Last updated: April 2026

We are pleased about your interest in LoyJoy. The protection of personal data is important to us. In this Privacy Policy we inform you about which personal data we process, for what purposes, on what legal bases the processing is carried out, and what rights you have.

1. Controller

The controller within the meaning of the General Data Protection Regulation (GDPR) is:

LoyJoy GmbH
Kapuzinerstr. 20
48149 Münster
Germany

Email: contact@loyjoy.com
Phone: +49 251 26538-136

A data protection officer has not been appointed, as there is no statutory obligation to do so. If you have any questions about data protection, you can contact us at any time using the email address above.

2. General Information on Data Processing

We process personal data only to the extent necessary to provide our website, our platform, and our services, to communicate with prospects, customers, and users, or to fulfil statutory obligations.

Depending on the processing activity, we rely in particular on the following legal bases:

• Art. 6(1)(a) GDPR, where you have given us your consent
• Art. 6(1)(b) GDPR, where processing is necessary for the performance of a contract or to take steps prior to entering into a contract
• Art. 6(1)(c) GDPR, where we are legally obliged to process data
• Art. 6(1)(f) GDPR, where processing is necessary for the purposes of our legitimate interests or those of a third party, and your interests or fundamental rights do not override those interests

Where we use cookies or comparable technologies, we additionally comply with the requirements of the German Telecommunications Digital Services Data Protection Act (TDDDG).

3. Visiting Our Website and Server Log Files

When you visit our website, technical information is automatically processed by the web server. This may include in particular:

• IP address
• Date and time of access
• Page or file accessed
• Referrer URL
• Browser type and version
• Operating system
• Volume of data transferred
• HTTP status code
• Technical security and log data

Processing is carried out to provide our website technically, to ensure system security, to prevent misuse, and to analyse errors.

The legal basis is Art. 6(1)(f) GDPR. Our legitimate interest lies in the secure, stable, and error-free provision of our website.

Server log files are stored only for as long as necessary for the purposes described above, and are then deleted or anonymised, unless longer storage is required for security reasons or due to statutory obligations.

4. TLS Encryption

Our website and platform are transmitted using TLS encryption. You can recognise an encrypted connection by “https://” in your browser’s address bar.

The specific encryption depends on the browser, device, and server configuration.

5. Cookies and Comparable Technologies

We use cookies and comparable technologies to provide, technically secure, and improve the usability of our website and services, and — where you have given your consent — to analyse the use of our website and improve our communications.

Technically necessary cookies and comparable technologies are used to the extent required for the operation of the website or platform. The legal basis is § 25(2) TDDDG. The subsequent processing of personal data is carried out on the basis of Art. 6(1)(f) GDPR, to the extent necessary for the secure and functional provision of our services.

Non-necessary cookies and comparable technologies, in particular for analytics or marketing purposes, are only used with your consent. The legal basis is § 25(1) TDDDG in conjunction with Art. 6(1)(a) GDPR.

Services subject to consent may include in particular analytics, marketing, and retargeting services, including Google Tag Manager, Google Analytics 4, Meta Ads, and LinkedIn Ads. These services are only activated if you have previously consented via our consent management.

You can withdraw or change your consent at any time via the Cookie Settings. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.

6. Consent Management

We use a consent management system to obtain, document, and manage your consent for the use of certain services, cookies, and comparable technologies.

The following data may be processed in particular:

• Your consent decision
• Date and time of the decision
• Technical information about browser and device
• Shortened or technical identifiers to recognise your decision

Processing is carried out in order to provide evidence of legally required consents and to respect your data protection preferences.

The legal basis is Art. 6(1)(c) GDPR to the extent we are legally required to document consents, and Art. 6(1)(f) GDPR. Our legitimate interest lies in the legally compliant management of consents.

7. Contact, Demo Requests, and Sales Communication

When you contact us, request a demo, fill in a form, or otherwise communicate with us, we process the data you submit. This may include in particular:

• Name
• Business email address
• Phone number
• Company
• Position or role
• Content of your enquiry
• Communication history
• Technical metadata of the request

We process this data to respond to your enquiry, prepare demos, provide you with information about LoyJoy, and communicate with you about our services.

