Privacy Policy for Sally AI
Effective Date: 25 June 2025
The protection of your personal data is of particular importance to Aliru GmbH. This privacy policy informs you about how we process personal data in connection with the use of our software "Sally AI" (accessible at www.sally.io), the purposes for which such data is used, and your rights as a data subject. We are committed to full compliance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.
1. Controller for Data Processing
Aliru GmbH
Julian Kissel
Julius-Hatry-Straße 1
68163 Mannheim, Germany
Email: contact@sally.io
Phone: +49 621 49088670
If you have any questions or concerns regarding data protection, you may contact our Data Protection Officer at contact@sally.io.
2. Purpose and Scope of Data Processing
Sally AI is a software solution that assists companies with the execution, documentation, and follow-up of virtual meetings. This AI-based application actively participates in online meetings conducted via popular platforms such as Zoom, Microsoft Teams, or Google Meet. After a meeting concludes, Sally AI automatically generates a summary of the discussion and identifies any tasks, which are then assigned to the appropriate participants.
The processing of personal data through Sally AI serves the following purposes:
• Participation in virtual meetings: Analysis and processing of spoken content in real-time or post-meeting for the creation of meeting summaries.
• Generation of summaries: Provision of concise overviews of the key content and results of meetings.
• Task identification: Automated recognition of actionable items arising from the discussion and system-based assignment to responsible individuals.
• Documentation and management: Storage of summaries and identified tasks within collaboration platforms (e.g., Microsoft Teams) for later review by authorized users.
Data is processed exclusively within the scope of contractual agreements with our customers and in accordance with applicable data protection regulations.
Personal data processed through Sally AI is not used for further development or training of AI models.
3. Categories of Processed Data
During the use of Sally AI, various categories of personal and non-personal data may be processed. Data processing is limited to the extent necessary to deliver the contractual services. The following data categories may be affected:
• User Data:
- First and last name, email address, user ID, team or department affiliation
- Meeting metadata such as title, date, and time
• Meeting Content:
- Audio recordings and/or transcripts used to generate automated summaries
- Participants’ contributions, including discussed topics, tasks, and decisions
• Task Recognition and Management:
- Tasks identified by AI analysis and their context (e.g., “Max Müller will prepare the Q4 budget”)
- Automatic assignment of tasks using integrated tools (e.g., Microsoft Teams Tasks or Microsoft Outlook)
• Log and Connection Data:
- Time and duration of Sally AI’s participation in virtual meetings
- Details about the conferencing platform used (e.g., Zoom, Microsoft Teams, Google Meet)
- Technical information such as IP address, device identifiers, browser used
• Technical Usage Data:
- Usage statistics and telemetry data for optimization, error analysis, and stability improvements (e.g., usage frequency, features used)
Note:
Data is processed solely for the purposes outlined in Section 2. The content is not used for training purposes or profiling.
4. Use of External Service Providers
To operate and provide Sally AI functionalities, we engage specialized third-party service providers under strict contractual agreements. These include providers in the areas of infrastructure, payment processing, speech recognition, AI features, and system hosting. All service providers are carefully selected and integrated in accordance with Art. 28 GDPR. Data processing takes place exclusively within the European Union or is subject to appropriate safeguards under Art. 44 ff. GDPR.
Service Providers in Use:
• Microsoft Azure
Scalable cloud infrastructure for hosting and data processing within EU data centers.
- Privacy Policy: https://privacy.microsoft.com/de-de/privacystatement
• Microsoft Dynamics 365
CRM system for managing customer and user data, hosted within the EU.
- Privacy Policy: https://privacy.microsoft.com/de-de/privacystatement
• Amazon Web Services (AWS)
Use of specific infrastructure components for high availability architecture within EU data centers.
- Privacy Policy: https://aws.amazon.com/de/compliance/data-privacy/
• DeepL
Translation of meeting summaries and task descriptions on servers located in the EU.
- Privacy Policy: https://www.deepl.com/privacy
• Stripe
Payment processing (e.g., subscriptions) in compliance with EU data protection standards, including PCI-DSS certification.
- Privacy Policy: https://stripe.com/de/privacy
• Strato
German hosting provider for certain web services, operating solely within German data centers.
- Privacy Policy: https://www.strato.de/datenschutz/
• Assembly AI
Speech-to-text processing for spoken content on servers located in Ireland.
