This section explains how MB Parnidia processes personal data when phone calls are answered by our AI receptionist, Christina.
When Christina handles calls to Parnidia’s own numbers, MB Parnidia is the controller. When Christina is deployed for a client, the client is the controller and MB Parnidia acts as a processor under a Data Processing Agreement.
1. What data we process
- Call metadata. Caller and called numbers, timestamps, call duration, routing/call IDs, and similar technical events required to connect and troubleshoot calls. This is personal data where it directly or indirectly identifies a person.
- Audio stream (for transcription). It is processed in real time to generate the transcript on every call. We do not create voiceprints or otherwise process the audio to uniquely identify a person.
- Call transcripts (text created from the audio for each call).
- Interaction content provided by the caller. It is information the caller shares so Christina can assist (e.g., name, surname, preferred contact details, service of interest, appointment date/time, and any free-text details needed to fulfill the request).
- Operational and security logs (service status, error codes, abuse/fraud signals) necessary to ensure reliability and security. They may include references to call/session identifiers and are not used to profile callers.
2. Purposes of data processing
- Provide the service: handle and route calls, generate live responses, capture caller requests, and create requested follow-ups (e.g., appointment confirmations, messages, CRM updates).
- Operate, maintain, and troubleshoot: monitor performance (latency, speech-to-text model’s accuracy, real-time speech AI model’s accuracy), fix faults, and ensure service continuity.
- Quality assurance: review some samples of transcripts and audio recordings to improve Christina’s system prompts and configuration for the specific deployment (not to train foundation models).
- Security and abuse prevention: detect and mitigate spam/fraud, denial-of-service, and misuse; investigate incidents; enforce rate limits and access controls.
- Legal and compliance: comply with retention duties, respond to lawful requests, and resolve or defend legal claims and disputes.
3. Lawful bases of data processing
We rely on the following legal bases for Christina:
- Live call handling & real-time transcription: Legitimate interests (GDPR Art. 6(1)(f)) to operate business phone lines, respond efficiently to callers, and ensure service reliability and quality.
- Requested follow-ups (e.g., appointment confirmations, messages, CRM updates): Performance of a contract / pre-contractual steps (GDPR Art. 6(1)(b)).
- Call recording: Consent (GDPR Art. 6(1)(a)). Recording is announced at call start with an opt-out or an alternative contact method, and consent can be withdrawn without detriment.
- Security, fraud and abuse prevention; operational logging: Legitimate interests (GDPR Art. 6(1)(f)) to protect the service and investigate incidents.
- Legal and compliance needs (e.g., responding to lawful requests, establishing or defending legal claims): Legal obligation (GDPR Art. 6(1)(c)) and, where appropriate, legitimate interests (Art. 6(1)(f)).
Special-category data (e.g., health information): Not actively sought on Parnidia’s own phone lines. If disclosed inadvertently, collection is minimised and the data is removed where feasible. In healthcare client deployments, the client (controller) typically relies on GDPR Art. 9(2)(h) together with an Art. 6 basis; Parnidia processes such data as a processor under the DPA.
4. Categories of data recipients
Data is shared only as needed to run and secure the service. The categories of recipients are:
- Telecom carriers (EU-established) that connect and route calls.
- Hosting providers operating EU data centers used for our application and storage.
- Speech-to-text (STT) providers that transcribe call audio (transcription is enabled on client lines).
- Real-time AI model providers that generate Christina’s responses during the call.
- Email/SMS/CRM services used to send requested follow-ups (e.g., appointment confirmations, CRM updates).
- Security and monitoring services used to prevent abuse, detect incidents, and ensure reliability (e.g., DDoS/anti-spam).
- Professional advisers (legal/accounting) under confidentiality obligations.
- Client-selected systems integrated into the workflow in processor scenarios (e.g., the client’s calendar, CRM or ticketing tool), according to the client’s instructions under the DPA.
Public authorities may receive data where required by law; authorities acting in the framework of a particular inquiry are not considered “recipients” under GDPR Art. 4(9).
5. Where and how data is processed (security & location)
- Telecom carrier. Calls are carried by an EU-established telecom partner.
