact legal@xevicases.com.

Contact address: C/Alfons Costafreda nº1, 25300 Tàrrega, Lleida, ES.

Which data we may process

  • Account and contact data: name, email, phone, company, and console role.
  • Billing data: tax profile, address, VAT/tax identifiers, and commercial history linked to the account.
  • Service data: account activation state, assigned numbers, configured agents, and platform preferences.
  • Usage data: calls, conversation metadata, transcripts, and operational logs when needed to provide the service.
  • Form and commercial-relationship data: contact enquiries, demo requests, signups, incidents, and service-related communications.

Processing purposes

  • Creating and managing your account or answering a contact, demo, or activation request.
  • Activating numbers, agents, prompts, and service features.
  • Handling payments, invoicing, accounting duties, and commercial or contractual incidents.
  • Maintaining security, technical traceability, backups, abuse prevention, and operational support.
  • Sending service, legal, or security communications and, where consent or another sufficient legal basis exists, commercial communications related to Alviora.

Legal basis

Processing is mainly based on pre-contractual or contractual necessity, compliance with legal obligations, and, where applicable, our legitimate interest in maintaining service security, quality, and traceability.

In practice: account creation and management, voice operations, billing, and operational support rely on contractual or pre-contractual necessity; tax, accounting, or security retention relies on legal obligations; abuse prevention, incident defense, and operational improvement may rely on legitimate interests where those interests are not overridden by the individual's rights; and marketing communications or optional cookie categories only activate where consent or another sufficient legal basis exists.

Recipients, subprocessors, and international transfers

We do not disclose personal data to unrelated third parties except where needed to provide the service, comply with a legal obligation, manage payments, telecom operations, security, or exercise and defend claims.

To operate the platform we may use categories of technical providers that process personal data on our behalf or, for certain payment or telecom workflows, within their own regulated role. The exact mix may vary depending on the active deployment and the modules enabled for the customer.

If a workflow involves international transfers, we apply the relevant contractual safeguards or other appropriate mechanisms for that case. The concrete provider names and the current transfer path applicable to your setup can be supplied on request or through a controlled contractual document.

Typical recipient categories

  • Payment and billing providers: they handle charges, checkout, invoices, and the financial traceability linked to the account.
  • Telephony and voice providers: they carry calls, numbering, audio, and service metadata related to the line.
  • AI inference and feature providers: they process prompts, audio, transcripts, or generated responses when the customer enables those features.
  • Cloud, hosting, and storage providers: they are required to run the application, database, logs, backups, or equivalent services.
  • Vector or semantic-search infrastructure, if enabled: it may store embeddings, knowledge indexes, and related metadata.
  • Professional advisers, auditors, or competent authorities: only when needed for regulatory compliance, claim defense, or legal obligation.

Retention and deletion

We do not promise immediate deletion in every case. When we receive an account closure or deletion request, we delete or anonymize what is no longer needed and keep blocked records that must remain due to legal, tax, or security obligations.

We apply retention periods or review criteria by data category and reassess datasets that are no longer needed for the original purpose.

Simple retention matrix

  • Account and contact data: while the account is active and for the time needed for basic administrative management. After that, we delete or anonymize what is no longer needed.
  • Service data: while it is needed to operate, support, or defend the service. After account closure or an erasure request, it is reviewed for deletion or anonymization as appropriate.
  • Billing and tax data: may remain blocked for up to six years, or longer where required by the applicable rules.
  • GDPR and compliance evidence: may remain blocked for up to six years to show how we handled the request and to meet accountability duties.

Data accuracy and mandatory data

When we ask you for data in forms or signup flows, some fields are mandatory because without them we cannot create the account, invoice correctly, or handle your request.

You must provide accurate, complete, and up-to-date data. If something changes, you should tell us or update it from the account where available.

Customer-provided data and processing roles

When the customer uploads contacts, numbers, audio, transcripts, prompts, or other third-party data within the service, Alviora may act as a processor for the service data processed on the customer's behalf.

The customer must ensure it has a valid legal basis, the required notices, and sufficient permissions to upload or process that data through the platform. For Alviora's own data such as billing, security, legal acceptances, abuse prevention, or GDPR traceability, Alviora acts as the data controller.

Security and confidentiality

We apply reasonable technical and organizational measures to protect the confidentiality, integrity, and availability of information, taking into account the state of the art and the risks of the processing.

GDPR rights

You may request access, rectification, erasure, restriction, objection, and portability by contacting legal@xevicases.com. If your request affects records that must legally be retained, we will explain what can be deleted and what must remain blocked.

Where any processing relies on your consent, you may withdraw that consent at any time without affecting the lawfulness of the processing carried out before withdrawal.

If you are a CLIENT_ADMIN, many requests can be started from the authenticated portal. Email remains a contact channel, but sensitive changes and the primary availability of information are handled mainly through the authenticated console.

Console tools may register, classify, or prepare a request internally, but we do not promise that a final legal decision will be resolved solely through automation. Where a request is high impact or there is doubt about lawful basis, retention, requester authority, or the applicable controller/processor role, resolution moves to operational and legal review.

If you believe we have not handled your data correctly, you may also lodge a complaint with the Spanish Data Protection Authority (AEPD) or the supervisory authority that applies to you.

CLIENT_ADMIN users can start an export, account closure, or restriction request from the console. High-impact requests stay pending review until a SUPER_ADMIN has verified the requester's acting capacity and the applicable controller/processor path. If a case requires a DPA, annex, or bespoke privacy terms, it will be formalized as a complementary contractual document. We can also provide the current provider categories, the concrete providers applicable to your setup, and the relevant transfer safeguards on request.

See how this AI layer would handle the calls you cannot afford to miss.

Signup still exists and remains direct, but it is no longer the first thing the homepage asks for. It appears here once the value is already clear.

Book a demo Create workspace