Terms and Conditions
Last updated: March 23, 2026
1. General Information
These Terms and Conditions govern the use of the Rezervatio.AI platform, a SaaS (Software as a Service) solution that provides an artificial intelligence-powered voice assistant for managing telephone reservations and appointments.
The platform is operated by Rezervatio (hereinafter referred to as the "Company", "we" or "Rezervatio"), headquartered in Romania. Contact email: office@rezervatio.ai.
By creating an account or using our services, you accept these terms in their entirety.
2. Definitions
- Platform – the Rezervatio.AI web application, including the dashboard, the AI voice agent, and all associated functionalities.
- User – any natural or legal person who creates an account on the platform.
- End Customer – a person who calls the User's business and interacts with the AI agent.
- Subscription – the service plan chosen by the User (Starter, Professional or Business).
- AI Agent – the artificial intelligence-powered voice assistant that handles telephone calls.
3. Account Creation
To use Rezervatio.AI, you must:
- Be at least 18 years of age or have full legal capacity
- Provide accurate and complete information upon registration
- Maintain the confidentiality of your access credentials
- Immediately notify us of any unauthorized use of your account
You are responsible for all activities conducted under your account.
Minimum Age and Voice Service
The Rezervatio.AI platform is intended exclusively for professional users (B2B) aged at least 18. Regarding End Customers who interact with the AI voice agent (persons calling the restaurant/salon):
- The service is not intended for persons under 16 years of age pursuant to Art. 8 GDPR
- The User (business) is responsible for informing End Customers about data processing, including age restrictions
- Rezervatio does not intentionally collect data from minors. If we learn that we have processed data of a minor without parental consent, we will delete it without delay
4. Services Offered
Rezervatio.AI offers the following services:
- AI voice agent that answers your business phone calls
- Automated reservation management (creation, modification, cancellation)
- Reservation and configuration management dashboard
- Email notifications for new reservations and cancellations
- Usage reports and statistics
5. Plans and Payments
5.1 Available Plans
| Plan | Price | Features |
|---|---|---|
| Starter | €69/month (€55/month annually) | 24/7 AI voice agent, 250 min/month, unlimited zones, dashboard, calendar, email notifications |
| Professional | €119/month (€95/month annually) | Everything in Starter + 400 min/month, custom messages, statistics and export, multi-language, SMS, Google Calendar |
| Business | €199/month (€159/month annually) | Everything in Professional + 800 min/month, custom voice, WhatsApp bot, dedicated AI number, priority support |
5.2 Billing
- Billing is monthly, in advance
- Prices are displayed in EUR and do not include VAT where applicable
- Payments are processed through Stripe, a PCI DSS certified payment processor
- Unused minutes do not roll over to the following month
5.3 Trial Period
We offer a 14-day free trial period with no obligation to enter a credit card. At the end of the trial period, your account will be switched to the chosen plan or deactivated.
5.4 Overage Minutes
If you exceed the minutes included in your plan, additional minutes will be billed at a rate of €0.25/minute for all plans.
6. User Obligations
The User agrees to:
- Use the platform exclusively for lawful purposes in compliance with these terms
- Not abuse the service (fraudulent calls, spam, illegal content)
- Inform End Customers that the call is handled by an AI assistant, in accordance with applicable legislation
- Comply with GDPR legislation regarding End Customer data collected through the platform
- Not attempt unauthorized access to other accounts or platform systems
7. Disclaimer of Warranties
The Rezervatio.AI platform is provided "as is" and "as available", without any warranties, express or implied, including but not limited to implied warranties of merchantability, fitness for a particular purpose, or non-infringement.
Specifically, Rezervatio does not guarantee:
- That the AI agent will correctly understand and process 100% of phone requests
- Uninterrupted service availability
- Compatibility with all telephone systems or telecommunications operators
- That results or data provided will always be complete or accurate
The User acknowledges that artificial intelligence technology has inherent limitations and that it is the User's responsibility to verify reservations and data processed through the platform.
