Overview
By creating an account, signing an order form, clicking “I agree”, accessing the Services, or using the Services, you agree to these Legal Policies on behalf of the organisation you represent. If you do not have authority to bind that organisation, you must not accept these Legal Policies or use the Services on its behalf.
These Legal Policies are standard online terms for the Kobby.ai Platform. They do not replace customer-specific legal advice. Customers remain responsible for configuring and using the Platform in compliance with the laws that apply to their business, industry, employees, customers, communications, recordings, records, workflows and AI-enabled use cases.
Terms & Conditions
1. Parties and acceptance
These Terms & Conditions (“Terms”) are between [Legal Entity Name], a company registered in the Netherlands with KvK number [KvK number] and VAT/BTW number [VAT number], having its registered office at Johan Huizingalaan 763A, 1066 VH Amsterdam, Netherlands (“Kobby”, “we”, “us”) and the business or organisation using the Services (“Customer”, “you”). These Terms apply together with any order form, subscription page, statement of work, invoice, or agreed online plan.
These Terms include the Data Processing Agreement / AVV, Technical and Organisational Measures, Sub-processor List, International Transfer Terms, AI Addendum, Call Recording Addendum, Privacy Policy, Refund Policy, and any additional policies referenced on this page.
2. Platform description
Kobby.ai is a conversational operations platform for business process management. Depending on the subscription, configuration, integrations and enabled features, the Platform may include:
- CRM features for contacts, customers, leads, opportunities, pipelines, tasks and communications;
- ERP and operations features for workflows, processes, internal records, projects, inventory, orders, service operations and reporting;
- AI-assisted chat, search, classification, summarisation, drafting, recommendations, workflow automation and analytics;
- communication features such as email, messaging, chat, telephony integrations, call logging, call recording, transcription and call summaries;
- integrations with third-party systems selected by Customer or made available by Kobby;
- dashboards, audit logs, access management, exports, notifications and administrative controls.
Kobby may add, modify or discontinue features from time to time. Feature availability may depend on plan, region, configuration, applicable law, customer instructions and third-party service availability.
3. Accounts, authorised users and security
Customer is responsible for all activity under its accounts and for ensuring that only authorised users access the Platform. Customer must maintain accurate account information, protect credentials, enable appropriate security controls, and promptly notify Kobby of suspected unauthorised access. Customer is responsible for assigning appropriate roles and permissions to its users, limiting access to Customer Data on a need-to-know basis, and ensuring that users comply with these Terms and Customer’s internal policies.
4. Customer Data and responsibility for use
“Customer Data” means data, content, records, communications, audio, transcripts, files, metadata, prompts, outputs, instructions, configurations and other materials submitted to, generated in or processed through the Platform by or on behalf of Customer.
Customer retains all rights in Customer Data. Kobby may process Customer Data only to provide, secure, support, maintain and improve the Services as permitted by these Terms, the DPA/AVV, Customer’s documented instructions and applicable law.
Customer is responsible for determining whether and how to use the Platform, including the purposes and legal basis for processing Customer Data, the configuration of retention rules, user access rights, call-recording settings, AI features, workflows, integrations, exports, and internal use of Platform outputs.
5. Acceptable use
Customer must not use the Services to:
- violate applicable law or third-party rights;
- record communications without legally required notice, consent, authorisation or other lawful basis;
- conduct unlawful surveillance, hidden employee monitoring, unlawful profiling or discriminatory decision-making;
- send spam, phishing messages, malware or unlawful communications;
- attempt to gain unauthorised access to the Platform, third-party systems or other customers’ data;
- interfere with the security, integrity, availability or performance of the Platform;
- use AI outputs as the sole basis for decisions producing legal or similarly significant effects on individuals (Article 22 GDPR) unless expressly agreed and lawfully implemented with appropriate safeguards;
- engage in any AI practice prohibited under Article 5 of the AI Act, including but not limited to subliminal manipulation, exploitation of vulnerabilities, social scoring, untargeted scraping of facial images, emotion recognition in the workplace or in educational institutions, biometric categorisation inferring sensitive attributes, or real-time remote biometric identification in publicly accessible spaces for law-enforcement purposes;
- use the Platform for high-risk, prohibited, regulated or safety-critical use cases without written approval from Kobby and a separate risk and compliance assessment.
6. AI features and outputs
AI features may generate transcripts, summaries, classifications, recommendations, drafts, insights or other outputs. AI outputs may be incomplete, inaccurate, outdated, biased or unsuitable for a particular purpose. Customer is responsible for reviewing outputs before relying on them and for ensuring that human oversight is applied where required. Kobby does not provide legal, financial, tax, medical, employment or professional advice. AI outputs are assistive and must not be treated as professional advice or as final decisions about individuals.
7. AI literacy
Pursuant to Article 4 of the AI Act, each party must take measures to ensure a sufficient level of AI literacy of its staff and other persons dealing with the operation and use of AI systems on its behalf, taking into account their technical knowledge, experience, education and training, and the context in which the AI systems are to be used. Kobby maintains an internal AI-literacy programme for personnel involved in the development and operation of the Platform. Customer is responsible for the AI literacy of its own users.
8. Customer compliance obligations
Customer is responsible for compliance with laws applicable to its use of the Platform, including data protection, employment, consumer protection, communications, call-recording, electronic-messaging, sector-specific, bookkeeping, records-retention and AI-governance laws. Where Customer records calls, monitors employees, processes employee data, uses AI for HR, performance, productivity, compliance or decision-support purposes, or processes sensitive data, Customer is responsible for lawful-basis assessments, privacy notices, employee notices, DPIAs, works-council involvement where applicable, retention policies, data-subject-rights procedures and human-oversight controls.
9. Third-party services and integrations
The Platform may interoperate with third-party services, including hosting, databases, payment processors, messaging providers, telephony providers, email services, AI model APIs, customer-selected integrations and other external systems. Kobby is not responsible for third-party products that Customer enables or uses outside the Platform. Where Kobby uses third-party providers to process Customer Personal Data on Kobby’s behalf, those providers are handled as sub-processors under the DPA/AVV. Where Customer independently enables a third-party integration, Customer is responsible for assessing and authorising that integration.
