Controller Guidance Notice

Last changed: Feb 27th, 2026

1. Purpose of This Notice

This document provides guidance to Controllers using SantaClues regarding:

  • Data protection responsibilities
  • Recording and transcription compliance
  • Use of AI-based analysis
  • International transfers
  • Retention and deletion practices

This Notice is informational only and does not modify the Terms of Service or Data Processing Agreement (DPA).

2. Roles and Responsibilities

SantaClues acts solely as a data processor.

The Customer acts as the controller and is responsible for:

  • Determining lawful basis for processing;
  • Ensuring recording and transcription of calls is lawful in applicable jurisdictions;
  • Providing required notices to call participants;
  • Responding to data subject rights requests;
  • Determining whether a Data Protection Impact Assessment (DPIA) is required.

SantaClues does not determine the lawful basis for call recording or transcription.

3. Nature of Data Processed

The Services involve:

  • Audio streaming of sales calls;
  • Transcription of call content;
  • Storage of transcript text;
  • Automated analysis using rule-based systems and large language model (LLM) providers;
  • Logging of prompt interactions;
  • Generation of coaching metrics and reports.

Transcript content may contain personal data depending on the nature of the conversation.

SantaClues does not perform automated redaction or anonymisation prior to analysis

Controllers should ensure that use of the Services aligns with their data protection obligations.

4. Use of Automated Analysis

SantaClues uses automated systems, including LLM-based analysis, to generate coaching insights.

Controllers should note:

  • Outputs are informational and assistive in nature.
  • SantaClues does not make employment or legally binding decisions.
  • Controllers remain responsible for decisions taken based on outputs.

If processing may involve systematic monitoring or performance evaluation, Controllers should assess whether a DPIA is required under Article 35 GDPR.

5. International Transfers

The Services may involve processing outside the European Economic Area.

EU-only processing is not enforced by default.

Where required, SantaClues relies on appropriate safeguards, including Standard Contractual Clauses, as described in the DPA.

Controllers should:

  • Consider international transfer implications in their own compliance assessment;
  • Review the DPA and Subprocessor Annex for further details.

6. Retention and Deletion Overview

SantaClues applies defined retention schedules, including:

  • Transcript retention (default 30 days);
  • Prompt log retention (database: 30 days; file-based logs: 7 days);
  • Backup retention (7-day rolling window).

Deletion applies to active production systems in accordance with retention schedules.

Backups are not immediately purgeable and expire automatically within the rolling retention window

Controllers should take these retention windows into account when responding to data subject requests.

7. Logging and Operational Transparency

To support operational integrity and troubleshooting:

  • Prompt inputs and outputs are logged;
  • File-based logs are retained for a limited period (7 days);
  • Logs are not publicly accessible and are restricted to authorised personnel.

Controllers should be aware that transcript excerpts may appear in operational logs during the defined retention window.

8. Data Subject Rights

SantaClues assists Controllers by:

  • Providing structured export functionality;
  • Enabling account deletion;
  • Enabling organisation-level purge;
  • Supporting backend deletion of specific calls upon request.

Controllers remain responsible for:

  • Validating identity of data subjects;
  • Determining applicability of rights;
  • Communicating with data subjects.

9. Security Measures

SantaClues implements technical and organisational measures as described in Annex II (TOM), including:

  • Role-based access control;
  • Restricted administrative access with 2FA;
  • TLS encryption in transit;
  • Managed database services;
  • Automated retention cleanup;
  • Incident response procedures.

Controllers should review the TOM document to assess appropriateness for their own risk profile.

10. Controller Risk Assessment

Controllers are encouraged to assess:

  • Lawful basis for call recording;
  • Transparency obligations toward call participants;
  • Whether monitoring constitutes systematic monitoring;
  • International transfer exposure;
  • Whether a DPIA is required.

SantaClues provides processor-level safeguards but does not replace controller compliance obligations.

11. Contact

For data protection inquiries:

hello@santaclues.ai

12. Relationship to Contractual Documents

This Notice is informational and does not override:

  • The Terms of Service;
  • The Data Processing Agreement;
  • Annex II (Technical and Organisational Measures);
  • The Subprocessor Annex.

In case of conflict, the DPA governs personal data processing.

Real-Time Coaching That Helps Every Sales Rep Sell Smarter. Like a seasoned coach in your corner — only this one listens quietly, learns fast, and gives your reps the right nudge at the perfect moment.

Menu
Home
Features
FAQ
Pricing
System
Log in
Sign up
Dashboard
Contact
hello@santaclues.ai
Santa Claus, 123 Elf Road, North Pole, 88888
© 2026 🎅 SantaClues | All rights reserved
Compliance center
Privacy policy
Terms and conditions
Made with 🧙 by Swml