Privacy Policy

Last Updated on February 9, 2026

This Privacy Policy describes how Visor.ai, Portugal S.A. (“Visor.ai”, “we”, “us”, “our”) collects, uses, processes, and protects personal data in connection with our website at https://www.visor.ai and our AI-powered platform (collectively, the “Services”) that enables businesses to create and deploy Voice, Chat, and Quality AI Agents.

Visor.ai is committed to protecting your privacy and ensuring transparency in our data practices. We process personal data in accordance with the General Data Protection Regulation (GDPR).

Company Details:

Legal Name PT: Visor.ai, Portugal S.A.

Address PT: PCI, Creative Science Park Aveiro Region, Via do Conhecimento, 3830-352 Ílhavo, Portugal

Legal Name ES: Visor.ai, España SL

Address ES: Avenida General Perón, 22, 2º D 28020 Madrid, Spain

Contact: privacy@visor.ai

  1. Scope and Controller/Processor Roles

This Privacy Policy applies where Visor.ai acts as data controller.

1.1 Visor.ai as Data Controller

Visor.ai acts as the Data Controller (as defined in Article 4(7) of the GDPR) for personal data collected from:

  • Visitors to our website

  • Prospective customers and leads

  • Event participants and newsletter subscribers

  • Users from customer organizations who access the Visor.ai Platform

When we act as Controller, this Privacy Policy governs how we process your personal data.

1.2 Visor.ai as Data Processor

When our customers use the Visor.ai Platform to build and operate AI Agents for their own end-users, Visor.ai acts as a Data Processor on behalf of the customer. In this context:

  • Our customer is the Data Controller who determines the purposes and means of processing;

  • We process personal data strictly according to our customer's instructions and contractual terms;

  • End-users should refer to our customer's privacy notice for information about their data practices.

This Privacy Policy does not replace the data protection terms between Visor.ai and our business customers. If you are an end-user of a customer's AI Agent, please contact that customer directly regarding your privacy rights.

  2. Definitions

Following the concept of Art. 4 GDPR, this data protection notice is based on the following definitions:

  • "Personal data" (Art. 4 No. 1 GDPR) means any information relating to an identified or identifiable natural person ("data subject"). A person is identifiable if they can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, an online identifier, location data or information relating to their physical, physiological, genetic, mental, economic, cultural or social identity. Identifiability can also be achieved by linking such information or other additional knowledge. The origin, form or embodiment of the information is irrelevant (photos, video or audio recordings can also contain personal data).

  • "Processing" (Art. 4 No. 2 GDPR) means any operation which is performed on personal data, whether or not by automated means (i.e. using technical specifications). This includes, in particular, the collection (i.e. acquisition), recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data, or alteration of the purposes for which they were originally processed.

  • "Controller" (Art. 4 No. 7 GDPR) means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

  • "Third party" (Art. 4 No. 10 GDPR) means any natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data.

  • "Data processor" (Art. 4 No. 8 GDPR) is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller, in particular in accordance with the controller's instructions (e.g. IT service provider). In terms of data protection law, a processor is in particular not a third party.

  • "Consent" (Art. 4 No. 11 GDPR) of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Where this Privacy Policy refers to "customer data" or "customer content", it means personal data that we process on behalf of our customers in connection with the Services, as further described in the agreement between Visor.ai and the relevant customer.

  3. Personal Data We Collect

The types of personal data we collect depend on how you interact with our Services. We practice data minimization and only collect data necessary for specified, legitimate purposes.

3.1 Website Visitors and Prospective Customers

When you visit our website or express interest in our Services, we may collect:

Identification and Contact Information:

  • Name and surname;

  • Business email address;

  • Phone number;

  • Company name and role/title;

  • Company size (number of employees);

Communication Information:

  • Content of contact forms;

  • Free-text information you choose to provide.

Technical and Usage Data:

  • IP address;

  • Browser type, version, and language settings;

  • Device type and operating system;

  • Pages visited, timestamps, and referral sources;

  • Cookie identifiers and similar tracking technologies;

  • Basic interaction analytics (clicks, scrolling, time on page).

Note: For detailed information about cookies and tracking technologies, please see Section 11 (Cookies and Tracking Technologies) and our separate Cookie Policy available on our website.

3.2 Platform Users (Customer Organizations)

When your organization uses Visor.ai’s Platform, we collect data about each authorized user, mainly:

Account and Profile Data:

  • Full name;

  • Business email address;

  • Role and permissions within the Platform;

  • Associated customer organization.

