Privacy and Personal Data
How Rela AI protects your organization's data, portability and deletion rights under GDPR and local laws, and complete isolation between organizations.
Privacy and Personal Data
The data your organization generates in Rela AI — technician conversations, equipment history, personnel information — belongs to your organization. This section explains how that data is protected, what rights users have over their personal data, and how we guarantee that no organization accesses another's data.
What is it for?
For companies operating under data protection regulations (GDPR in Europe, and equivalent laws in other countries), this section documents how Rela AI meets those obligations. The administrator can use it as a reference for compliance audits or to respond to queries from the legal team.
Isolation between organizations
Each organization in Rela AI exists in a completely separate space from all others. Even if two plants from the same company have separate accounts, their data does not mix. It is impossible for a user from one organization to access another organization's data.
Queries from any user are always filtered by their organization — it is technically impossible for a search to return results from another organization, even if the data were similar.
Data portability
Any organization can export all of its data in structured format. This right complies with GDPR Article 20 and equivalent articles in local laws.
What the export includes
The export includes all organization information:
- Agents, tools, and configurations
- Data collections, records, and extractions
- WhatsApp and email conversations
- Tasks and work orders
- Assets and maintenance plans
- Personnel, departments, and roles
- Audit records
The only excluded data is passwords — stored as irreversible hashes and not exportable for security reasons.
To request an export, see the Data Management section in Administration.
Right to erasure — User account deletion
An employee who leaves the company can request deletion of their personal data from the platform. The process includes a 30-day grace period to prevent accidental deletions:
- The user (or the administrator on their behalf) requests account deletion.
- The account is immediately deactivated — the user loses access but their data is not yet deleted.
- For 30 days, the user can cancel the request and reactivate their account.
- After 30 days without cancellation, personal data is permanently deleted.
This process guarantees that accidental or rushed deletions can be reversed, while complying with the response timeframes required by regulations.
User consent
The platform records each user's consent individually and by type:
| Consent type | When requested |
|---|---|
| Terms and conditions | Upon registration |
| Privacy policy | Upon registration |
| Marketing communications | Optional, in profile settings |
Each acceptance is recorded with the exact date, the version of the accepted document, and the session identifier. This history is not deleted — it allows demonstrating in any audit that the user accepted the terms on a specific date with a specific version of the document.
Data retention
Data is retained at two levels and automatically deleted after 2 years:
| Period | Data status |
|---|---|
| First 30 days | Fast access — actively used data |
| 30 days to 2 years | Archive — available for query but compressed |
| After 2 years | Automatic and irreversible deletion |
Organizations with extended retention requirements (regulated plants, pharmaceutical sector, food sector) can request custom periods on Enterprise plans.
Key benefits
- Complete isolation between organizations — cross-access is technically impossible
- Full data export in structured format for portability or audit
- Deletion process with 30-day grace period for user safety
- Consent record with complete history for regulatory compliance
- Automatic tiered retention with definitive deletion at 2 years
- Customizable retention periods for sectors with special regulatory requirements