8. Limitation of Liability
Rezervatio is not liable for:
- Direct or indirect financial losses resulting from AI agent errors in understanding or processing requests
- Lost reservations due to temporary service unavailability, telecommunications networks, or third-party providers
- The content of conversations between the AI agent and End Customers
- Improper use of the platform by the User or their organization members
- Damages caused by force majeure
In any event, Rezervatio's total liability to the User shall not exceed the amount paid by the User in the 3 (three) months preceding the event giving rise to the claim. This limitation does not apply to: (a) intentional breach of confidentiality obligations, (b) intellectual property infringement, or (c) legal obligations that cannot be limited under applicable law.
SLA (Service Level Agreement)
Uptime definition: The percentage of time during which the platform's essential services (authentication, dashboard, voice agent API, call processing) are operational and accessible. Excludes planned maintenance (announced at least 24 hours in advance, scheduled between 02:00–06:00 EET).
Target: 99.5% monthly uptime.
Credits for non-compliance:
- Uptime between 99.0% and 99.5% – credit of 5% of the monthly subscription
- Uptime between 95.0% and 99.0% – credit of 15% of the monthly subscription
- Uptime below 95.0% – credit of 30% of the monthly subscription
Credits are applied to the next invoice and may not exceed 30% of the monthly subscription. Credit requests must be submitted within 15 days of the end of the affected month to office@rezervatio.ai.
9. Indemnification
The User agrees to indemnify, defend, and hold harmless Rezervatio, its employees, directors, and partners from any claims, damages, losses, and costs (including reasonable attorney fees) arising from or related to:
- Use of the platform in violation of these Terms
- The User's violation of any applicable law or regulation, including GDPR
- Content of custom messages, promotions, or instructions configured by the User in the AI agent
- Claims by third parties (including End Customers) resulting from the User's activities through the platform
This indemnification obligation survives termination of the contract.
10. Intellectual Property
All intellectual property rights in the platform, code, design, brand, and technology belong exclusively to Rezervatio.AI. Users are not permitted to copy, modify, distribute, or reverse engineer any component of the platform.
11. Suspension and Termination
- You may cancel your subscription at any time from the dashboard. Cancellation takes effect at the end of the current billing period.
- We reserve the right to suspend or terminate accounts that violate these terms, without prior notice.
- Upon termination, your data will be deleted in accordance with our data retention policy (30 days).
12. Amendments to the Terms
We reserve the right to modify these terms. Significant changes will be communicated by email at least 30 days before taking effect. Continued use of the service after this period constitutes acceptance of the new terms.
13. Custom Content and AI Agent Instructions
The User is solely responsible for the content of special instructions, welcome messages, promotional messages, and any other customizations provided to the AI agent.
Rezervatio does not verify, approve, or assume responsibility for content provided by the User. The User warrants that all instructions and custom messages:
- a) Comply with the General Data Protection Regulation (GDPR) and applicable legislation;
- b) Do not contain requests to collect sensitive data (medical data, ethnic origin, political or religious beliefs, sexual orientation, biometric or genetic data);
- c) Do not infringe on third-party rights and do not contain discriminatory, defamatory, or illegal content;
- d) Do not instruct the AI agent to provide false or misleading information.
Rezervatio reserves the right to disable instructions that violate these conditions, without prior notice. The AI agent is programmed to automatically ignore instructions that contravene applicable legislation.
The User agrees to indemnify Rezervatio for any damages resulting from non-compliance with these conditions.
14. Entire Agreement
These Terms, together with the Privacy Policy, Cookie Policy, and Data Processing Agreement (DPA), constitute the entire agreement between the User and Rezervatio regarding the use of the platform. These documents supersede any prior understandings, promises, negotiations, or communications, written or verbal, relating to the subject matter of these Terms.
Clauses relating to intellectual property, indemnification, limitation of liability, and confidentiality survive termination of the contract.
15. Severability
If any provision of these Terms is declared void or unenforceable by a competent court, the remaining provisions shall remain in full force and effect. The affected provision shall be replaced by a valid provision that most closely reflects the original intent of the parties.
16. Governing Law
These terms are governed by the laws of Romania. Any disputes shall be resolved by the competent courts of Romania.
17. Contact
For questions about these terms:
Privacy Policy
Last updated: March 23, 2026
This policy describes how Rezervatio.AI collects, uses, stores, and protects your personal data, in accordance with the General Data Protection Regulation (GDPR – EU Regulation 2016/679).