Authentication Data:

  • Login credentials (email and hashed password);

  • Two-factor authentication data (when enabled through approved third-party providers).

Usage and Activity Data:

  • Login timestamps and session information;

  • System logs for security, performance monitoring, and troubleshooting;

  • Actions performed within the Platform.

Support and Communication Data:

  • Technical support requests and ticket correspondence;

  • Communication history with our customer success team.

3.3 End-Users of Customer Solutions (Processor Context)

Our business customers use Visor.ai Services to build and deploy AI Agents for their own end-users. In this capacity, we process data on behalf of our customers as a Data Processor. The types of data and purposes are determined by each customer, but may include:

  • Voice recordings and audio inputs/outputs;

  • Chat messages and conversation transcripts;

  • Speech-to-text (STT) transcriptions and text-to-speech (TTS) outputs;

  • Interaction metadata (session IDs, timestamps, interaction duration);

  • Technical logs required for service delivery;

Important: When we process this data as a Processor, our customers are responsible for informing their end-users about data collection and obtaining appropriate consent. If you are an end-user interacting with a customer's AI Agent, please refer to that customer's privacy notice for information about how your data is used.

For information about the sub-processors we use to provide these services, please see Section 7 (Data Sharing and Sub-Processors) or visit our Trust Center.

  4. How We Use Personal Data

We process personal data only when we have a valid legal basis under applicable data protection law, particularly the GDPR. Below are our primary processing purposes and their corresponding legal bases.

Purpose: Website Operation & Security
Description: To operate, maintain, and secure our website. Detect and prevent abuse and technical issues. Ensure service availability and performance.
Legal basis (Art. 6 GDPR): Legitimate interests Art. 6(1)(f) GDPR: in providing a secure, reliable, and functional website for visitors and customers.

Purpose: Sales, Marketing and Business Development
Description: To respond to enquiries submitted via forms or email; provide information about our products and services; schedule demos; manage our sales pipeline.
Legal basis (Art. 6 GDPR): Legitimate interests Art. 6(1)(f) GDPR: responding to business enquiries. Pre-contractual steps Art. 6(1)(b) GDPR: taking steps at your request prior to entering into a contract. Consent Art. 6(1)(a) GDPR: where applicable for marketing communications, which you may withdraw at any time.

Purpose: Cookies and Website Analytics
Description: To enable core website functionality, remember preferences, measure and analyze website usage to improve content and usability.
Legal basis (Art. 6 GDPR): Consent Art. 6(1)(a) GDPR: for non-essential cookies (managed through our cookie consent tool). Legitimate interests Art. 6(1)(f) GDPR: for strictly necessary cookies required for website functionality.

Purpose: Providing and operating the Platform and Services
Description: To create and manage customer accounts. To configure Platform environments, provide and support the Services and fulfill our contractual obligations.
Legal basis (Art. 6 GDPR): Performance of a contract Art. 6(1)(b) GDPR: performance of our agreements with business customers.

Purpose: Platform Monitoring and Security
Description: To monitor service performance, ensure system security, detect and respond to security incidents. To investigate service issues, maintain audit logs, and protect against unauthorized access or malicious activity.
Legal basis (Art. 6 GDPR): Legitimate interests Art. 6(1)(f) GDPR: in securing our Services and infrastructure. Compliance with legal obligations Art. 6(1)(c) GDPR: related to information security.

Purpose: Customer Support and Service Requests
Description: To provide technical support, respond to customer inquiries, resolve service issues, handle data protection requests (such as access or deletion requests), and maintain support documentation.
Legal basis (Art. 6 GDPR): Performance of a contract Art. 6(1)(b) GDPR: with customers; and Compliance with legal obligations Art. 6(1)(c) GDPR: when handling data protection rights requests.

Purpose: Legal Compliance and Protection
Description: To comply with applicable laws, regulations, and legal processes. To respond to lawful requests from authorities, enforce our terms of service, protect our legal rights, and defend against legal claims.
Legal basis (Art. 6 GDPR): Compliance with legal obligations Art. 6(1)(c) GDPR and Legitimate interests Art. 6(1)(f) GDPR: in protecting our business and legal rights.

4.1 Important Limitations

We do not sell or use your personal data for other purposes besides what was previously described.

AI Model Training: We do not use Customer Data (such as interaction transcripts, voice recordings, or end-user data processed through our Platform on behalf of customers) to train generic AI models in a way that would identify individuals, unless specifically agreed with the customer and permitted by law. Any model improvement activities are conducted in accordance with our customer agreements and industry best practices for privacy and data protection.