10. Subscription, fees and payment
Fees, billing cycles, usage limits, overage charges, plan features, taxes and payment terms are specified in the applicable order form, online checkout, subscription plan, invoice or written agreement. Unless otherwise stated, fees are exclusive of taxes and are payable in advance. Kobby may suspend access for overdue payments, payment failures, security risks, legal risks, breach of these Terms or use of the Services that may harm the Platform, Kobby, other customers or third parties.
11. Service levels, support and availability
Kobby will use commercially reasonable efforts to provide the Services reliably. However, the Services may be unavailable due to maintenance, updates, third-party failures, internet disruptions, force majeure, security incidents or circumstances outside Kobby’s reasonable control. Specific service levels apply only if agreed in an order form or service-level agreement.
12. Intellectual property
Kobby owns the Platform, software, systems, designs, documentation, algorithms, models, workflows, know-how and other technology used to provide the Services. Customer owns Customer Data. Subject to these Terms, Kobby grants Customer a limited, non-exclusive, non-transferable right to access and use the Services during the subscription term. Customer grants Kobby the rights necessary to process Customer Data to provide, secure, maintain, troubleshoot and support the Services, and as otherwise permitted by the DPA/AVV and these Terms.
13. Confidentiality
Each party may receive confidential information from the other. The receiving party must protect that information using at least reasonable safeguards, use it only for purposes of the relationship and not disclose it except to personnel, affiliates, advisors, contractors and providers who need access and are bound by confidentiality obligations.
14. Warranties and disclaimers
The Services are provided “as is” and “as available” except where expressly agreed otherwise. Kobby does not warrant that the Services will be uninterrupted, error-free, secure against every threat, or that AI outputs will be accurate, complete or suitable for Customer’s specific use case.
15. Liability
To the maximum extent permitted by law, Kobby is not liable for indirect, incidental, special, consequential, exemplary or punitive damages, or for loss of profits, revenues, goodwill, business opportunities or data, except where such limitation is not permitted by law. Any liability cap, exclusions and carve-outs apply as set out in the applicable order form or written agreement. Nothing in these Terms excludes liability that cannot be excluded under applicable law, including liability for intentional misconduct, gross negligence, death or personal injury caused by negligence, or fraud, where such exclusion is prohibited.
16. Term, termination and deletion
These Terms apply for as long as Customer uses the Services. Either party may terminate according to the applicable order form or subscription terms. Upon termination, Customer’s access may end and Kobby will make Customer Data available for export or delete it according to the DPA/AVV, retention settings and applicable law.
17. Changes to these Terms
Kobby may update these Terms from time to time. If changes are material, Kobby will provide at least 30 days’ advance notice through the Platform, by email or by website notice. Continued use after the effective date constitutes acceptance of the updated Terms, unless applicable law requires a different mechanism.
18. Governing law and venue
Unless an order form states otherwise, these Terms are governed by the laws of the Netherlands, without regard to conflict-of-law rules. The competent courts of Amsterdam, the Netherlands, have exclusive jurisdiction, unless mandatory law (including consumer-protection law under Articles 17–19 of Regulation (EU) 1215/2012 or Article 6 of Regulation (EC) 593/2008) requires another venue or the application of another law.
Privacy Policy
This Privacy Policy explains how Kobby collects, uses, discloses, stores and protects personal data when you visit our website, contact us, create an account, use the Platform, receive support or otherwise interact with us. It is provided in compliance with Articles 12, 13 and 14 GDPR and equivalent provisions of the UK GDPR and Swiss FADP.
1. Controller identity and contact details
The controller responsible for personal data processed for Kobby’s own purposes is:
- Legal entity: [Legal Entity Name, e.g. Kobby B.V.]
- Registered office: Johan Huizingalaan 763A, 1066 VH Amsterdam, Netherlands
- Chamber of Commerce (KvK) number: [KvK number]
- VAT (BTW) number: [VAT number]
- Privacy contact: privacy@kobby.ai
For Customer Personal Data processed through the Platform on behalf of a business Customer, the Customer is the controller and Kobby acts as processor. Data subjects whose data has been entered into the Platform by a Customer (for example employees, suppliers, callers or contacts of that Customer) should direct privacy enquiries primarily to the relevant Customer; Kobby will forward such requests where required.
2. Privacy Contact / Data Protection Officer
Kobby has appointed an internal Privacy Contact responsible for monitoring compliance with this Privacy Policy and applicable data-protection law and for handling data-subject requests addressed to Kobby:
- Email: privacy@kobby.ai
- Postal: Privacy Contact, [Legal Entity Name], Johan Huizingalaan 763A, 1066 VH Amsterdam, Netherlands
Kobby has assessed its obligation to designate a Data Protection Officer under Article 37(1) GDPR. As at the “Last updated” date, Kobby’s core activities do not, in Kobby’s assessment, consist of (i) regular and systematic monitoring of data subjects on a large scale or (ii) large-scale processing of special categories of data, and Kobby therefore does not currently designate a statutory DPO. Kobby reviews this assessment periodically and will designate a DPO and notify the competent supervisory authority if the criteria are met.
3. Categories of personal data we process as controller
- Account data: name, business email, business phone, organisation, role, authentication identifiers, account settings and preferences.
- Billing data: billing address, tax identifiers, invoice details, payment status, payment-provider references and transaction history. Card details are processed directly by Stripe and are not stored by Kobby.
- Communications data: content of emails, support tickets, chat messages with our team, meeting notes, call notes and feedback you send to us.
- Website and Platform usage data: IP address, device type, operating system, browser type and version, language preference, pages or screens viewed, timestamps, referring URL, server logs, error diagnostics and security-relevant events such as login attempts.
- Marketing data: preferences, event registrations, newsletter subscriptions, campaign interactions and unsubscribe history.
We do not knowingly collect special categories of personal data within the meaning of Article 9 GDPR for our own controller purposes.
4. Sources of personal data
- Directly from you, when you register an account, contact us, fill in a form, attend an event or interact with the Platform or website.
