Data Privacy & GDPR
Overview of how SUSANchat acts responsibly when processing data
SUSANchat supports responsible data processing through:
Processing based on chatbot owner configuration
GDPR-aligned operation at all times
Full tenant isolation
Data minimization and purpose limitation
No AI training on customer data by default
Configurable retention and deletion
EU/EEA-based processing options
Human oversight for decisions
Who controls the data in SUSANchat?
The chatbot owner acts as the Data Controller and decides the purpose, scope, and configuration of personal data processing.
SUSANchat operates as a Data Processor and processes personal data only according to the chatbot owner’s configuration and documented instructions.
All processing is carried out in accordance with GDPR. If any configuration conflicts with GDPR requirements, GDPR obligations always take precedence.
What personal data may SUSANchat process?
Depending on how the chatbot owner has configured the service, SUSANchat may process:
User text or voice messages
Files uploaded by users (such as documents, images, or resumes)
Basic technical information required for system operation, including:
Timestamp
Session identifier
IP address (in security logs)
Data processing is limited to what is necessary for the configured service.
Special categories of personal data are not intentionally processed unless the chatbot owner has explicitly configured the service to handle such information and a valid GDPR legal basis exists.
GDPR requirements always override system configuration.
Why is personal data processed?
Personal data is processed only to support the services enabled by the chatbot owner’s configuration. This may include:
Responding to user questions
Providing guidance or information
Supporting optional functions such as registrations, recruitment support, interviews, or event participation
Only the information necessary for each function is processed.
All processing follows the principles of purpose limitation and data minimization under GDPR. If a configured use case does not meet GDPR requirements, it must not be used.
Does SUSANchat create user profiles or track individuals?
By default, SUSANchat does not create structured user profiles or track individuals over time.
User profiles or structured records are created only if this functionality has been explicitly configured by the chatbot owner and is necessary for the service.
The platform does not combine data from external sources or infer additional personal information unless this is part of a configured service and compliant with GDPR.
GDPR principles always take precedence over configuration choices.
Is user data used to train AI models?
No.
By default, user and customer data is not used to train AI models.
Training or fine-tuning using customer data may occur only if explicitly requested and configured by the chatbot owner, and only where a valid GDPR legal basis exists.
If GDPR requirements are not met, such training cannot take place, regardless of configuration.
Is data shared between different organizations?
No.
SUSANchat uses full tenant isolation:
Each organization’s data is stored and processed separately
Data is not shared across organizations
This separation applies regardless of configuration and supports GDPR requirements for confidentiality and data protection.
Where is the data stored?
Depending on the deployment configuration selected by the chatbot owner, data is processed within EU/EEA-based infrastructure.
Personal data is not transferred outside the EEA unless explicitly configured and appropriate GDPR safeguards are in place.
If adequate safeguards cannot be ensured, the transfer must not occur, even if requested.
How much personal data is required to use SUSANchat?
The amount of data processed depends on the chatbot owner’s configuration.
SUSANchat is designed to support data minimization:
Many services can be configured to operate without user accounts
Users provide information voluntarily
Only the data necessary for the enabled function is collected
If a configuration requests unnecessary data, GDPR principles of minimization must be applied.
How long is data stored?
Data retention is configurable by the chatbot owner.
Personal data is:
Stored only for as long as necessary for the defined purpose
Deleted according to configured retention policies
Removed when the service ends, unless retention is required by law
Retention periods must comply with GDPR and applicable legal requirements. GDPR obligations override any configuration settings.
Can users delete or update their data?
Yes.
Depending on the configuration, users or administrators can:
Edit personal information where applicable
Delete personal data using available controls
Once deleted, the data is no longer processed.
Requests for deletion or correction must be handled in accordance with GDPR rights, regardless of system configuration.
How is data kept secure?
Security measures include:
Processing within a controlled technical environment
Role-based access control
Access limited to authorized personnel
Security and operational logging
Encryption in transit and at rest where appropriate
Defined retention and deletion processes
Security measures are applied based on the level of risk and always in line with GDPR requirements.
Are automated decisions made about users?
Depending on configuration, AI tools may support analysis or organize information.
However, any decisions that significantly affect individuals must involve human review, in accordance with GDPR.
Configurations that would result in prohibited automated decision-making are not permitted.
How are users informed about data processing?
User information is provided through:
A general privacy notice within the service
Additional notices where specific features collect additional personal data
The chatbot owner is responsible for ensuring that information provided to users meets GDPR transparency requirements.
What is the legal basis for processing?
The legal basis for processing is determined by the chatbot owner and may include:
Public interest tasks
Contractual necessity
User consent
All processing must comply with GDPR Articles 5 and 6. If a valid legal basis does not exist, the processing cannot take place, regardless of configuration.
What happens to data if the service is discontinued?
If the service is terminated:
Personal data is deleted according to agreed procedures
Data is not retained unless required by law
Deletion processes must comply with GDPR and any applicable legal retention obligations.
Does SUSANchat process national identity numbers or highly sensitive data?
By default, SUSANchat does not process personal identity numbers or special categories of personal data.
Such data may be processed only if explicitly configured and requested by the chatbot owner, and only where:
A valid GDPR legal basis exists
Appropriate safeguards are in place
If GDPR requirements cannot be met, such processing must not occur, regardless of configuration.


