Privacy Policy

Last updated: 31 March 2026

1. Data controller

oHallo is operated by oHallo ApS, a company registered in Denmark.

When we say "oHallo", "we", "us", or "our" in this policy, we mean oHallo ApS.

oHallo ApS has not appointed a Data Protection Officer as we do not meet the threshold under GDPR Article 37. For privacy-related enquiries, contact us via our contact form.

2. What this policy covers

This policy explains how we process personal data in two contexts:

  • The oHallo website (ohallo.eu): when you visit our marketing site, read documentation, or contact us.
  • The oHallo platform (app.ohallo.eu and auth.ohallo.eu): when you use oHallo as a customer to manage conversations, or when your end-customers interact with the platform through email, chat, WhatsApp, or voice.

3. Website visitors

What we collect

When you visit ohallo.eu, we collect only what your browser sends by default: your IP address, browser type, and the pages you visit. This data is processed by our hosting infrastructure to serve the website and is not stored in any analytics system.

We do not use cookies. We do not use analytics services. We do not track you across sessions or across websites. There are no third-party tracking scripts on ohallo.eu. All resources including fonts are served from our own infrastructure.

Contact form and email

If you contact us via email or a contact form, we store your name, email address, and message content to respond to your enquiry. We process this data on the basis of our legitimate interest in responding to business enquiries (Article 6(1)(f) GDPR). We retain this data for as long as the business relationship is active.

4. Roles under GDPR

When a company uses the oHallo platform to handle communication with their clients:

  • The company is the data controller for the personal data of their end-customers (contacts, conversation content, attachments, account information). The company determines why and how that data is processed.
  • oHallo is the data processor acting on behalf of the company. We process end-customer data solely to provide the service the company has contracted us for.
  • oHallo is the data controller for the personal data of platform users (the people who log into the oHallo dashboard). We determine how user account data is processed.

We enter into a Data Processing Agreement (DPA) with each customer. The DPA governs how we process end-customer data on the customer's behalf. Your use of the platform is also subject to our Terms of Service.

5. Platform users

When you create an account on the oHallo platform, we collect and process the following personal data:

Data | Purpose | Legal basis
Email address | Account identification, login, notifications | Contract performance
Full name | Display in dashboard, conversation attribution | Contract performance
Role and permissions | Access control within the platform | Contract performance
Last login timestamp | Security monitoring, account activity | Legitimate interest
Profile image (optional) | Display in dashboard | Consent

When you log in, your email address and password (or SSO credentials) are processed by our identity provider to verify your identity. oHallo never stores your password.

6. End-customer data (processed on behalf of customers)

When end-customers communicate with a customer via oHallo (through email, chat, WhatsApp, or voice), we process the following data on behalf of the customer:

Data | Purpose
Contact details (name, email, phone number) | Identify the contact across conversations and channels
Company information (name, address, VAT number) | Associate contacts with business accounts
Message content (email body, chat messages, subject lines) | Process and respond to enquiries
Attachments (files sent by the contact) | Extract relevant information to resolve the enquiry
Conversation metadata (timestamps, status, language) | Manage conversation lifecycle and quality
Phone numbers and call records (voice channel) | Route and manage voice calls

This data is processed solely to provide the conversation resolution service. The customer's own privacy policy governs how they collect and use their end-customers' data. If you are an end-customer with questions about how your data is used, contact the company you communicated with.

7. AI processing and automated decision-making

oHallo uses artificial intelligence to read, understand, and respond to customer messages. This means that conversation content (messages, attachments, and data retrieved from the customer's business systems) is sent to large language model providers for processing. All processing takes place within the European Union. We contractually require that providers do not use customer or end-customer data to train their models.

What the AI decides

For each inbound message, the AI autonomously determines what the message is about, which business systems to query, and how to compose a reply. These decisions are made without human involvement unless one of the safeguards described below is triggered.

Safeguards

Every AI-generated reply passes through a validation pipeline before it reaches the end-customer. The reply is checked for factual accuracy against the source data retrieved from the company's systems and for compliance with the company's configured policies. If validation fails, the system attempts to correct and revalidate the reply. If correction also fails, the reply is not sent and the conversation is escalated to a human for review.

Beyond reply validation, the platform provides additional safeguards that the company can configure:

  • Approval gates: the company can require human approval before specific actions are taken, such as submitting an order or issuing a credit above a certain value. When an approval gate is triggered, the AI pauses and waits for a human decision before proceeding.
  • Escalation rules: the company can define conditions under which a conversation is automatically transferred to a human, such as when a credit check is declined or a complaint is detected.
  • Quality safeguards: the platform continuously monitors the quality of AI-handled conversations. If quality drops below acceptable levels on a specific topic or process, the system automatically pauses AI handling for that area and routes conversations to humans until the issue is resolved.