- Automatically, when you interact with our website or Platform, through server logs and security telemetry described in section 11 below.
- From your employer or organisation, if a colleague or administrator creates an account or invites you to a Customer workspace.
- From third parties, such as payment processors, public business registers, professional networks, event organisers or referral partners, where lawful and proportionate.
5. Purposes and legal bases of processing
We process personal data for the following purposes and on the following legal bases under Article 6 GDPR. Where we rely on legitimate interests, we have carried out a balancing test, the outcome of which is available on request via privacy@kobby.ai.
| Purpose | Categories of data | Legal basis |
|---|---|---|
| Creating and administering accounts, providing the Platform and customer support | Account, communications, usage | Performance of a contract — Art. 6(1)(b) GDPR |
| Billing, invoicing, payment processing and accounting | Account, billing | Contract — Art. 6(1)(b); legal obligation (tax/accounting law) — Art. 6(1)(c) |
| Securing the Platform, preventing fraud and abuse, debugging and incident response | Usage, account, communications | Legitimate interests in a secure service — Art. 6(1)(f); legal obligation — Art. 6(1)(c) where applicable |
| Product analytics, service reliability and improvement (aggregated/pseudonymised where feasible) | Usage | Legitimate interests — Art. 6(1)(f) |
| Service messages (security notices, billing notices, material changes to terms) | Account, billing | Contract — Art. 6(1)(b); legal obligation — Art. 6(1)(c) |
| Direct marketing to existing business customers about similar Kobby products (opt-out at any time) | Account, marketing | Legitimate interests — Art. 6(1)(f), within the soft opt-in permitted by national implementations of ePrivacy |
| Direct marketing to prospects and newsletter subscriptions | Marketing | Consent — Art. 6(1)(a); withdrawable at any time |
| Handling legal claims, regulatory requests and enforcing terms | All categories as relevant | Legal obligation — Art. 6(1)(c); legitimate interests — Art. 6(1)(f) |
| Corporate transactions (merger, acquisition, due diligence) | All categories as relevant, minimised and under confidentiality | Legitimate interests — Art. 6(1)(f) |
We do not use personal data processed under our controller role for automated decision-making producing legal or similarly significant effects within the meaning of Article 22 GDPR. AI features inside the Platform are used by Customers as controllers; their use of those features is governed by the AI Processing Addendum.
6. Recipients and categories of recipients
- Internal personnel of Kobby and its affiliates, bound by confidentiality.
- Sub-processors providing infrastructure, hosting, database, email, payment, AI model and communications services. The current list and locations are published in the Sub-processor List on this page.
- Professional advisors (legal, accounting, auditors, insurers), bound by professional confidentiality.
- Payment providers (Stripe and equivalent), acting as independent controllers for payment data.
- Competent authorities, courts and regulators where required by law.
- Parties to a corporate transaction under appropriate confidentiality safeguards.
- The relevant Customer, where a request or incident concerns Customer Personal Data processed by Kobby as processor.
We do not sell personal data and do not share it for cross-context behavioural advertising.
7. International transfers
Some of our sub-processors are established outside the European Economic Area, including in the United States and other jurisdictions. Where personal data is transferred outside the EEA, the United Kingdom or Switzerland to a country that does not benefit from a European Commission adequacy decision, we rely on one or more of the following transfer mechanisms under Chapter V GDPR:
- the European Commission Standard Contractual Clauses (Decision (EU) 2021/914), with the appropriate module, supplemented by the UK International Data Transfer Addendum and the Swiss adaptations where applicable;
- the EU-U.S. Data Privacy Framework (Commission Implementing Decision (EU) 2023/1795), where the U.S. recipient is certified for the relevant data categories;
- adequacy decisions under Article 45 GDPR where applicable;
- the derogations in Article 49 GDPR, only in limited and exceptional cases.
We carry out transfer impact assessments where required and implement supplementary technical, organisational and contractual measures such as encryption in transit, encryption at rest where feasible, access restrictions and provider due diligence. You can obtain a copy of the relevant transfer mechanism or further information by writing to privacy@kobby.ai.
8. Retention
We retain personal data only for as long as necessary for the purposes set out in section 5, after which it is deleted or anonymised. The following retention periods apply to data processed under Kobby’s controller role; Customer Personal Data retention is configured by the Customer under the DPA/AVV.
| Data category | Retention period |
|---|---|
| Account data of active customers | Duration of the subscription |
| Account data after account closure | Up to 90 days for export and reactivation, then deletion, unless a longer period is required by law |
| Billing and tax records | 7 years from the end of the financial year (Article 52 of the Dutch General State Taxes Act and equivalent obligations) |
| Support communications and tickets | Up to 3 years after closure of the ticket, for quality, training and dispute purposes |
| Security and authentication logs | Up to 12 months, longer only where required for an active investigation |
| Server and application access logs | Up to 90 days in active systems; aggregated metrics may be retained longer |
| Marketing data (active subscribers) | Until the subscriber objects or withdraws consent |
| Marketing data after unsubscribe | Suppression list retained indefinitely to honour the opt-out (minimum data needed, typically a hashed email) |
| Contract and legal correspondence | Up to the applicable statutory limitation period (in the Netherlands, generally up to 20 years for legal claims, typically 5 years under Article 3:307 BW) |
| Backups | Rotated according to standard backup cycles (typically up to 35 days), after which deleted data is removed from backups |
Where the law requires a shorter retention period for a specific category, that shorter period prevails.
9. Your rights
To the extent that the GDPR or equivalent law applies to the processing of your personal data, you have the following rights, subject to the conditions and limits set out in the GDPR:
- the right of access (Article 15);
- the right to rectification (Article 16);
- the right to erasure (“right to be forgotten”) (Article 17);
- the right to restriction of processing (Article 18);
- the right to data portability (Article 20), for processing based on consent or contract and carried out by automated means;
- the right to object to processing based on legitimate interests, including profiling (Article 21), and an absolute right to object to processing for direct-marketing purposes at any time;
- the right to withdraw consent at any time, where processing is based on consent (Article 7(3)), without affecting the lawfulness of processing carried out before withdrawal;
- the right not to be subject to a decision based solely on automated processing producing legal or similarly significant effects (Article 22). As stated in section 5, we do not carry out such processing under our controller role.
