
GDPR Compliance

Last updated: May 2025

1. Our Commitment to the GDPR

CallNex BV, headquartered in Brussels, Belgium, is fully subject to the EU General Data Protection Regulation (GDPR, Regulation 2016/679) as a data controller established within the European Union. We take GDPR compliance seriously and have implemented technical, organisational, and procedural measures to fulfil our obligations.

This page provides an overview of how CallNex approaches GDPR compliance. For full details on what data we collect and why, see our Privacy Policy.

2. Roles: Controller and Processor

CallNex operates in two distinct GDPR roles:

  • Data Controller: CallNex BV is the controller for data relating to our own customers (account holders, billing contacts). We determine the purposes and means of processing this data.
  • Data Processor: When our customers use CallNex to make AI calls to their own contacts (prospects, leads, clients), CallNex acts as a processor on their behalf. Customers are the controllers for the personal data of their own contacts.

We have appropriate Data Processing Agreements (DPAs) in place with all sub-processors. Customers who require a DPA with CallNex as processor may request one at support@callnex.nl.

3. Legal Bases for Processing

We document and apply a valid legal basis for every processing activity, in accordance with GDPR Article 6:

  • Contract performance (Art. 6(1)(b)): core service delivery, billing, and account management
  • Legal obligation (Art. 6(1)(c)): accounting records (Belgian law requires 7-year retention), tax compliance, responding to lawful authority requests
  • Legitimate interests (Art. 6(1)(f)): fraud prevention, security monitoring, platform performance analytics
  • Consent (Art. 6(1)(a)): optional marketing communications — consent is freely given, specific, and withdrawable at any time

4. Data Subject Rights

We have implemented processes to respond to all data subject rights within the mandatory 30-day deadline:

  • Right of access (Art. 15): export your full account data via account settings or email us
  • Right to rectification (Art. 16): edit profile data directly in-platform; other corrections by email request
  • Right to erasure (Art. 17): submit a deletion request — we delete all personal data within 30 days, except where retention is legally required
  • Right to restriction (Art. 18): we will flag and restrict processing of your data pending resolution of any dispute
  • Right to data portability (Art. 20): receive account and call data in CSV/JSON format upon request
  • Right to object (Art. 21): object to processing based on legitimate interests at any time

To exercise any right, email support@callnex.nl with the subject line 'GDPR Rights Request'.

5. Data Minimisation and Purpose Limitation

We collect only the data that is strictly necessary for the purposes described in our Privacy Policy (data minimisation principle, GDPR Art. 5(1)(c)). We do not repurpose personal data beyond the purposes for which it was originally collected, and we do not use customer call recordings to train any third-party AI models (purpose limitation principle, GDPR Art. 5(1)(b)).

6. Data Retention and Erasure

We apply a retention schedule aligned with GDPR's storage limitation principle (Art. 5(1)(e)):

  • Account and profile data: deleted 30 days after account closure
  • Call recordings and AI transcripts: 90-day default, configurable per campaign
  • Billing and invoice records: 7 years (Belgian accounting law — Koninklijk Besluit)
  • Security and server logs: 30 days
  • Support communications: 2 years after ticket closure

Automated deletion jobs run nightly to enforce retention limits. Customers can configure shorter retention windows for their campaigns in account settings.

7. Technical and Organisational Security Measures

We have implemented the following safeguards in accordance with GDPR Article 32:

  • TLS 1.3 encryption for all data in transit between users, the platform, and sub-processors
  • AES-256 encryption for call recordings and sensitive data at rest
  • Role-based access control (RBAC): employees and contractors access only the minimum data required for their role
  • Multi-factor authentication (MFA) required for all CallNex staff accessing production systems
  • Regular internal security reviews and vulnerability assessments
  • Incident response plan with GDPR breach notification procedures (72-hour notification obligation to GBA)

For a detailed overview of our security measures, see our Security page.

8. Sub-processors and International Transfers

All personal data is stored on EU-based servers. We maintain a current list of sub-processors and notify customers of any new sub-processor at least 30 days before use.

Our current sub-processors are:

  • Stripe Payments Europe Ltd (Dublin, Ireland): payment processing — covered by EU-US Data Privacy Framework
  • Cloud infrastructure provider: EU data centres — processes data under Data Processing Agreement with EU SCCs

No personal data is transferred to countries outside the EEA without adequate safeguards (Standard Contractual Clauses or equivalent).

9. Data Protection Officer

As a small-to-medium processor primarily handling B2B data, CallNex is not currently required to appoint a mandatory DPO under GDPR Article 37. However, we have designated an internal data protection contact who oversees compliance:

Data Protection Contact: support@callnex.nl (subject: 'Data Protection')

10. Supervisory Authority

The competent supervisory authority for CallNex BV is the Belgian Data Protection Authority (Gegevensbeschermingsautoriteit — GBA):

  • Website: www.gegevensbeschermingsautoriteit.be
  • Address: Drukpersstraat 35, 1000 Brussels, Belgium
  • Phone: +32 2 274 48 00
  • Email: contact@apd-gba.be

If you believe your rights have been violated, you have the right to lodge a complaint with the GBA at any time.

11. Privacy by Design and Default

We apply privacy by design principles when developing new features: privacy impact is assessed before build, not after. New data processing activities are reviewed against our data inventory, and we default to the most privacy-preserving configuration available (e.g., shorter retention periods are the platform default).

GDPR inquiries?

CallNex BV · Brussels, Belgium · support@callnex.nl