Data Privacy When Using arminCX: What You Need to Know

You want to use arminCX to automatically handle most of your customer inquiries. However, this also involves processing personal data, i.e. data that relates to an individual, such as name, email, order number, or the content of a chat message. That’s why you should know what needs to be considered from a GDPR perspective, and how your privacy policy needs to be updated.

Who is responsible for data privacy?

When you use arminCX, you are the so-called data controller. This means: you decide why and how your customers’ data is processed. As the provider, we supply the technology, but we only process data on your behalf. This is called “data processing on behalf of a controller”. That’s why you need a Data Processing Agreement (DPA). You can find it here:

🔗 View and download our Data Processing Agreement here

What do we do as a provider?

As the data processor, we ensure that:

- data is only processed based on your instructions,
- data is stored and transmitted securely,
- our employees are bound by confidentiality obligations,
- you are notified in the event of a data breach (e.g. a cyberattack).

What data is processed?

This depends on how you use our system. Typically, this includes:

- Communication texts (e.g. chat, email)
- Name, email address, order number, etc.
- Technical data such as IP address or timestamp

This data is processed so that the AI can provide meaningful responses.

On what legal basis may the data be processed?

Under the GDPR, every data processing activity requires a so-called legal basis. You have two options:

1. Performance of a contract (Art. 6(1)(b) GDPR) → when someone has a question about their order
2. Legitimate interest (Art. 6(1)(f) GDPR) → when you want to improve customer service without a direct contractual relationship. Important: You must weigh whether your interests outweigh the rights of your customers.

What about “automated processing”?
Our AI answers inquiries partially automatically. However, it does not make decisions with legal consequences, for example, whether someone receives a refund or not. Such decisions are still made by your team. Therefore, this is not a fully automated decision within the meaning of Art. 22 GDPR.

Sample text for privacy notices

Note on the use of this sample text: This text is a general drafting aid and does not replace individual legal advice. Please check whether the text fits your specific use of arminCX and amend or adapt it as necessary, regarding the features used, types of data, and legal bases. If in doubt, consult your data protection officer or legal advisor to ensure your privacy notice is complete and legally compliant.

Automated Customer Communication with AI

We use an AI-based system to automatically answer customer inquiries (e.g. questions about orders, returns, or delivery times). Data is processed for the performance of a contract (e.g. for questions about your order) or based on our legitimate interest in providing fast and efficient customer support.

Responses are partially automated, but not entirely without human involvement. Decisions with legal effect are not made automatically.

Processing is carried out via our technical service provider chatarmin.com GmbH, based in Austria, with whom we have concluded a Data Processing Agreement (Art. 28 GDPR).

The following data is processed:

- Text messages (e.g. chat, email)
- Name, contact details, order number (if provided by you)
- Technical data (e.g. IP address, timestamp)

Data is only stored for as long as necessary to process the inquiry or as required by law.

_______

What do you need to consider as an arminCX customer?

🔗 Update your privacy notice (fulfill information obligations)
🔗 Download and store our Data Processing Agreement internally
🔗 Only process data when you have a legal basis
🔗 Document how you use the AI system (e.g. for data protection documentation)
🔗 Check whether a Data Protection Impact Assessment is necessary, e.g. if large volumes of data are processed or the risks are high (more information available upon request)