1. Introduction
GREYDOLL Technology ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI voice assistant services.
Company Details:
- Company Name: GREYDOLL Technology
- Address: Bernadottelaan 22, 3527GB Utrecht, Netherlands
- KVK: 98789934
- Email: [email protected]
This policy complies with the General Data Protection Regulation (GDPR) and the EU AI Act.
2. Our Two Roles: Website Visitors vs. Voice Product Users
GREYDOLL acts in two different capacities depending on how you interact with us, and different rules apply to each:
As a Website Visitor
- When you browse this website, submit our contact or careers form, or use interactive tools such as the revenue calculator, GREYDOLL is the Data Controller for that information.
As an End-Customer of a GREYDOLL Client
- When you interact with an AI voice agent deployed by one of our business Clients (for example, to book a table or place an order), the business you contacted is the Data Controller, and GREYDOLL acts only as its Data Processor, handling your data solely on that business's instructions. Requests regarding that data (access, deletion, etc.) should be directed to the business you contacted; GREYDOLL will assist that business in fulfilling such requests as required under our Data Processing Agreement.
3. Data We Collect
Personal Information
- Contact details (Name, Email, Phone Number) when you inquire or sign up.
- Voice data and call recordings processed by our AI to fulfill your requests.
- Billing information through our secure payment processors.
- Technical data (IP address, browser type) for service optimization.
Website & Enquiry Data
- Name, email address, phone number, and company name submitted via our contact or careers form.
- Information you voluntarily provide when applying for a role with us, including your CV/resume and cover letter where submitted.
- Usage data generated when you use interactive tools on our website, such as the revenue calculator.
We process this website data on the basis of your consent (where you submit a form), to take steps prior to entering into a contract with you, or our legitimate interest in responding to enquiries and operating our website.
4. Data Processor Status & Compliance
For the purposes of the GDPR, the Client (User) is the 'Data Controller' and GREYDOLL is the 'Data Processor.' GREYDOLL processes end-customer data (voice, names, phone numbers) solely based on the Client's instructions to fulfill orders and bookings.
AI Transparency (EU AI Act)
In accordance with Article 50 of the EU AI Act, all end-users (callers) must be explicitly notified at the beginning of the interaction that they are communicating with an Artificial Intelligence system. The Client is responsible for ensuring the AI agent's greeting includes this mandatory disclosure.
Call Recording (NL Telecommunicatiewet)
Under the Dutch Telecommunications Act, the Client is solely responsible for obtaining necessary consent or providing notice to callers for recording and transcription.
5. Sub-Processors
The Client grants general authorization to GREYDOLL to engage the following sub-processors for service delivery:
Approved Sub-Processors
- Retell AI / Twilio: Voice processing and Telephony infrastructure.
- Railway / Supabase: Hosting, Server environments, and Database management.
- Mollie / Wise: Payment processing and Payout distribution.
- OpenAI / Anthropic: Large Language Model (LLM) intelligence.
6. International Data Transfers
To provide our advanced AI services, your data may be processed using US-based AI engines. We ensure that these transfers are protected by appropriate safeguards, such as Standard Contractual Clauses (SCCs) approved by the European Commission, to maintain a level of protection equivalent to the GDPR.
7. Data Security & Retention
We implement encryption (TLS/SSL) and other technical measures to protect personal data against unauthorized access.
Upon termination of service, GREYDOLL will retain Client data for a maximum of 30 days to allow for data export requests. After this, data is permanently deleted, except for financial records which are retained for 7 years as required by Dutch tax law.
We notify the User of any confirmed personal data breach within 48 hours to assist in fulfilling their 72-hour reporting obligation to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).
Website enquiry and careers form data is retained for up to 24 months from your last contact with us, or until you ask us to delete it, whichever comes first, unless a longer period is required to establish, exercise, or defend legal claims.
8. Your Data Protection Rights
If GREYDOLL is the Data Controller for your information (see 'Our Two Roles' above), you have the right, subject to applicable law, to:
You May
- Access the personal data we hold about you.
- Request correction of inaccurate data.
- Request erasure of your data.
- Restrict or object to certain processing.
- Request a copy of your data in a portable format.
- Withdraw consent at any time, where processing is based on consent.
To exercise these rights, contact us at [email protected]. You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) or your local supervisory authority.
If GREYDOLL is only the Data Processor for your information, please direct your request to the business you interacted with; we will support that business in responding to you as required by our Data Processing Agreement.
9. Children's Privacy
Our website and services are not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at [email protected] and we will take steps to delete it.
10. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or for legal, operational, or regulatory reasons. We will post the updated version on this page with a revised 'Last updated' date. Material changes will be communicated to Clients directly where required.
Restaurant Data Protection Agreement
Article X to the GREYDOLL Restaurant Agreement
X.1 — DEFINITIONS
"Consumer Data" means all data relating to end consumers who interact with the GREYDOLL platform, including but not limited to: telephone numbers in raw or hashed form, loyalty wallet balances, visit history across venues, WhatsApp consent records, dining preferences, location signals, and cross-venue behavioural patterns. Consumer Data is distinct from Booking Data defined in Article X.3.
X.2 — DATA CONTROLLER
The parties acknowledge that GREYDOLL Technologies B.V. (KVK 85799934) is the sole Data Controller with respect to all Consumer Data under Regulation (EU) 2016/679 (GDPR). Restaurant Operator acts as Data Processor only with respect to the limited Booking Data specified in Article X.3, and solely for the purpose of fulfilling individual reservations.
X.3 — MINIMUM NECESSARY DATA
GREYDOLL shall provide Restaurant Operator only with the following data elements required to fulfil individual bookings:
- Guest first name only;
- Party size;
- Booking date and time;
- Dietary requirements and special requests relevant to service;
- Visit count at Restaurant Operator's own venue (aggregate count only — no cross-venue data, no contact details).
Restaurant Operator shall receive no other Consumer Data. GREYDOLL shall implement technical controls to enforce this limitation.
X.4 — PROHIBITED USES
Restaurant Operator shall not, directly or indirectly:
- Attempt to obtain, derive, reconstruct, or infer any Consumer Data beyond Booking Data provided under Article X.3;
- Contact, market to, or communicate with any consumer using data received through the GREYDOLL platform for any purpose other than the immediate service context of a confirmed booking;
- Store telephone numbers, email addresses, or other personal contact details of consumers unless independently and lawfully obtained through means wholly unrelated to the GREYDOLL platform;
- Share, sell, license, or transfer Consumer Data or Booking Data to any third party;
- Use any data received through the GREYDOLL platform for profiling, automated decision-making, or any purpose other than fulfilling the specific confirmed booking for which the data was provided.
X.5 — DATA DELETION ON TERMINATION
Upon termination or expiry of this Agreement for any reason:
- Restaurant Operator shall permanently and irreversibly delete all Consumer Data and Booking Data received through the GREYDOLL platform within thirty (30) calendar days of the termination date;
- Restaurant Operator shall provide written confirmation of deletion to GREYDOLL at [email protected] within thirty-five (35) calendar days;
- GREYDOLL shall anonymise all booking records linked to Restaurant Operator's venue within ninety (90) days, subject to applicable legal retention obligations under Dutch and EU law.
X.6 — SECURITY
Restaurant Operator shall implement appropriate technical and organisational measures to protect Booking Data received under Article X.3 against unauthorised access, disclosure, alteration, or loss, in accordance with Article 32 GDPR. At minimum, access to booking records shall be restricted to staff directly involved in service delivery.
X.7 — DATA SUBJECT RIGHTS
Upon receipt of any request from a consumer exercising rights under GDPR Chapter III (including rights of access, rectification, erasure, portability, or restriction), Restaurant Operator shall immediately — and in any event within forty-eight (48) hours — forward such request to GREYDOLL at [email protected]. Restaurant Operator shall not independently respond to, process, or refuse any such request relating to Consumer Data or Booking Data originating from the GREYDOLL platform.
X.8 — BREACH NOTIFICATION
Restaurant Operator shall notify GREYDOLL without undue delay, and in any event within twenty-four (24) hours, upon becoming aware of any actual or suspected personal data breach involving Consumer Data or Booking Data, by email to: [email protected]. Notification shall include a description of the nature of the breach, categories of data affected, and any remedial steps taken.
X.9 — AUDIT RIGHTS
GREYDOLL reserves the right to audit Restaurant Operator's compliance with this Article X upon written notice of not less than five (5) business days. Restaurant Operator shall provide reasonable cooperation, access to relevant systems, records, and personnel. Costs of audit shall be borne by GREYDOLL unless material non-compliance is found, in which case costs shall be borne by Restaurant Operator.
X.10 — CONSUMER-FACING PRIVACY COMMITMENT
Restaurant Operator acknowledges that GREYDOLL's consumer privacy policy states that end consumers' telephone numbers and personal profiles are never shared with restaurant operators. Restaurant Operator agrees not to take any action that would cause GREYDOLL to be in breach of this commitment.