- Application hosting. The application backend runs on EU-hosted servers (Amsterdam) with TLS in transit, encryption at rest, role-based access controls, least-privilege operations, and audit logging, consistent with GDPR Article 32.
- Transcription. Enabled on all client lines. Performed by EU-region speech-to-text providers configured for no content logging/no training where supported; the audio stream is processed in real time and not retained by the STT service beyond processing. (Major providers offer regional processing and logging controls.)
- Real-time AI responses. Certain assistant responses are generated by a U.S. AI provider under enterprise terms that do not use customer data for model training by default; API inputs/outputs may be retained for up to 30 days for abuse prevention.
- International transfers & safeguards. Where processing occurs outside the EEA (e.g., real-time AI in the U.S. or non-EEA call termination), transfers rely on Standard Contractual Clauses (SCCs) and, where applicable, the provider’s certification under the EU-U.S. Data Privacy Framework (DPF).
A current list of subprocessors is available on request.
6. Data retention
Parnidia enforces a 30-day retention policy across all deployments, unless a longer period is required by law or a shorter/longer period is explicitly agreed in the DPA or documented controller instructions (storage-limitation principle, GDPR Art. 5(1)(e)).
- Audio recordings: stored in the EU (encrypted at rest) for up to 30 days, then auto-deleted.
- Call transcripts and interaction notes: retained for 30 days, then auto-deleted. Transcription is enabled on client lines; transcripts are handled as personal data.
- Operational and security logs: retained for up to 30 days, then auto-deleted.
- Speech-to-text (STT) provider: audio is processed in real time to generate transcripts and is not retained beyond processing when “no-logging/no-training” modes are used, which we enable where supported.
- Real-time AI model provider (U.S.): API inputs/outputs may be retained up to 30 days for abuse prevention; provider terms state data is not used to train models by default.
Legal holds & exceptions. If a longer retention period is required by law, necessary to establish, exercise or defend legal claims, or imposed by a competent authority, the minimum necessary data are isolated with restricted access and deleted once the requirement ends. (This may apply to third-party systems as well.)
Processor deployments. Where Parnidia acts as processor, the default 30-day schedule above is applied and enforced unless the controller instructs otherwise in writing in the DPA or implementation documents.
7. Data subject rights
Under the GDPR, data subjects have the right to be informed, the rights of access, rectification, erasure (“right to be forgotten”), restriction, portability, and objection, and the right not to be subject to a decision based solely on automated processing producing legal or similarly significant effects.
Automated decision-making. Christina automates conversation, but no decisions with legal or similarly significant effects are taken based solely on automated processing (GDPR Art. 22). If this ever changes, additional notice and safeguards will be provided.
Right to complain. Data subjects may lodge a complaint with a supervisory authority, in particular in the EEA Member State of habitual residence, place of work, or alleged infringement (GDPR Art. 77). In Lithuania, this is the State Data Protection Inspectorate (VDAI): L. Sapiegos str. 17, LT-10312 Vilnius. Contact email: ada@ada.lt. Please visit VDAI’s website for the most up-to-date information.
8. How to exercise rights
Contact leo@parnidia.com to exercise rights. To help locate records, include: the phone number used, the approximate date/time of the call, and the call receiver’s business name. Controllers must facilitate rights requests; processors assist controllers (EDPB guidance).
- Recording: where recording is enabled, the caller is informed at call start and can opt out or use an alternative channel.
- Transcription: transcription is enabled by default for service operation. Callers who object to transcription may discontinue the call and use an alternative contact method (e.g., email or web form); upon receipt of an objection or erasure request, transcripts will be handled in line with GDPR rights and the retention policy.
For client deployments, requests should be directed to the client (controller); Parnidia will assist the controller under the DPA.
9. Updates
We may update this Privacy Notice to reflect changes in our processing activities, legal requirements, or product features. When changes are material (i.e., they meaningfully affect your privacy information under GDPR Articles 13/14), we will give prominent notice on our website and, for customers who have deployed Christina, send a direct email to the designated contact person before the change takes effect (unless immediate updates are required by law or security). The “Last updated” date at the top of this section shows when this notice was last revised.