Legitimate Interests Balancing: Where we rely on legitimate interests as a legal basis, we balance our interests against your rights and freedoms (as required by Article 6(1)(f) GDPR) and implement appropriate safeguards. You have the right to object to processing based on legitimate interests (see Section 10 and Article 21 GDPR).

  5. Data Sharing and Recipients

In accordance with Articles 13(1)(e) and 14(1)(e) GDPR, we inform you about the categories of recipients who may receive your personal data. We may share personal data with the following categories of recipients under strict confidentiality and data protection obligations:

5.1 Service Providers and Sub-processors

We engage carefully selected third-party service providers who process personal data on our behalf as Data Processors (Article 28 GDPR). These providers are contractually bound to process data only according to our instructions, maintain strict confidentiality, and implement appropriate technical and organizational security measures. Categories of service providers include:

Infrastructure and Hosting Providers:

  • Cloud infrastructure, server hosting, content delivery networks, and data storage services.

AI and Machine Learning Service Providers:

  • Speech-to-text, text-to-speech, natural language processing, and large language model providers.

Communication and Support Tools:

  • Email services, customer support and ticketing systems, communication platforms.

Security and Monitoring Services:

  • Security monitoring, threat detection, backup services, logging and analytics platforms.

Business and Operational Tools:

  • Payment processors, accounting software, recruitment platforms, customer relationship management (CRM) systems.

Sub-Processor Transparency: We maintain a current list of our key sub-processors and service providers in our Trust Center. Business customers can consult this resource for detailed information about our processing partners. We will provide reasonable notice of any material changes to our sub-processors in accordance with our customer agreements and Article 28(2) GDPR.

5.2 Professional Advisers and Auditors

We may share personal data with professional advisers (such as lawyers, accountants, financial advisors) and external auditors (including security auditors) to the extent necessary for professional advice, audit, compliance, or legal representation. These parties are bound by professional confidentiality obligations.

5.3 Public Authorities and Legal Obligations

We may disclose personal data to public authorities, law enforcement, regulatory bodies, or courts when required by law, legal process, court order, or governmental request (Article 6(1)(c) GDPR), or when necessary to:

  • Comply with legal obligations

  • Protect and defend our legal rights and property

  • Prevent fraud, abuse, or security incidents

  • Protect the safety of individuals or the public

5.4 Event Participants and Transparency

When you attend a Visor.ai event (whether physical or virtual), your name and organization may appear on participant lists shared with other attendees or co-organizing partners. We will not share your email address or other contact details without your explicit permission. For events organized jointly with partners, participant information may be shared with those partner organizations for event coordination purposes.

5.5 Public Disclosure for Transparency

For transparency or legal reasons, we may publicly display certain information on our website, such as the names of organizations or individuals from whom we receive funding or grants. Such disclosures are made in accordance with applicable transparency requirements and legal obligations.

Important: We do not sell personal data to third parties. All service providers and partners who receive personal data from us are contractually obligated to protect it and use it only for the specified purposes.

  6. International Data Transfers

Visor.ai operates infrastructure within the European Economic Area (EEA) and is designed to support regional data residency requirements for our customers.

6.1 Regional Data Processing

Data Residency by Customer Location:

  • EU/EEA Customers: For customers based in the European Union and European Economic Area, personal data processed through the Visor.ai Platform (including voice recordings, chat transcripts, and end-user interaction data) is stored and processed within EEA data centers. This means that data from EU customers remains within the EU/EEA region, and no transfer outside the EEA occurs for primary service delivery.

  • Non-EU/EEA Customers: For customers located outside the EU/EEA (such as in Latin America, Asia-Pacific, or other regions), we may process and store data in the region closest to the customer to optimize performance and latency, in accordance with the customer's service configuration and applicable data protection requirements.

6.2 Limited International Transfers

In accordance with Chapter V of the GDPR (particularly Articles 44-50), certain limited transfers of personal data outside the EEA may occur in the following circumstances:

  • Sub-Processor Services: Some of our carefully selected sub-processors (such as AI service providers for speech-to-text, text-to-speech, or natural language processing) may be located outside the EEA. However, for EU customers, we prioritize using sub-processors with EU-based operations or those who maintain EU data centers to minimize data transfers. 

  • Technical Support and Monitoring: In limited cases, for technical troubleshooting, security incident response, or service monitoring purposes, authorized Visor.ai personnel or sub-processors may need to access data from outside the EEA. Such access is restricted, logged, encrypted, and subject to strict access controls and contractual safeguards.

