Privacy Policy
Last updated: 1 April 2026
This Privacy Policy describes how NoviaMind, a simplified joint-stock company (SAS) with a share capital of €1,000, registered with the Nice Trade and Companies Register under number 989 166 848, with its registered office at 18 rue Masséna, Office 3, 06000 Nice, France (hereinafter "NoviaMind", "we", "us") collects and processes personal data in the context of:
- its website noviamind.ai (the "Website"), intended exclusively for professionals;
- its SaaS platform for artificial intelligence voice agents (the "Service"), enabling its professional clients (the "Clients") to deploy AI telephone agents that answer incoming calls or contact their own customers and prospects (the "Contacts") on their behalf.
It is addressed to two categories of individuals:
- Professional Clients and Website visitors (direct B2B relationship with NoviaMind).
- Contacts of the AI Agents (individuals or professionals contacted by, or calling, a voice Agent deployed by a Client).
It applies in accordance with Regulation (EU) 2016/679 (GDPR) and French Law No. 78-17 of 6 January 1978, as amended (the "French Data Protection Act").
1. Data Controller
The data controller is:
NoviaMind SAS
18 rue Masséna, Office 3 – 06000 Nice, France
Email: [email protected]
Website: https://noviamind.ai
For any questions regarding your personal data, you may write to us at the above address or via our contact page.
2. Data Collected
2.1. Website Visitors and B2B Prospects
The Website is intended exclusively for professionals. When you browse it or fill in a form, we collect:
- Browsing data: IP address, browser and device type, pages viewed, date and duration of visit.
- Cookies: see Section 11 below.
- Contact data: name, email, phone number, company, message — if you fill in a contact form, demo request or registration form.
2.2. Professional Clients (B2B)
- Identification data: surname, first name, position, email and phone number of the Client's representative(s).
- Billing data: company name, address, intra-community VAT number. Banking information is processed exclusively by our secure payment provider (Stripe); NoviaMind does not store it.
2.3. Contacts of the AI Voice Agents (Clients' Customers and Prospects)
When a NoviaMind voice Agent calls you or you call a number handled by a voice Agent, the professional Client that deployed that Agent is the data controller for your personal data. NoviaMind acts as a data processor on behalf of that Client (the respective obligations are defined in our Data Processing Agreement — DPA).
The following data may be processed during these calls:
- Phone number of the caller/called party.
- Audio recordings of the conversation (incoming and outgoing calls).
- Text transcriptions of the exchanges.
- Call metadata: date, time, duration, call direction (incoming/outgoing).
- Any data freely communicated during the conversation (name, address, situation, needs, etc.).
Voice data: your conversations are recorded in audio form. Although voice may constitute biometric data within the meaning of the GDPR (Art. 9), NoviaMind does not use voice recordings for biometric identification or authentication purposes. They are processed exclusively for transcription, service delivery and quality improvement. We nevertheless apply an enhanced level of protection to them.
Important: if you are a Contact (the person called by or calling the voice Agent), the professional Client that deployed that Agent is your point of contact for exercising your rights (access, deletion, etc.). If you do not know who that Client is, you may contact us and we will direct you accordingly.
2.4. Calendar Integrations
Our Service may connect to our Clients' calendars to enable automated appointment scheduling by the voice Agent. Depending on the calendar used by the Client, we may access, with their explicit consent, the following data:
- Account information: name, email address, profile photo.
- Calendar data: calendars, events, availability slots.
Supported calendar platforms include: Google Calendar, Microsoft Outlook and Apple Calendar (iCloud).
We use this data solely to (i) provide the scheduling features requested by the Client, (ii) verify identity and maintain account security, and (iii) display and manage events within our Service.
Google Data Specific Provisions
The following commitments apply specifically to data accessible via Google APIs:
Sharing: we do not share Google data with any third party, except (a) with your explicit consent, (b) with technical sub-processors under strict confidentiality agreements, or (c) as required by law.
We do not:
- sell or rent Google data to third parties;
- use Google data for advertising or marketing purposes;
- share Google data with data brokers or advertising networks.
Protection: Google data is protected by encryption in transit and at rest, with secure connections via the OAuth 2.0 protocol.
Deletion: you may revoke our access to your Google account at any time from your Google settings. We automatically delete your Google data upon revocation. You may also request deletion by contacting us at [email protected]. Some data may persist for up to 30 days in backups before final deletion.
Access Revocation (All Calendars)
For other calendars (Outlook, Apple), you may revoke NoviaMind's access from your account settings on the relevant platform or from your NoviaMind client dashboard. Deletion of related data occurs automatically within 30 days.
2.5. CRM Integrations
Our Service may connect to the CRM (Customer Relationship Management software) used by the Client in order to synchronise contacts, business records and data from voice Agent calls (transcriptions, qualifications, appointments).
Supported CRMs include: Apimo, HubSpot, Modelo, Bitrix24, as well as other platforms as the Service evolves.
