EU AI Act compliance

From 2 August 2026, EU rules require any AI system that talks to people to: (a) clearly disclose it's an AI, (b) keep an auditable log of decisions, and (c) hand a caller back to a human on request. Tirza was built to these rules from day one — not bolted on later.

For UK-based businesses the EU AI Act doesn't bind you directly, but the same trust signals matter to your callers and the same UK ICO guidance on AI transparency points the same way. For Irish and other EU businesses, what's on this page is your compliance baseline.

The first sentence Tirza says, on every call:

“Hi, you're speaking with the AI receptionist for [business name]. I help with booking appointments. Would you prefer [owner name] to call you back? I can arrange that right now.”

No hidden AI. No pretending. The caller knows within two seconds, and they're offered a human callback before Tirza even tries to book. The principle holds throughout:Tirza answers when you can't. If she's not sure, she takes a message. You stay in control.

Saying any of human, person, someone else, manager, owner, call me back, urgent, emergency, angry, complaint, 999 or 112 automatically moves the call to a callback request. The caller never has to fight the AI to reach you.

For each call, Tirza writes an append-only record:

• What the caller said (transcript, timestamped)
• What Tirza considered (which slots, which response options)
• What Tirza chose, and why
• The version of the playbook in effect at that moment
• Whether the validation layer flagged or blocked anything

Transcripts are kept for 2 years; the decision log itself for 6 years. If a caller ever disputes a booking, or a regulator asks how a decision was reached, the answer is one query away — not a guess.

Before Tirza speaks, every response passes through a separate rule-based validation layer that runs independently of the AI itself. It checks for:

• Disclosure missing — if the opening AI-disclosure was skipped, the call is paused.
• Off-policy promises — out-of-hours bookings, made-up prices, services you don't offer. Blocked before the caller hears them.
• Slot integrity — Tirza can only offer times the calendar actually returned. No improvising.
• Quiet hours & consent — checks per-country rules before any outbound confirmation (SMS/email).
• Per-caller rate limit — a single number can't book or call repeatedly to run up your bill.

If validation can't make a confident call after two attempts, the system falls back safely: Tirza takes a callback request and you get notified. Better a clean hand-off than a wrong booking.

Customer data, call transcripts and the evidence log are stored in the EU (Frankfurt) on Supabase. Where partners are US-based (Retell, ElevenLabs, Anthropic) we use the EU Commission's Standard Contractual Clauses plus a transfer impact assessment per partner. Full breakdown on /subprocessors.

• A Data Processing Agreement (DPA) is signed automatically when you start your trial — see /dpa.
• A privacy notice you can hand to your callers if they ever ask — see /privacy.
• Export on demand: you can pull every call's transcript and decision log from the dashboard. We don't hold it hostage.