GDPR
Usizy is committed to ensuring the protection of personal data and compliance with the GDPR.
Since 2016, Usizy Labs S.L. has had a dedicated General Data Protection Regulation (GDPR) compliance team that continuously improves our processes, documentation, and technological solutions to ensure alignment with European data protection requirements.
This document provides key information on how Usizy processes personal data, the technical and organizational safeguards implemented, and the measures in place to support our customers’ own GDPR compliance obligations.
1. Roles and Data Processing Agreement (DPA)
All contracts entered into with Usizy include a Data Processing Agreement (DPA) as an appendix. This agreement governs the processing of personal data performed by Usizy on behalf of the Customer.
Under the GDPR framework:
The Customer acts as the Data Controller, meaning it determines the purposes and means of the processing of personal data. The Customer decides what data is collected, for what purpose, and how it is used. The GDPR assigns the Controller a number of obligations and accountability duties regarding that processing.
Usizy Labs S.L. acts as the Data Processor, meaning it processes personal data solely on behalf of and under the documented instructions of the Customer, as necessary to provide the contracted services.
The DPA defines the subject matter, duration, nature, and purpose of the processing, the categories of data subjects and data involved, and the obligations and rights of both parties.
While the execution of a DPA is a legal requirement, it also provides a mutual framework of trust and accountability, ensuring that both parties meet the highest standards of data protection and regulatory compliance.
2. Scope of processing activities
Usizy processes personal data strictly for the purposes of operating, maintaining, and improving Smart Assistant and related analytics or dashboard services.
Processing activities may include:
- Receiving, transmitting, and storing customer conversation data,
- Generating analytics and usage reports,
- Handling support requests,
- Ensuring platform security and performance,
- Maintaining backups and infrastructure monitoring.
3. Categories of data subjects
Usizy processes personal data relating to the following categories of data subjects:
- End-users / consumers interacting with the Smart Assistant on the Customer’s websites or channels.
- Customer employees or representatives (e.g., administrators, managers, advisors, agents) who access the Usizy dashboard.
- Usizy employees involved in maintenance, support, or service delivery activities (with limited and controlled access).
4. Categories of personal data processed
Usizy collects and processes only the personal data strictly necessary for the proper operation of its services, in accordance with the principles of data minimization and purpose limitation.
Depending on the configuration of the service and the customer’s integration, the following categories of data may be processed:
- Identification data: name, email address, or phone number (only if transmitted by the customer or end user).
- Conversation data: content of messages exchanged through the Smart Assistant, timestamps, duration, and satisfaction feedback.
- Technical and connection data: IP address, browser type, device type, operating system, language, and session identifiers, used for security and analytics.
- Usage and preference data: product views, clicked recommendations, user choices, and configuration parameters for service optimization.
- Profile and sizing data (for personalization):
  - age, height, weight;
  - body measurements such as chest, waist, hips, inseam, foot length, foot width, or similar parameters.
- Image data (for virtual try-on functionality): user-uploaded or customer-provided photographs or body outlines used exclusively for visual simulation of product fit.
All data collected for sizing or virtual try-on purposes is processed solely to provide personalized recommendations and simulations. This data is not used for biometric identification or authentication and is deleted or anonymized once no longer required for the intended purpose.
Usizy does not collect or store sensitive personal data (as defined in Article 9 of the GDPR).
5. Purposes of processing
Usizy processes personal data solely to deliver, operate, secure, and improve the contracted services on behalf of the Controller. Processing is limited to the following purposes:
Service delivery (core functionality)
- Enable conversational assistance (chat/messaging), product Q&A, guided discovery, and checkout support.
- Operate recommendation logic for products and content relevant to the user’s session and preferences.
Size recommendation (profile & measurements)
- Use age, height, weight, and non-biometric human body measurements (e.g., chest, waist, hips, inseam, foot length, foot width) to calculate size and fit recommendations per product and per user profile.
- Store user sizing profiles (when enabled) to improve subsequent recommendations for that profile.
Virtual try-on (user-provided images)
- Process user-uploaded images exclusively to generate visual simulations of product fit on the user (virtual try-on).
- Images are processed only for rendering the simulation and related quality checks; they are not used for biometric identification or authentication.