  • Customer-Initiated Transfers: If a customer explicitly configures their service to integrate with third-party applications or services located outside the EEA, any resulting data transfers occur at the customer's direction and are governed by the customer's own data transfer agreements with those third parties.

Important for EU Customers: For customers based in the EU/EEA, the primary processing and storage of your Platform data (voice recordings, chat transcripts, interaction logs) occurs exclusively within EU data centers. Any limited transfers that may occur for ancillary services (such as specific AI model processing) are subject to the safeguards documented in our Trust Center.

  7. Data Retention

In accordance with Article 5(1)(e) GDPR (storage limitation principle), we retain personal data only for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law. Our retention periods depend on the type of data and the purpose for which it was collected.

7.1 General Retention Principles

  • Website and Technical Logs: Kept for a limited period (typically 12 months) as needed for security, troubleshooting, performance optimization, and service improvement, unless longer retention is required for legal or security purposes.

  • Marketing and Lead Data: Retained for the duration of our business relationship and for a reasonable period thereafter (typically up to 3 years after last contact) to manage ongoing communications and potential future business opportunities, unless you request deletion earlier.

  • Customer Account and Billing Data: Retained for the duration of the contractual relationship and subsequently for periods required by applicable accounting, tax, and commercial laws (typically 7-10 years from contract termination for financial records).

  • Platform Content and Interaction Data: Voice recordings, chat transcripts, and interaction logs processed on behalf of customers are retained according to the configuration and retention periods agreed with each customer in their service agreement. At the end of the agreed retention period or upon contract termination, this data is deleted or anonymized in accordance with our contractual obligations, unless further retention is required by law.

  • Support Tickets and Communications: Kept for as long as needed to handle the request and maintain appropriate records (typically 3-5 years), or as required for legal or compliance purposes.

  8. Data Security

In accordance with Article 32 GDPR, we implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, protecting personal data against unauthorized access, accidental loss, destruction, alteration, disclosure, or unlawful processing.

8.1 Technical Security Measures

Our technical security measures include, as appropriate to the risks:

Encryption: Data is encrypted in transit (using TLS/SSL) and at rest (using industry-standard encryption algorithms) to ensure pseudonymization and confidentiality (Article 32(1)(a) GDPR).

Access Controls: Role-based access controls (RBAC), multi-factor authentication, strong password policies, and the principle of least privilege to ensure only authorized personnel can access personal data.

Network Security: Firewalls, intrusion detection and prevention systems, network segmentation, and regular security assessments.

Monitoring and Logging: Continuous monitoring of systems and access, security event logging, and automated alerting for suspicious activity to ensure ongoing confidentiality, integrity, and availability (Article 32(1)(b) GDPR).

Environment Segregation: Separation of production, development, and testing environments to prevent unauthorized access to live data.

Backup and Recovery: Regular encrypted backups and tested disaster recovery procedures to ensure the ability to restore availability and access to personal data in a timely manner (Article 32(1)(c) GDPR).

Secure Development: Security-by-design principles (Article 25 GDPR - Data Protection by Design), secure coding practices, code reviews, and vulnerability testing during development.

8.2 Organizational Security Measures

Security Policies and Procedures: Comprehensive information security policies, incident response procedures (in line with Articles 33-34 GDPR for breach notification), and business continuity plans.

Staff Training: Regular security awareness training for all employees and contractors who handle personal data, ensuring understanding of GDPR obligations.

Vendor Management: Due diligence and contractual safeguards with all third-party processors and service providers (Article 28 GDPR), including security requirements and audit rights.

Testing and Review: Regular testing, assessing, and evaluating the effectiveness of technical and organizational measures (Article 32(1)(d) GDPR), including penetration testing and compliance audits.

8.3 Security Certifications and Compliance

Visor.ai is certified under ISO/IEC 27001, the international standard for information security management systems (ISMS). This certification demonstrates our commitment to maintaining the highest standards of information security and our implementation of a comprehensive, risk-based approach to protecting personal data and customer information. Our ISO 27001 certification covers:

  • Systematic risk assessment and treatment processes

  • Documented information security policies and procedures

  • Regular internal and external audits of our security controls

  • Continuous improvement of our security management practices

  • Incident management and business continuity planning

Our ISO 27001 certification is independently audited and verified on an annual basis to ensure ongoing compliance with the standard. This certification aligns with and supports our GDPR compliance obligations, particularly regarding the security requirements under Article 32 GDPR.

