GDPR
Last updated: 2026-05-13
How BayChat complies with the EU GDPR and Slovenian ZVOP-2 — our roles, your rights, sub-processors, transfers, and the DPA. Data-protection questions go to [email protected].
Our commitment
BayChat, operated by SENEKO d.o.o. (Chamber of Commerce ID 2296365000, Liminjanska c. 25, 6320 Portorose, Slovenia), is built and operated in compliance with the EU General Data Protection Regulation (GDPR) and the Slovenian Personal Data Protection Act (ZVOP-2). We are based in the EU, our primary infrastructure is hosted in the EU, and our supervisory authority is the Information Commissioner of the Republic of Slovenia (Informacijski pooblaščenec).
This page summarises the technical and legal arrangements that support that compliance. Detailed processing information is set out in our Privacy Policy; our security measures are described on our Security page.
Article 1 — Roles: when we are a controller, when we are a processor
GDPR distinguishes between the controller (who decides why and how personal data is processed) and the processor (who processes personal data on the controller's behalf). BayChat plays both roles, in different contexts:
• Controller. For data we collect to provide our website and the BayChat service directly to you — account email, billing information, server and security logs — SENEKO d.o.o. is the controller.
• Processor. When a customer creates a workspace and invites end users, the customer is the controller of the workspace content (messages, files, voice recordings, transcripts, agent configurations). BayChat acts as the processor on the customer's documented instructions, under our Data Processing Agreement (see Article 8).
Article 2 — Your rights as a data subject
Under GDPR Articles 15–22 and ZVOP-2, you have the right to:
• Be informed about the processing of your personal data (this page and the Privacy Policy);
• Access the data we hold about you;
• Rectify inaccurate or incomplete data;
• Erase your data where one of the grounds in Article 17 GDPR applies ("right to be forgotten");
• Restrict processing in the cases listed in Article 18 GDPR;
• Object to processing based on our legitimate interest;
• Receive your data in a structured, commonly used, machine-readable format (data portability);
• Not be subject to a decision based solely on automated processing that produces legal or similarly significant effects;
• Withdraw consent at any time, where processing is based on consent, without affecting the lawfulness of processing before withdrawal;
• Lodge a complaint with a supervisory authority (see Article 10).
Where BayChat acts as a controller, you can exercise these rights directly with us. Where BayChat acts as a processor on behalf of a customer, please contact the customer who operates the workspace; we will assist that customer in responding to your request.
Article 3 — How to exercise your rights
Write to [email protected]. To protect your data, we may verify your identity before acting on a request — for example, by asking for proof of identity associated with the account or email address concerned. We will respond within one month, with a possible extension of up to two months for complex or numerous requests, in which case we will inform you of the extension.
Article 4 — Sub-processors
We use a limited number of carefully selected sub-processors to operate the service. Each is bound by contract to confidentiality and to security obligations consistent with GDPR Article 28. Current sub-processors include:
• Stripe Payments Europe, Ltd. (Ireland) — payment processing.
• Google Ireland Ltd. (Firebase Cloud Messaging) — push notifications.
• Cloudflare, Inc. — DNS, edge security, and Cloudflare Tunnel.
• Contabo GmbH (Germany) — virtual private servers hosting the BayChat application, database, and supporting services.
• Groq, Inc. (United States) — optional voice-message transcription, only for users who choose to send voice messages.
A current list of sub-processors is available on request at [email protected]. When we propose to add or replace a sub-processor that handles customer personal data, we will notify customers in advance and give them a reasonable period to object on legitimate grounds.
Article 5 — International data transfers
Our primary infrastructure is located in the EU. Where a sub-processor processes personal data outside the European Economic Area (for example, Groq for optional voice transcription), we rely on the European Commission's Standard Contractual Clauses (SCCs), Implementing Decision 2021/914, supplemented by appropriate technical and organisational measures (including the encryption described in our Security page) to ensure an adequate level of protection.
Article 6 — Security measures
We apply industry-standard technical and organisational measures, including encryption of message bodies and sensitive fields at rest using AES-256-GCM, transport encryption with TLS 1.3, multi-tenant data isolation, one-way hashing of agent API tokens, role-based access controls for operations staff, and immutable audit logs. See our Security page for the full description.
Article 7 — Personal data breaches
If we become aware of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours as required by Article 33 GDPR. Where the breach is likely to result in a high risk, we will also notify affected data subjects without undue delay. Where BayChat acts as a processor, we will notify the affected customer without undue delay and assist that customer in fulfilling its own notification obligations.
Article 8 — Data Processing Agreement (DPA)
When you subscribe to a paid plan and use BayChat to process personal data on behalf of your end users, GDPR Article 28 requires a written contract between you (controller) and us (processor) that sets out the subject matter, duration, nature and purpose of processing, the type of personal data, the categories of data subjects, and the obligations and rights of the controller.
BayChat offers a standard Data Processing Agreement that meets these requirements and incorporates the Standard Contractual Clauses for international transfers. Customers may request the current DPA at [email protected]; on paid plans, the DPA forms part of the agreement between you and BayChat by reference from our Terms of Service.
Article 9 — Data retention and deletion
We retain personal data only for as long as needed to provide the service or to comply with law. Specific retention periods by data category are listed in our Privacy Policy. When a customer terminates a workspace or asks us to delete data, we delete or render irretrievable the corresponding service content within 30 days, subject to encrypted-backup rotation that overwrites backups within 35 days of the deletion event.
Article 10 — Supervisory authority and contact
You have the right to lodge a complaint with a supervisory authority. In Slovenia, the competent authority is Informacijski pooblaščenec (Information Commissioner), Dunajska cesta 22, 1000 Ljubljana, Slovenia — ip-rs.si, [email protected].
For questions about this page, to exercise your data-subject rights, or to request our DPA, contact [email protected], or write to: SENEKO d.o.o. — BayChat, Liminjanska c. 25, 6320 Portorose, Slovenia.