You may exercise these rights by writing to privacy@kobby.ai. We will respond within one month, extendable by a further two months for complex or numerous requests in accordance with Article 12(3) GDPR. We may ask for reasonable information to verify your identity. We do not charge for handling requests unless they are manifestly unfounded or excessive within the meaning of Article 12(5).
10. Security
We implement appropriate technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, in accordance with Article 32 GDPR. These measures are described in the Technical and Organisational Measures section and include encryption in transit, encryption at rest for personal data stores, role-based access control, multi-factor authentication for administrative access, logging and monitoring, vulnerability management, backups and incident response procedures.
11. Children
The Platform and our website are intended for business use and are not directed to children under the age of 16. We do not knowingly collect personal data from children for our own controller purposes. If you believe a child has provided us with personal data, please contact privacy@kobby.ai and we will take appropriate steps to delete it.
12. Automated decision-making and profiling
As stated in section 5, when acting as controller Kobby does not carry out automated decision-making producing legal or similarly significant effects on data subjects within the meaning of Article 22 GDPR. Customers who use AI features inside the Platform are themselves controllers for those purposes and are responsible for assessing and lawfully implementing any such processing, as set out in the AI Processing Addendum.
13. Data not collected directly from the data subject
Where we receive personal data about you from someone other than yourself (for example, a colleague who invites you to a Customer workspace, or a public business register), we comply with Article 14 GDPR by informing you of the source, the categories of data, the purposes and the other information set out in this Privacy Policy at the first reasonable opportunity, ordinarily through this Privacy Policy and the welcome message you receive when first interacting with the Platform.
14. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. The current version, with its “Last updated” date, is always available at kobby.ai/legal.html. For material changes affecting how we process your personal data, we will give reasonable advance notice through the Platform, by email or by website notice before the changes take effect. Previous versions are available on request.
Storage & Tracking Technologies Disclosure
This disclosure explains how the Kobby website and Platform store information on your device and how we comply with Article 5(3) of Directive 2002/58/EC (the “ePrivacy Directive”), as implemented in the Netherlands by Article 11.7a of the Telecommunicatiewet, and with Article 13 GDPR.
1. Technologies we do not use
- first- or third-party analytics cookies (e.g. Google Analytics, Plausible, Matomo cookie variants);
- advertising or retargeting cookies or pixels (e.g. Meta Pixel, LinkedIn Insight Tag, Google Ads);
- social-media share or login cookies;
- session-replay or heatmap tools that store identifiers on your device;
- device-fingerprinting techniques;
- web beacons or tracking pixels in our marketing emails for individual-level open or click tracking.
2. Technologies we do use, and why they are exempt from the consent requirement
A small set of technical mechanisms is necessary for the Platform to function. Each is described below together with the legal basis on which we rely under Article 5(3) ePrivacy and Article 6 GDPR. Authentication tokens are issued only after you log into the Platform with your credentials and are present only on the signed-in dashboard — not on the public website.
| Mechanism | Purpose | Storage location | Duration | Why no consent is required |
|---|---|---|---|---|
| Authentication token (JWT) | Lets the Platform recognise that subsequent requests come from your authenticated session, without re-prompting for your password on every action. Used solely on signed-in pages of the dashboard. | Browser in-memory storage for the duration of the active tab; cleared when the tab is closed or when you log out. | Up to the configured session lifetime (typically a few hours), then expires. | “Strictly necessary for the provision of an information society service explicitly requested by the user” within the meaning of Article 5(3) ePrivacy and EDPB Guidelines 2/2023. Authentication of a user who has chosen to log in is the textbook example of this exemption. |
| Refresh token (where used) | Allows the JWT to be renewed silently while you remain actively logged in, without forcing repeated logins. | Browser in-memory storage. | Same as above. | Same as above; an integral part of the authentication mechanism. |
| CSRF / state tokens (where applicable) | Short-lived security tokens used during login and certain state-changing actions to prevent cross-site request forgery. | Browser in-memory storage. | Single request lifecycle. | Strictly necessary for the security of the requested service. |
| Server-side session record | Allows Kobby to invalidate sessions on logout, password change or security events. | Kobby’s backend (no client-side storage). | Active session, plus a short audit window. | Processed under Art. 6(1)(b) GDPR (contract) and Art. 6(1)(f) (security). Not within the scope of Art. 5(3) ePrivacy as no information is stored on your device. |
3. Information collected without storage on your device
Even though we do not store anything on your device for tracking purposes, your browser necessarily transmits some information to our servers every time you load a page:
- IP address, processed for routing, security, abuse prevention and aggregated geographic statistics. IP addresses are stored in server logs for up to 90 days and may be truncated or pseudonymised where feasible.
- User-agent string (browser, version, operating system), processed for compatibility, security and aggregate diagnostics.
- Request metadata (URL requested, response code, timestamp, referrer header), processed for service operation and security.
These are not stored on your device and so do not fall within Article 5(3) ePrivacy. They are personal data under the GDPR and are processed on the legal bases set out in section 5 of the Privacy Policy.
4. Email communications
We do not embed individual-level tracking pixels in our marketing or transactional emails. Email service providers may collect standard deliverability metadata (delivery status, bounces, spam reports) which we use for the integrity of our mailing system, not to profile individual recipients.
5. Changes to this disclosure
If we introduce any cookie or comparable storage technology in the future that requires consent under Article 5(3) ePrivacy, we will deploy a compliant consent banner that meets EDPB and AP guidance (genuine, granular, freely given consent with an equally prominent “reject all” option) before the technology is activated, and update this disclosure accordingly.
Refund Policy
1. Scope
This Refund Policy applies to paid subscriptions and paid services purchased from Kobby, unless an order form, invoice or separate written agreement states otherwise. The Platform is offered for business use; the EU consumer right of withdrawal under Directive 2011/83/EU does not apply between businesses, but Kobby grants the voluntary refund period below.
