Privacy Policy
Wisell SL (in formation)
1. Identity of the Data Controller
In compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR), we inform you that your data will be processed by:
| Company name | Wisell SL (in formation) |
| Tax ID (CIF) | [PENDING — registration in progress] |
| Registered address | Calle de Fúcar, 18, 3C, Madrid, 28014, Spain |
| Contact email | privacidad@wisell.ai |
| Website | https://wisell.ai |
Wisell SL is not required to appoint a Data Protection Officer (DPO) under Article 37 of the GDPR. For any questions regarding the processing of your personal data, please contact us directly at privacidad@wisell.ai.
2. Dual Role: Controller and Processor
Wisell operates in two distinct roles depending on the type of data processed:
a) As Data Controller: Wisell determines the purposes and means of processing personal data of business clients (hereinafter "Merchants") who subscribe to the Wisell platform, including contact details, billing information and account configuration.
b) As Data Processor: Wisell acts exclusively on the instructions of the Merchants who have contracted its services, processing personal data of those Merchants' end customers (consumers who interact with the AI assistant integrated into online stores). In this case, the Merchant is the Data Controller for their end customers' data, and Wisell acts as their technology provider. This relationship is formalised through the Data Processing Agreement (DPA) available at wisell.ai/dpa.
3. Data We Process and Purposes
3.1 Merchant Data (Wisell as Controller)
When a business registers with Wisell and subscribes to the service, we process the following data:
| Data category | Purpose | Legal basis |
|---|---|---|
| Registration data: name, email address, password (hash) | Account creation and management | Contract performance (Art. 6.1.b GDPR) |
| Business data: trading name, address, tax ID, e-commerce platform | Service provision and assistant configuration | Contract performance (Art. 6.1.b GDPR) |
| Billing data: payment method, billing address | Monthly service billing | Contract performance + Legal obligation (Art. 6.1.b and 6.1.c GDPR) |
| Usage data: assistant configuration, portal activity logs | Technical support, service improvement and error detection | Legitimate interests (Art. 6.1.f GDPR) — see section 4 |
| Communications with the Wisell team: emails, support messages | Customer support and commercial follow-up | Contract performance (Art. 6.1.b GDPR) |
| Marketing communications: updates, product news | Sending commercial communications | Consent (Art. 6.1.a GDPR) — may be withdrawn at any time |
3.2 Merchants' End Customer Data (Wisell as Processor)
When consumers interact with the AI assistant integrated into Merchants' online stores, Wisell processes this data solely and exclusively on the instruction of the corresponding Merchant:
| Data category | Example use |
|---|---|
| Identification data: first name, last name | Personalisation of the conversation and order process |
| Contact data: email address, phone number | Order confirmation, shipment tracking |
| Shipping data: full postal address | Order management and shipping calculation |
| Identity document (NIF/NIE, Spanish market only when required) | Invoice issuance if requested by the customer |
| Conversation history: messages exchanged with the assistant | Conversation continuity and quality analysis |
| Session data: products viewed, shopping cart | Recommendations and cart recovery |
Important note for end consumers: If you are a consumer who has interacted with an AI assistant on an online store, that store (Merchant) is the Data Controller for your personal data. To exercise your rights of access, rectification, erasure or others, please contact the store directly. Wisell processes that data solely as the Merchant's technology provider.
Merchants using the Wisell platform are contractually required to inform their end customers about the use of third-party AI technology (Wisell) in managing their conversations, either in their own Privacy Policy or via a notice at the point of data collection. Wisell provides Merchants with guidance documentation and template texts to facilitate this.
4. Legal Basis for Processing
| Purpose | Legal basis | GDPR article |
|---|---|---|
| Performance of the service contract with Merchants | Contract performance | Art. 6.1.b |
| Management of tax and accounting obligations | Legal obligation | Art. 6.1.c |
| Platform improvement and security, fraud prevention, technical support | Legitimate interests: ensuring operational stability, platform security and detection of fraudulent use; data is processed to the minimum extent necessary and does not override the rights of data subjects | Art. 6.1.f |
| Sending commercial communications to Merchants | Consent | Art. 6.1.a |
| Use of analytical and preference cookies | Consent | Art. 6.1.a |
| Processing of end customers' data (as Processor) | Controller's (Merchant's) instruction | Art. 28 GDPR |
Where processing is based on consent, you have the right to withdraw it at any time without affecting the lawfulness of processing carried out prior to withdrawal.
5. Data Retention
We retain your data only for as long as necessary to fulfil the purposes for which it was collected, and in any case complying with the applicable minimum legal retention periods:
| Data type | Retention period | Criterion |
|---|---|---|
| Merchant account data | Duration of contract + 5 years | Accounting obligation and contractual limitation period |
| Billing data | 6 years from invoice date | Commercial and tax obligations |
| End customer conversations | 12 months from the conversation | Service management and complaints resolution |
| Technical system activity logs | 6 months | Security, fraud detection and technical support |
| Security audit records | 5 years | Legal compliance, accountability (Art. 5.2 GDPR) and legal defence |
| GDPR consent records | 3 years from consent | Proof of lawfulness of processing (Art. 7.1 GDPR) |
| Payment data (card data) | Not stored | Payment data is processed directly by Stripe and does not remain in Wisell's systems |
Upon expiry of the indicated periods, data will be deleted or irreversibly anonymised.
6. Artificial Intelligence: Processing, Training and Limitations
6.1 Use of artificial intelligence
Wisell's service uses large language models to generate automatic responses on behalf of Merchants. These models are provided by third parties (see section 7).