Account, support, and incident handling
- Provide customer and technical support, diagnose issues, respond to tickets, and communicate service notices.
- Manage user/workspace configurations and administrative actions requested by the Controller.
Security, integrity, and continuity of service
- Detect/prevent abuse or fraud, protect accounts and sessions, monitor infrastructure, maintain backups, and ensure availability and disaster recovery.
Analytics, quality, and product improvement
- Produce aggregated or anonymized usage metrics (e.g., performance, conversion, feature adoption) to maintain and enhance accuracy, speed, and reliability of the services.
Compliance and record-keeping
- Fulfil legal, regulatory, and contractual obligations (e.g., audit trails, invoicing, tax, and statutory retention).
Communications related to the service
- Send operational messages (e.g., status, security, or policy updates). Marketing communications, if any, are performed only under the Controller’s instructions and applicable legal basis (e.g., consent or legitimate interest with opt-out).
Exclusions and limitations
- Usizy does not use sizing data or user images for biometric identification or authentication, nor to infer sensitive attributes.
- Usizy does not sell personal data or use it for unrelated purposes outside the Controller’s instructions.
- Any research or service improvement relying on personal data is performed using aggregated and/or anonymized data wherever possible.
6. Data retention
Personal data is retained for a maximum of four (4) years, unless a longer period is required by law or contract.
After this period:
- Operational access is permanently removed.
- Data is retained only for dispute or compliance purposes, accessible exclusively by a restricted legal team.
7. Anonymization and deletion
Once the retention period expires, all personal identifiers are deleted, and the remaining records are anonymized.
Anonymized information cannot identify an individual, directly or indirectly, and therefore is no longer considered personal data under the GDPR.
8. Data storage and hosting
All production data is hosted as follows:
Conversations: The data is hosted in Ireland (EU), in accordance with the Data Processing Agreement established with our hosting provider, Amazon Web Services (AWS).
Email content: For email delivery and transactional email services, the data is hosted in Germany and Belgium (EU), in accordance with the Data Processing Agreement established with our hosting provider, Mailjet SAS.
Channels: For Social Networks and Messaging Apps (Facebook, Messenger, WhatsApp, Apple Messages for Business), the data is hosted in Ireland (EU), in accordance with the Data Processing Agreement established with our hosting provider, Amazon Web Services (AWS).
The Customer (Data Controller) is solely responsible for selecting and enabling the communication channels to be used with the Usizy platform. Consequently, the choice of third-party providers (e.g., Meta Platforms for Facebook or WhatsApp) and the resulting data hosting locations are determined by the Customer’s configuration and subject to the respective third-party privacy conditions.
Data never leaves the European Economic Area (EEA) without adequate safeguards in accordance with Chapter V of the GDPR.
Encryption and data protection measures
Usizy applies encryption and pseudonymization as core security measures to protect all personal data processed under the Agreement:
Data at rest is encrypted using strong industry standards (e.g., AES-256 or equivalent) within AWS-managed environments. Encryption is applied to all databases, file systems, and backups containing personal data. Encryption keys are managed through AWS Key Management Service (KMS) with strict access control and rotation policies.
Data in transit is encrypted using TLS (Transport Layer Security) for all network communications between clients, servers, and APIs. Usizy enforces HTTPS and secure connection protocols by default across all environments.
Access control and identity management: Encryption keys and credentials are accessible only to authorized personnel based on role-based permissions. Multi-factor authentication (MFA) is required for administrative access to production systems.
Backups and disaster recovery: Backups are encrypted, replicated securely within the AWS EU (Ireland) region, and periodically tested to ensure integrity and recoverability.
Pseudonymization and data minimization: Where possible, identifiers are pseudonymized to separate direct personal identifiers from operational data. Analytical datasets are anonymized before aggregation or reporting.
These measures ensure the confidentiality, integrity, and availability of personal data throughout its lifecycle within the Usizy platform.
9. Access to personal data
Access to personal data processed by Usizy is strictly restricted and managed according to the principles of confidentiality, integrity, and least privilege.
- Only authorized personnel of Usizy may access personal data, and solely for the purposes necessary to perform their contractual duties.
- Access rights are granted individually based on roles and reviewed periodically.
