Skip to main content
SereneAI
  • Services
  • Life@Me
  • How We Work
  • About
  • Contact
Book a Call
Services Life@Me How We Work About Contact
โ† Back to home

Our GDPR Commitments

SereneAI Ltd ยท Company No. 16646814 ยท Last updated: 10 July 2026

AI in customer operations can involve sensitive information, complex data flows and decisions that affect people. This page explains the privacy and governance principles we apply, subject to the documented scope of each engagement.

Our Core Commitments

๐Ÿ‡ฌ๐Ÿ‡ง
Documented Hosting and Data Residency
Hosting regions, data flows, retention and subprocessors are selected and documented for each deployment. Where UK-only processing is required, it must be verified in the technical configuration and reflected in the contract.
๐Ÿ”’
Data Minimisation by Default
We design every solution to collect only the data that is strictly necessary for the stated purpose. We do not build systems that harvest more data than needed โ€” even if more data would improve performance.
๐Ÿ“‹
Proportionate Auditability
Where a solution supports automated recommendations or actions, we design appropriate logs for prompts, outputs, routing and human interventions so authorised teams can review what happened.
๐Ÿ‘๏ธ
Explainability and Human Oversight
We define what users need to understand, challenge and override. High-impact or sensitive decisions require accountable human oversight rather than relying on an unexplained model output.
๐Ÿ“
Data Processing Agreements
Where SereneAI processes personal data on a client's behalf, the parties will put an appropriate Data Processing Agreement in place covering instructions, security, retention, subprocessors and controller rights.
๐Ÿ—‘๏ธ
Retention and Deletion by Design
Retention and deletion requirements are defined during design. We provide proportionate deletion or export capabilities while recognising that some records may need to be retained for legal or contractual reasons.

Why This Matters in Contact Centres

Contact-centre recordings and notes often contain personal data, and may include information about health, vulnerability or financial circumstances. AI-assisted routing, scoring and summarisation therefore need careful purpose, access, retention and oversight controls.

In our experience, the most common GDPR risks in contact centre AI deployments include:

  • Call recordings processed or stored on US-based servers without adequate safeguards
  • AI systems trained on customer interaction data without appropriate legal basis
  • Automated routing and scoring decisions with no audit trail or explainability
  • Unstructured call notes containing special category data (health, financial difficulty) not handled separately
  • Retention periods for call data not enforced systematically, creating regulatory exposure

We assess relevant risks and recommend proportionate controls as part of our Operations & Efficiency Audit. Formal legal advice remains the client's responsibility.

Your Responsibilities as Data Controller

Where SereneAI processes personal data on behalf of your organisation, you remain the data controller under UK GDPR. This means you retain responsibility for:

  • Establishing the legal basis for processing customer interaction data
  • Maintaining your own privacy notices and informing customers of automated processing
  • Handling subject access requests from your customers
  • Ensuring retention policies are enforced consistently across all systems

We will support you in all of these areas as part of our engagement, but legal responsibility remains with your organisation as controller.

Sub-Processors

Where our solutions involve third-party technology providers acting as sub-processors, we will document these in the Data Processing Agreement provided at the start of your engagement. We will notify you of any material changes to sub-processors that may affect your data.

Data Breach Notification

In the event of a personal data breach affecting data we process on your behalf, we will notify the relevant controller without undue delay and provide available information needed for the controller's assessment. The controller is responsible for deciding whether notification to the ICO or affected people is required, including the controller's applicable 72-hour reporting period.

Questions About Our GDPR Approach

If you have questions about how we handle data โ€” either in connection with our website or in relation to a potential or existing engagement โ€” please contact us directly.

GDPR & Data Enquiries

SereneAI Ltd

Blackpool, England

Company No. 16646814

Email: daniel.turner@sereneai.co.uk

We aim to respond to all data-related enquiries within 5 working days.

Read our full Privacy Policy โ†’

SereneAI
Life@Me Founder's Journey Privacy Policy GDPR Contact LinkedIn
ยฉ SereneAI Ltd ยท Co. No. 16646814 ยท Blackpool, UK