1. Data Controller
Contact email: office@rezervatio.ai
Website: www.rezervatio.ai
2. What Data We Collect
2.1 User Data (business owners)
| Category | Data | Purpose |
|---|---|---|
| Account | First name, last name, email, password (encrypted) | Authentication and communication |
| Business | Name, address, phone, email, business domain | AI agent configuration |
| Configuration | Schedule, zones, tables, agent preferences | Service operation |
| Billing | Billing data (processed by Stripe) | Payments and invoicing |
2.2 End Customer Data (callers)
| Category | Data | Purpose |
|---|---|---|
| Reservation | Name, phone, email (optional) | Creating and managing the reservation |
| Preferences | Allergies, special occasions, number of guests | Personalizing the experience |
| Voice call | Voice processed in real-time (not stored as audio), conversation transcript | Processing the reservation request, service improvement |
| Call metadata | Caller phone number, duration, date/time | Billing, statistics, support |
3. Legal Basis for Processing
- Performance of a contract (Art. 6(1)(b) GDPR) – for providing services to Users
- Legitimate interest (Art. 6(1)(f) GDPR) – for service improvement and fraud prevention
- Consent (Art. 6(1)(a) GDPR) – for marketing communications (optional)
- Legal obligation (Art. 6(1)(c) GDPR) – for tax and accounting compliance
4. How We Use the Data
- Providing and improving the AI reservation service
- Essential communications related to your account and the service
- Technical support and issue resolution
- Aggregated analysis for platform improvement (without personally identifiable data)
- Legal and tax compliance
5. Data Sharing
We do not sell or rent your data. We share data only with:
| Provider | Purpose | Location |
|---|---|---|
| Hetzner | Server hosting | Germany (EU) |
| Cloudflare | CDN, security, tunnel | EU/Global |
| ElevenLabs | AI voice processing | EU/USA |
| Stripe | Payment processing | EU |
| Brevo (Sendinblue) | Transactional emails | EU |
All providers are GDPR compliant or have standard contractual clauses (SCCs) for international transfers.
6. Data Retention
| Data Type | Retention Period |
|---|---|
| User account | As long as the account is active + 30 days after deletion |
| Reservations | 12 months from the reservation date |
| Conversation summaries | 30 days (on our servers). Full transcripts + audio stored by ElevenLabs: 30 days. |
| Billing data | 10 years (legal obligation) |
| Technical logs | 30 days |
7. Your Rights (GDPR)
You have the following rights under the GDPR:
- Right of access – you may request a copy of your data
- Right to rectification – you may correct inaccurate data
- Right to erasure ("right to be forgotten") – you may request the deletion of your data
- Right to data portability – you may receive your data in a structured format (JSON/CSV)
- Right to restriction of processing – you may limit how we process your data
- Right to object – you may object to the processing of your data in certain situations
- Right to withdraw consent – at any time, without affecting the lawfulness of prior processing
To exercise any of these rights, contact: privacy@rezervatio.ai
We will respond within a maximum of 30 days of receiving your request.
8. Data Security
We implement technical and organizational measures to protect your data:
- Encryption in transit (TLS/HTTPS) on all connections
- Password encryption with modern algorithms (bcrypt)
- Role-based access (RLS – Row Level Security) at the database level
- Firewall and DDoS protection via Cloudflare
- Encrypted daily backups
- Servers located in the European Union (Hetzner, Germany)
- Two-factor authentication available
9. Security Incidents (Art. 33-34 GDPR)
In the event of a personal data security breach:
- We will notify the National Supervisory Authority (ANSPDCP) within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals' rights
- We will inform affected Users (in our capacity as data processor) without undue delay and within a maximum of 48 hours of becoming aware of the breach, providing: the nature of the incident, the categories of data affected, the measures taken, and recommendations for the User, so they can notify their End Customers in accordance with Art. 34 GDPR
- If the breach is likely to result in a high risk to individuals' rights, we will directly inform the affected data subjects
- We will document each incident, the measures taken, and the outcomes in our internal incident register
10. Contact
General contact: office@rezervatio.ai
Supervisory authority: Autoritatea Nationala de Supraveghere a Prelucrarii Datelor cu Caracter Personal (ANSPDCP)
ANSPDCP website: www.dataprotection.ro
Cookie Policy
Last updated: March 23, 2026
1. What Are Cookies?
Cookies are small text files stored on your device by your browser. They allow websites to retain information between visits.