Additional Documentation: A more detailed description of our security measures, ISO 27001 certificate, statement of applicability (SOA), and audit reports is available in our Trust Center. Enterprise customers may request additional security documentation, including our ISO 27001 certificate and audit summaries, through their account representative.

  9. Your Privacy Rights Under GDPR

Under certain circumstances, you have rights under data protection laws in relation to your personal data. We are committed to facilitating the exercise of these rights in a transparent, accessible manner.

You may have the following rights:

Right of Access: Request access to your personal data (commonly known as a "data subject access request"). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.

Right of Rectification: Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.

Right to Erasure / To be Forgotten: Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us to continue processing it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully, or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request for erasure for specific legal reasons, which will be notified to you, if applicable, at the time of your request.

Right to Restriction of Processing: You may request that we restrict processing of your personal data in certain situations:

  • When you contest the accuracy of the data (for the period we verify accuracy)

  • When processing is unlawful but you oppose erasure and request restriction instead

  • When we no longer need the data but you need it for legal claims

  • When you object to processing based on legitimate interests (while we verify whether our legitimate grounds override yours)

Right to Data Portability: Where processing is based on consent or contract performance and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, and machine-readable format (such as CSV or JSON), and to transmit that data to another controller where technically feasible.

Right to Object: You have the right to object at any time to processing of your personal data based on our legitimate interests. We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or for the establishment, exercise, or defense of legal claims.

Right to Withdraw Consent: You have the right to withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain services to you.

9.1 How to Exercise Your Rights

To exercise any of these rights, please contact us at privacy@visor.ai or write to us at:

  • Name: Visor.ai, Portugal S.A.

  • Address: PCI, Creative Science Park Aveiro Region, Via do Conhecimento, 3830-352, Ílhavo, Portugal

We will respond to your request without undue delay and within one month of receiving your request (Article 12(3) GDPR). In complex cases or when we receive numerous requests, we may extend this period by an additional two months, and we will inform you if an extension is necessary along with the reasons for the delay.

9.2 Identity Verification

To protect your privacy and security, we may need to verify your identity before fulfilling your request. We may request additional information to confirm your identity (Article 12(6) GDPR), particularly for requests involving access to or deletion of personal data.

9.3 Requests Regarding Customer-Processed Data

If you are an end-user of one of our customers' AI Agents, and we are processing your data as a Processor on behalf of that customer (Article 28 GDPR), you should generally contact the customer directly to exercise your rights, as they are the Data Controller. If we receive a request relating to data we process on behalf of a customer, we will forward it to the relevant customer and support them in responding to your request (Article 28(3)(e) GDPR).

9.4 Right to Lodge a Complaint (Article 77 GDPR)

If you believe that our processing of your personal data violates the GDPR or other data protection laws, you have the right to lodge a complaint with the competent supervisory authority. For Portugal, this is the “Comissão Nacional de Proteção de Dados – CNPD” (http://www.cnpd.pt/).

  10. Cookies

We use cookies and similar technologies on our website in accordance with the ePrivacy Directive (Directive 2002/58/EC as amended) and Article 6(1)(a) and (f) GDPR. Cookies help make our website function properly, remember your preferences, understand how the website is used, and improve user experience.

  11. Children's Privacy

In accordance with Article 8 GDPR (conditions applicable to children's consent in relation to information society services), our Services are designed for businesses and are not intended for use by individuals under the age of 16 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal data from children.

If you are a parent or guardian and believe that your child has provided us with personal data without your consent, please contact us at privacy@visor.ai. If we become aware that we have collected personal data from a child without appropriate consent, we will take steps to delete that information as quickly as possible.

Note for Customers: If our customers use the Visor.ai Platform to provide services to end-users who may include minors, the customer is responsible for obtaining appropriate parental consent and complying with applicable laws regarding children's data, including Article 8 GDPR and any applicable national laws implementing special protections for children.

12. Changes to this Privacy Policy

We reserve the right to alter this privacy notice at any time. Such alterations will be posted on our website. You can also obtain an up-to-date copy of our privacy notice by contacting us.

13. Contact Us

If you would like to contact us to understand more about this Policy or wish to contact us concerning any matter relating to individual rights and your Personal Information, you may contact us through:

Email
privacy@visor.ai 

Mail
Visor.ai, Portugal S.A.
Privacy Team
PCI, Creative Science Park Aveiro Region, Via do Conhecimento, 3830-352, Ílhavo, Portugal.

For security-related concerns: securityoffice@visor.ai