- All access is authenticated (multi-factor authentication), logged, and monitored.
- Usizy employees and contractors are bound by confidentiality and data protection agreements.
- Any access outside the standard operational scope requires prior authorization and is automatically logged for audit purposes.
These measures ensure that personal data is accessed only by duly authorized persons and exclusively within the limits required to deliver and maintain the contracted services.
10. Access to the Data
Access to data within the Usizy platform is strictly controlled according to the user’s role and level of authorization. The persons having access to the Data are the following:
1. Customer users
Each customer organization defines and manages its own internal user accounts within the Usizy platform. User permissions are structured through role-based profiles, each with distinct access rights:
Manager
- Has full access to the Usizy Solution and all data associated with their organization.
- Can:
  - View and export all stored data (performance indicators, KPIs, conversation logs, recommendations, etc.).
  - Add, modify, or remove users.
  - Configure account-wide settings such as GDPR consent options, engagement rules, assistant behavior, and chat interface customization.
  - Manage integrations, channels, and connections with other services (APIs, data feeds, etc.).
Analyst
- Has restricted administrative access limited to the scope of their assigned group or business unit.
- Can:
  - View reports, dashboards, and conversation histories limited to their team’s data.
  - Review performance and KPIs for their segment but cannot access global account settings.
Agent (Human Operator)
- Has operational access to manage user interactions that are escalated from the Smart Assistant to a human conversation.
- Can:
  - Access ongoing and historical conversation data of users they interact with.
  - View limited user information (e.g., name, email, chat history) necessary to continue the conversation.
  - Escalate or close conversations and record manual follow-ups.
- Cannot access administrative settings or data from unrelated users or teams.
2. Usizy support and technical personnel
Certain authorized Usizy employees may access customer data strictly for technical or support purposes, including:
- Diagnosing or resolving incidents reported by the Customer.
- Performing maintenance, debugging, or updates to the platform.
- Verifying integrity or performance of the services.
All such accesses:
- Are limited in scope and duration.
- Require prior authorization, monitoring, and logging.
- Are covered by confidentiality obligations under GDPR-compliant internal policies and contracts.
11. Data subject rights
In accordance with the GDPR, individuals have the following rights:
- Right of access
- Right to rectification
- Right to erasure (“right to be forgotten”)
- Right to restrict processing
- Right to data portability
- Right to object to processing
As Usizy acts as Data Processor, individuals must address such requests directly to the Customer (Data Controller). Usizy will assist the Data Controller in fulfilling these requests within the legally mandated timeframes.
12. Privacy by Design and by Default
The Usizy platform is built in accordance with Article 25 of the GDPR (“Data protection by design and by default”).
This means that privacy and security are integrated from the earliest stages of development and continuously improved. Examples include:
- Pseudonymization and minimization of stored personal data,
- Secure defaults for all new features,
- Internal review of new functionalities for data protection impact.
13. Security measures
Usizy maintains a comprehensive Information Security Policy covering:
- Encryption of data both in transit and at rest;
- Secure authentication and role-based access control;
- Network segmentation, firewalls, and intrusion detection;
- Continuous monitoring, logging, and offsite backups;
- Regular security audits and penetration testing.
If Usizy becomes aware of a personal data breach, we will notify the Data Controller without undue delay, provide relevant details, and assist with any required communication to supervisory authorities or affected data subjects.
14. International data transfers
Should any transfer outside the EEA be required, Usizy will implement one of the following safeguards:
- Standard Contractual Clauses (SCCs) adopted by the European Commission;
- Adequacy decisions confirming an equivalent level of protection;
- Binding Corporate Rules where applicable.
No transfer will occur without prior written notice to the Data Controller.
15. Audits and compliance cooperation
Usizy cooperates with its customers and supervisory authorities in demonstrating compliance. Upon reasonable notice, and within the limits of confidentiality and security, the Data Controller may request audit information or reports verifying compliance with the GDPR and the terms of the DPA.
16. Contact for data protection matters
For all inquiries regarding data protection, GDPR compliance, or to report a potential security issue, please contact:
Data Protection Officer (DPO)
- dp@usizy.com
- Usizy Labs S.L., calle Siete Picos, 20, Madrid, Spain