Data exchanged with the CRM may include:
- Contact data: name, phone number, email, address of Contacts.
- Interaction data: call summary, qualification, scheduled appointment.
- Client business data: records, product or service characteristics, and any structured data specific to the Client's business, synchronised via the CRM.
The Client is the data controller for data imported into or exported from their CRM. NoviaMind acts as a data processor and only retains a technical synchronisation copy, which is deleted at the end of the contract in accordance with the DPA.
3. Purposes and Legal Bases
| Purpose | Legal Basis | Retention Period |
|---|---|---|
| Provide and manage the Service (AI calls, transcriptions, appointments) | Performance of contract | Duration of the contract + 3 years archival |
| Respond to your contact or demo requests | Legitimate interest / pre-contractual measures | 3 years after last contact |
| Client relationship management and billing | Performance of contract / legal obligation | Duration of the contract; invoices retained for 10 years (accounting obligation) |
| Improve the Service and AI model quality | Legitimate interest of NoviaMind | Audio recordings: 6 months max, then deletion or irreversible anonymisation |
| Statistical analysis of the Website (audience, performance) | Legitimate interest / consent (cookies) | 13 months max for analytics cookies |
| Calendar and CRM integrations | Performance of contract / consent | As long as the integration is active; deleted within 30 days after revocation or end of contract |
| Compliance with legal obligations and dispute management | Legal obligation / legitimate interest | 5 years after the end of the relationship or dispute |
| B2B commercial prospecting | Legitimate interest (with right to object) | 3 years after last contact |
Upon expiry of the indicated periods, data is deleted or irreversibly anonymised.
Mandatory or optional nature of data provision: data marked with an asterisk (*) in our forms is necessary for the provision of the Service or the processing of your request. Without it, we will not be able to respond to you or provide the Service. Other data is optional and aims to improve the quality of our support.
4. Data Recipients
Your data may be disclosed to:
- Our authorised staff (technical, sales, support teams), strictly limited to what is necessary.
- Our technical sub-processors, operating in the following categories:
  - Hosting and database: providers ensuring the storage of all application data in France, within the European Union.
  - Artificial intelligence: certified providers (ISO 27001, ISO 27018, ISO 27701, ISO 42001), covered by the EU-U.S. Data Privacy Framework and Standard Contractual Clauses. Audio retention disabled; data not used for training third-party AI models.
  - Telephony: certified provider (ISO 27001, SOC 2 Type II, PCI DSS Level 1), covered by Binding Corporate Rules (BCR) Processor, the Data Privacy Framework and SCCs. Data processed within the EU. No call recordings stored.
  - SMS notifications: provider based in France (EU), ISO 27001 certified.
  - Email notifications: provider covered by the EU-U.S. Data Privacy Framework and SCCs.
  - Payment: European provider (Ireland), covered by the Data Privacy Framework.
  - Calendar and CRM: third-party platforms activated by the Client (Google, Microsoft, Apple, HubSpot, Apimo, Modelo, Bitrix24, etc.), whose transfers are covered by the Data Privacy Framework or Standard Contractual Clauses depending on the provider. Data is only transmitted to these platforms as part of the synchronisation activated by the Client.
- Our professional Clients: data collected by the voice Agent (transcriptions, qualifications, appointments) is made available to the Client on whose behalf the Agent operates, as data controller.
- Competent authorities, in cases of legal obligation.
- Our advisors (lawyers, accountants), bound by professional secrecy.
The complete list of our sub-processors and the applicable protection mechanisms for each transfer are detailed in our Data Processing Agreement (DPA) and our International Transfers Policy (SCCs), available upon request.
We do not sell or rent your personal data to third parties.
5. Transfers Outside the European Union
All data processed as part of our AI voice agent Service is stored in France (application hosting and database located in the Paris region).
Some of our technical sub-processors are US-based entities. For each transfer outside the EU, we implement at least one of the following protection mechanisms, in accordance with Chapter V of the GDPR:
- Adequacy decision: the EU-U.S. Data Privacy Framework (Commission Decision 2023/1795) covers our AI, telephony, email notification and payment providers that are certified under it.
- Standard Contractual Clauses (SCCs): in accordance with Commission Implementing Decision 2021/914, applied to all US-based sub-processors, including those already covered by the DPF (dual protection).
- Binding Corporate Rules (BCR): our telephony provider holds BCR Processor status approved by European data protection authorities.
Supplementary safeguards:
- AI providers are configured with audio retention disabled and data not used for training third-party AI models.
- Our telephony provider processes data within the EU (Ireland) via an activated regional option; no call recordings are stored.
- Our database provider hosts data exclusively in France (AWS Paris); SCCs govern any potential access from the United States by support staff.
- Calendar and CRM integrations activated by the Client may involve transfers to US-based providers covered by the Data Privacy Framework or SCCs.
Full details of the mechanisms applicable to each sub-processor are available in our International Transfers Policy (SCCs) and our DPA, provided upon request.
