Viking Online Privacy Policy

This Privacy Policy explains how Viking Online Services Gromosław Czerski (“Viking Online”, “we”, “our”, “us”) collects, uses, processes, stores, and protects personal information in connection with our services, including our AI Receptionist, automation systems, consulting services, CRM systems, websites, and digital products.

We are committed to complying with the General Data Protection Regulation (GDPR), UK GDPR, Polish privacy law, and applicable global privacy regulations including CCPA where relevant.

If you do not agree with this Policy, you must not use our services.

1. Data Controller & Contact Details

Data Controller:

Viking Online Services Gromosław Czerski

Olimpów 62

39-124 Iwierzyce

Poland

NIP: 8181741223

EUVAT ID: PL8181741223

Under GDPR, Viking Online acts as:

Data Controller for our website visitors, marketing, billing, and internal operations.

Data Processor for Client Data processed through our AI systems, CRM integrations, phone systems, and automations.

2. Information We Collect

We collect personal information in the following categories.

2.1 Information Provided Directly by Clients

Business contact details

Email addresses

Phone numbers

Address and billing details

Payment information (processed by Stripe, never stored by us)

Onboarding information

Company scripts, FAQs, tone of voice, policies

Call handling instructions

CRM access tokens or API keys (encrypted where possible)

2.2 Information Captured by the AI Receptionist

As part of the AI Receptionist or conversational AI services, we may process:

Caller phone numbers

Call metadata (duration, timestamps, call direction)

Call recordings (if enabled by the client)

Call transcripts and summaries

Message history (SMS, WhatsApp, emails)

Appointment details

Customer notes and lead information

Website form submissions

Clients are responsible for obtaining legally required caller consent for recording or processing.

2.3 Information Collected Automatically

When using our website or CRM environments:

IP addresses

Browser type

Device information

Cookies

Usage analytics

Referrer URLs

Time spent on pages

2.4 Third-Party Integrations

We may process or transfer information through:

GoHighLevel (CRM, calendar, email, SMS)

Twilio (SMS, calls, A2P, call logs)

Stripe (payments)

Zapier or n8n (automations)

OpenAI or similar LLM providers (AI processing)

Google Workspace (email, calendar)

Notion (documentation)

Cloudflare (security & CDN)

AWS/Google Cloud (cloud hosting depending on AI model routing)

These tools may store or transmit data depending on their architecture.

3. Legal Basis for Processing (GDPR)

We process personal data under the following legal bases:

Contractual necessity – to deliver services to clients.

Legitimate interest – improving services, fraud prevention, analytics.

Legal obligation – tax, accounting, regulatory.

Consent – for call recording (client responsibility), cookies, marketing.

4. How We Use the Data

We use personal data to:

Provide and maintain the AI Receptionist

Process call flows, transcriptions, and automation

Route calls and messages

Process appointments

Deliver CRM integrations

Send system notifications

Improve AI performance

Conduct diagnostics, debugging, or support

Process payments and billing

Detect fraud or misuse

Comply with legal requirements

We do not:

Sell personal data

Use personal data for training general AI models (only ephemeral processing)

Share personal data with third parties unless required for service delivery

5. AI Processing

Our AI systems process caller interactions, messages, and instructions to generate responses.

We do not train models using client data unless explicitly permitted.

Data may be temporarily processed by:

OpenAI

Other LLM APIs

Internal AI pipelines

These providers act as sub-processors.

Clients must ensure any information provided to the AI does not violate:

GDPR

Local data protection laws

Confidentiality obligations

Professional ethics (law/medical/accounting)

6. Data Sharing & Sub-processors

We may share data with:

CRM providers (GoHighLevel, Clio, Pipedrive, HubSpot, Salesforce)

Communication carriers (Twilio, Plivo, Telnyx)

Cloud hosting providers (AWS, Google Cloud)

Payment processors (Stripe)

Automation tools (Zapier, n8n)

Analytics tools (GA4, Cloudflare)

Email service providers

All sub-processors are required to comply with data protection laws.

We do not share personal data with advertisers or unrelated third parties.

7. Data Retention

We retain data only as long as necessary for:

Contractual obligations

Legal compliance

Improving our services

Client instructions

Standard retention:

Call transcripts: up to 12 months unless the client requests deletion sooner

Call recordings: retained based on client settings

CRM data: stored according to client configuration

Billing records: 6 years per accounting law

AI logs: typically 30–90 days

Clients may request custom retention schedules.

8. International Data Transfers

Data may be processed in:

Poland

EU/EEA

United States

United Kingdom

When data leaves the EU, we implement:

Standard Contractual Clauses (SCCs)

Data Processing Agreements

Adequacy decisions where applicable

9. Data Security

We implement:

SSL/TLS encryption

Token-based authentication

Access restrictions

Encrypted API keys

Internal security protocols

Routine audits

Limited access to staff

However, no system is 100% secure.

By using our services, the Client acknowledges inherent risks.

10. Call Recording Compliance

If call recording is enabled:

The Client is responsible for notifying callers when required by law.

Viking Online provides infrastructure but does not provide legal advice.

The Client must comply with local regulations (including two-party consent jurisdictions).

11. Children’s Data

We do not knowingly collect data from children under 16.

Clients must ensure their use cases comply with child privacy laws.

12. Data Subject Rights (GDPR)

Individuals have the right to:

Access personal data

Correct inaccuracies

Request deletion (“right to be forgotten”)

Restrict processing

Object to processing

Data portability

Withdraw consent

Requests must be submitted via email.

We may request identity verification before fulfilling requests.

13. CCPA Rights (If Applicable)

California residents may request:

Disclosure of collected data

Deletion of data

Opt-out of data sharing

Non-discrimination in service delivery

14. Client Responsibilities

Clients must:

Provide lawful data

Obtain caller consent for recording

Configure compliant call flows

Avoid instructing the AI to engage in restricted topics

Comply with GDPR/TCPA/A2P rules

Ensure their customers are informed about AI use where required

Viking Online is not responsible for the Client’s legal compliance.

15. Automated Decision Making

The AI Receptionist may:

Route calls

Qualify leads

Generate responses

Book appointments

Send follow-up messages

These operations are automated and based on client-defined rules.

Clients must ensure this use is compliant with their jurisdiction.

16. Updates to This Policy

We may update this Privacy Policy at any time.

Updates become effective upon posting.

Continued use constitutes acceptance of the updates.

17. Contact for Privacy Matters

To request deletion, access, or correction of personal data:

Email: [email protected]

Address: Viking Online Services Gromosław Czerski, Olimpów 62, 39-124 Iwierzyce, Poland.

18. Acceptance

By using the AI Receptionist, website, CRM systems, or any Viking Online service, the Client acknowledges:

This Privacy Policy

The Terms & Conditions

Full responsibility for their own compliance

That AI and automation may process personal data on their behalf