← Back to home

Our GDPR Commitments

SereneAI Ltd · Company No. 16646814 · Last updated: 9 April 2026

We built SereneAI specifically because most AI vendors don't take GDPR seriously enough in contact centre environments. This page explains what we do differently — and what we commit to in every engagement.

Our Core Commitments

🇬🇧
100% UK-Hosted Infrastructure
All data processed through SereneAI solutions is stored and processed in the United Kingdom. We do not use US-based cloud providers, and customer interaction data never crosses UK borders.
🔒
Data Minimisation by Default
We design every solution to collect only the data that is strictly necessary for the stated purpose. We do not build systems that harvest more data than needed — even if more data would improve performance.
📋
Full Audit Logs on Every Decision
Every automated decision made by a SereneAI solution is logged and explainable. Your compliance team can review any routing decision, prompt used, or automated action at any time.
👁️
Explainability — Not Black Boxes
We do not deploy AI systems that cannot explain their outputs. Every solution we build is designed so that agents, supervisors, and compliance teams can understand and challenge automated decisions.
📝
Data Processing Agreements
For every client engagement, we provide a formal Data Processing Agreement (DPA) that sets out the scope of data processing, retention periods, sub-processors, and your rights as data controller.
🗑️
Right to Erasure — Built In
We build deletion capability into every solution from the start. If a customer exercises their right to erasure, you can fulfil that request across the SereneAI system without requiring manual intervention.

Why This Matters in Contact Centres

Contact centres are one of the highest-risk environments for GDPR compliance. Every call contains personal data. Call recordings, interaction notes, and routing decisions all carry compliance obligations — and most AI vendors either underestimate this risk or choose not to raise it.

In our experience, the most common GDPR risks in contact centre AI deployments include:

We identify and address all of these risks as part of our Operations & Efficiency Audit.

Your Responsibilities as Data Controller

Where SereneAI processes personal data on behalf of your organisation, you remain the data controller under UK GDPR. This means you retain responsibility for:

We will support you in all of these areas as part of our engagement, but legal responsibility remains with your organisation as controller.

Sub-Processors

Where our solutions involve third-party technology providers acting as sub-processors, we will document these in the Data Processing Agreement provided at the start of your engagement. We will notify you of any material changes to sub-processors that may affect your data.

Data Breach Notification

In the event of a personal data breach affecting data we process on your behalf, we will notify you without undue delay and within 72 hours of becoming aware, in line with UK GDPR Article 33. We will provide all information necessary for you to fulfil your own notification obligations to the ICO.

Questions About Our GDPR Approach

If you have questions about how we handle data — either in connection with our website or in relation to a potential or existing engagement — please contact us directly.

GDPR & Data Enquiries

SereneAI Ltd

Blackpool, England

Company No. 16646814

Email: daniel.turner@sereneai.co.uk

We aim to respond to all data-related enquiries within 5 working days.

Read our full Privacy Policy →