2. What We Use
Rezervatio.AI uses exclusively browser local storage (localStorage), not traditional HTTP cookies. This means that:
- We do not send cookies via HTTP headers
- Data remains only on your device
- We do not use tracking or advertising cookies
- We do not use analytics services (Google Analytics, Facebook Pixel, etc.)
3. What We Store in localStorage
| Key | Purpose | Type | Duration |
|---|---|---|---|
| rz-theme | Theme preference (light/dark) | Essential | Permanent |
| rz-cookies | Your cookie consent | Essential | Permanent |
| rz-active-org | Active organization selected in dashboard | Functional | Permanent |
| rz-dash-grid-swap | Dashboard layout preference (panel order) | Functional | Permanent |
| rz_onboarding_draft | Restaurant configuration draft (autosave) | Functional | Until completion |
| rz_onboarding_salon_draft | Salon configuration draft (autosave) | Functional | Until completion |
| sb-*-auth-token | Supabase authentication token (JWT) | Essential | Session (1 hour, auto-refreshed) |
4. Third-Party Services
The following external services may set their own cookies:
| Service | Purpose | Privacy Policy |
|---|---|---|
| Cloudflare | Security, CDN and DDoS protection (may set __cf_bm cookie) | cloudflare.com/privacypolicy |
| Stripe | Payment processing – only on the payment page (may set own cookies) | stripe.com/privacy |
5. How You Can Control Cookies
- Via our banner: On your first visit, you can choose "Accept" or "Essential only"
- Via your browser: You can delete localStorage from your browser settings (Developer Tools > Application > Local Storage)
- Full deactivation: You can disable JavaScript in your browser, but the site will not function correctly
6. Contact
For questions about cookies: office@rezervatio.ai
GDPR Compliance
Last updated: March 23, 2026
1. Our Commitment
Rezervatio.AI fully complies with the General Data Protection Regulation (GDPR – EU Regulation 2016/679). Protecting the personal data of our users and their end customers is a fundamental priority.
2. GDPR Roles
| Role | Entity | Explanation |
|---|---|---|
| Data controller | The business (User) | Determines what data is collected from its customers |
| Data processor | Rezervatio.AI | Processes data on behalf of the User |
| Sub-processor | ElevenLabs (AI voice), Telnyx (telephony), Hetzner (cloud hosting), Cloudflare (CDN/security), Brevo (transactional email), Stripe (payments) | Third-party services used by the platform, with DPA/SCC in place |
3. Data Processing Agreement (DPA)
By using Rezervatio.AI, the User and Rezervatio automatically enter into a Data Processing Agreement in accordance with Art. 28 GDPR. The full text of the DPA is available in the "DPA" section of this page.
The agreement covers:
- The subject matter and duration of processing
- The nature and purpose of processing
- The types of personal data processed
- The categories of data subjects
- Obligations and rights of the controller and processor
- Technical and organizational security measures
- Incident notification procedure
- Authorized sub-processor list
- Data return and deletion
- Audit rights
For a customized bilateral DPA: privacy@rezervatio.ai
4. Technical and Organizational Measures (Art. 32 GDPR)
- Servers in the European Union – Hetzner, Germany; PostgreSQL database with encryption
- End-to-end encryption – TLS 1.3 for all data transfers; mandatory HTTPS
- Multi-tenant isolation – Row Level Security (RLS) at the database level; each organization can only see its own data
- Encrypted passwords – bcrypt with adequate cost factor; no plaintext passwords stored
- Secure authentication – JWT with PKCE flow; short-lived tokens (1 hour)
- Perimeter protection – Cloudflare WAF + DDoS protection; Cloudflare Tunnel (no public ports); fail2ban; SSH with Ed25519 keys only
- Daily backups – automated pg_dump at 02:00, encrypted, 7-day retention
- Data minimization – no audio or full transcripts stored on our servers; only text summaries stored (deleted after 30 days); audio and transcripts temporarily stored by ElevenLabs (30 days, automatic deletion); logs deleted after 30 days
- Restricted access – principle of least privilege; Docker ports bound to localhost only
- Audit and monitoring – logging of sensitive actions; service monitoring
5. Data Subject Rights (Art. 15-22 GDPR)
We fully respect the rights granted by GDPR:
- Right of access (Art. 15) – request a copy of all stored personal data