2. Trial and refund eligibility
If a paid subscription includes a trial or refund period, the applicable terms will be stated during checkout or in the order form. Unless otherwise stated, a customer may request a refund within 14 days of the first paid subscription purchase, provided the customer has not previously received a refund and has not materially used custom development, implementation, or usage-based services.
3. Non-refundable items
- custom development, consulting, onboarding, migration, integration, training or implementation services;
- usage-based charges, AI usage, call minutes, messaging charges, storage overages or third-party pass-through fees;
- subscription periods already used, unless required by law or agreed in writing;
- refund requests made after the stated refund period;
- accounts suspended or terminated for breach of the Terms or unlawful use.
4. How to request a refund
Contact support@kobby.ai with your account email, organisation name, invoice or subscription ID, purchase date and reason for the request. We may request additional information to verify eligibility.
5. Processing
Approved refunds are normally issued to the original payment method. Processing times depend on the payment provider. Cancellation of a subscription stops future billing but does not automatically entitle the customer to a refund for past charges.
Data Processing Agreement / AVV
1. Definitions
Customer Personal Data means personal data contained in Customer Data that Kobby processes on behalf of Customer. Controller, processor, data subject, personal data, processing and personal data breach have the meanings given in applicable data-protection law.
2. Roles
Customer is the controller of Customer Personal Data, unless Customer acts as processor for another controller, in which case Kobby acts as Customer’s sub-processor. Kobby processes Customer Personal Data as processor only on Customer’s documented instructions, including these Terms, the order form, Customer’s configuration and Customer’s use of the Platform. Kobby is an independent controller for account, billing, security, website, legal and business-contact data processed for Kobby’s own purposes.
3. Subject matter, duration, nature and purpose
The subject matter, duration, nature, purposes, types of data and categories of data subjects are set out in the Processing Annex below. Kobby will process Customer Personal Data for the duration of the Services and any post-termination deletion or export period.
4. Customer instructions
Kobby will process Customer Personal Data only on documented instructions from Customer, unless required by Union or Member State law to which Kobby is subject. If Kobby believes an instruction infringes applicable data-protection law, Kobby will inform Customer unless prohibited by law.
5. Customer obligations
Customer is responsible for:
- having a valid legal basis for processing Customer Personal Data;
- providing privacy notices and transparency information to data subjects;
- obtaining legally required consent, authorisation or approval for call recording and communications monitoring;
- handling data-subject requests and regulatory communications;
- setting retention rules and access permissions;
- assessing DPIA requirements and works-council or employee-consultation requirements where applicable;
- ensuring that Customer’s use of AI outputs and Platform analytics is lawful.
6. Confidentiality
Kobby will ensure that persons authorised to process Customer Personal Data are subject to confidentiality obligations or are under an appropriate statutory obligation of confidentiality.
7. Security
Kobby will implement and maintain appropriate technical and organisational measures designed to protect Customer Personal Data, as described in the TOMs section. Customer acknowledges that security measures may evolve over time, provided they do not materially reduce the overall level of protection.
8. Sub-processors
Customer grants Kobby general authorisation to engage sub-processors listed in the Sub-processor List or otherwise notified to Customer. Kobby will impose data-protection obligations on sub-processors that are substantially equivalent to those in this DPA, including confidentiality, security, deletion and transfer obligations.
Kobby will provide at least 30 days’ prior notice of any new or replacement sub-processor through the Platform, by email or on this page. Customer may object on reasonable data-protection grounds within that notice period. If the parties cannot resolve an objection, Customer may terminate the affected Services for convenience according to the Terms or order form, with a pro-rata refund of pre-paid fees for the unused period.
9. International transfers
Where Customer Personal Data is transferred outside the EEA, UK, Switzerland or another relevant protected jurisdiction, Kobby will use appropriate transfer mechanisms as described in the International Transfer Terms.
10. Assistance
Taking into account the nature of processing and the information available to Kobby, Kobby will reasonably assist Customer with data-subject requests, DPIAs, prior consultation, security obligations, breach assessment, deletion, export and other obligations under applicable data-protection law.
11. Personal data breaches
Kobby will notify Customer without undue delay, and in any event within 48 hours of becoming aware, of a personal data breach affecting Customer Personal Data. The notice will include the information reasonably necessary for Customer to assess its notification obligations under Articles 33 and 34 GDPR, including the nature of the incident, affected data categories and approximate number of data subjects and records, likely consequences, mitigation measures taken or proposed, and a contact point for follow-up. Where the full information is not available within 48 hours, Kobby will provide an initial notification and supplement it as the investigation progresses.
12. Return and deletion
At the end of the Services, Kobby will return or delete Customer Personal Data according to Customer’s instructions, the Platform’s export/deletion functionality, the order form and applicable law. Unless a longer period is agreed in writing or required by law, deletion from active systems will be completed within 30 days of termination. Deletion from backups will occur according to standard backup cycles (typically up to 35 days), during which backup data remains encrypted, access-restricted and is not restored to active processing except where necessary for disaster recovery, legal compliance or security.
13. Audits and information
Kobby will make available the information reasonably necessary to demonstrate compliance with this DPA, including security documentation, sub-processor information, certifications, third-party audit summaries, questionnaires and contractual evidence. Customer may request an on-site audit no more than once per year (and more frequently in case of a documented incident or regulator request), upon reasonable prior notice, subject to confidentiality, security restrictions and limitations to protect other customers, systems or sensitive security information. Audits may be carried out through an independent, mutually acceptable third-party auditor where appropriate.
14. Order of precedence
If there is a conflict between this DPA and the other Terms, this DPA controls for the processing of Customer Personal Data as processor. Mandatory Standard Contractual Clauses control over conflicting terms for restricted international transfers.
