Privacy Policy — Showroom Voice Addendum
Version 1.0 — Draft, [Effective Date]
This addendum supplements the showroom.fm Privacy Policy (the "Main Policy") with respect to the WhatsApp-based service operated under the brand "Showroom Voice", accessible at voice.showroom.fm and via our WhatsApp Business number (provided to you during onboarding). It applies in addition to, and not in place of, the Main Policy. Where the Main Policy and this addendum address the same topic, this addendum is more specific and prevails for the Voice service.
1. Controller
The controller is the same as in the Main Policy:
Innsides Interiors UG (haftungsbeschränkt) Lübecker Straße 26 10559 Berlin, Germany Phone: +49 (0)30 22908290 Email: showroom@showroom.fm
2. Scope of This Addendum
This addendum applies to data processing activities specifically connected with Showroom Voice:
- The onboarding form at
voice.showroom.fm - Messages, voice notes, photos, and videos sent to or received from our WhatsApp Business number
- Service profile, team, and project content collected through guided WhatsApp interviews
- Email verification triggered by Voice onboarding
It does not change any processing described in the Main Policy.
3. Data Processed via Voice
When you use Showroom Voice, we may process the following categories of personal data:
a) Onboarding data — your name, professional role, language preference, business email, the company and showroom you select or register, and your acceptance of these terms.
b) WhatsApp identifier data — your WhatsApp phone number, received from Meta when you message our number. We store the phone number as a salted SHA-256 hash; only the last 4 digits are kept in plain text for support purposes. We do not store the full plain-text phone number.
c) Voice notes (audio) — audio files you send via WhatsApp. Audio is sent to Mistral AI for transcription and is deleted immediately after transcription. We do not retain the audio file in any form. Only the resulting text transcript is kept.
d) Text messages, photos, and videos — the text content of messages you send and any media files attached. Photos and videos are stored together with the product they describe.
e) Extracted structured data — information our AI extracts from your voice notes and text messages (e.g. product name, brand, category, price, description, dimensions; for service-profile interviews: service categories, team member details, project details).
f) Service profile content — what you tell us about your services, team, and projects via the SERVICES, TEAM, PROJEKT, and PROJEKTLISTE WhatsApp commands.
g) Operational data — timestamps of messages, message identifiers from Meta, the language detected in each message, and an audit log of bot actions (commands sent, products added, products removed).
4. Purposes and Legal Bases
| Processing activity | Purpose | Legal basis |
|---|---|---|
| Onboarding (account creation, showroom assignment) | Performance of the use contract | Art. 6 (1) b GDPR |
| Receiving WhatsApp messages and replying via the bot | Performance of the use contract | Art. 6 (1) b GDPR |
| Transcribing voice notes via Mistral Voxtral | Performance of the use contract | Art. 6 (1) b GDPR |
| Extracting structured data via Mistral Medium 3 | Performance of the use contract | Art. 6 (1) b GDPR |
| Email verification of each user's email address | Performance of the use contract; legitimate interest in preventing fraudulent listings | Art. 6 (1) b and f GDPR |
| Storage of phone hash for matching incoming messages to your account | Performance of the use contract | Art. 6 (1) b GDPR |
| Audit log of bot actions | Legitimate interest in service integrity and abuse prevention | Art. 6 (1) f GDPR |
5. Processors
The following service providers process Voice data on our behalf under data processing agreements pursuant to Art. 28 GDPR. Where transfers to a third country are involved, they are protected by EU Standard Contractual Clauses (SCCs).
a) Meta Platforms Ireland Ltd., 4 Grand Canal Square, Dublin 2, Ireland — operates the WhatsApp Business Platform / Cloud API. Receives all messages you send to our WhatsApp number and delivers our replies. Privacy policy: https://www.whatsapp.com/legal/business-policy
b) Mistral AI SAS, 15 rue des Halles, 75001 Paris, France — provides Voxtral (speech-to-text) and Mistral Medium 3 (LLM extraction). Operates within the EU. Mistral's API terms specify that data processed through the API is not used to train models. Privacy policy: https://mistral.ai/privacy-policy
c) Hetzner Online GmbH, Industriestraße 25, 91710 Gunzenhausen, Germany — provides server hosting for the Voice bot and onboarding page. EU-based.
