How we handle your personal data

The controller for personal data collected via this website, the services and the communication channels of Noctua AI is:

• Name: Noctua AI
• Website: https://noctuaai.site
• Contact email: agustin@noctuaai.site
• Phone / WhatsApp: +34 610833866
• Scope: European Union and rest of the world, with full GDPR compliance for residents of the EEA, UK and Switzerland.

This privacy policy applies to every processing operation carried out in connection with:

• The website noctuaai.site and any subdomain operated by Noctua AI.
• The contracted services and products (WhatsApp bots, voice agents, Content Studio, Ads Pilot, CRM integrations and other AI automations).
• Communication channels: email, WhatsApp, Telegram, contact forms, phone and video calls.
• Commercial campaigns and content distributed on social networks (Meta, Instagram, LinkedIn, YouTube, TikTok and similar).
• Meta Business Tools, including Meta Pixel, Conversions API, Custom Audiences and messaging via the WhatsApp Business Platform.

We only collect data that is strictly necessary to deliver the requested service, to comply with legal obligations and to improve the experience of visitors and clients. Categories processed:

3.1. Identity and contact data

• First and last name.
• Email address.
• Phone number (including your WhatsApp number when you interact with our bots).
• Company name, role and sector.
• Country and city (when needed for tax or support reasons).

3.2. Billing data

• Tax ID (VAT or equivalent).
• Billing address.
• Invoice history and payment records.
• Card data processed by PCI-DSS providers (Stripe and others). Noctua AI does not store full card numbers.

3.3. Usage and technical data

• IP address, approximate country and ISP.
• Browser, OS and versión.
• Pages visited, time on page, referrer and campaign source (UTM).
• Cookie identifiers and similar technologies (localStorage, limited fingerprinting).
• Product events (click, form submit, conversation start, conversion).

3.4. Conversation data

• Messages you send through WhatsApp bots, voice agents, chat widgets or email.
• Voice call transcripts when the voice agent is active (you are informed at the start of the call).
• Associated metadata: timestamp, channel, language, AI-detected intent and generated summary.

3.5. Advertising data

• Click and conversion identifiers sent to Meta Ads via Meta Pixel and Conversions API (click_id, event_id, SHA-256 hashes of email/phone when advanced matching applies).
• Custom and lookalike audiences built on those events.
• Aggregated campaign metrics.

3.6. What we do NOT collect

• We do not collect special categories of data (health, religion, union membership, sexual orientation, political views, race or ethnicity) unless you provide them voluntarily in a conversation.
• We do not knowingly collect data from children under 16.
• We do not buy databases from unverified third parties.

When the legal basis is consent, you may withdraw it at any time through the channels listed in the rights section, without affecting the lawfulness of processing before withdrawal.

We use tools provided by Meta Platforms Ireland Ltd. (4 Grand Canal Square, Dublin 2, Ireland) to measure ad performance, show more relevant ads and deliver customer support via WhatsApp. Specifically:

5.1. Meta Pixel

The Meta Pixel is a script that loads cookies and collects information about the pages you visit, the actions you take (page view, lead, schedule call, purchase) and device information. Data is sent to Meta to measure conversions, build custom audiences and optimise ad delivery. The Pixel only fires after your explicit consent via the cookie banner.

5.2. Conversions API (CAPI)

We complement the Pixel with Conversions API, which sends events server-side to Meta for deduplication and browser-block resilience. Before sending them we hash personal identifiers (email and phone) with SHA-256, as required by Meta.

5.3. Custom and lookalike audiences

We build audiences from conversion events and hashed customer lists to show ads to people with similar profiles. You can opt out of these audiences at any time from your Facebook/Instagram account settings, under ‘Ad preferences’.

5.4. WhatsApp Business Platform

When you provide your WhatsApp number or start a conversation with our bots, messages are transmitted through Meta/WhatsApp infrastructure. Meta acts as processor at the transport layer; Noctua AI is controller with respect to the content and AI response logic.

5.5. Joint controllership

For Pixel and Conversions API events, Meta and Noctua AI act as joint controllers under Meta's Controller Addendum, available at www.facebook.com/legal/controller_addendum.

We rely on processors and third-party controllers strictly necessary to operate the service. All of them are bound by data processing agreements (DPA) pursuant to GDPR art. 28.