Processing Description Annex
| Item | Description |
|---|---|
| Subject matter | Provision, hosting, support, maintenance, security, integration, communication, AI processing, automation, reporting and administration of the Kobby.ai Platform. |
| Duration | The term of the customer subscription or order, plus any legally required or contractually agreed retention, export, deletion, backup or transition period. |
| Nature of processing | Collection, receipt, transmission, hosting, storage, indexing, retrieval, display, search, analysis, transformation, transcription, summarisation, classification, automation, enrichment, export, logging, deletion and support access. |
| Purposes | Enabling Customer to manage business operations, CRM, ERP, communications, workflows, tasks, records, reports, integrations, AI-assisted features and related business processes. |
| Data subjects | Customer users, employees, contractors, customers, prospects, leads, suppliers, partners, callers, message recipients, business contacts, support contacts and other individuals included in Customer Data. |
| Personal data categories | Names, roles, emails, phone numbers, organisation details, account details, CRM records, ERP records, communications, messages, call recordings, voice data, transcripts, summaries, metadata, tasks, notes, files, attachments, activity logs, usage logs, prompts, AI outputs, integration data and business records. |
| Special category or sensitive data | The Platform is not designed to require special category data, but such data may be included by Customer or data subjects in calls, messages, records, files or transcripts. Customer is responsible for determining whether sensitive data may be processed and for applying appropriate safeguards. |
| Frequency | Continuous or as initiated by Customer, Customer users, integrations, workflows, communications, AI features or support requests. |
Technical and Organisational Measures (TOMs)
Kobby maintains appropriate technical and organisational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, unauthorised access, and other unlawful processing, in accordance with Article 32 GDPR. Measures may vary depending on plan, configuration, region, customer instructions and feature set.
| Control area | Measures |
|---|---|
| Governance | Internal security responsibilities, confidentiality obligations, access-approval processes, personnel awareness, vendor review and incident escalation procedures. |
| Access control | Role-based access control, least privilege, unique user accounts, administrative access restrictions, support access controls, session management and access review processes. |
| Authentication | Password controls, secure authentication mechanisms, mandatory multi-factor authentication for administrative and privileged access, credential protection and account recovery safeguards. |
| Encryption and transmission | Encryption in transit using TLS 1.2 or higher (or equivalent secure protocols such as SSH). Encryption at rest for all personal data stores using industry-standard algorithms. |
| Tenant separation | Logical separation of customer environments, access restrictions, customer-specific permissions and controls designed to prevent unauthorised cross-customer access. |
| Logging and monitoring | System logs, security logs, access logs, administrative logs, export logs, AI processing logs, deletion logs and alerting where appropriate. |
| Backups and resilience | Encrypted backups, disaster-recovery procedures, availability controls, backup access restrictions and periodic restoration testing. |
| Vulnerability management | Patch management, dependency monitoring, security testing, vulnerability review, remediation processes and secure development practices. |
| Data minimisation | Configuration options for retention, deletion, access restrictions, call-recording controls and minimisation of data sent to third-party AI providers where feasible. |
| Deletion | Customer-configurable deletion, account-termination deletion, backup deletion cycles, sub-processor deletion instructions and deletion logs where available. |
| Incident response | Incident triage, containment, investigation, remediation, customer notification, evidence preservation and post-incident review procedures. |
| AI-specific controls | Provider selection, approved AI-provider routing, prompt and output handling controls, no unauthorised model training, traceability of AI processing and human review expectations. |
Sub-processor List
Kobby uses selected sub-processors to provide, secure, support and improve the Platform. Not all sub-processors are used for every customer or every feature. Actual use depends on configuration, region, enabled integrations, plan, customer instructions and product availability. Kobby will maintain an up-to-date list and provide at least 30 days’ notice of material changes as set out in the DPA/AVV.
| Sub-processor | Purpose | Data categories | Processing location |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure, hosting, storage, compute and related services where enabled | Customer Data, account data, logs, files, system metadata | EU (Frankfurt / Ireland) by default; other regions only where explicitly configured |
| MongoDB Atlas | Database hosting and management where enabled | Application data, CRM/ERP records, metadata, logs | EU (Frankfurt / Ireland) by default |
| Contabo | Hosting servers and infrastructure where enabled | Application data, call recordings, transcripts, metadata, logs | Germany (Nuremberg / Munich) |
| Stripe | Payment processing, subscription billing and invoicing | Billing data, transaction data, account identifiers | Ireland (EU); United States (transfers under SCCs / DPF) |
| Google Workspace / Gmail | Email, business communications, support communications and administrative messaging | Business contact data, communications, support data | EU regions; United States (transfers under SCCs / DPF) |
| Namecheap / PrivateEmail | Email hosting and domain-related communications where enabled | Business contact data, communications, support data | United States (transfers under SCCs) |
| OpenAI | AI model API for text generation, analysis, summarisation, classification, drafting and other AI features where enabled. No training on Customer Personal Data. | Prompts, messages, transcripts, summaries, metadata, selected Customer Data | EU regions where offered; otherwise United States (transfers under SCCs / DPF) |
| Anthropic | AI model API for text generation, analysis, summarisation, classification, drafting and other AI features where enabled. No training on Customer Personal Data. | Prompts, messages, transcripts, summaries, metadata, selected Customer Data | EU regions where offered; otherwise United States (transfers under SCCs / DPF) |
| Google Gemini / Google Cloud AI | AI model API and AI infrastructure where enabled. No training on Customer Personal Data. | Prompts, messages, transcripts, summaries, metadata, selected Customer Data | EU regions where offered; otherwise United States (transfers under SCCs / DPF) |
| 360dialog / WhatsApp Business API providers | Messaging integrations, WhatsApp communication routing and related services where enabled | Contact details, message content, message metadata | EU (Germany / Ireland); Meta processing under SCCs as applicable |
| Customer-selected integrations | Integrations enabled by Customer, such as email, telephony, calendar, accounting, messaging, analytics, storage, CRM, ERP or automation systems | Data selected or transmitted by Customer through the integration | Depends on the integration provider; Customer is responsible for assessing transfer mechanisms |
International Transfer Terms
These International Transfer Terms apply where Customer Personal Data is transferred from the European Economic Area, United Kingdom, Switzerland or another protected jurisdiction to a country that does not benefit from an adequacy decision or equivalent lawful transfer basis.
