Pravakta.ai — The World's Best Enterprise AI Voice Bot Stack

Architecture & GDPR Advantage

🏛️

Zero-Egress = Zero-Egress GDPR Risk: The Pravakta AI Voice Stack (built by ThinkMindLabs) offers significant GDPR compliance advantages. Because all enterprise call data is processed exclusively on the customer's own infrastructure and never transmitted to ThinkMindLabs, the most common cloud AI GDPR risk categories — cross-border transfer, shared data storage, and vendor access — simply do not apply to customer call data.

This architecture means that for enterprise deployments:

No call recordings, transcripts, or voice interaction personal data ever leaves the customer's EEA infrastructure (or wherever the customer designates)
No Article 46 transfer safeguards are required for operational call data because no transfer to Pravakta occurs
The customer retains complete control over data subject rights fulfilment for call-related personal data
Data minimisation is maximised — Pravakta receives no copy of personal data from voice interactions

Controller / Processor Roles

2.1 ThinkMindLabs as Data Controller

ThinkMindLabs acts as a Data Controller in respect of:

Personal data of website visitors (pravakta.ai)
Personal data of prospective customer contacts (name, email, company)
Personal data of customer account contacts and authorised administrators
Personal data of Pravakta employees and contractors

2.2 ThinkMindLabs as Data Processor

When ThinkMindLabs processes any personal data on behalf of a customer (e.g. during a deployment engagement where our engineers have temporary, authorised access to customer systems), ThinkMindLabs acts as a Data Processor under Article 28 GDPR. A Data Processing Agreement governs such processing.

2.3 Customer as Controller

The customer is the sole Data Controller in respect of all personal data processed by the Pravakta AI Voice Stack in production (call recordings, transcripts, voice interaction data). Pravakta does not act as processor in respect of production call data because it has no access to that data.

ℹ️

If your organisation requires formal confirmation of ThinkMindLabs' controller/processor status for a specific data flow, contact legal@thinkmindlabs.com for a written determination.

Lawful Bases for Processing

Pravakta relies on the following GDPR lawful bases for processing personal data in its capacity as Data Controller:

Processing Activity	Lawful Basis	Article
Responding to enquiries & sales discussions	Legitimate interests (enterprise business development)	Art. 6(1)(f)
Providing contracted services to customers	Performance of contract	Art. 6(1)(b)
Invoicing & financial record-keeping	Legal obligation	Art. 6(1)(c)
Marketing communications (where opted in)	Consent	Art. 6(1)(a)
Security monitoring & fraud prevention	Legitimate interests	Art. 6(1)(f)
Compliance with legal obligations	Legal obligation	Art. 6(1)(c)

Where processing is based on Consent, you may withdraw consent at any time without detriment by contacting privacy@thinkmindlabs.com.

Data Subject Rights (GDPR Articles 15–22)

As a Data Controller, Pravakta is committed to honouring the following GDPR data subject rights:

Right	GDPR Article	How to Exercise	Response Time
Right of Access	Art. 15	Email privacy@thinkmindlabs.com	30 days
Right to Rectification	Art. 16	Email privacy@thinkmindlabs.com	30 days
Right to Erasure	Art. 17	Email privacy@thinkmindlabs.com	30 days
Right to Restriction	Art. 18	Email privacy@thinkmindlabs.com	30 days
Right to Data Portability	Art. 20	Email privacy@thinkmindlabs.com	30 days
Right to Object	Art. 21	Email privacy@thinkmindlabs.com	Immediate for marketing
Rights re: Automated Decisions	Art. 22	Email privacy@thinkmindlabs.com	30 days

For data subject rights requests relating to personal data processed by Pravakta AI Voice Agents in a customer's production environment, requests must be directed to that customer (the Data Controller) — Pravakta has no access to that data.

International Data Transfers

5.1 Pravakta Corporate Data

Pravakta's corporate data (website visitor data, prospect data) is primarily stored in India and the EU. Where data is transferred to a third country, Pravakta relies on:

Standard Contractual Clauses (SCCs) — 2021 EU Commission modules applicable to controller-to-processor transfers
Adequacy decisions where applicable
Binding Corporate Rules or other appropriate safeguards as required

5.2 Customer Deployment Data

Customer call data processed by the Pravakta AI Voice Stack does not leave the customer's designated infrastructure. Customers may deploy the Platform in any EEA region (or any other jurisdiction) they choose, giving them complete control over data residency.

Because no customer call data is transferred to Pravakta, the international transfer provisions of the GDPR are not triggered for operational call processing.

🌍

Customers with strict EEA data residency requirements can deploy the Pravakta stack on infrastructure located entirely within the EEA — no data will leave that perimeter.

Data Processing Agreement

Pravakta offers a GDPR-compliant Data Processing Agreement (“DPA”) to all enterprise customers. The standard DPA covers:

Subject matter, nature, purpose, and duration of processing
Types of personal data and categories of data subjects
Pravakta's obligations as a Data Processor (where applicable)
Technical and organisational security measures (TOMs)
Sub-processor management and notification obligations
Assistance with data subject rights requests
Cooperation with supervisory authorities
Deletion or return of data upon contract termination
Standard Contractual Clauses (2021 EU Commission version) as an annex where required

The standard DPA is included with all Scale and Sovereign tier contracts. To request a DPA for review, contact legal@thinkmindlabs.com.

📄

Custom DPA Terms: Sovereign tier customers may negotiate custom DPA terms including additional technical specifications, enhanced audit rights, and jurisdiction-specific provisions.

Retention & Deletion

Pravakta retains personal data in its corporate systems for the following periods:

Data Category	Retention Period	Legal Basis for Retention
Website visitor logs	90 days	Legitimate interests (security)
Prospect contact data	3 years from last contact	Legitimate interests (sales)
Customer account data	Contract duration + 5 years	Legal obligation (audit, tax)
Support communications	3 years	Legitimate interests (operations)
Legal holds	Duration of proceedings	Legal obligation

Data subject erasure requests are processed within 30 days, subject to any overriding legal retention obligations.

Data Protection Officer

Pravakta has appointed a Data Protection Officer (“DPO”) responsible for overseeing compliance with GDPR and applicable data protection laws. The DPO may be contacted at:

Data Protection Officer
ThinkMindLabs
Email: dpo@thinkmindlabs.com
Privacy queries: privacy@thinkmindlabs.com

Data Breach Notification

In the event of a personal data breach affecting data for which Pravakta is the Data Controller, Pravakta will:

Notify the relevant supervisory authority within 72 hours of becoming aware (if risk to rights)
Notify affected data subjects without undue delay where high risk
Maintain a record of all data breaches

✓

Note on Customer Data: Pravakta has no access to personal data processed by the AI Voice Stack in customer production environments. Customers must manage breach detection and notification for their own infrastructure.

GDPR & the EU AI Act

The EU AI Act (“EUAIA”) (Regulation (EU) 2024/1689) introduces obligations for AI systems. Pravakta monitors its compliance obligations, including:

Risk Classification: Classified as Limited Risk AI Systems under Article 50 EUAIA. We provide transparency so end-users know they are interacting with AI.
No Prohibited Uses: Not offered for any prohibited AI use under Article 5 EUAIA.
GDPR Interaction: Where obligations overlap, Pravakta applies the higher standard.

GDPR Compliance Centre