d) Supabase, Inc., 970 Toa Payoh North #07-04, Singapore 318992 — provides the PostgreSQL database where Voice records (companies, showrooms, users, products, services, projects) are stored. The project is hosted in Supabase's eu-central-1 (Frankfurt) region. [VERIFY: confirm region in Supabase dashboard before publishing] Where data transit reaches Supabase's non-EU infrastructure, it is protected by SCCs. Privacy policy: https://supabase.com/privacy
e) Resend, Inc., 2261 Market Street #5039, San Francisco, CA 94114, USA — sends the email verification message during onboarding. Transfers to the USA are protected by SCCs. Privacy policy: https://resend.com/legal/privacy-policy
f) Stripe Payments Europe Ltd. — see Main Policy. Used when a Voice dealer subscribes to a paid tier.
6. Retention
| Data | Retention |
|---|---|
| Audio voice notes | Deleted immediately after transcription |
| Transcripts and extracted product/service data | For the duration of the use contract; longer where retention is legally required (e.g. tax / commercial-law retention under HGB and AO) |
| Phone number hash and last 4 digits | For the duration of the use contract |
| Onboarding tokens | 24 hours; deleted after redemption or expiry |
| Email verification tokens | 48 hours; deleted after redemption or expiry |
| Bot audit log | 12 months |
| Voice and bot message log | 12 months for support and abuse prevention; can be deleted earlier on request |
On termination of the use contract, data is deleted within 30 days, except where we are legally required to retain it.
7. Automated Processing and Your Rights
Showroom Voice uses automated systems (Mistral Voxtral and Mistral Medium 3) to transcribe your voice notes and extract structured product, service, team, and project data. The output is shown to you in WhatsApp for confirmation before it is published. The automated processing supports your inventory entry — it does not produce a decision with legal or similarly significant effects on you within the meaning of Art. 22 GDPR.
You may at any time request human review of any extracted record by contacting showroom@showroom.fm. We will review and correct on request.
8. What We Do Not Do
To make our handling of voice and message data clearly bounded:
- We do not create biometric voiceprints or any other biometric profile from your audio.
- We do not sell or rent your data to anyone.
- We do not use your WhatsApp data for advertising or for purposes beyond operating Voice and the showroom.fm platform.
- We do not keep your voice recordings after transcription. The audio is deleted; only the transcript remains.
9. International Transfers
The majority of Voice processing happens within the EU (Mistral in France, Hetzner in Germany, Supabase EU region). Two international transfers exist:
- Meta processes WhatsApp message data partially outside the EU. EU Standard Contractual Clauses are in place. Meta operates the messaging channel itself; this transfer is unavoidable if you choose to use WhatsApp.
- Resend is operated from the USA. EU Standard Contractual Clauses are in place.
- Supabase has US infrastructure in addition to its EU regions. The Voice project is hosted in the EU; some operational telemetry may transit US systems. SCCs apply.
10. Your Rights
You have the rights set out in section 9 of the Main Policy (access, rectification, erasure, restriction, portability, objection). To exercise them with respect to Voice data, please contact showroom@showroom.fm.
You may at any time disconnect your WhatsApp number from the service by sending the command DISCONNECT to our bot, or by contacting us. Disconnection severs the link between your phone number and your account. Stored content (products, services, projects) remains until contract termination unless you specifically request its deletion.
11. Changes to This Addendum
We may update this addendum to reflect changes in our processing or in applicable law. Material changes will be communicated by email, and through the bot, at least four weeks before they take effect, in line with the change procedure in our Terms.
12. Contact and Right to Lodge a Complaint
For all questions about Voice data processing:
Innsides Interiors UG (haftungsbeschränkt) Lübecker Straße 26, 10559 Berlin, Germany showroom@showroom.fm
You also have the right to lodge a complaint with:
Berliner Beauftragte für Datenschutz und Informationsfreiheit Alt-Moabit 59–61, 10555 Berlin, Germany https://www.datenschutz-berlin.de/