1. Transfer mechanisms
- European Commission Standard Contractual Clauses (Decision (EU) 2021/914);
- UK International Data Transfer Addendum or UK International Data Transfer Agreement where applicable;
- Swiss transfer adaptations where applicable;
- adequacy decisions by the European Commission or relevant authority;
- EU-U.S. Data Privacy Framework (Commission Implementing Decision (EU) 2023/1795) where applicable and valid;
- derogations or other lawful transfer mechanisms where permitted by Article 49 GDPR.
2. Standard Contractual Clauses
Where Standard Contractual Clauses are required, the applicable module is selected according to the parties’ roles: Module Two (controller-to-processor) for Customer-to-Kobby transfers where Kobby is established outside the protected jurisdiction, and Module Three (processor-to-processor) for Kobby-to-sub-processor transfers. The SCCs are incorporated by reference to the extent required for lawful transfers and prevail over conflicting terms.
3. Transfer impact assessments and supplementary measures
Where required, Kobby will reasonably assist with transfer impact assessments by providing information about processing, locations, transfer mechanisms, sub-processors and safeguards. Supplementary measures may include encryption in transit, encryption at rest, access restrictions, data minimisation, provider due diligence, contractual commitments and logging.
4. Onward transfers
Sub-processors may make onward transfers only where permitted under their agreement with Kobby and subject to appropriate safeguards. Kobby maintains a sub-processor framework designed to ensure onward transfers remain lawful.
AI Processing Addendum
This AI Processing Addendum applies to AI-enabled features of the Platform, including AI chat, transcription, summarisation, classification, recommendations, drafting, search, workflow automation, analysis, insights and reporting. It is read together with the AI Act (Regulation (EU) 2024/1689).
1. Roles under the AI Act
Where Kobby develops AI functionality embedded in the Platform and places it on the market under its own brand, Kobby acts as a provider of an AI system within the meaning of Article 3(3) AI Act. Where Customer uses that functionality in the course of its own activity under its authority, Customer acts as a deployer within the meaning of Article 3(4). Customer may itself become a provider under Article 25 AI Act if it substantially modifies the system, puts it into service under its own name or trademark, or modifies the intended purpose into one that classifies the system as high-risk. Where the Platform integrates a general-purpose AI model from a third-party provider listed in the Sub-processor List, that third-party provider remains the provider of the underlying GPAI model.
2. Permitted AI use
Customer may use AI features to assist with business operations, CRM, ERP, workflow management, communications, documentation, support, analytics and productivity, subject to these Terms, applicable law and Customer’s internal policies.
3. Article 5 AI Act — prohibited practices
Customer must not use the Platform, and Kobby will not knowingly enable the Platform to be used, for any AI practice prohibited under Article 5 of the AI Act, including:
- subliminal techniques beyond a person’s consciousness, or purposefully manipulative or deceptive techniques, with the objective or effect of materially distorting a person’s behaviour in a way that causes or is likely to cause significant harm;
- exploitation of vulnerabilities of a person or group due to age, disability or specific social or economic situation;
- social scoring of natural persons based on social behaviour or personal characteristics leading to detrimental or unfavourable treatment;
- risk assessments of natural persons to assess or predict the risk of committing a criminal offence based solely on profiling or personality traits;
- untargeted scraping of facial images from the internet or CCTV to build or expand facial-recognition databases;
- emotion recognition in the workplace and educational institutions, except for strictly medical or safety reasons;
- biometric categorisation systems that infer race, political opinions, trade-union membership, religious or philosophical beliefs, sex life or sexual orientation;
- real-time remote biometric identification in publicly accessible spaces for law-enforcement purposes, except in the narrow exceptions provided by the AI Act.
4. High-risk AI use cases
Customer must notify Kobby in writing before using the Platform for any use case classified as high-risk under Annex III of the AI Act, including biometrics; critical infrastructure; education and vocational training; employment, worker management and access to self-employment (including recruitment, performance evaluation, task allocation and promotion); access to essential private and public services and benefits (including creditworthiness, insurance pricing); law enforcement; migration, asylum and border control; and administration of justice and democratic processes. Such use is subject to a separate written assessment and to the additional safeguards required by Chapter III of the AI Act (risk management, data governance, technical documentation, record-keeping, transparency, human oversight, accuracy/robustness/cybersecurity, post-market monitoring and conformity assessment), as allocated between Kobby and Customer based on their respective roles.
5. Customer responsibilities (Article 26 obligations of deployers)
Customer is responsible for:
- determining whether an AI use case is lawful, appropriate and proportionate;
- providing notices and obtaining consent or authorisation where required;
- ensuring effective human oversight of AI outputs before they are used for important business or individual-impacting decisions, by persons with the necessary competence, training and authority;
- ensuring that input data is relevant and sufficiently representative for the intended purpose, where Customer controls the input;
- monitoring the operation of the AI system in line with Kobby’s instructions and informing Kobby of serious incidents or risks identified;
- conducting a fundamental rights impact assessment (FRIA) where required by Article 27 AI Act;
- complying with works-council, staff-council or employee-consultation duties before deploying AI systems in the workplace;
- ensuring that AI outputs are not used in a discriminatory, deceptive, unsafe, unlawful or unfair manner.
6. Article 50 transparency obligations
From 2 August 2026, the Platform implements the transparency requirements of Article 50 AI Act:
- natural persons interacting with an AI system (for example AI chat or voice agents) are informed that they are interacting with an AI system, unless that is obvious from the circumstances and context of use;
- synthetic audio, image, video or text content generated or manipulated by the Platform is, where required, marked as artificially generated or manipulated in a machine-readable format;
- where Customer uses AI to generate text published with the purpose of informing the public on matters of public interest, Customer must disclose that the text has been artificially generated, except for limited exceptions in the AI Act;
- where Customer deploys an emotion-recognition or biometric-categorisation system (outside the prohibitions in Article 5), Customer must inform the natural persons exposed to it.
7. No unauthorised model training
Kobby will not use Customer Personal Data — including audio, transcripts, prompts, outputs, embeddings, files, CRM/ERP records or metadata — to train general AI models, and contractually requires its AI sub-processors not to use Customer Personal Data to train their models, unless Customer expressly authorises it in writing and a valid legal basis and transparency requirements are satisfied.