The legal basis is Art. 6(1)(b) GDPR to the extent that processing is necessary to take steps prior to entering into a contract or for the performance of a contract. Where communication also serves the maintenance of business relationships, sales organisation, or the improvement of our processes, processing is carried out on the basis of Art. 6(1)(f) GDPR.

Our legitimate interest lies in the efficient handling of enquiries, B2B communication, and the marketing of our services to business contacts.

8. Newsletter and Marketing Communication

If you sign up for a newsletter or comparable marketing communications, we process your email address and, if applicable, additional information you provide voluntarily.

Processing is carried out to send you information about LoyJoy, product updates, events, specialist content, and similar topics.

The legal basis is your consent pursuant to Art. 6(1)(a) GDPR. You can withdraw your consent at any time with effect for the future, for example via the unsubscribe link in the relevant email.

Where we inform existing customers or business contacts about our own similar services, processing may also be carried out on the basis of Art. 6(1)(f) GDPR. Our legitimate interest lies in direct marketing to existing B2B contacts. You can object to this processing at any time.

9. Use of the LoyJoy Manager

When you create or use a user account for the LoyJoy Manager, we process personal data necessary for the provision, management, security, and use of the platform.

This may include in particular:

• Name
• Business email address
• Company
• Role and permission information
• Login and authentication data
• Usage and log data
• Technical information about browser, device, and access
• Configurations, content, and process data created or managed within the platform

Processing is carried out to provide the platform, manage user accounts, control roles and permissions, ensure technical security, analyse errors, and fulfil contractual obligations.

The legal basis is Art. 6(1)(b) GDPR. Where we process data for system security, misuse prevention, logging, or product improvement, this is additionally carried out on the basis of Art. 6(1)(f) GDPR. Our legitimate interest lies in the secure, stable, and efficient provision of our platform.

10. Login with Microsoft Entra ID

For login to the LoyJoy platform, we may use Microsoft Entra ID as an identity provider. The provider is Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland.

When you log in via Microsoft Entra ID, you are redirected to Microsoft for authentication. After successful authentication, we receive the information required for login. This may include in particular:

• Name
• Business email address
• User identifier
• Company or tenant information
• Technical authentication and security information

Processing is carried out to enable you to log in securely to the LoyJoy platform and to manage access to the platform.

The legal basis is Art. 6(1)(b) GDPR to the extent that login is necessary to use the platform under a contract. Where processing serves security, misuse prevention, and access control, it is additionally carried out on the basis of Art. 6(1)(f) GDPR.

Microsoft may also process data outside the European Union. Where data is transferred to third countries, this is done on the basis of appropriate safeguards within the meaning of the GDPR.

11. Use of LoyJoy Chatbots, Phonebots, and AI Agents

LoyJoy is a platform for agentic AI in customer interaction via chat and phone. Our AI Agents can not only answer questions but — depending on configuration — execute processes, process information, handle requests, connect systems, and support users in completing tasks end-to-end.

When using chatbots, phonebots, or AI Agents, personal data may be processed. This may include in particular:

• Contents of your inputs and messages
• Voice data or transcripts when using phonebots
• Contact information, if you provide it
• Customer numbers, contract data, or other case information, if required for the relevant use case
• Technical metadata
• Timestamps and interaction history
• Process and status information
• Information from connected systems, if the relevant use case requires it

The specific data processing depends on the particular chatbot, phonebot, AI Agent, use case, and the configuration of the respective provider.

Where LoyJoy operates its own demos, chatbots, phonebots, or AI Agents, LoyJoy is the controller for this processing. Processing is then carried out to provide the relevant function, handle your request, take steps prior to entering into a contract, or improve and secure our services. The legal basis is Art. 6(1)(b) GDPR to the extent that processing is necessary for the performance of a contract or to take steps prior to entering into a contract. Otherwise, processing is carried out on the basis of Art. 6(1)(f) GDPR. Our legitimate interest lies in the provision, optimisation, and security of modern digital customer interaction.

