| Item | Description |
|---|---|
| Controller | Customer (organization using the Hay hosted platform) |
| Processor | Hay Labs LDA, Rua …, Lisbon (Portugal) |
| Data Subjects | End-users / customers of the Controller who interact through chat or connected channels Controller's employees and authorized users (admins, agents) |
| Categories of Personal Data | Identification data: name, email, phone, external IDs, account IDs Communication data: chat content, attachments, timestamps, channels, metadata (sentiment, intent) Technical data: IP address, user-agent, session ID Account data: login, role, permissions, audit entries Optional: payment contact (for billing admin) |
| Special Categories of Data | Not intentionally collected, but may appear within free-text messages or uploaded content. Such data is processed only transiently and under Controller responsibility. |
| Nature and Purpose of Processing | Hosting and storage of customer-support conversations Routing, retrieval and orchestration of AI responses (LLM inference and embeddings) Analytics and dashboards for conversation metrics Account administration, billing, and security monitoring |
| Processing Operations | Collection, recording, structuring, storage, retrieval, consultation, transmission to authorized subprocessors, deletion or anonymization. |
| Retention Periods | Conversations & messages → 90 days after last end-user activity, then anonymized LLM usage logs → 90 days Audit/security logs → 7 years Account/billing data → account lifetime + 30 days after termination |
| Frequency of Processing | Continuous, event-driven, and on-demand via API or UI. |
| Data Transfers | To subprocessors listed in Annex C / Subprocessors List, including OpenAI LLC (US) and hosting/email/payment providers, under SCCs or DPF safeguards. |
| Duration of Processing | For the term of the Agreement plus retention/anonymization period required for legal or security obligations. |