8. AI provider routing
Kobby may route AI requests to approved AI providers listed as sub-processors. Routing may depend on availability, performance, configuration, geography, model capability, legal restrictions and customer settings. Customer may, where the Platform supports it, restrict routing to specific providers or regions.
9. Accuracy, review and traceability
AI outputs may be inaccurate. Customer must review AI outputs before relying on them. Where feasible, Kobby maintains traceability between AI outputs and the relevant input, such as the source message, call, transcript, record, workflow, prompt or integration event, and logs in accordance with the TOMs.
Call Recording Addendum
This Call Recording Addendum applies where Customer enables call recording, call logging, voice processing, speech-to-text, transcription, call summaries, voice analytics or AI analysis of calls through the Platform or connected telephony providers.
1. Customer responsibility for lawful recording
Customer is responsible for ensuring that every call recording is lawful. This includes determining and documenting the legal basis, providing required notices, obtaining consent or authorisation where required, handling objections, training employees, configuring non-recorded alternatives and complying with telecommunications, employment, criminal, consumer-protection and data-protection laws of all relevant jurisdictions.
2. Member-State variations
Call-recording rules vary significantly across EU Member States. Without limitation:
- Netherlands — Articles 139a–139c of the Dutch Criminal Code criminalise unlawful recording of private conversations; for B2B and call-centre contexts, AP guidance imposes strict transparency and retention requirements.
- Germany — § 201 StGB protects the confidentiality of the spoken word; in commercial practice, recording of telephone conversations typically requires the consent of all parties.
- France — CNIL guidance requires prior information and proportionate retention; recording for quality or training purposes must be limited and justified.
- Italy and Spain — Garante and AEPD impose specific transparency, retention and access-rights duties.
3. No recording before required notice or authorisation
Where applicable law requires consent, authorisation or prior notice before recording, Customer must configure the Platform and related telephony systems so that recording does not start until the required step is completed. In jurisdictions with stricter rules, including Germany, Customer must ensure that legally valid authorisation or consent is obtained before recording begins, unless a specific lawful exception applies.
4. Inbound calls
For inbound calls, Customer should ensure that callers receive a clear announcement before recording starts, explaining that the call may be recorded, transcribed, analysed using AI, stored and used for specified purposes such as documentation, quality assurance, customer support, compliance, training or workflow management. Where required, callers must be given a genuine choice or an alternative non-recorded channel.
5. Outbound calls
For outbound calls, Customer must ensure that the called party is informed before recording starts and that any required consent or authorisation is obtained. Recording should be technically blocked, delayed or discarded if the required notice or authorisation step fails, where such controls are available.
6. Internal and employee calls
If employee calls may be recorded or analysed, Customer must provide employee notices, internal policies, training, legal-basis assessments, retention rules and human-oversight rules. Where a works council, staff council, union or similar employee representative body has co-determination or consultation rights, Customer must complete the required process before enabling recording or monitoring features. Customer must also assess Article 5 AI Act limits on emotion recognition in the workplace.
7. Recording logs
Where technically available, Kobby will provide recording-related logs such as call ID, direction, user, timestamp, recording start/stop time, notice/consent configuration, recording status, transcript status, AI processing status, export events and deletion events. Customer is responsible for using these logs to demonstrate compliance.
8. AI processing of recordings
AI processing of calls must only be enabled where recording and subsequent processing are lawful. Customer must ensure that notices cover transcription, summarisation, AI analysis, retention, recipients and rights where required. Kobby will process recordings and transcripts according to Customer’s instructions and the DPA/AVV.
9. Retention and deletion
Customer is responsible for setting retention periods for recordings, transcripts, summaries, metadata and AI outputs. Kobby implements deletion according to Platform functionality, Customer instructions and applicable technical limitations, including backup deletion cycles described in the DPA.
GDPR Compliance
1. Controller and processor roles
Kobby acts as controller for personal data processed for its own business purposes and as processor for Customer Personal Data processed through the Platform on behalf of Customer. Customer remains responsible for determining purposes, legal bases, retention, access rules, notices, AI use cases, call-recording rules, employee-data processing and data-subject rights.
2. Customer-side GDPR documents
- privacy notices for customers, callers, employees, suppliers and other data subjects;
- lawful-basis assessments and legitimate-interest assessments;
- call-recording scripts and consent/authorisation records;
- Data Protection Impact Assessments for high-risk processing;
- records of processing activities;
- retention and deletion policies;
- data-subject-rights procedures;
- employee-monitoring and AI-use policies;
- works-council, staff-council, union or employee-representative agreements where required;
- AI governance and human-oversight documentation; fundamental-rights impact assessments where required.
3. Kobby-side GDPR controls
- DPA/AVV under Article 28 GDPR;
- Technical and Organisational Measures under Article 32 GDPR;
- sub-processor management with at least 30 days’ notice and contractual flow-down obligations;
- international transfer safeguards under Chapter V GDPR;
- incident-response and breach-notification procedures (within 48 hours to Customer);
- access, export and deletion procedures;
- support for DPIAs and data-subject rights;
- AI-processing safeguards and no-unauthorised-model-training commitment.
4. Data-subject requests
Where Kobby receives a request relating to Customer Personal Data, Kobby will refer the request to the relevant Customer and reasonably assist Customer with requests for access, deletion, correction, restriction, objection and portability, taking into account Platform functionality and the nature of processing.
5. Supervisory authority
The lead supervisory authority for Kobby is the Dutch Autoriteit Persoonsgegevens (AP). Data subjects also have the right to lodge a complaint with the supervisory authority of their country of residence, place of work or place of the alleged infringement.
Contact
For questions about these Legal Policies, please contact:
- Legal: legal@kobby.ai
- Privacy contact: privacy@kobby.ai
- Support: support@kobby.ai
- Postal address: [Legal Entity Name], Johan Huizingalaan 763A, 1066 VH Amsterdam, Netherlands
- KvK: [KvK number] · VAT/BTW: [VAT number]