GDPR & data rights
Rumbe AI supports GDPR-aligned data-rights workflows through structured personal-data handling, PII-aware records, and deletion patterns that can help facilitate data access, correction, export, scrubbing, and erasure requests.
Access, correction, deletion, export, and transfer controls.
Roles and Instructions
The customer will commonly act as controller for customer-support data, while Vovance Inc. may act as processor or service provider for Rumbe AI under the applicable contract. Actual roles depend on the processing context and must be confirmed in the Data Processing Addendum.
Right of Access
A supported access workflow should locate personal data associated with a verified individual across identity records, conversations, tickets, attachments, agent notes, exports, and relevant integrations.
Identity verification is necessary before releasing personal information.
Correction
Authorized users can correct inaccurate identity or support records where the customer’s policy and legal obligations permit. Changes should be logged when they affect sensitive or material data.
Deletion and Erasure
Rumbe’s soft-delete patterns can mark records for removal and support staged scrubbing. A complete erasure workflow should consider:
- —Customer and agent identity records
- —Messages and tickets
- —Attachments and object storage
- —Knowledge content containing personal data
- —Audit-log exceptions
- —Exports and generated reports
- —Backups and restoration windows
- —Connected providers and subprocessors
- —Legal holds and statutory retention
Data Export and Portability
Export requests should be authorized, logged, limited to the verified requester’s data, and delivered securely. Export formats and portability scope depend on the data type and contractual service.
Data Minimization and Purpose Limitation
Customers should collect only what is required for support, avoid placing unnecessary sensitive information in prompts, and restrict uploaded knowledge to approved content. Prompt instructions and agent procedures should discourage users from sharing excessive personal data.
Retention
Retention periods should reflect business need, legal obligations, support SLAs, dispute periods, and customer instructions. Shorter retention reduces exposure, while audit or legal requirements may require specific records to be preserved.
International Transfers
Where personal data moves across jurisdictions, the parties may need an approved transfer mechanism, subprocessor disclosures, and supplementary safeguards. Hosting and provider locations should be confirmed for the selected deployment.
Request Process
Data-rights requests should be directed through the customer’s published privacy process or the designated Vovance Inc. contact where Vovance is responsible. Requests must be verified, tracked, and completed within the applicable legal timeline.
Frequently asked questions
Does Rumbe support deletion requests?+
The architecture includes soft-delete and PII-aware patterns that can support scrubbing and erasure workflows.
Are audit logs always deleted with the customer record?+
Not necessarily. Certain logs may need restricted retention for security or legal purposes. The applicable DPA and retention policy should define treatment.
Can customers choose retention periods?+
Customer-controlled retention may be supported depending on the plan and deployment. Exact options should be confirmed contractually.
Who responds to a data subject request?+
Usually the controller receives and directs the request. Vovance Inc. may assist as processor according to the DPA and customer instructions.
Evaluate Rumbe AI for your environment.
Vovance Inc. can discuss Rumbe AI’s architecture, controls, deployment assumptions, and contractual options for your use case.