Privacy Policy
Last updated: 14.06.2026
This is a translation. In case of ambiguity or conflict, the German version prevails.
1. Controller and dual role
The controller within the meaning of the General Data Protection Regulation (GDPR) for the processing of personal data in connection with the operation of the website recelia.app, the dashboard application and the services provided to our customers (Tenants) is:
Timon Filipovic, sole trader
trading as “Recelia”
In der Breite 54
79224 Umkirch
Germany
Email: kontakt@recelia.app
Phone: +49 163 4427640
Dual role. Recelia is the controller for the account, contract and billing data of its customers (Tenants) and for data received directly via the marketing website. For the personal data of a Tenant’s end customers (i.e. the customers of the salon, practice, etc.) received via the chat widget, WhatsApp, SMS or voice and processed by our AI, the respective Tenant is the controller. In this respect, Recelia acts as a processor under Art. 28 GDPR on the basis of a Data Processing Agreement (DPA) concluded with the Tenant.
2. Data protection officer
Recelia is not obliged to appoint a data protection officer under § 38(1) sentence 1 of the German Federal Data Protection Act (BDSG), as it does not currently permanently employ at least 20 people in the automated processing of personal data. When introducing the medical verticals (processing of health data on a larger scale), we will reassess the obligation to appoint one under § 38(1) sentence 2 BDSG and carry out a data protection impact assessment under Art. 35 GDPR for the processing of health data and voice recordings. For data protection questions, you can reach us at kontakt@recelia.app.
3. Supervisory authorities and right to lodge a complaint
Competent German supervisory authority:
Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg (LfDI BW)
Königstraße 10a, 70173 Stuttgart
www.baden-wuerttemberg.datenschutz.de
For our main market Croatia:
Agencija za zaštitu osobnih podataka (AZOP)
Selska cesta 136, 10000 Zagreb
www.azop.hr
You have the right under Art. 77 GDPR to lodge a complaint with a supervisory authority of your habitual residence, place of work or the place of the alleged infringement.
4. Purposes, data categories and legal bases
- Provision of the website and server logs. IP address, date and time, user agent, referrer, requested URL. Purpose: technical provision, stability, abuse prevention. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in secure and stable operation). These logs arise at our infrastructure providers (hosting: Vercel, database: Supabase) and are processed there within their standard retention. Recelia does not operate its own permanent log store; no systematic analysis or profiling takes place.
- Contact. Name, email, content of the message. Purpose: handling the enquiry. Legal basis: Art. 6(1)(b) GDPR (pre-contractual steps) or (f) GDPR (legitimate interest in communication).
- Account management and authentication. Name, email, password hash, business data, role. Purpose: provision of the platform, performance of the contract. Legal basis: Art. 6(1)(b) GDPR.
- Provision of the AI service to Tenants’ end customers (chat widget, WhatsApp, SMS, voice in future). Name, phone number, appointment history, conversation content, for voice additionally call transcripts and, where applicable, audio recordings. Purpose: handling customer enquiries, booking appointments, sending confirmations and reminders, escalation to staff. In this respect, Recelia acts as a processor on behalf of the respective Tenant; the legal basis towards the end customer lies with the Tenant (usually Art. 6(1)(b), (f) or (a) GDPR).
- Email notifications. Email address, content of the notification. Purpose: sending confirmations, reminders, system emails. Legal basis: Art. 6(1)(b) GDPR or processing on behalf of the Tenant.
- Error monitoring. Error stacks, browser and device information, where applicable IP address. Purpose: ensuring stability. Legal basis: Art. 6(1)(f) GDPR. Monitoring is configured in the EU region, and personal data is minimised.
- Billing (planned). Name, billing address, VAT ID, payment data. Purpose: performance of the contract, invoicing, statutory retention. Legal basis: Art. 6(1)(b) and (c) GDPR. This processing only arises once payment processing is active.
5. Special categories of personal data (Art. 9 GDPR)
With the planned medical verticals (clinics, veterinarians, physiotherapy, dentists), health data may arise in the course of appointment bookings, FAQ answers or voice conversations. This is processed exclusively on behalf of the respective Tenant. The legal basis lies with the Tenant, usually Art. 9(2)(a) GDPR (explicit consent) or Art. 9(2)(h) GDPR in conjunction with § 22 BDSG. Before activating a medical vertical, the Tenant is obliged to ensure a valid legal basis and to comprehensively inform its end customers. Before use in medical verticals, Recelia carries out a data protection impact assessment under Art. 35 GDPR.
6. Voice: call recording and transcription
Insofar as Recelia conducts telephone conversations with Tenants’ end customers via the planned voice channel, the following also applies:
- Before recording and transcription begin, an audible announcement is played informing the caller that this is an AI assistant, that the conversation is recorded and transcribed, for what purpose this happens and that consent is voluntary. Anyone who does not consent is forwarded to a human employee or an alternative channel.
- Processing only takes place after explicit consent (Art. 6(1)(a) GDPR, for health data additionally Art. 9(2)(a) GDPR). Consent can be withdrawn at any time with effect for the future.
