Privacy Policy

Updated · 8 July 2026

This policy explains how we process personal data on this website and in the Nuntio service, in accordance with Regulation (EU) 2016/679 (GDPR) and other applicable law. The underlying rule is simple: we process data only to provide the service and protect your information, never for unrelated purposes. Because the service operates over WhatsApp through Meta's WhatsApp Business Platform, this policy also sets out the consent and opt-out rules governing those messages.

On this page
  1. 1Controller, dual role and contact
  2. 2Dual role: controller and processor
  3. 3Our commitment
  4. 4Data we process on the website
  5. 5Data processed in the Nuntio service
  6. 6Source of the data
  7. 7Consent and WhatsApp messaging
  8. 8Purposes and legal bases
  9. 9Data minimization
  10. 10Recipients and sub-processors
  11. 11International transfers
  12. 12Security
  13. 13Retention
  14. 14Your GDPR rights and how to exercise them
  15. 15US / California residents
  16. 16Data-breach notification
  17. 17Minors and automated decisions
  18. 18Changes to this policy

1. Controller, dual role and contact#

The controller of this website and of the customer account is Nuntio Technologies Limited, a company registered in Ireland under number 810417, with its registered office at The Black Church, St. Mary's Place, Dublin 7, D07 P4AX (Ireland).

We have designated a privacy contact point to handle any matter relating to your data and the exercise of your rights. Privacy contact: support@nuntio.ai · Tel.: +353 1 969 2059 / +353 1 233 7942.

We are not required to appoint a Data Protection Officer (DPO); nevertheless, the contact above centralizes all privacy matters.

2. Dual role: controller and processor#

Nuntio acts in two distinct capacities depending on the data involved, and this determines our obligations:

  • Controller — with respect to the data of visitors to this website and of the customer account that contracts Nuntio (registration, billing and service-administration data). In these cases we decide the purposes and means of processing, and this policy governs them in full.
  • Processor (Art. 28 GDPR) — with respect to the data of the end customers of the businesses that contract Nuntio. Here the business is the controller: it decides what data is processed and for what purpose, and Nuntio acts on its documented instructions under the data processing agreement (DPA) that forms part of the contract.

In short: when you browse the website or manage your account, Nuntio is the controller; when a business uses Nuntio to serve its own customers, the business is the controller and Nuntio is its processor.

3. Our commitment#

The principle that governs Nuntio regarding the data of the businesses that use it and their customers is simple and admits no nuance:

  • We don't read it.
  • We don't sell it.
  • We don't train on it.
  • We don't share it.

Access to customer data is limited to what is strictly necessary to operate and support the service, always under confidentiality obligations. We do not use customer data to train artificial-intelligence models, nor do we transfer it to third parties for commercial purposes.

4. Data we process on the website#

As controller of the site, we process a minimal set of data when you visit it:

  • Browsing preferences stored on your device (chosen sector and light/dark theme). They never leave your browser.
  • Minimal technical data inherent to the visit (e.g. hosting-provider logs for security and service stability).
  • The data you provide if you write to us (your email address and the content of your message).
  • Page-usage measurement, with your consent, using Google Analytics 4 (Google Ireland Limited) — aggregated usage only, and off unless you accept it. See our Cookie Policy.

For the full detail of what we store on your device and how to clear it, see our Cookie Policy.

5. Data processed in the Nuntio service#

If your business contracts Nuntio, the service processes the data needed to operate: conversations from the connected channels (mainly WhatsApp through Meta's WhatsApp Business Platform), catalog, calendar, contacts and, if you connect it, accounting information. The service is organized around an orchestrator (Nexus) and a set of specialized Agents that carry out the tasks.

With respect to this end-customer data of the business, Nuntio acts as a processor under the contract and the data processing agreement (Art. 28 GDPR) signed on contracting. The business is the controller of that data and of the lawfulness of its processing, including the information it provides to those customers (Arts. 13 and 14 GDPR).

Additionally, as controller, we process the customer account data: contact person, access credentials, billing data and service-usage logs. Billing is carried out in euros (EUR).

6. Source of the data#

As controller, most of the data is provided directly by you (contact form, registration and account administration) or is generated automatically when using the website and the service (technical and usage logs).

As processor, we do not obtain end-customer data from those customers directly; rather, it is provided to us by the controller business or generated through the conversations and the tools the business chooses to connect. The obligation to inform those individuals (Arts. 13 and 14 GDPR) lies with the controller business.

7. Consent and WhatsApp messaging#

WhatsApp messaging is governed by a clear principle: before sending proactive messages to a contact, there must be that person's explicit and affirmative consent (opt-in). That consent must be obtained independently of any other acceptance of terms and conditions; it is not deemed granted by the mere fact of accepting other terms, by pre-ticked boxes, or by silence or inaction (Art. 7 GDPR).

The business that contracts Nuntio is responsible for obtaining, recording and being able to demonstrate the consent of its own contacts before initiating communications with them, as well as for complying with the policies of the WhatsApp Business Platform and Meta's business messaging.

Consent may be withdrawn at any time, as easily as it was given, without affecting the lawfulness of processing based on it before withdrawal. Any recipient can opt out by replying «BAJA» or «STOP». On receiving that request, proactive messages to that WhatsApp number stop and the preference is recorded to be respected going forward.

8. Purposes and legal bases#

  • Handling your inquiries — performance of pre-contractual measures / legitimate interest.
  • Providing the contracted service and managing the customer account — performance of the contract.
  • Processing the business's end-customer data — on behalf of the controller business, on its instructions (Art. 28 GDPR).
  • Complying with legal obligations (e.g. billing and accounting) — legal obligation.
  • Maintaining security and preventing fraud or abuse of the service — legitimate interest.
  • Improving the site with aggregated metrics — legitimate interest.
  • Sending commercial communications, only if you consent — consent (revocable at any time).

