GDPR Compliance

Vocero is a European company based in Spain. We are fully committed to complying with the General Data Protection Regulation (EU) 2016/679 ("GDPR"). Data protection is not an afterthought — it is built into every aspect of our platform.

When you use Vocero for your business, you act as the Data Controller for your customers' personal data. Vocero acts as the Data Processor, processing data on your behalf according to your instructions and our Data Processing Agreement (DPA).

We process personal data under the following legal bases:

• Contract performance — to provide the Service you have subscribed to
• Legitimate interest — for security, fraud prevention, and service improvement
• Consent — for optional analytics and marketing communications
• Legal obligation — for tax, accounting, and regulatory compliance

All customer data is stored and processed within the European Union. Our primary infrastructure providers maintain EU-based data centres, ensuring your data never leaves the EU without adequate safeguards.

We use the following sub-processors, all with appropriate data protection measures:

• Supabase (EU) — Database and authentication
• Vercel (EU edge) — Application hosting
• Anthropic (with EU DPA) — AI model provider
• Stripe (EU) — Payment processing
• Twilio (with EU DPA) — WhatsApp messaging

We support all GDPR data subject rights and provide tools in the dashboard for you to manage your customers' data requests. For your own account data, you can exercise your rights by contacting privacy@vocero.io.

Conversation data is retained for the duration of your subscription plus 30 days. After account deletion, all associated data is permanently erased within 90 days. You can export your data at any time from the dashboard.

In the event of a personal data breach, we will notify affected Data Controllers within 72 hours as required by Article 33 of the GDPR.

Our Data Protection Officer can be reached at dpo@vocero.io.