- Background: § 201 of the German Criminal Code (StGB) makes the recording of the non-publicly spoken word without consent a punishable offence. Active confirmation is required; a mere notice is not sufficient.
7. AI notice, EU AI Act and automated decision-making
Recelia uses AI systems that interact with natural persons. In accordance with Art. 50 of Regulation (EU) 2024/1689 (EU AI Act), which applies from 2 August 2026, we already make it clear that the interaction takes place with an AI: the chat widget shows the notice “This is an AI assistant”; for WhatsApp and SMS, the first response points out the AI nature; for voice, the notice is given at the start of the conversation by announcement. Synthetically generated audio content (AI voice) is marked as AI-generated.
Automated decision-making (Art. 22 GDPR). The AI books appointments, answers FAQs and sends confirmations. As a rule, this produces no legal effect and does not similarly significantly affect the data subject, since an appointment booking can be cancelled at any time. In addition, the AI escalates to a human employee of the Tenant in case of uncertainty. You have the right at any time to request human handling of your enquiry.
8. Recipients and subprocessors
We use carefully selected service providers who support us as processors under Art. 28 GDPR. Data processing agreements and, where relevant, the EU Standard Contractual Clauses (SCC) have been concluded with all of them.
| Provider | Purpose | Region / transfer |
|---|---|---|
| Vercel Inc., USA | Hosting, edge network | USA with EU edge; DPF + SCC |
| Supabase Inc. | Database, auth, storage | Data location EU (Frankfurt); SCC |
| OpenAI, L.L.C., USA | AI language model (responses) | USA; SCC, training opt-out activated |
| Meta Platforms Ireland Ltd. / WhatsApp LLC | WhatsApp Cloud API | IE / USA; DPF + SCC |
| Resend Inc., USA | Transactional email | USA; DPF + SCC |
| Sentry (Functional Software, Inc.) | Error monitoring | EU region (de.sentry.io); DPF + SCC |
| Upstash Inc., USA | Rate limiting | EU region; DPF + SCC |
| Telnyx LLC, USA (planned) | Telecommunications (voice, SMS) | USA, FRA-PoP; DPF + SCC |
| Vapi Inc., USA (planned) | Voice orchestration | USA; SCC |
| ElevenLabs (planned) | Text-to-speech (TTS) | UK / USA; DPF + SCC |
| Stripe Payments Europe Ltd. (planned) | Payment processing | Ireland; intra-EU |
For the voice channel, additional speech recognition (speech-to-text) services are used via the orchestrator (Vapi). The specific selection is finalised before the voice launch and added here. Contracts under Art. 28 GDPR exist with all processors.
9. Transfers to third countries
Insofar as data is transferred to the USA or other third countries, this is based either on the European Commission’s adequacy decision of 10 July 2023 (EU-US Data Privacy Framework, Implementing Decision (EU) 2023/1795), insofar as the recipient is currently on the DPF list, or on the Standard Contractual Clauses under Implementing Decision (EU) 2021/914, supplemented by appropriate additional measures (encryption, data minimisation).
Note: The DPF is the subject of pending proceedings before the CJEU (Case C-703/25 P, Latombe). For all US transfers, Recelia has agreed the Standard Contractual Clauses in parallel with the DPF, so that the transfers remain safeguarded in the event of any invalidity of the DPF. The current DPF list is available at www.dataprivacyframework.gov.
10. Storage period
- Server log files: within the retention of our hosting and infrastructure providers (Vercel, Supabase); Recelia operates no permanent log store of its own.
- Account and billing data: term of the contract plus statutory retention periods (up to 10 years under the German Fiscal Code (AO) and Commercial Code (HGB)).
- Conversation content (chat, WhatsApp, SMS): as instructed by the Tenant, then deletion or anonymisation.
- Voice audio and transcripts: as instructed by the Tenant, with a limited storage period.
- Contact enquiries: until resolved.
11. Your rights
You have the right to:
- access (Art. 15 GDPR)
- rectification (Art. 16 GDPR)
- erasure (Art. 17 GDPR)
- restriction of processing (Art. 18 GDPR)
- data portability (Art. 20 GDPR)
- object (Art. 21 GDPR)
- withdraw a consent given, with effect for the future (Art. 7(3) GDPR)
- lodge a complaint with a supervisory authority (Art. 77 GDPR)
To exercise your rights, contact kontakt@recelia.app. If you are an end customer of a Tenant (salon, practice, etc.), please address your request primarily to the respective Tenant. We forward requests without delay and support the Tenant in fulfilling its obligations.
12. Cookies and local storage (§ 25 TDDDG)
On recelia.app we currently use exclusively technically necessary cookies and local storage, in particular for the login session and the functional cookie NEXT_LOCALE to store the selected language. These are strictly necessary under § 25(2) no. 2 TDDDG, so consent is not required. We do not use tracking, analytics or marketing cookies and no third-party pixels. Should this change, we will obtain your consent in advance via a consent banner.
13. Data security
Transmission is encrypted (TLS). Data in the database is stored encrypted. Access to Tenant data is isolated at the database level by row-level security.
14. Changes to this policy
We adapt this privacy policy when functions, subprocessors or the legal situation change. The respective current version published at recelia.app/privacy is authoritative.