Privacy Policy

Last updated: September 2025

Recommended URL: https://lixsa.ai/en/privacy-policy
Terms & Conditions: https://lixsa.ai/en/terms-and-conditions

1. Who we are and how to contact us

Data Controller (when we process our own data: website/app, billing, support, Lixsa marketing/analytics):
Walkon Livos S.L., CIF/VAT B13674783, Alfonso el Magnánimo 13, Office 1B, 46003, Valencia, Spain.
Privacy & rights requests: hi@lixsa.ai
Lead supervisory authority: Spanish Data Protection Agency (AEPD).

Data Processor (when we process data on behalf of our customers, e.g., conversations in their channels):
Walkon Livos S.L., under the DPA/Processing Agreement executed with each customer.

Depending on context we may act as a Controller (our sites/apps, first-party analytics, billing, support) or as a Processor (the Lixsa service provided to our customers). This Policy covers both scenarios.

2. Service scope and supported channels

Lixsa is a conversational AI assistant for sales and customer support with omnichannel capabilities and native connections. Channels and platforms we can integrate/use (depending on each customer’s configuration):

  • Messaging channels: WhatsApp (multiple numbers via WhatsApp Business/Cloud API), Instagram Messenger, Facebook Messenger, Email (Google Workspace/Microsoft 365/Outlook, per customer), and our own WebChat.
  • E-commerce/CRM/helpdesk/bookings: Shopify, WooCommerce, PrestaShop, Magento, HubSpot, Gorgias, Restoo.me, Google Calendar.
  • Own infrastructure: Google Cloud (hosting and associated CDN/services), Google Workspace (email).
  • Analytics/monitoring on our sites and product: Google Analytics, Microsoft Clarity (see separate Cookie Policy).

Not all customers enable all integrations. We process only the data necessary for the features activated in each account.

3. Types of data we process

3.1. Data provided or generated while using the service (as Processor)

  • Identifiers and contact details: name, phone, email, language.
  • Conversation content and attachments: messages, audio, images, PDFs, videos, and similar information shared by end users.
  • Operational data: order/booking status, items, amounts, schedules/slots (when the customer integrates platforms).
  • Technical metadata: IP, device, browser/UA, entry channel, automatic tags (SmartTags), conversation context.
  • Voice and image recognition (if enabled): to transcribe audio and enhance recommendations/product.

3.2. Data we process as Controller (website/app, business relationship with our customers)

  • Customer/prospect identifiers and contact details: name, company, email, phone, role.
  • Transactional data: subscription, billing/payments (via Stripe), support.
  • First-party analytics: web/app usage metrics (Google Analytics, Microsoft Clarity), technical and performance events.
  • Communications: support or operational emails/WhatsApp and, where appropriate, B2B marketing in accordance with the law.

4. Sources of data

  • From the data subject (customers and end users) when chatting, subscribing, registering, or contacting us.
  • From integrations connected by each customer (Shopify, HubSpot, etc.) via API.
  • Automatically via cookies/SDKs and technical logs (see separate Cookie Policy: https://lixsa.ai/en/cookie-policy).

5. Purposes and legal bases

5.1. When we act as Processor (on the customer’s behalf)

  • Conversational support and sales/bookings across integrated channels.
  • Handoff to human agents, escalation, ticketing, and follow-up.
  • Service quality and security improvement (abuse/anomaly detection, logs, audit).

Legal basis: the customer’s (Controller’s) instructions and the processing contract (DPA).

5.2. When we act as Controller (our own data)

  • Providing the service and managing the account.
  • Support and operational communications.
  • Analytics and product improvement.
  • B2B marketing to customers/prospects in line with channel and jurisdiction.

Legal bases: GDPR art. 6.1(b) (contract performance), 6.1(f) (legitimate interest), and 6.1(a) (consent where applicable).

5.3. Automated decisions and profiling

Lixsa classifies and prioritizes conversations (e.g., with SmartTags) and may recommend products/actions based on rules and models. We do not make decisions with legal effects or similarly significant impacts on you without human involvement.

6. Responsibility for consent in campaigns

The Customer (our client) is the sole party responsible for obtaining, documenting, and maintaining a valid legal basis (e.g., explicit consent or another applicable basis) for marketing communications and campaigns to its end users via Lixsa (including WhatsApp, Instagram/Facebook Messenger, email, or any other channel), for managing opt-ins/opt-outs and suppression lists, and for demonstrating such consent to authorities or third parties. Lixsa does not verify or replace these obligations and is not responsible for missing or defective consent.