- Right to rectification (Art. 16) – correct inaccurate data
- Right to erasure (Art. 17) – request the deletion of data ("right to be forgotten")
- Right to data portability (Art. 20) – receive data in structured format (JSON/CSV)
- Right to restriction of processing (Art. 18) – limit how data is processed
- Right to object (Art. 21) – object to processing in certain situations
- Right to withdraw consent – at any time, without affecting the lawfulness of prior processing
How to Exercise Your Rights
- Users: Directly from the dashboard (export data, delete account) or by emailing privacy@rezervatio.ai
- End Customers: By contacting the business (the controller) or, subsidiarily, at privacy@rezervatio.ai
- Response time: Maximum 30 calendar days, extendable by 60 days in complex cases
6. Data Protection Impact Assessment (DPIA)
Given that Rezervatio processes voice data through AI, we have conducted a Data Protection Impact Assessment (DPIA) in accordance with Art. 35 GDPR, covering:
- Real-time voice processing by the AI agent
- Large-scale processing of End Customer contact data (name, phone number)
- Use of sub-processors outside the EEA
The DPIA conclusions confirm that residual risks are adequately mitigated by the measures implemented. The DPIA is available upon request to authorized Users.
7. EU AI Act Compliance (Regulation EU 2024/1689)
The Rezervatio.AI voice agent is classified as a limited-risk AI system under the AI Act. We comply with the transparency obligation (Art. 50) by:
- Clearly informing End Customers at the beginning of each call that they are interacting with an AI system
- Technical documentation of the agent's functionalities
- Ensuring human oversight – the User can intervene at any time and manually manage reservations from the dashboard
8. International Transfers
Data is stored predominantly in the EU (Hetzner, Germany). For transfers to the USA, we rely on:
- Adequacy decision for the EU-US Data Privacy Framework (Commission Decision (EU) 2023/1795 of 10.07.2023)
- Standard Contractual Clauses (SCCs) approved under Commission Decision (EU) 2021/914, as a fallback mechanism
- Supplementary measures: encryption in transit and at rest, data minimization, transfer impact assessments
9. Data Protection Officer
General contact: office@rezervatio.ai
Supervisory authority: Autoritatea Nationala de Supraveghere a Prelucrarii Datelor cu Caracter Personal (ANSPDCP)
ANSPDCP address: B-dul G-ral. Gheorghe Magheru nr. 28-30, Sector 1, Bucharest
ANSPDCP website: www.dataprotection.ro
10. Updates
This page will be updated periodically. The date of the last update is displayed at the top of the document. Significant changes will be communicated by email to registered Users.
Data Processing Agreement (DPA)
Last updated: April 2, 2026 | In accordance with Art. 28 GDPR (Regulation EU 2016/679)
This Data Processing Agreement ("DPA" or "Agreement") is entered into between:
Data Processor ("Processor"): Rezervatio SRL, a Romanian legal entity, operator of the Rezervatio.AI platform, registered in Romania, email: privacy@rezervatio.ai.
This DPA forms an integral part of the Terms and Conditions of Use of the Rezervatio.AI platform and takes effect on the date the Controller creates an account.
1. Definitions
Terms used in this DPA have the meanings conferred by Art. 4 GDPR:
- "Personal data" – any information relating to an identified or identifiable natural person ("data subject")
- "Processing" – any operation performed on personal data (collection, storage, use, transmission, deletion, etc.)
- "Controller" – the entity that determines the purposes and means of personal data processing
- "Processor" – the entity that processes personal data on behalf of the Controller
- "Sub-processor" – any third party engaged by the Processor to carry out processing activities on behalf of the Controller
- "Personal data breach" – a breach of security leading to the destruction, loss, alteration, unauthorized disclosure of, or access to personal data
- "Data protection legislation" – GDPR (Regulation EU 2016/679), Romanian Law no. 190/2018, and any other applicable legislation
2. Subject Matter and Duration of Processing
2.1 Subject Matter
The Processor processes personal data on behalf of the Controller for the purpose of providing the Rezervatio.AI platform services, in accordance with the Terms and Conditions of Use.
