The Data Processing Agreement describes how Intavia processes personal data on behalf of customers in compliance with GDPR and other data protection laws.
This Data Processing Addendum (“DPA”) forms part of the Agreement between Truetide AI Limited (“Processor”, “Provider”, “we”) and any Customer entering into an Order Form or using the Services (“Controller”, “Customer”, “you”).
This DPA reflects the parties’ obligations under the UK GDPR, EU GDPR, and applicable data protection laws governing the processing of Personal Data in connection with the Services.
Capitalised terms have the meanings set out in the Agreement unless defined here.
“Agreement” means the Statement of Work, this DPA, all Order Forms, and any applicable addenda.
“Data Protection Laws” means all applicable data protection and privacy legislation in force from time to time in the United Kingdom and, where applicable, the European Union, including without limitation the UK GDPR, the Data Protection Act 2018, the Privacy and Electronic Communications Regulations (PECR), the EU GDPR, and any successor or implementing legislation.
“Personal Data” means any information relating to an identified or identifiable natural person.
“Personal Data Breach” has the meaning given in Data Protection Laws and includes any loss, accidental or unlawful destruction, damage, corruption, alteration, disclosure of, or access to Personal Data.
“Processing”, “Controller”, “Processor”, “Data Subject”, and “Supervisory Authority” have the meanings given in Data Protection Laws.
“Customer Data” means all data (including Personal Data) submitted or generated by Customer via the Services.
“Customer Systems” means systems, CRMs, telephony providers, infrastructure, and tools Customer owns or controls.
“Sub-Processor” means any third party engaged by Provider to process Customer Data.
“Services” means the functionality described in the Order Form and Documentation. Any functionality not expressly described in the Order Form or Documentation is excluded.
“Term” has the meaning given in clause 3.3 of this DPA.
Any functionality not expressly described in the Order Form or Documentation is excluded.
For Customer Data processed through the Services, Customer is the Controller and Provider is the Processor.
For Provider’s own processing (billing, account management, fraud prevention, product analytics using aggregated/anonymised data), Provider acts as an independent Controller.
Provider will only process Personal Data on documented instructions from Customer:
If Provider believes an instruction violates Data Protection Laws, it shall notify Customer.
Processing of Customer Data in connection with the provision of the Services.
Provider processes Personal Data to:
Processing continues for the term of the Agreement, plus applicable retention periods.
Detailed processing information appears in Annex 1.
Categories include (without limitation):
| Category | Examples |
|---|---|
| Identification & Contact | Names, phone numbers, email addresses, business identifiers |
| Communication Content | Call audio, transcripts, text interactions, free-text content spoken or entered |
| Metadata | Phone numbers dialled, timestamps, duration, routing, menu selections, call outcomes, tags, labels |
| Booking / Appointment Information | Service types, dates, times, staff members, notes entered by Customer |
| Customer Users | User account details, login identifiers, usage logs |
| Technical Information | IP addresses, device/browser type, operational logs |
| Free-Text Notes | Any text entered by Customer via dashboards or configuration panels |
Not intended to process special category data.
If callers voluntarily share such data, Controller is responsible for:
Data Subjects may include:
Provider shall:
Maintain records of processing activities to the extent required by Data Protection Laws.
Ensure all authorised persons are under confidentiality obligations.
Implement appropriate technical and organisational safeguards (see Annex 2).
Assist Customer (at Customer’s cost where applicable) with Data Subject rights requests.
Assist Customer with:
Provider shall notify Customer without undue delay (and where feasible within 72 hours) of any Personal Data Breach affecting Customer Data, including any loss, unintended destruction, corruption, alteration, unauthorised access to, or disclosure of Personal Data. Provider will supply sufficient information to enable Customer to meet its legal obligations.
Upon termination:
The Services use machine-learning models that may:
AI hallucination, synthetic generation, or inaccurate inference does not constitute a Personal Data Breach unless caused by an underlying security incident.
Customer remains responsible for:
Customer must not require AI to generate, infer, or process special category data unless they have a lawful basis and configure retention/controls accordingly.
Customer authorises the Sub-Processors listed in Annex 3.