For any other potential transfer, we rely on an adequacy decision by the European Commission or Standard Contractual Clauses accompanied by supplementary protection measures where applicable.
You may contact us to obtain a copy of the applicable safeguards.
6. Data Security
We implement appropriate technical and organisational measures, including:
- Encryption of data in transit (TLS/HTTPS) and at rest.
- Strict logical segregation of each client's data.
- Enhanced access control: strong authentication (2FA), least privilege principle.
- Regular backups and recovery plan.
- Staff awareness and confidentiality commitments.
In the event of a data breach presenting a high risk to your rights and freedoms, we will inform you as soon as possible, in accordance with Article 34 of the GDPR.
7. Your Rights
Under the GDPR and the French Data Protection Act, you have the following rights:
| Right | Description |
|---|---|
| Access | Obtain confirmation that your data is being processed and receive a copy |
| Rectification | Have inaccurate or incomplete data corrected |
| Erasure | Request deletion of your data when it is no longer necessary |
| Restriction | Request temporary suspension of processing in certain cases |
| Portability | Receive your data in a structured, machine-readable format |
| Objection | Object to processing based on legitimate interest, or refuse prospecting at any time |
| Withdrawal of consent | Withdraw your consent at any time (without affecting the lawfulness of prior processing) |
| Post-mortem directives | Define instructions for the handling of your data after death |
To exercise your rights: write to us at [email protected] or via our contact page, specifying your request and enclosing proof of identity if necessary. We will respond within one month (extendable by two months for complex requests).
Complaint: if you believe that your rights are not being respected, you may lodge a complaint with the CNIL — Commission Nationale de l'Informatique et des Libertés — www.cnil.fr.
8. Voice Recordings — Specific Provisions
Interactions with our AI voice agents may be recorded and transcribed for the purpose of:
- Providing the requested service (exchange history, qualification, appointment scheduling).
- Improving the quality and performance of the AI Agent.
- Ensuring traceability and complying with potential legal obligations.
Retention periods:
- Audio recordings: 6 months maximum, then deletion or irreversible anonymisation.
- Text transcriptions and metadata: retained for the duration of the client contract, then archived for 3 years after the end of the contract before destruction.
If you are a professional Client of NoviaMind: you may request access to recordings, their deletion or object to their use for improvement purposes, by exercising your rights (Section 7).
If you are a Contact (the person called by or calling the voice Agent): please direct your request to the relevant professional Client who is the data controller (see Section 2.3).
9. Automated Decisions and Profiling
Our AI voice Agent performs automated processing of conversations to qualify requests, assess needs and propose appointments. This processing may constitute profiling within the meaning of Article 4(4) of the GDPR (automated evaluation of aspects relating to a natural person).
However, in accordance with Article 22 of the GDPR, no decision producing legal effects or significantly affecting you is made on a solely automated basis. The AI Agent's qualifications and recommendations are systematically subject to human intervention (the Client's staff) before any commercial or contractual action.
You may object to this profiling under the conditions set out in Section 7.
10. Artificial Intelligence and Transparency (AI Regulation)
In accordance with Article 50 of Regulation (EU) 2024/1689 on artificial intelligence (the "AI Act"), we inform you that:
- The NoviaMind voice Agent is an artificial intelligence system designed to interact directly with natural persons by telephone.
- The Agent's voice is generated by speech synthesis (Text-to-Speech); it is not a human being.
- Each telephone conversation begins with an explicit announcement informing the Contact that they are interacting with an AI agent. This transparency mechanism cannot be disabled by the Client.
NoviaMind, as the provider of the AI system, ensures that the voice Agent is designed and operated in compliance with the transparency and information requirements of the AI Regulation. The Client, as the deployer, is required to comply with their own obligations under this same regulation.
11. Cookies
In accordance with Article 82 of the French Data Protection Act (transposing the ePrivacy Directive), our Website uses cookies and similar technologies:
- Strictly necessary cookies: technical operation of the Website (no consent required).
- Analytics cookies: audience measurement and experience improvement (subject to your prior consent).
- Preference cookies: remembering your choices (language, settings).
You may manage your preferences at any time via the cookie banner displayed on the Website, your browser settings, or our "Cookie Settings" module. Declining non-essential cookies does not affect access to the Website. The maximum lifespan of cookies is 13 months, in accordance with CNIL recommendations.
12. Protection of Minors
Our services are intended exclusively for professionals in the course of their business activities. We do not knowingly collect personal data from minors. If you believe that a minor has communicated data through our Service, please contact us so that we can delete it as soon as possible.
13. Changes to this Policy
We may amend this Privacy Policy at any time. In the event of a substantial change, we will inform you by appropriate means (email, notification on the Website) at least 15 days before it takes effect. The date of the last update at the top of this page will be revised accordingly.
14. Contact
For any questions regarding this Privacy Policy or the processing of your data:
NoviaMind SAS
18 rue Masséna, Office 3 – 06000 Nice, France
Email: [email protected]
Contact page: https://noviamind.ai/contact