Where AI functions are used, content from conversations, contextual information, knowledge sources, process data, and technical metadata may be processed in order to generate responses, classify requests, execute processes, or support users in resolving their concerns.

Depending on the configuration, AI models, speech processing services, knowledge bases, interfaces, integrations, and technical service providers may be involved. The specific processing depends on the relevant use case and configuration.

12. LoyJoy as Processor for Customers

If you use a chatbot, phonebot, or AI Agent provided by one of our customers via the LoyJoy platform, the respective customer is generally the controller within the meaning of the GDPR.

LoyJoy processes personal data in these cases regularly as a processor on behalf of the respective customer pursuant to Art. 28 GDPR.

In these cases, please also refer to the privacy notices of the company or provider operating the chatbot, phonebot, or AI Agent. These will provide more detailed information on the purpose, legal basis, storage period, and other particulars of the respective processing.

LoyJoy processes data in these cases only on the instructions of the respective customer, unless a statutory obligation requires otherwise.

13. Web Analytics with Google Analytics 4

We use Google Analytics 4, a web analytics service of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

Google Analytics helps us understand how visitors use our website, which content is relevant, and how we can improve our website.

The following data may be processed in particular:

• Page views
• Interactions on the website
• Referrer URL
• Approximate location information
• Technical information about browser and device
• Usage data
• Shortened or technical identifiers

Google Analytics 4 is only used if you have previously given your consent. The legal basis is § 25(1) TDDDG in conjunction with Art. 6(1)(a) GDPR.

You can withdraw your consent at any time via the Cookie Settings.

Google may also process data outside the European Union. Where data is transferred to third countries, this is done on the basis of appropriate safeguards within the meaning of the GDPR.

14. Google Tag Manager

We use Google Tag Manager, a service of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

Google Tag Manager is used to manage and deploy website tags. Through Google Tag Manager, other services — in particular analytics and marketing services — can be technically integrated and controlled.

To our understanding, Google Tag Manager itself does not create user profiles and does not carry out independent analyses. It may, however, process technical information required for triggering and managing tags. Services integrated via Google Tag Manager may in turn process personal data if those services are activated.

Google Tag Manager is configured so that tags subject to consent are only triggered after you have previously given your consent via our consent management.

The legal basis for the use of Google Tag Manager is Art. 6(1)(f) GDPR. Our legitimate interest lies in the efficient, secure, and centralised management of the services used on our website. Where tags subject to consent are triggered via Google Tag Manager, their use is only based on your consent pursuant to § 25(1) TDDDG in conjunction with Art. 6(1)(a) GDPR.

Google may also process data outside the European Union. Where data is transferred to third countries, this is done on the basis of appropriate safeguards within the meaning of the GDPR.

15. Meta Ads and Meta Pixel

We use services from Meta, in particular Meta Ads and, where applicable, the Meta Pixel. The provider is Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland.

With the help of these services, we can measure the effectiveness of our advertisements, build target audiences for ads, and re-engage people who have visited our website with relevant content on Meta platforms.

The following data may be processed in particular:

• Page views
• Interactions on our website
• Referrer URL
• Technical information about browser and device
• IP address
• Cookie and identification data
• Information about the effectiveness of advertisements

Meta Ads and the Meta Pixel are only used if you have previously given your consent. The legal basis is § 25(1) TDDDG in conjunction with Art. 6(1)(a) GDPR.

You can withdraw your consent at any time via the Cookie Settings.

Meta may also process the collected data for its own purposes, in particular for measuring and personalising advertising. If you are logged into a Meta service, Meta may be able to associate your visit to our website with your user account.

Meta may also process data outside the European Union. Where data is transferred to third countries, this is done on the basis of appropriate safeguards within the meaning of the GDPR.

