Vivollo

PII & compliance

How Vivollo detects and protects personal data — the entities it catches, how masking works, and what it means for KVKK and GDPR.

Customer conversations are full of personal data — emails, phone numbers, sometimes a card number or an ID typed in haste. PII protection is how Vivollo keeps that data from ending up where it shouldn't. This page goes deep on what gets detected, what happens to it, and why it matters for compliance.

PII stands for personally identifiable information — anything that points to a specific person.

What gets detected

The standard PII guardrail recognizes the common, structured kinds of sensitive data on sight:

  • Email addresses
  • Phone numbers
  • Credit-card numbers
  • Turkish ID numbers (TC Kimlik)
  • National IDs / SSNs
  • IBANs and bank details
  • IP addresses
  • URLs
  • Crypto wallet addresses

The full PII guardrail (see Guardrail types) adds the fuzzier, context-dependent kinds that need a moment of judgment:

  • Person names
  • Locations (addresses, cities)
  • Identifying dates
  • Nationality, religion, or political references
  • Medical/healthcare identifiers

What happens when it's found

You choose how a PII guardrail responds:

  • Redact (the usual choice) — the message goes through, but the sensitive part is replaced with a clear, typed token, so the meaning survives while the data doesn't:

    Customer: "My email is ayse@example.com and my card is 4242 4242 4242 4242."
    Stored as: "My email is [EMAIL_REDACTED] and my card is [CARD_REDACTED]."

  • Block — for the strictest cases, reject the message entirely and ask the customer not to share that information in chat.

You can also customize the replacement tokens if you'd rather they read a particular way (for example, [CUSTOMER_EMAIL] instead of [EMAIL_REDACTED]).

Why redaction beats deletion

Redaction is deliberate: it preserves the shape of the conversation while removing the risk. Your team and the agent can still follow that the customer shared an email and a card, without those values being stored in your records or surfaced in a reply. You keep the context; you drop the liability.

Working safely, even mid-stream

Because replies stream out as they're written, PII protection is built to watch the stream and hold back just enough to catch sensitive data that might span a boundary. A card number can't slip through by being split across two chunks, and nothing sensitive flashes on screen before it's masked.
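The hold-back idea described above, as an added Python sketch (not Vivollo's implementation). The two regexes, the 64-character HOLD window, the Luhn filter and the names StreamRedactor and redact_stream are assumptions made for illustration; the tokens follow the redaction example earlier on this page.

```python
import re

# Assumed patterns for this sketch; token names follow the page's redaction example.
PATTERNS = [
    ("[EMAIL_REDACTED]", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")),
    ("[CARD_REDACTED]", re.compile(r"\b\d(?:[ -]?\d){12,18}\b")),
]
HOLD = 64  # assumed upper bound on the length of one sensitive value

def luhn_ok(candidate):
    """Luhn checksum, so arbitrary long digit runs are not masked as cards."""
    digits = [int(c) for c in candidate if c.isdigit()][::-1]
    total = sum(digits[0::2]) + sum(sum(divmod(2 * d, 10)) for d in digits[1::2])
    return total % 10 == 0

def find_spans(text):
    """Return sorted (start, end, token) tuples for each detected value."""
    spans = []
    for token, rx in PATTERNS:
        for m in rx.finditer(text):
            if token != "[CARD_REDACTED]" or luhn_ok(m.group()):
                spans.append((m.start(), m.end(), token))
    return sorted(spans)

class StreamRedactor:
    def __init__(self, hold=HOLD):
        self.buf, self.hold = "", hold

    def feed(self, chunk, final=False):
        """Buffer a chunk; return only the masked text that is safe to show."""
        self.buf += chunk
        spans = find_spans(self.buf)
        cut = len(self.buf) if final else max(0, len(self.buf) - self.hold)
        for start, end, _ in reversed(spans):
            if start < cut < end:  # never release part of a detected value
                cut = start
        out, pos = [], 0
        for start, end, token in spans:
            if pos <= start and end <= cut:  # complete, non-overlapping match
                out += [self.buf[pos:start], token]
                pos = end
        out.append(self.buf[pos:cut])
        self.buf = self.buf[cut:]
        return "".join(out)

def redact_stream(chunks, hold=HOLD):
    """Run chunks through one redactor and return the pieces it released."""
    r = StreamRedactor(hold)
    return [r.feed(c) for c in chunks] + [r.feed("", final=True)]
```

The guarantee holds only for values no longer than the hold window: a longer value could have its leading characters released before the rest arrives, so the window has to be sized to the longest entity being detected.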

What this means for KVKK & GDPR

Turkey's KVKK and Europe's GDPR both expect you to handle personal data carefully — to minimize what you keep and protect what you must. Vivollo's PII handling supports that posture directly:

  • Minimize — sensitive values are masked rather than stored in the clear.
  • Protect by design — detection runs automatically on every conversation, in and out, so it doesn't depend on anyone remembering.
  • Privacy beyond guardrails — Vivollo also avoids storing raw IP addresses and strips sensitive parameters from page URLs, and offers a forget-this-visitor action to erase a person's data on request. See The visitor journey for that side of things.

Guardrails are a strong, automatic safety layer — but they're one part of compliance, not a legal guarantee on their own. How you configure them, what data you choose to collect, and your broader policies all matter. Treat PII guardrails as essential infrastructure, and pair them with sound practices and, where needed, your own legal guidance.

A sensible default

For most businesses, the right starting point is simple: put a PII guardrail set to redact on every assistant, covering at least emails, phones, cards, and TC Kimlik numbers. Turn it up to block, or to full PII, for assistants that handle especially sensitive conversations. From there, tune to your needs — but never run an assistant with no PII protection at all.