6.2 Model training
Wisell does not use Merchants' data or Merchants' end customers' data to train its own artificial intelligence models.
The AI providers used by Wisell (Anthropic PBC and OpenAI LLC) deliver the service under enterprise API terms which, according to the information and contractual commitments provided by those providers from time to time, establish that data processed through the API is not used to train their models in production.
6.3 Automatic recommendations and profiling
The AI assistant generates personalised product recommendations based on products viewed, conversation history and preferences expressed by the user during the session, with the purpose of improving the shopping experience and facilitating the discovery of relevant products. This process constitutes profiling within the meaning of Article 4.4 of the GDPR, but does not produce significant legal effects or binding automated decisions within the meaning of Article 22 of the GDPR. Recommendations are purely advisory and do not materially affect any right of the data subject.
6.4 Accuracy of AI-generated responses
Responses generated by artificial intelligence systems may contain errors or inaccuracies. Users should verify information that is relevant to commercial or contractual decisions. Wisell does not guarantee the absolute accuracy of the assistant's responses.
7. Recipients and Data Processors
7.1 Data Processors (Sub-processors)
The full and updated list is available at wisell.ai/subprocessors.
| Provider | Function | Data location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure, main database | European Union (eu-south-2, Spain) |
| Supabase Inc. | Authentication management and file storage | European Union (Ireland) |
| Anthropic PBC | AI engine (Claude) — enterprise API | United States |
| OpenAI LLC | AI engine (GPT-4.1) — enterprise API | United States |
| Mistral AI SAS | AI engine (fallback) | France (European Union) |
| Resend Inc. | Transactional email delivery | United States |
| Stripe Inc. | Payment processing | United States / European Union |
| Meta Platforms Ireland Ltd. | WhatsApp Business API (messaging channel) | European Union / United States |
7.2 International Data Transfers
| Provider | Destination | Transfer mechanism (GDPR Chapter V) |
|---|---|---|
| Amazon Web Services | Spain (EU) | No transfer — data in the EU |
| Supabase Inc. | Ireland (EU) | No transfer — data in the EU |
| Anthropic PBC | United States | Standard Contractual Clauses (SCC) |
| OpenAI LLC | United States | Standard Contractual Clauses (SCC) |
| Resend Inc. | United States | Standard Contractual Clauses (SCC) |
| Stripe Inc. | United States / EU | Standard Contractual Clauses (SCC) |
| Meta Platforms Ireland | Ireland (EU) / USA | Standard Contractual Clauses (SCC) |
| Mistral AI SAS | France (EU) | No international transfer — EU company |
You may request additional information about the specific safeguards applied by emailing privacidad@wisell.ai.
8. Your Rights
Under Articles 15 to 22 of the GDPR, you have the right to:
- Access (Art. 15 GDPR): Know whether Wisell processes your data and obtain a copy.
- Rectification (Art. 16 GDPR): Request correction of inaccurate or incomplete data.
- Erasure ("right to be forgotten") (Art. 17 GDPR): Request deletion of your data when it is no longer necessary for the purpose for which it was collected.
- Restriction of processing (Art. 18 GDPR): Request that processing be restricted to certain purposes.
- Data portability (Art. 20 GDPR): Receive your data in a structured, commonly used and machine-readable format.
- Objection (Art. 21 GDPR): Object to the processing of your data, including profiling for direct marketing purposes.
- Not to be subject to solely automated decisions with significant effects (Art. 22 GDPR): At the date of this policy, Wisell does not make decisions with legal effects based solely on automated processing.
How to exercise your rights: Send a written request to privacidad@wisell.ai stating your full name and the right you wish to exercise. Wisell will respond within a maximum of one month.
9. Security Measures
Wisell applies appropriate technical and organisational measures in accordance with Article 32 of the GDPR, including: TLS 1.2+ encryption in transit and at rest, role-based access control with the principle of least privilege, infrastructure hosted in AWS EU (Spain), and audit logging.
In the event of a notifiable personal data breach under Article 33 of the GDPR, Wisell will notify the Spanish Data Protection Authority (AEPD) within the legally prescribed timeframe and, where applicable, notify affected individuals in accordance with Article 34 of the GDPR.
10. Data Processing Agreement (DPA)
If you are a Merchant using Wisell, the full Data Processing Agreement (DPA) pursuant to Article 28 GDPR is available at wisell.ai/dpa.
11. Cookie Policy
For detailed information about cookies, see our Cookie Policy at wisell.ai/en/cookies.
| Category | Necessary | Require consent |
|---|---|---|
| Strictly necessary cookies | Yes | No |
| Analytics cookies | No | Yes |
| Preference cookies | No | Yes |
| Marketing cookies | Not currently applicable | — |
12. Minors
Wisell's services are directed exclusively at businesses and professionals (B2B) and are not intended for anyone under 18 years of age.
13. Changes to this Policy
Changes will be published at wisell.ai/en/privacy. For material changes, registered Merchants will be notified by email at least 30 days in advance.
14. Complaints and Redress
a) Spanish Data Protection Authority (AEPD): www.aepd.es — C/ Jorge Juan, 6, 28001 Madrid — Tel. +34 901 100 099
b) Judicial action before the competent courts.
We encourage you to contact Wisell at privacidad@wisell.ai first to resolve any issues directly.
*Wisell SL (in formation) — Tax ID [PENDING] — Calle de Fúcar, 18, 3C, 28014 Madrid, Spain — privacidad@wisell.ai*