2.2 Duration
Processing begins on the date the Controller creates an account and continues throughout the use of the services. Upon termination of the contract, the Processor shall delete or return data in accordance with Section 11 of this Agreement.
3. Nature and Purpose of Processing
| Processing Activity | Purpose |
|---|---|
| Receiving and processing phone calls through the AI voice agent | Automated management of reservations and appointments |
| Voice recognition (Speech-to-Text) and voice response generation (Text-to-Speech) | Voice interaction with the Controller's End Customers |
| Storing and managing reservation data | Reservation records, modifications, cancellations, confirmations |
| Sending notifications via email and SMS | Confirmations, cancellations, modifications to End Customers |
| Generating reports and statistics | Dashboard with aggregated data for the Controller |
| Storing call transcripts | Technical support, debugging, service quality improvement |
4. Categories of Personal Data Processed
| Category | Specific Data | Source |
|---|---|---|
| Identification data | First name, last name | Verbal communication (call) |
| Contact data | Phone number (caller ID), email address (optional) | Telephony system + verbal communication |
| Reservation data | Date, time, number of guests, preferred zone, special requirements | Verbal communication (call) |
| Health data (sensitive) | Food allergies (only if voluntarily communicated by the Customer) | Verbal communication (call) |
| Voice data | Real-time voice (streaming, non-permanent), text transcript | Phone call |
| Call metadata | Call duration, date/time, session ID, caller number, called number | Telephony system |
5. Categories of Data Subjects
- End Customers – natural persons who contact the Controller's business by phone and interact with the AI voice agent
- Persons whose reservations are created manually – if the Controller manually enters reservations into the platform
6. Processor Obligations
6.1 Documented Instructions
- Process personal data only in accordance with the Controller's documented instructions, including with regard to transfers to third countries (unless required by EU or national law)
- Immediately inform the Controller if, in its opinion, an instruction infringes GDPR or applicable national legislation
6.2 Confidentiality
- Ensure that persons authorized to process data have committed to confidentiality or are subject to an adequate statutory obligation of confidentiality
6.3 Security (Art. 32 GDPR)
Implement appropriate technical and organizational measures, including:
- Encryption of personal data in transit (TLS 1.3) and at rest
- Ability to ensure the ongoing confidentiality, integrity, availability, and resilience of systems
- Ability to restore the availability and access to personal data in a timely manner in the event of an incident (daily backups, 7-day retention)
- A process for regularly testing and assessing the effectiveness of technical and organizational measures (at least annually)
- Row Level Security (RLS) for data isolation between organizations
- Secure authentication (JWT + PKCE), restricted ports (localhost only), SSH with Ed25519 keys, fail2ban
6.4 Sub-processors
- Shall not engage another processor without the Controller's prior general written authorization. The current list of authorized sub-processors is provided in Section 7 of this DPA.