16. LinkedIn Ads and LinkedIn Insight Tag

We use services from LinkedIn, in particular LinkedIn Ads and, where applicable, the LinkedIn Insight Tag. The provider is LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland.

With the help of these services, we can measure the effectiveness of our LinkedIn advertisements, build target audiences for ads, and re-engage people who have visited our website with relevant content on LinkedIn.

The following data may be processed in particular:

• Page views
• Interactions on our website
• Referrer URL
• Technical information about browser and device
• IP address
• Cookie and identification data
• Information about the effectiveness of advertisements

LinkedIn Ads and the LinkedIn Insight Tag are only used if you have previously given your consent. The legal basis is § 25(1) TDDDG in conjunction with Art. 6(1)(a) GDPR.

You can withdraw your consent at any time via the Cookie Settings.

LinkedIn may also process the collected data for its own purposes, in particular for measuring and personalising advertising. If you are logged into LinkedIn, LinkedIn may be able to associate your visit to our website with your user account.

LinkedIn may also process data outside the European Union. Where data is transferred to third countries, this is done on the basis of appropriate safeguards within the meaning of the GDPR.

17. B2B Website Analytics with Dealfront

We use Dealfront for B2B website analytics and to identify which companies are visiting our website. The provider is Dealfront.

Dealfront helps us better understand the use of our website in a business context, identify relevant B2B prospects, and improve our sales and marketing activities.

The following data may be processed in particular:

• IP address
• Company attribution, where possible
• Pages visited
• Time and duration of visit
• Referrer URL
• Technical information about browser and device
• Usage and interaction data

Where Dealfront uses cookies or comparable technologies, their use is only based on your consent pursuant to § 25(1) TDDDG in conjunction with Art. 6(1)(a) GDPR.

Subsequent processing for B2B analytics may be carried out on the basis of Art. 6(1)(f) GDPR. Our legitimate interest lies in the analysis and optimisation of our website, B2B lead generation, and the targeted approach of business prospects.

You can withdraw your consent at any time via the Cookie Settings.

18. Cloudflare

We use Cloudflare for the secure and efficient delivery of our website. The provider is Cloudflare.

Cloudflare may be used in particular for the following purposes:

• Content delivery network
• Performance optimisation
• Protection against attacks
• Website security
• Load balancing
• DNS and security functions

IP addresses, technical access data, security events, and metadata may be processed in particular.

The legal basis is Art. 6(1)(f) GDPR. Our legitimate interest lies in the secure, stable, and fast provision of our website. Where Cloudflare uses technically necessary cookies or comparable technologies, this is done on the basis of § 25(2) TDDDG.

A data processing agreement has been concluded with Cloudflare. Processing of metadata outside the European Union, in particular in the USA, cannot be excluded. Where data is transferred to third countries, this is done on the basis of appropriate safeguards within the meaning of the GDPR.

19. Google API Services

Where we use Google API Services, this is only to the extent necessary and depending on the specific use case.

If you use a function that establishes a connection to Google services, personal data may be processed depending on the function and your authorisation. This may include in particular:

• Account information
• Email address
• Technical authentication data
• Content or metadata required for the relevant function

Processing is only carried out to the extent necessary to provide the relevant function or where you have consented to its use.

The legal basis is Art. 6(1)(b) GDPR to the extent that processing is necessary to provide a function you are using, and Art. 6(1)(a) GDPR where consent is required.

LoyJoy’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. LoyJoy does not transfer Google user data to third-party applications, including AI models, unless this is explicitly requested by the user.

Where Google API Services are used in customer projects, the specific processing depends on the respective configuration and the privacy notices of the respective controller.

20. Hosting, Operations, and Security

Our website and platform are operated via secure, encrypted cloud hosting on EU servers. We use technical and organisational measures to protect personal data against loss, misuse, unauthorised access, alteration, or disclosure.

