Last updated: October 7, 2025
This section explains how MB Parnidia ("Parnidia", "we", "us") processes personal data when users interact with our website chatbot Neria at parnidia.com and on our clients’ websites. By engaging in any form of communication with the AI chatbot Neria, you acknowledge you have read and understood this Privacy Policy.
Controller vs. Processor. When Neria is embedded on Parnidia’s own website or our own communication channels, Parnidia is the controller. When we deploy Neria for a client, the client is the controller and Parnidia acts as a processor under a Data Processing Agreement ("DPA").
1. What data we process
We only process what is necessary to provide and secure the chatbot service. We do not collect personally identifiable information (PII) unless you voluntarily provide it during the conversation (e.g., by sharing your name, last name, email, phone, or other identifiers).
- Conversation content. Messages you send to Neria and the assistant’s replies; any information you choose to share (e.g., name, email, service interest, booking details, attachments).
- Conversation transcripts. Text logs of a chat session.
- Identifiers & technical metadata. A pseudonymous user ID, timestamps, session/conversation IDs, app and model versions, and signals necessary to operate the chat session.
- Device & network metadata. IP address, browser/OS user‑agent, language/locale, and basic telemetry used for reliability and security (e.g., latency, error codes).
- Operational & security logs. Service status, error diagnostics, abuse/spam prevention signals (e.g., rate‑limit counters, threat‑intel flags).
- Optional contact details. If you ask for follow‑ups or bookings, we may collect your name, email and/or phone to complete the request.
- Client‑selected integrations (processor scenarios only). When a client controller connects their own systems (e.g., calendar, CRM, helpdesk), Neria exchanges the minimum necessary fields to fulfill the requested workflow.
We do not create biometric identifiers or voiceprints and we do not use transcripts to train foundation models.
2. Purposes of data processing
- Provide the service. Run chat sessions, respond to your messages, and execute your requests (e.g., answer questions, create a booking, send a follow‑up).
- Operate & maintain. Monitor performance/reliability, debug issues, and ensure service continuity.
- Quality assurance. Review a small sample of transcripts to improve prompts and configuration for a specific deployment (not for foundation‑model training).
- Security & abuse prevention. Detect spam/fraud, enforce rate limits, and investigate incidents.
- Legal & compliance. Keep records required by law and respond to lawful requests.
3. Lawful bases (GDPR)
- Chat operation & transcripts: Legitimate interests (Art. 6(1)(f)) to provide an efficient support channel and ensure reliability and security.
- Contract / pre‑contract steps (Art. 6(1)(b)).
- Marketing messages (if any): Consent (Art. 6(1)(a)).
- Security/anti‑abuse logging: Legitimate interests (Art. 6(1)(f)).
- Legal obligations: Art. 6(1)(c) and, where appropriate, Art. 6(1)(f).
- Special categories: Not sought. If you disclose such data inadvertently, we minimise collection and remove it where feasible. In client healthcare deployments, the client (controller) typically relies on Art. 9(2)(h); Parnidia processes such data as a processor under the DPA.
4. Categories of recipients
We share data only as needed to run and secure the service:
- Voiceflow, Inc. (chat orchestration): conversation runtime, transcripts (if saved), and related metadata.
- LLM providers via API (e.g., OpenAI, Anthropic/Claude). We send necessary text inputs and context to generate a response.
- EU hosting for client portal (France). We store copies of Voiceflow transcripts in our EU (France) client portal for monitoring/reporting.
- Email/SMS & communications providers (if you request follow‑ups, confirmations, OTPs).
- Security & monitoring services (DDoS/anti‑spam, error monitoring).
- Client‑selected systems in processor scenarios (e.g., calendars, CRMs, helpdesks) strictly per controller’s instructions.
- Professional advisers (legal/accounting) bound by confidentiality.
- Public authorities where required by law.
A current list of sub‑processors is available to customers on request or via the DPA notice mechanism.
5. Where and how data is processed (security & location)
- Voiceflow-managed hosting & security. Voiceflow provides the primary hosting, orchestration, and security controls for Neria’s runtime (including encryption in transit and at rest, access controls, and operational security).
- Location of Voiceflow processing. Voiceflow is based in Canada and may host, transfer, and process data in Canada and other countries through Voiceflow and its service providers. International transfers rely on Standard Contractual Clauses (SCCs) or equivalent safeguards under GDPR.
- Real-time AI responses. Certain assistant responses are generated by U.S. AI providers under enterprise terms that do not use customer data for model training by default; API inputs/outputs may be retained for up to 30 days for abuse prevention.
- Parnidia EU storage (client portal). For monitoring and client‑reporting purposes, Parnidia stores copies of chatbot conversations in the EU (France) within our client portal/dashboard. This storage is used solely to provide the service (e.g., quality review, troubleshooting, analytics for the controller).
Voiceflow compliance posture (as publicly stated by Voiceflow):
- ISO/IEC 27001:2022 (ISMS)
- SOC 2: Type 1 compliant, with live monitoring toward Type 2 (monitored by Drata)
- GDPR: commitments and DPA with SCCs
6. Data retention
- Aligned with Voiceflow. We follow Voiceflow’s default retention posture: data is retained as long as necessary to provide the Service and to meet legal requirements. Voiceflow automatically saves conversation data so that transcripts can be surfaced in our client portal for monitoring and service delivery.
- Parnidia portal copies (EU/France). Copies we maintain in our EU (France) portal mirror this purpose‑based retention. We keep data only for as long as needed to provide and support the service, resolve issues, and comply with legal obligations or the controller’s documented instructions.
- Controller instructions. Where a client (controller) sets explicit retention/deletion periods in the DPA or order form, we will configure Neria and our portal to honor those settings.
- Backups & deletion. Backups rotate on a standard schedule; when data is deleted from active systems, it will age out of backups on the next rotation.
7. Cookies & similar technologies
The chat widget may use essential cookies or local/session storage to maintain session state and preferences. We do not use non‑essential tracking for Neria without consent.
8. Data subject rights
Under the GDPR, you have the rights of access, rectification, erasure, restriction, portability, objection, and not to be subject to a decision based solely on automated processing producing legal or similarly significant effects. Neria automates conversation, but no decisions with legal or similarly significant effects are made solely by automation. If this changes, we will provide additional notice and safeguards.
9. How to exercise your rights
Contact leo@parnidia.com. To help locate records, include: the approximate date/time of the chat and any name/email/phone you provided.
For client deployments, please contact the client (controller); Parnidia will assist the controller under the DPA.
10. Updates
We may update this Privacy Notice to reflect changes in our processing, legal requirements, or product features. Material changes will be announced on our website and, for customer deployments, via email to the designated contact before the change takes effect (unless immediate updates are required by law or security).
Contacts
MB Parnidia
Email: leo@parnidia.com
Company code: 306969354