- Shall inform the Controller of any planned changes regarding the addition or replacement of sub-processors, giving the Controller the opportunity to raise objections within 30 days
- Shall impose identical data protection obligations on sub-processors through a written contract (Art. 28(4) GDPR)
- Shall remain fully liable to the Controller for the performance of sub-processors' obligations
6.5 Assistance to Controller
- Assist the Controller through appropriate technical and organizational measures in fulfilling the obligation to respond to data subject requests (Art. 15-22 GDPR)
- Assist the Controller in ensuring compliance with Art. 32-36 GDPR (security, incident notification, DPIA, prior consultation), taking into account the nature of processing and the information available
6.6 Incident Notification (Art. 33 GDPR)
- Notify the Controller without undue delay, and in any event within 48 hours of becoming aware of any personal data breach
- Provide the following information: nature of the breach, categories and approximate number of affected data subjects, likely consequences, measures taken or proposed to remedy the breach
- Cooperate with the Controller in investigating and remediating the incident
7. Authorized Sub-processors
The Controller authorizes the use of the following sub-processors by the Processor:
| Sub-processor | Processing Purpose | Data Processed | Location | Safeguards |
|---|---|---|---|---|
| ElevenLabs, Inc. | AI voice agent: Speech-to-Text, Text-to-Speech, AI conversation | Voice (streaming), transcript | EU + USA | DPF + SCC |
| Telnyx LLC | Telephony: virtual numbers, call routing, SMS | Phone number, call metadata, SMS | EU (Frankfurt) + USA | DPF + SCC |
| Hetzner Online GmbH | Hosting: servers, database, infrastructure | All platform data | Germany (EU) | Art. 28 GDPR |
| Brevo (Sendinblue SAS) | Email: transactional notifications | Email, name, notification content | France (EU) | Art. 28 GDPR |
| Cloudflare, Inc. | CDN, security, DNS, secure tunnel | IP, traffic data (transit) | EU / Global | DPF + SCC |
| Stripe, Inc. | Payment processing | Card data, billing | EU (Dublin) + USA | DPF + SCC + PCI DSS |
8. Controller Obligations
- Have a valid legal basis (Art. 6 GDPR) for processing End Customer personal data
- Inform End Customers in accordance with Art. 13/14 GDPR about data processing, including the fact that calls are processed by an AI agent and that data is processed by Rezervatio as a processor
- Provide legal and documented instructions regarding data processing
- Respond to data subject rights requests, with assistance from the Processor
- Notify ANSPDCP and affected data subjects in case of an incident, pursuant to Art. 33-34 GDPR (with information provided by the Processor)
- Ensure they have the legal right to transfer personal data to the Processor
9. International Transfers
Data is stored predominantly in the EU (Hetzner, Germany). For sub-processors with operations in the USA (ElevenLabs, Telnyx, Cloudflare, Stripe), transfers are carried out on the basis of:
- Adequacy decision for the EU-US Data Privacy Framework (Decision (EU) 2023/1795 of 10.07.2023)
- Standard Contractual Clauses (SCCs) approved under Decision (EU) 2021/914, as a fallback mechanism
- Supplementary measures: encryption in transit and at rest, data minimization, transfer impact assessments
The Processor shall not transfer personal data to countries outside the EEA without a valid transfer mechanism under Chapter V GDPR.
10. Audit and Inspection (Art. 28(3)(h) GDPR)
- The Processor shall make available to the Controller all information necessary to demonstrate compliance with Art. 28 GDPR
- The Processor shall allow and contribute to audits and inspections, including inspections conducted by the Controller or another auditor mandated by the Controller
- Audits shall be conducted with a minimum notice of 30 calendar days (except in emergencies caused by a security incident)
- Audits shall take place on business days, respecting confidentiality and without unreasonably disrupting the Processor's activities
- Audit costs are borne by the Controller, unless the audit reveals non-compliance by the Processor
11. Data Return and Deletion
Upon termination of the contract, the Processor shall:
- At the Controller's choice, return all personal data in a structured format (JSON or CSV) or delete it permanently
- Provide the Controller with a period of 30 days from contract termination to export data from the dashboard
- After the 30-day period, irreversibly delete all personal data from all systems, including backups (within a maximum of 7 additional days for backup rotation)
- Confirm deletion in writing (email) at the Controller's request
- Exception: data that the Processor is legally required to retain (fiscal data – 10 years under the Fiscal Code) shall be kept only for this purpose, with restricted access
12. Liability
- Each party is liable for damages caused by processing that infringes GDPR, pursuant to Art. 82 GDPR
- The Processor is liable for damages only to the extent that it has not complied with obligations specifically directed at processors under GDPR or has acted outside of or contrary to the Controller's lawful instructions
- Each party shall make reasonable efforts to minimize any damage and shall cooperate with the other party to this end
13. Final Provisions
- This DPA forms an integral part of the Terms and Conditions of the Rezervatio.AI platform and prevails in the event of conflict in matters of data protection
- Any amendment to this DPA requires written form (including electronic)
- Governing law: Romanian law
- Jurisdiction: competent courts in Romania
- In the event of conflict between language versions of this DPA, the Romanian version prevails
14. Contact
DPO / Data protection: privacy@rezervatio.ai
General contact: office@rezervatio.ai
Website: www.rezervatio.ai