Our GDPR Commitments
AI in customer operations can involve sensitive information, complex data flows and decisions that affect people. This page explains the privacy and governance principles we apply, subject to the documented scope of each engagement.
Our Core Commitments
Why This Matters in Contact Centres
Contact-centre recordings and notes often contain personal data, and may include information about health, vulnerability or financial circumstances. AI-assisted routing, scoring and summarisation therefore need careful purpose, access, retention and oversight controls.
In our experience, the most common GDPR risks in contact centre AI deployments include:
- Call recordings processed or stored on US-based servers without adequate safeguards
- AI systems trained on customer interaction data without appropriate legal basis
- Automated routing and scoring decisions with no audit trail or explainability
- Unstructured call notes containing special category data (health, financial difficulty) not handled separately
- Retention periods for call data not enforced systematically, creating regulatory exposure
We assess relevant risks and recommend proportionate controls as part of our Operations & Efficiency Audit. Formal legal advice remains the client's responsibility.
Your Responsibilities as Data Controller
Where SereneAI processes personal data on behalf of your organisation, you remain the data controller under UK GDPR. This means you retain responsibility for:
- Establishing the legal basis for processing customer interaction data
- Maintaining your own privacy notices and informing customers of automated processing
- Handling subject access requests from your customers
- Ensuring retention policies are enforced consistently across all systems
We will support you in all of these areas as part of our engagement, but legal responsibility remains with your organisation as controller.
Sub-Processors
Where our solutions involve third-party technology providers acting as sub-processors, we will document these in the Data Processing Agreement provided at the start of your engagement. We will notify you of any material changes to sub-processors that may affect your data.
Data Breach Notification
In the event of a personal data breach affecting data we process on your behalf, we will notify the relevant controller without undue delay and provide available information needed for the controller's assessment. The controller is responsible for deciding whether notification to the ICO or affected people is required, including the controller's applicable 72-hour reporting period.
Questions About Our GDPR Approach
If you have questions about how we handle data โ either in connection with our website or in relation to a potential or existing engagement โ please contact us directly.
GDPR & Data Enquiries
SereneAI Ltd
Blackpool, England
Company No. 16646814
Email: daniel.turner@sereneai.co.uk
We aim to respond to all data-related enquiries within 5 working days.