← Back to Recepte

GDPR Compliance

Last updated: 23 March 2026

Recepte is built with privacy by design. Here's exactly how we handle data under GDPR.

Our Role

Scenario	Recepte's Role
Processing your business data	Data Controller
Processing your clients' data on your behalf	Data Processor

Legal Basis for Processing

Data Type	Legal Basis
Business owner account data	Contract performance (Art. 6(1)(b))
Client call/WhatsApp data	Legitimate interest (Art. 6(1)(f))
Marketing to your clients	Your instruction as data controller
Analytics & cookies	Legitimate interest (Art. 6(1)(f))

Data Location

All personal data is stored in the EU.

• Primary: Google Cloud — europe-west1 (Belgium)
• Firebase Firestore — europe-west1
• Backups: Google Cloud Storage — EU multi-region

No personal data is transferred to the US or any non-EEA country without Standard Contractual Clauses (SCCs) in place.

Sub-Processors

Service	Purpose	Location	DPA
Google Cloud / Firebase	Storage, compute	EU	Yes
Anthropic (Claude)	AI language model	US (SCCs)	Yes
Meta / WhatsApp	Messaging	EU/US (SCCs)	Yes
Stripe	Payments	EU	Yes
Deepgram	Speech-to-text	US (SCCs)	Yes
Cartesia	Text-to-speech	US (SCCs)	Yes
Cloudflare	CDN, hosting	EU edge	Yes

Data Subject Rights

We support all GDPR rights. Response time: within 30 days.

• Right of Access — We provide a full data export in JSON format
• Right to Rectification — Correct any data via WhatsApp or email
• Right to Erasure — Full deletion within 72 hours of request
• Right to Data Portability — Export all data in machine-readable format
• Right to Object — Opt out of any processing at any time
• Right to Restrict Processing — Pause all processing while we investigate

Data Breach Notification

In the event of a personal data breach:

• We notify the relevant supervisory authority within 72 hours
• We notify affected data subjects without undue delay if there is high risk
• We document all breaches in our internal breach register

Data Protection Officer

For any GDPR-related queries:

Email: [email protected]

Your Obligations as a Business Owner

As the data controller for your clients' data, you should:

• Inform clients that an AI handles calls (add a notice to your website/voicemail)
• Have a privacy policy covering your use of Recepte
• Forward any client data requests to us if they relate to Recepte
• Ensure marketing messages comply with your local regulations

Data Processing Agreement

A DPA is included in our Terms of Service and applies automatically to all accounts. For a standalone DPA, email [email protected].