These measures may include in particular:

• Encryption during transmission
• Access controls
• Role and permission concepts
• Logging of security-relevant events
• Backup and recovery processes
• Technical protective measures against misuse and attacks
• Regular review and further development of security measures

Processing is carried out for the secure provision of our services and the fulfilment of contractual obligations. The legal basis is Art. 6(1)(b) GDPR and Art. 6(1)(f) GDPR. Our legitimate interest lies in the security, availability, and integrity of our systems.

21. Recipients and Sub-processors

We only transfer personal data where this is necessary to fulfil the purposes described, a statutory obligation exists, you have given your consent, or another legal basis permits this.

Recipients may include in particular:

• Hosting and infrastructure service providers
• Security and CDN service providers
• Tag management service providers
• Analytics and marketing service providers
• Advertising networks and retargeting service providers
• Communication and CRM service providers
• Identity and authentication services
• AI, speech processing, and integration services, to the extent required for the relevant use case
• Support, maintenance, and IT service providers
• Authorities, courts, or legal advisors, where legally required or necessary to enforce legal claims

Where we engage service providers as processors, we conclude data processing agreements pursuant to Art. 28 GDPR.

An overview of our sub-processors can be found in our Trust Centre: loyjoy.com/de/trust-center/subprocessors/

22. International Data Transfers

Processing of personal data outside the European Union or the European Economic Area cannot be excluded in all cases, in particular where service providers with a registered office or group affiliation in a third country are used.

Where personal data is transferred to third countries, this is only done where the conditions of Art. 44 et seq. GDPR are met. This may be done in particular on the basis of an adequacy decision by the European Commission, appropriate safeguards such as EU Standard Contractual Clauses, or other legally provided mechanisms.

23. Storage Periods

We store personal data only for as long as necessary for the relevant purposes, statutory retention obligations exist, or legitimate interests justify further storage.

The specific storage period depends on the type of data and the relevant processing activity.

As a general rule:

• Data from contact and demo requests is stored for as long as necessary to process the request and for further B2B communication.
• Contract and billing data is stored in accordance with statutory retention obligations.
• Platform and account data is stored for the duration of the contractual relationship and thereafter only to the extent that statutory obligations or legitimate interests exist.
• Log and security data is stored only for as long as necessary for security, error analysis, and misuse prevention.
• Data from chatbots, phonebots, and AI Agents is stored or deleted depending on the use case, customer configuration, and contractual agreement.

After the relevant purpose has ceased to apply or statutory retention periods have expired, personal data is deleted or anonymised.

24. Your Rights

You have the following rights subject to the statutory conditions:

• Right of access pursuant to Art. 15 GDPR
• Right to rectification pursuant to Art. 16 GDPR
• Right to erasure pursuant to Art. 17 GDPR
• Right to restriction of processing pursuant to Art. 18 GDPR
• Right to data portability pursuant to Art. 20 GDPR
• Right to object pursuant to Art. 21 GDPR
• Right to withdraw consent pursuant to Art. 7(3) GDPR
• Right to lodge a complaint with a supervisory authority pursuant to Art. 77 GDPR

If you have given consent, you can withdraw it at any time with effect for the future. The lawfulness of processing carried out prior to withdrawal is not affected.

25. Right to Object under Art. 21 GDPR

Where we process personal data on the basis of Art. 6(1)(f) GDPR, you have the right to object at any time to the processing of your personal data on grounds relating to your particular situation.

We will then no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or the processing serves the establishment, exercise, or defence of legal claims.

Where we process personal data for direct marketing purposes, you may object to this processing at any time. In that case, we will no longer use your personal data for direct marketing.

26. Right to Lodge a Complaint with a Supervisory Authority

You have the right to lodge a complaint with a data protection supervisory authority if you believe that the processing of your personal data violates data protection law.

The supervisory authority with competence for us is in particular:

State Commissioner for Data Protection and Freedom of Information North Rhine-Westphalia
Kavalleriestraße 2–4
40213 Düsseldorf
Germany

You may also contact any other competent data protection supervisory authority.

27. Changes to this Privacy Policy

We may update this Privacy Policy if our website, our platform, services used, legal requirements, or internal processes change.

The current version is always available on this website.