7. Recipients and categories of providers (sub-processors)

  • Infrastructure/hosting/CDN: Google Cloud (including content delivery and associated services).
  • Messaging/channels: Meta (WhatsApp Business/Cloud API, Instagram/Facebook Messenger), the customer’s email providers (Google Workspace and/or Microsoft 365/Outlook).
  • Customer platforms (connected by the customer): Shopify, WooCommerce, PrestaShop, Magento, HubSpot (EU), Gorgias, Restoo.me, Google Calendar.
  • Payments: Stripe (for Lixsa customers; not for our customers’ end users).
  • Own analytics/monitoring: Google Analytics, Microsoft Clarity (on our sites/apps).

All these third parties operate under data processing agreements and appropriate security measures. The list may be updated to reflect reasonable changes in service delivery.

8. International transfers

We may carry out international transfers when channels/platforms (e.g., Meta – WhatsApp/Instagram/Facebook) or Stripe process data from the U.S. or other countries, or when Google Cloud uses global support services. The primary hosting region remains in the EU unless instructed otherwise. Where applicable, we apply Standard Contractual Clauses (SCCs) or other valid mechanisms (GDPR art. 46), together with transfer impact assessments and reasonable supplementary measures.

9. Retention and deletion

  • General principle: we retain data only as long as necessary for the stated purposes and for the maximum periods permitted by European law, after which data are deleted or anonymized.
  • Conversations and operational logs (as Processor): according to the customer’s configuration and decisions, or until the customer requests deletion under the contract.
  • Commercial/contract data (as Controller): for the time needed for the contractual relationship, billing, and legal obligations; thereafter data are blocked as required by law.

Deletion of inactive accounts after 90 days is governed by our Terms & Conditions: https://lixsa.ai/en/terms-and-conditions.

10. Security

  • Encryption of data in transit (TLS) and at rest.
  • Multi-factor authentication (MFA), identity and access management with least privilege.
  • Logical segregation per customer, logging, and auditing.
  • Backups and reasonable business continuity/disaster recovery procedures.
  • Vulnerability management, hardening, permission reviews, monitoring.
  • Periodic assessments and agreements with sub-processors requiring equivalent measures.

11. Your rights

You may exercise your rights of access, rectification, erasure, restriction, objection, and portability by writing to hi@lixsa.ai.

  • If your request concerns conversations processed on a customer’s behalf (we are the Processor), we will route your request to that Controller and support them in responding.
  • You have the right to lodge a complaint with the AEPD or another competent authority.
  • Where processing is based on consent, you may withdraw it at any time; withdrawal does not affect prior lawful processing.

12. Minors and sensitive data

  • The service is not directed at minors. If we detect minors’ data without a valid basis, we will delete it and take reasonable measures.
  • Please do not provide special categories of data (health, ideology, etc.) unless expressly agreed with reinforced measures.

13. Cookies and similar technologies

We use cookies/SDKs for analytics and product improvement on our sites/apps (e.g., Google Analytics, Microsoft Clarity). See the dedicated Cookie Policy: https://lixsa.ai/en/cookie-policy.

14. Additional information for customers (B2B)

  • Product improvement with aggregated/anonymous data: we may generate and use metrics that are not individually identifiable for statistics, security, benchmarking, and overall service improvement.
  • DPA/Processing Agreement: part of the contractual relationship and available for signature; it governs instructions, security measures, sub-processors, and transfers.
  • Your user base’s consent and marketing: as stated in §6, you (the Customer) are responsible for opt-ins/opt-outs and the legal basis for campaigns and communications.

15. Changes to this Policy

We may update this Policy to reflect legal or functional changes. We will notify you by email at your account’s admin address and update the date on the public page.

16. Contact

For questions or data protection rights: hi@lixsa.ai
Walkon Livos S.L., Alfonso el Magnánimo 13, Office 1B, 46003, Valencia, Spain.
Terms & Conditions: https://lixsa.ai/en/terms-and-conditions

17. Quick glossary

  • Customer: the company that purchases Lixsa.
  • End user: the person who chats with the Customer’s assistant.
  • Controller/Processor: GDPR roles; Lixsa is Controller of its own data and Processor of end-user data for its Customers.
  • SCCs: Standard Contractual Clauses for international transfers.
  • SmartTags: automated conversation tagging to speed up handling.