
# Privacy FAQ

### AI Regulation (AI Act)

<details>

<summary>Is the AI Agent GDPR-compliant?</summary>

Yes, all data is processed and hosted in the EU.

</details>

<details>

<summary>Which provisions of the EU AI Act apply to AI Agents and what risk category do they fall into?</summary>

sipgate AI Agents generally fall under the category of “limited risk” pursuant to Art. 50 of the AI Regulation. For systems in this category, transparency obligations primarily apply. The AI Regulation classifies systems for direct interaction with natural persons (such as voice agents) as subject to transparency obligations, but not as high-risk systems.\
The AI Act has been in force since 1 August 2024; the transparency obligations under Art. 50 apply from 2 August 2026.

</details>

<details>

<summary>Does the AI Agent have to actively state at the beginning of a conversation that it is an AI-supported dialogue, and in what form?</summary>

Yes, under Art. 50(1) of the AI Act, providers of AI systems intended for direct interaction with natural persons must design them so that people are informed that they are interacting with an AI system. The notice must be clear, unambiguous, and transparent, at the latest upon the first interaction. An exception applies only if this is obvious from the context. By default, sipgate ensures that at the start of every conversation the AI Agent outputs a pre-formulated notice (greeting text) that clearly discloses the AI-supported nature of the dialogue. This notice is technically fixed at the start of the conversation and cannot be skipped. The notice must be reproduced in the specified wording regardless of the language setting and meets accessibility requirements.

</details>

<details>

<summary>What fines can be imposed for violations of the AI Act transparency obligations?</summary>

Violations of the transparency obligations under Art. 50 of the AI Act may, pursuant to Art. 99(4) of the AI Act, be penalized with fines of up to EUR 15 million or 3% of the company’s worldwide annual turnover (whichever is higher). The fines are imposed by national supervisory authorities. Please note that responsibility for compliance with the transparency obligations lies with the operator of the AI system (customer), while sipgate, as the provider of the AI system, provides the technical prerequisites.

</details>

### Data protection (GDPR)

<details>

<summary>What legal basis applies to the processing of conversation data by the AI Agent?</summary>

The processing of conversation data may be based, for example, on Art. 6(1)(a) GDPR (consent) or Art. 6(1)(b) GDPR (performance of a contract), depending on the specific use case. For inbound calls in customer service, processing may be necessary for the performance of a contract or for taking steps prior to entering into a contract.

</details>

<details>

<summary>Is the caller’s voice biometric data within the meaning of Art. 9 GDPR, and does a company therefore need explicit consent?</summary>

The human voice can be classified as biometric data within the meaning of Art. 4 No. 14 and Art. 9 GDPR if it is processed using specific technical procedures for the unique identification of a person. The decisive factor is the purpose of the processing: if the voice is used solely for speech recognition and conversation handling (without biometric identification), Art. 9 GDPR does not apply. sipgate AI Agents use voice data exclusively for conversation processing, not for biometric identification. Explicit consent under Art. 9(2)(a) GDPR is therefore not strictly required.

</details>

### Data processing

<details>

<summary>Does sipgate use our customers’ data for training or machine learning?</summary>

No. sipgate does not use customer data for training AI models or machine learning. This is contractually excluded with all AI service providers (especially OpenAI). The data is used solely to provide the commissioned services and is deleted or anonymized after processing is complete. This rule is part of the technical and organizational measures and is documented in the DPA.

</details>

<details>

<summary>Can sipgate indemnify us against liability to third parties, especially in the event of violations of the AI Act and GDPR?</summary>

Indemnification by sipgate is not provided for, since the customer, as the controller, is generally responsible for the lawful use of the AI Agent. This corresponds to the legal division of roles under the GDPR and AI Act.\
sipgate does, however, undertake to provide the technical and organizational prerequisites for lawful use and to support the customer in fulfilling its obligations within the framework of the DPA provisions. The systems provided are generally designed so that they can be used in compliance with the GDPR:\
\
(1) Our data processing agreement (DPA) regulates the details of data processing. Corresponding agreements exist with our sub-processors and partners to ensure lawful data processing.\
\
(2) We also point out that the assistant clearly indicates, or can indicate, at the beginning of each conversation that it is an AI (further information can be found in our [Privacy Policy](https://firebasestorage.googleapis.com/v0/b/ai-frontdesk-web-static/o/datenschutzerklaerung.pdf?alt=media\&token=bf03f619-6dfa-402d-8396-2db340462f10) as well as in the [Data Processing Agreement](https://firebasestorage.googleapis.com/v0/b/ai-frontdesk-web-static/o/auftragsverarbeitungs-vertrag.pdf?alt=media\&token=1e567ab2-d173-4b8e-b557-68c85ea66416)).\
\
In cases where a breach is attributable to errors or breaches of duty by sipgate, sipgate is liable in accordance with the contractual liability provisions.

</details>

### Liability & responsibility

<details>

<summary>Who is liable if the AI Agent makes mistakes, provides incorrect information, or violates the AI Act or GDPR?</summary>

Liability is based on the division of roles between controller and processor: the customer, as the operator of the AI Agent, is the controller within the meaning of the GDPR and the AI Act and is therefore generally responsible for lawful use. This includes, in particular, compliance with transparency obligations, lawful data processing, and ensuring that the AI Agent is configured appropriately for its intended purpose. sipgate is liable as a processor for breaches of duty within the scope of processing on behalf of a controller (Art. 82 GDPR).

</details>