We do not sell personal data. We do not transfer it for commercial purposes outside the processors listed. We may be required to disclose data to competent authorities when a valid legal request applies.

Some of our processors operate outside the European Economic Area, primarily in the United States. In every case we ensure an equivalent level of protection through:

• Adequacy decisions from the European Commission (e.g. EU-US Data Privacy Framework).
• Standard Contractual Clauses (SCCs) approved by the European Commission.
• Transfer Impact Assessments where required.
• Additional technical measures: encryption in transit (TLS 1.2+), encryption at rest and data minimisation.

You can request a copy of the applicable safeguards by writing to agustin@noctuaai.site.

Once the applicable periods expire, data is securely deleted or anonymised beyond re-identification.

As a data subject, GDPR grants you the following rights:

• Right of access (art. 15): confirm whether we process your data and obtain a copy.
• Right to rectification (art. 16): correct inaccurate or incomplete data.
• Right to erasure / ‘right to be forgotten’ (art. 17): request deletion when data are no longer necessary.
• Right to restriction of processing (art. 18): freeze processing while a dispute is resolved.
• Right to data portability (art. 20): receive your data in a structured, commonly used format (JSON or CSV).
• Right to object (art. 21): object to processing based on legitimate interest or for direct marketing, including related profiling.
• Right not to be subject to solely automated decisions (art. 22), including profiling with legal effects.
• Right to withdraw consent at any time, without affecting prior lawful processing.

To exercise any of these rights, write to agustin@noctuaai.site, stating your name, the right you want to exercise and any information that helps us locate your data. We may ask for an ID document to verify your identity. We will respond within one month, extendable by two additional months for complex cases.

If you believe your rights have not been properly addressed, you may lodge a complaint with:

• Spain: Agencia Española de Protección de Datos (AEPD) — www.aepd.es — C/ Jorge Juan 6, 28001 Madrid.
• Other Member States: the data protection authority of your country of residence.
• United Kingdom: Information Commissioner's Office (ICO) — ico.org.uk.

We use first- and third-party cookies to maintain your session, remember preferences and measure campaign performance. You can manage your preferences at any time via the cookie settings panel accessible from the footer.

You can withdraw consent to non-essential cookies at any time without affecting access to the site. Advertising cookies, when accepted, send data to Meta, Google and LinkedIn for the purposes described in this policy.

Noctua AI's services are intended for professionals and companies. We do not knowingly collect data from people under 16. If we become aware that data from a minor have been submitted without parental authorisation, we will delete it as soon as possible. Parents or guardians who suspect their child has provided data may contact agustin@noctuaai.site for deletion.

We apply the technical and organisational measures required by GDPR art. 32 to ensure a level of security appropriate to the risk, including:

• TLS 1.2+ encryption for all communications.
• Encryption at rest for databases and backups.
• Role-based access control (RBAC) and least-privilege principle.
• Mandatory multi-factor authentication for internal operators.
• Activity logging and periodic log review.
• Encrypted backups with limited retention.
• Confidentiality agreements with all staff and collaborators.
• Periodic review of providers and their certifications (SOC 2, ISO 27001, etc.).

In the event of a breach that poses a risk to your rights and freedoms, we will notify the affected individuals and the AEPD within 72 hours, in accordance with GDPR art. 33 and 34.

Some of our services use large language models (LLMs) to generate responses, summarise conversations and classify intents. These automations do not produce legal effects on you nor take decisions that significantly affect your rights. You can request human intervention at any time by writing to agustin@noctuaai.site.

We do not use your content to train our or third-party AI models unless you give us explicit consent. The AI providers we use (OpenAI, ElevenLabs) operate in enterprise API mode with training opt-out.

Our website may link to third-party sites (social networks, providers, booking tools). This policy does not apply to any processing those third parties perform. We recommend reading their privacy policies before providing them with data.

We may update this privacy policy when processing activities, providers, applicable law or regulator decisions change. The date of the last update appears at the top of this document (April 20, 2026). For substantial changes we will notify you by email or through a prominent notice on the site with at least 15 days' prior notice.

Any query regarding this policy or the processing of your data can be addressed to:

• Contact email: agustin@noctuaai.site
• Supervisory authority in Spain: Agencia Española de Protección de Datos (www.aepd.es).

We welcome any feedback that helps us improve how we protect your information.