Provider may add or replace Sub-Processors.
Customer will be notified of material changes.
If Customer objects on reasonable data protection grounds, parties will seek a solution.
If none is found, Customer may terminate only the affected Services.
Provider ensures Sub-Processors are bound by obligations no less protective than this DPA.
Provider remains liable for Sub-Processor actions.
Provider and Sub-Processors may process Personal Data in the UK, EEA, US, or other jurisdictions.
Where required, Provider relies on:
Provider implements:
Detailed overview: Annex 2.
Where enabled:
Customer is responsible for:
Provider will act on Customer deletion instructions where technically feasible.
Provider may use anonymised or aggregated data to:
Customer may opt out by written notice, acknowledging performance may degrade.
Provider does not sell Personal Data or use it for third-party marketing.
Provider will make available information demonstrating compliance, including:
Where required by law, Customer may conduct audits:
Limited to one audit per year, unless required by a Supervisory Authority or following a confirmed breach.
Costs: Customer bears its own costs and Provider’s reasonable costs unless Provider is in material breach.
If a Data Subject submits a request or complaint directly to Provider, Provider will, where feasible, redirect the individual to Customer or notify Customer without undue delay.
Customer is responsible for responding to Data Subject rights requests and complaints. Provider will assist Customer to the extent required by Data Protection Laws and technically feasible, and may charge for such assistance where permitted by law.
If this DPA conflicts with other parts of the Agreement, this DPA prevails solely for Personal Data Processing.
All other terms remain in full force.
This DPA is governed by the laws of England and Wales.
Courts of England and Wales have exclusive jurisdiction.
Liability arising under or in connection with this DPA is governed exclusively by the liability provisions set out in the Agreement (MSA). No additional liabilities are created by this DPA.
This Annex provides the detail required by Article 28(3) GDPR regarding the nature, scope, purpose, and duration of processing carried out by Provider on behalf of Customer.
Processing of Customer Data (including Personal Data contained in inbound and outbound calls, transcripts, metadata, booking information, logs, and any data surfaced into the Platform) for the purpose of providing the Services.
Processing occurs for:
Customer may request earlier deletion where technically feasible.
Processing activities include:
Customer may opt out of improvement processing (beyond operational necessity) by written notice.
The following categories may be processed (non-exhaustive, depending on Customer configuration):
| Category | Examples |
|---|---|
| Identification & Contact Information | Name, phone number, email address; business or practice name; role/title where provided |
| Call Audio & Transcripts | Voice recordings of callers; text transcripts generated by speech models; metadata associated with recordings; summaries or structured derivatives (tags, actions, labels) |
| Operational Metadata | Call timestamps, duration, routing choices; telephone numbers involved (inbound/outbound); flow paths, menu selections; call outcomes (answered, missed, transferred, completed) |
| Appointment & Booking Data | Appointment type, service category; date, time, location; staff/resource allocation; notes provided by caller or Customer |
| Customer User Data | Authorised user names, emails; role and permission levels; platform activity logs |
| Technical Data | IP address; device/browser information; performance logs and error traces (e.g., via Sentry or Datadog) |
| Free-Text Content | Any unstructured data provided by Customer or callers, manually or verbally |
Provider does not intend to process special category data.
However, callers may voluntarily disclose such data during conversations (e.g., minor health information such as “I have back pain”). If Customer configures flows that lead to such disclosures, Customer is responsible for:
Provider will process such data only as necessary to fulfil Customer instructions.
Provider implements technical and organisational measures appropriate to the risk, in accordance with Articles 28, 32 and 5(1)(f) GDPR.
A high-level summary of measures is outlined below.
Provider ensures Sub-Processors:
These measures are reviewed periodically and updated to reflect evolving risks, best practices, and operational needs.
Provider uses certain Sub-Processors to support the delivery of the Services.
The current list of Sub-Processors is available upon request.
Provider may update the list in accordance with Section 7 of this DPA (Sub-Processors).
Customer will be notified of any material changes in accordance with the Agreement.
Email: team@truetide.ai
Controller: Truetide AI Limited
Registered address: Wembley Park, London