BuddyBeam

AI Governance

Last updated: April 12, 2026

1. GUIDING PRINCIPLES

At BuddyBeam, we are committed to the responsible development and deployment of artificial intelligence technologies. This document describes our principles, practices, and commitments regarding AI governance for BuddyBeam Avatars.

Transparency

  • Users always know they are interacting with a digital avatar powered by artificial intelligence
  • The avatar is clearly presented as an AI assistant, not a real person
  • We provide clear information about the service's capabilities and limitations

Privacy and Data Protection

  • We comply with the General Data Protection Regulation (GDPR) and Spanish legislation
  • All data is stored on servers located in the European Union
  • We implement encryption in transit (TLS) and at rest for all information

Responsible Use

  • Our technology is designed exclusively to enhance website visitor experience and business operations
  • We actively prohibit any use that could result in discrimination or harm
  • The avatar complements, never replaces, professional human attention

2. DATA AND STORAGE

What data we process

Data type | Description | Retention
Conversations | Voice interactions between users and the avatar during an active session | Temporary — automatically deleted when the session ends or times out. Retained only to provide conversational context within the active session
Client data | Information about services, products, and configuration preferences provided by the client | For the duration of the contract
Website content | Information extracted from the client's website to enrich the avatar's knowledge | For the duration of the contract
Contact requests | Information submitted through the contact form (name, email, company, phone, message) | Encrypted at rest with AES-256-GCM. Retained for the purpose of responding to inquiries

How we protect data

  • Encryption in transit: All communications use HTTPS/TLS protocol
  • Encryption at rest: Stored data is encrypted on our servers using AES-256-GCM
  • Restricted access: Only authorized personnel can access the systems
  • EU servers: All infrastructure is located in the European Union

What we do NOT do with data

  • We do not train models: Conversation data is NOT used to train or improve artificial intelligence models
  • We do not share with third parties: Data is NOT sold, transferred, or shared with third parties, except when strictly necessary for service provision or by legal obligation
  • We do not create commercial profiles: We do not use data for advertising or targeted marketing
  • We do not store conversations: Voice interactions are processed in real time and are not persisted beyond the active session

3. SHARED RESPONSIBILITY

BuddyBeam's Responsibilities (BuddyBeam S.L.)

  • Develop and maintain the technology securely and responsibly
  • Implement technical and organizational security measures
  • Comply with data protection regulations as data processor
  • Provide management and control tools to the client
  • Notify security incidents as established in the contract

Client's Responsibilities

  • Act as data controller for their website visitors' data
  • Inform website visitors about the use of AI technology on their site
  • Obtain necessary consents when applicable
  • Provide truthful and updated information about their services
  • Define the limits and scope of the avatar's service

4. SERVICE LIMITATIONS

What BuddyBeam Avatars is NOT

Our AI avatar is designed to assist, inform, and enhance website interactions. In no case does it constitute or replace:

  • Medical, health, or emergency services
  • Therapeutic or psychological care
  • Legal or financial advice
  • Health or security monitoring systems
  • Human staff for critical situations

Nature of AI

  • The service uses generative artificial intelligence
  • Responses are generated in real time and may contain inaccuracies
  • The system is designed to redirect to human support when it detects situations beyond its scope

5. OVERSIGHT AND CONTROL

Human oversight

  • Clients can configure, limit, and deactivate the avatar at any time from their dashboard
  • Escalation protocols exist for situations requiring human attention
  • The administration dashboard allows configuring the service and reviewing usage metrics

Content moderation

  • We implement filters to prevent inappropriate or harmful content
  • The system is designed to reject requests that violate our usage policies
  • We actively monitor to detect and prevent misuse

6. REGULATORY COMPLIANCE

EU Artificial Intelligence Act

BuddyBeam Avatars is designed to comply with EU Regulation 2024/1689 (AI Act). Our service, when used as intended, does not constitute a high-risk AI system. We implement transparency obligations including clear disclosure that users are interacting with an AI system.

GDPR and LOPDGDD

We comply with:

  • Regulation (EU) 2016/679 (GDPR)
  • Organic Law 3/2018 on Data Protection (LOPDGDD)
  • Privacy by design and by default principles

7. CONTINUOUS IMPROVEMENT

We commit to:

  • Periodically review and update our governance policies
  • Stay current with regulatory advances in AI matters
  • Incorporate industry best practices
  • Listen to client and user feedback to improve our processes

8. CONTACT

For AI governance inquiries:

BUDDYBEAM, S.L.
Email: dpo@buddybeam.app
Address: Carrer del Pare Palau, N.º 5, Izquierda, Entresuelo 3, 43001 – Tarragona, Spain