- Privacy Policy: https://www.assemblyai.com/legal/privacy-policy
• Azure OpenAI (provided by Microsoft Azure)
Use of AI capabilities (e.g., semantic analysis and summarization), hosted in Ireland and the Netherlands.
- Privacy Policy: https://privacy.microsoft.com/de-de/privacystatement
5. Legal Basis for Processing
Processing of personal data in connection with the use of Sally AI is based on the relevant provisions of the GDPR, depending on the purpose and context of the processing:
• Art. 6(1)(b) GDPR – for the performance of a contract or to take steps at the request of the data subject prior to entering into a contract (e.g., use of Sally AI functionalities per agreement);
• Art. 6(1)(c) GDPR – to comply with legal obligations (e.g., commercial and tax retention requirements);
• Art. 6(1)(f) GDPR – for the purposes of legitimate interests (e.g., ensuring IT security, error diagnosis, or service optimization), provided such interests are not overridden by data subjects' rights;
• Art. 6(1)(a) GDPR – based on freely given consent, where required (e.g., for optional features or third-party integrations not necessary for contract performance).
The specific legal basis applicable will be communicated transparently within this policy or in any supplemental information notices.
6. Disclosure of Personal Data to Third Parties
Personal data is disclosed to third parties only to the extent necessary to fulfill contractual obligations, comply with legal requirements, or with the explicit consent of the data subject.
Disclosure is limited to carefully selected processors and service providers involved in service delivery (e.g., hosting providers, payment processors, technical vendors). All recipients are contractually bound under Art. 28 GDPR to adhere to data protection requirements.
Data processing and storage occur exclusively within the European Union. There is no transmission of personal data to so-called third countries as defined under the GDPR, nor is any such transfer intended.
7. Data Security
Aliru GmbH implements appropriate technical and organizational security measures pursuant to Art. 32 GDPR to protect personal data. These measures include encrypted data transmission, access controls, and regular security audits.
Detailed information on our security measures can be found in our Data Processing Agreement (DPA) and its appendix on TOMs: https://www.sally.io/dpa
8. Data Retention and Deletion
Personal data is retained only for as long as necessary to fulfill the respective processing purposes or as required by statutory retention obligations. Once the purpose no longer applies or the applicable retention period expires, data is promptly deleted or anonymized, unless further retention is legally or contractually required.
9. Data Subject Rights
Under the GDPR, data subjects have the following rights regarding the processing of their personal data:
• Right of Access (Art. 15 GDPR): Obtain information about the data processed, including purpose, categories, recipients, storage duration, and your rights.
• Right to Rectification (Art. 16 GDPR): Request correction of inaccurate or completion of incomplete data.
• Right to Erasure (Art. 17 GDPR): Request deletion of your personal data, unless legal retention obligations or overriding legitimate interests apply.
• Right to Restriction of Processing (Art. 18 GDPR): Request limited processing under certain conditions.
• Right to Data Portability (Art. 20 GDPR): Receive your personal data in a structured, commonly used, machine-readable format or request transfer to another controller.
• Right to Object (Art. 21 GDPR): Object to processing based on Art. 6(1)(f) GDPR due to your particular situation.
• Right to Withdraw Consent (Art. 7(3) GDPR): Withdraw your consent at any time with future effect. Processing prior to withdrawal remains lawful. To exercise your rights, please contact us using the contact details provided above. Your request will be processed in accordance with legal requirements.
10. Right to Lodge a Complaint with Supervisory Authority
You have the right to lodge a complaint with a data protection supervisory authority in accordance with Art. 77 GDPR if you believe that the processing of your personal data violates data protection laws.
The complaint may be submitted to the supervisory authority in your place of residence, your workplace, or the location of the alleged violation.
11. Amendments to this Privacy Policy
We reserve the right to amend this privacy policy at any time with effect for the future, particularly to comply with legal changes, regulatory requirements, or technical developments.
The current version is always available on our website at www.sally.io. We recommend reviewing this privacy policy regularly. Material changes will be communicated appropriately.
12. Data Processing Agreement (DPA)
Our Data Processing Agreement in accordance with Art. 28 GDPR, including an overview of the technical and organizational measures (TOMs), is available at:
13. Contact
For questions regarding this privacy policy or the processing of your personal data, please contact:
Aliru GmbH
Julius-Hatry-Straße 1
68163 Mannheim, Germany
Email: contact@sally.io
Note: This privacy policy is intended to provide transparent and comprehensive information in accordance with Articles 12 et seq. of the GDPR and ensures that the processing of your personal data is lawful and fair.