Human oversight

The company's team has full visibility into every conversation and can take over from the AI at any point. When a human takes over, the AI stops responding and the human communicates directly with the end-customer. The human can release the conversation back to AI handling when they are done.

Every decision the AI makes (which systems were queried, what data was retrieved, how the reply was composed, and whether validation passed) is logged and visible in the company's dashboard. This provides a complete audit trail for every conversation.

Your rights regarding automated decisions

If you are an end-customer and you received an AI-generated response, you have the right to request human review of that response. To do so, contact the company you communicated with. The company can review the full reasoning trail and respond to you directly.

8. Sub-processors

We use third-party services to operate parts of the platform, including infrastructure hosting, email delivery, and user authentication. All sub-processors are bound by data processing agreements and process data exclusively within the European Union.

A current list of sub-processors is available on request via our contact form.

9. International data transfers

The oHallo platform is hosted in the European Union. All data storage (database, object storage, caching) and all data processing (including AI/LLM processing) takes place in EU data centres in Frankfurt and Falkenstein, Germany.

No personal data is transferred outside the European Economic Area.

10. Data retention

Data type | Retention period
Platform user accounts | Until the account is deleted or the subscription is terminated
Conversation data and messages | Duration of the subscription, then deleted within 90 days of termination
Attachments and documents | Same as conversation data
Contact and account records | Same as conversation data
Billing and invoice data | 7 years (Danish bookkeeping law, Bogføringsloven)
Server logs | 30 days
Contact form submissions | Until the enquiry is resolved or 2 years, whichever is shorter

When data is deleted, it is permanently removed from all active systems. Backups containing deleted data are overwritten within their normal rotation cycle (maximum 30 days).

11. Data security

We implement the following technical and organisational measures to protect personal data:

  • Encryption in transit: all data transmitted between systems uses TLS 1.2 or higher.
  • Encryption at rest: databases and object storage use AES-256 encryption.
  • Data isolation: all data is logically isolated per customer. Every database query, cache key, and storage path is scoped to a single customer. No cross-customer data access is possible at any layer.
  • Secrets management: credentials and API keys are stored in a dedicated secrets manager, never in application code or databases.
  • Authentication: platform users authenticate via a dedicated identity provider with support for SSO and multi-factor authentication. Passwords are never stored by oHallo.
  • API key security: API keys are stored as SHA-256 hashes. The full key is shown once at creation and never stored or retrievable.
  • Access control: role-based access control restricts what each user can see and do within the platform.
  • Infrastructure: the platform is hosted in EU data centres in Frankfurt and Falkenstein, Germany. All processing, including AI processing, takes place within the European Union.
  • Monitoring: infrastructure and application metrics are monitored continuously. Anomalies trigger automated alerts.

12. Your rights

Under the General Data Protection Regulation (GDPR), you have the following rights:

  • Right of access: you can request a copy of the personal data we hold about you.
  • Right to rectification: you can ask us to correct inaccurate personal data.
  • Right to erasure: you can ask us to delete your personal data, subject to legal retention obligations.
  • Right to restriction: you can ask us to restrict processing of your personal data in certain circumstances.
  • Right to data portability: you can request your personal data in a structured, machine-readable format.
  • Right to object: you can object to processing based on legitimate interest.
  • Right to withdraw consent: where processing is based on your consent (such as an optional profile image), you can withdraw that consent at any time.
  • Right regarding automated decisions: you have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. Where automated processing applies, you can request human review as described in section 7.

To exercise any of these rights, reach us via our contact form. We will respond within 30 days.

If you are an end-customer: your data is processed by oHallo on behalf of the customer (the company you communicated with). To exercise your rights, contact that company directly. If the company asks us to delete or export your data, we will do so promptly.

You have the right to lodge a complaint with a supervisory authority. For Denmark, this is the Danish Data Protection Agency (Datatilsynet), datatilsynet.dk.

13. Children

oHallo is a business-to-business platform. We do not knowingly collect personal data from children under 16. If you believe we have inadvertently collected such data, reach us via our contact form and we will delete it promptly.

14. Changes to this policy

We may update this privacy policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page. If changes are significant, we will notify platform users via email.

15. Contact

For any questions about this privacy policy or how we process your data:

Contact us via ohallo.eu/contact.