Where the basis is legitimate interest, we have balanced our interests against your rights and freedoms; you may request information about that balancing and object to the processing through the privacy contact.

9. Data minimization#

We process only data that is adequate, relevant and limited to what is necessary for each purpose (Art. 5 GDPR). We do not collect information we do not need, we avoid requesting sensitive data, and we limit internal access to what is strictly essential to operate and support the service.

Where a purpose can be achieved with aggregated or anonymized data, we choose that over processing identifiable data.

10. Recipients and sub-processors#

We do not sell personal data. We rely on providers that render services to us (sub-processors), always under data processing contracts that require them to process data only in accordance with our instructions and with security guarantees. Currently they are:

  • Vercel Inc. — hosting and infrastructure for the site and the service.
  • Meta Platforms — WhatsApp Business Platform (messages travel over WhatsApp under its terms).
  • Artificial-intelligence model providers — to process the service's tasks.
  • Tools the customer chooses to connect (e.g. Holded for accounting or Google Calendar).

When, as processor, we add or change a sub-processor affecting the processing of end-customer data, we will inform the controller business under the processing agreement, with sufficient notice for it to exercise its right to object.

11. International transfers#

We prioritize processing within the European Economic Area. Where a provider processes data outside the EEA, it will do so with appropriate safeguards under Chapter V of the GDPR (Arts. 44 et seq.): adequacy decisions of the European Commission (including the EU–US Data Privacy Framework where applicable) or, failing that, standard contractual clauses approved by the Commission, supplemented with additional measures where necessary.

You may request information about the safeguards applied to a specific transfer, and a copy of those safeguards, through the privacy contact.

12. Security#

We apply appropriate technical and organizational measures (Art. 32 GDPR) to protect data against unauthorized access, loss or alteration. Among others:

  • Encryption in transit (TLS/HTTPS) of communications with the site and the service.
  • Encryption at rest at the infrastructure-provider level.
  • Access control restricted to authorized administrators, under the principle of least privilege.
  • Two-factor authentication (2FA) on administrative access.
  • Logging of access and relevant activity to enable auditing and incident detection.
  • Confidentiality duties for all staff and minimization of the data processed.

It should be noted that end-to-end encryption is a feature of WhatsApp's message transport; we do not claim that data stored in the service is end-to-end encrypted, but rather protected by the measures described. We do not claim certifications (such as ISO 27001 or SOC 2) that we do not hold.

13. Retention#

We keep data for as long as the relationship that justifies its processing exists and, thereafter, blocked during the limitation periods for potential legal liabilities (e.g. accounting and tax obligations).

As processor, we keep the business's end-customer data for the term of the contract and, on its termination, return or delete it according to the controller business's instructions and as provided in the processing agreement.

Local preferences remain in your browser until you delete them.

14. Your GDPR rights and how to exercise them#

You may exercise your rights of access, rectification, erasure, objection, restriction of processing and portability, as well as withdraw your consent where it is the basis for processing, by writing to support@nuntio.ai. We will respond within a maximum of one month, extendable by a further two months in complex cases, of which we would inform you. Exercising these rights is free of charge.

If the data is processed by Nuntio as processor on behalf of a business (end-customer data), address your request to the controller business; Nuntio will provide it the assistance needed to handle it.

If you believe we have not processed your data correctly, you may lodge a complaint with the Data Protection Commission of Ireland (dataprotection.ie), the lead supervisory authority. If you reside in Spain, you may also turn to the Spanish Data Protection Agency (aepd.es).

15. US / California residents#

If you reside in California, the Consumer Privacy Act (CCPA), as amended by the CPRA, grants you certain rights over your personal data:

  • The right to know what personal data we collect, use and disclose.
  • The right to access your personal data and obtain a copy.
  • The right to request deletion of your personal data.
  • The right to correct inaccurate personal data.
  • The right to opt out of the sale or sharing of your personal data and to limit the use of sensitive personal information.
  • The right not to be discriminated against for exercising any of these rights.

We do not sell personal data or share it for cross-context behavioral advertising, and we have not done so in the past twelve months. You may exercise these rights, yourself or an authorized agent acting on your behalf, by writing to support@nuntio.ai; we will verify your identity before handling the request.

16. Data-breach notification#

We have procedures to detect and manage personal-data security breaches. When we act as controller and where appropriate, we will notify the breach to the competent supervisory authority without undue delay and, where feasible, within a maximum of 72 hours of becoming aware of it (Art. 33 GDPR), and inform affected individuals if there is a high risk to their rights and freedoms (Art. 34 GDPR).

When we act as processor, we will notify the controller business without undue delay of any breach affecting its end-customer data, so that it can meet its own notification obligations.

17. Minors and automated decisions#

This site and the service are aimed at businesses and are not intended for minors; in particular, they are not directed to children under 16 (the age of digital consent under Irish law). We do not knowingly collect data from minors; if we detect that we have processed a minor's data without an adequate basis, we will delete it.

We do not make decisions based solely on automated processing that produce legal effects on individuals or similarly significantly affect them (Art. 22 GDPR). The service's artificial intelligence assists with support and, in the face of reasonable doubt, is designed to hand the conversation over to a person at the business.

18. Changes to this policy#

We will post here any material change to this policy, indicating the date of last update. If the changes are substantial, we will endeavor to give notice by appropriate means before they take effect.