The EU AI Act & Toran
Toran's stance on Regulation (EU) 2024/1689 · Last reviewed 2026-05-19 · Article 50 application date: 2 August 2026
Working draft pending EU-qualified counsel review. Substance reflects the controls Toran ships today + our reading of the Regulation text and Commission draft guidance. For procurement teams who need a signed compliance statement on letterhead, email trust@toranhq.com.
Scope — what applies
Toran's widget includes an AI Concierge that engages visitors conversationally to qualify enquiries before routing them to your team. Because the AI Concierge interacts directly with natural persons, Article 50(1) of the EU AI Act applies to us. We treat it as the load-bearing article for this product.
Articles 50(2) (synthetic-content marking), 50(3) (emotion / biometric inference), and 50(4) (deepfakes / public-interest text) do not apply to Toran's current design — see §Adjacent articles for the reasoning on each.
Article 50 application date: 2 August 2026. Penalty regime for non-compliance: up to EUR 15,000,000 or 3% of worldwide annual turnover, whichever is higher (SMEs and start-ups are capped at the lower of the two).
What we disclose and where
Article 50(1) requires that visitors be informed they are interacting with an AI system. Article 50(5) requires the disclosure be "clear and distinguishable" and delivered "at the latest at the time of the first interaction." Toran ships three disclosure surfaces by default, all shipping in the widget code itself — not relying on you (the deployer) to remember to enable them.
(When we say "shipping in the widget code itself" we mean the Preact bundle Toran serves from cdn.toranhq.com; deployers embed it via a script tag and cannot reach into the disclosure logic without forking and self-hosting the bundle, which would make them a provider under Article 25 in their own right.)
Surface 1 — Entry-card subtext
The widget's home-screen "Ask a question" call-to-action shows "AI-powered instant answers" as subtext directly beneath the button. The visitor sees this before they click into chat, satisfying Article 50(1)'s "at the time of the first interaction" requirement.
Surface 2 — Persistent chat-header badge
The chat window header reads "AI Concierge" with a small hardcoded "AI" pill badge visible throughout the entire conversation. Both elements are baked into the widget code — not configurable by the deployer — so the disclosure persists if the conversation runs long or the visitor scrolls. This addresses Article 50(5)'s "clear and distinguishable" requirement by keeping the AI nature visible at all times, not just at the opening.
Surface 3 — First-bubble disclosure (override-proof)
The default first chat bubble reads "I'm the AI assistant for [your business]. How can I help you today?" If you customize the welcome message with humanizing copy (e.g. "Hi! Maria here from Clínica Sorriso"), Toran automatically prepends a non-overridable disclosure bubble: "You're chatting with an AI assistant for [your business] — it can connect you to the team when you're ready." Your customized message then follows as a second bubble. Brand voice preserved, statutory disclosure restored.
This is the part of our compliance posture we think is most differentiated: the AI disclosure is enforced inside the widget bundle Toran ships and prepended automatically when the welcome message is humanized. The prepend logic lives in the Preact code Toran ships from cdn.toranhq.com/widget.js — not in a deployer-toggleable setting and not in customer-side template logic. Even if a deployer customizes the welcome to "Hi, Maria here from Clínica Sorriso" — which is otherwise a sensible brand-voice choice — the disclosure bubble is restored before the conversation begins. Many chat tools ship a default header label; we haven't found another where the disclosure-prepend survives deployer customization of the welcome message because the prepend lives in provider-controlled code, not deployer-controlled configuration. (If you find one, tell us and we'll update this page.)
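To make the mechanism above concrete, here is an added illustration (not Toran's widget source) of how a provider-shipped bundle can keep the first-bubble disclosure out of the deployer's hands: the header labels are frozen constants rather than config keys, and any customized welcome message gets the disclosure bubble prepended regardless of what else the deployer config contains. The config shape (`businessName`, `welcomeMessage`) and the rule "any non-default welcome counts as customized" are assumptions for this example.

```javascript
// Added example, not Toran's code. Assumed deployer config: { businessName, welcomeMessage }.
// Copy follows the disclosure wording quoted on this page.
const DEFAULT_WELCOME = (biz) => `I'm the AI assistant for ${biz}. How can I help you today?`;
const DISCLOSURE = (biz) =>
  `You're chatting with an AI assistant for ${biz} — it can connect you to the team when you're ready.`;

// Persistent header elements (Surface 2): constants in the bundle, not config keys,
// so there is nothing for a deployer setting to switch off.
const HEADER = Object.freeze({ title: 'AI Concierge', badge: 'AI' });

// Builds the opening bubbles for a conversation (Surface 3).
// Only `businessName` and `welcomeMessage` are read; unknown keys such as a
// hypothetical `disableDisclosure` are ignored on purpose.
function buildOpeningBubbles(deployerConfig) {
  const cfg = deployerConfig || {};
  const biz = String(cfg.businessName || 'this business').trim();
  const custom = typeof cfg.welcomeMessage === 'string' ? cfg.welcomeMessage.trim() : '';

  // Default welcome already self-identifies as AI: a single bubble is enough.
  if (!custom || custom === DEFAULT_WELCOME(biz)) {
    return [{ role: 'assistant', text: DEFAULT_WELCOME(biz), disclosure: true, locked: true }];
  }

  // Customized (humanized) welcome: disclosure bubble goes first, deployer copy second.
  return [
    { role: 'assistant', text: DISCLOSURE(biz), disclosure: true, locked: true },
    { role: 'assistant', text: custom, disclosure: false, locked: false },
  ];
}

// Invariant worth asserting in the bundle's own test suite: whatever the config,
// the first bubble the visitor sees is a locked disclosure (Article 50(1)/(5)).
// Note this protects against configuration, not against a deployer editing the
// DOM or CSS of their own page; that path is covered by the Article 25 point above.
function firstBubbleDiscloses(bubbles) {
  return bubbles.length > 0 && bubbles[0].disclosure === true && bubbles[0].locked === true;
}
```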
What deployers need to do
The AI Act splits responsibility between providers (Toran) and deployers (you). Toran handles the in-widget disclosure surface; you handle the privacy-notice disclosure on your own site and the deployment-context decisions.
Full deployer obligations + copy-paste privacy-notice clause at /legal/deployer-notes. The short version: update your privacy policy with a paragraph disclosing the AI Concierge + Google Gemini sub-processor (we provide the wording), and don't deploy on a careers/hiring page without telling us first (different Act classification — see §Adjacent articles).
What we deliberately don't do
Several AI Act risk categories are kept narrow on purpose — both for compliance posture and because they wouldn't be appropriate for this product:
- No emotion recognition. Hot/Warm/Cold lead scoring is a commercial-intent classification on the message content. It is not an inference about the visitor's emotional state, mood, or personality. Article 50(3) + Article 5 (emotion AI in workplaces) prohibitions don't apply.
- No biometric categorization. Toran processes typed text content only. No facial recognition, no voice analysis, no fingerprint or behavioral biometrics. Annex III(1) biometric high-risk classifications don't apply.
- No automated decisions affecting visitors. The AI's job is to qualify the lead and hand off to a human team member. Every consequential response to the visitor comes from a human via your real channels (WhatsApp, email, SMS, push). GDPR Article 22 (automated decision-making with significant effects) doesn't apply because no significant decision is made automatically.
- No deepfake / synthetic-content publishing to visitors. The Smart Dossier (one-line AI summary) is rendered only inside the Toran dashboard for your team's internal use. It is not published, broadcast, or surfaced to visitors or external audiences, so Article 50(2)'s machine-readable marking obligations — which attach to publicly disseminated synthetic content — don't have a surface to attach to in Toran's current product.
- No social-scoring features. No cross-context inference of visitor traits, no "trustworthiness scoring," no aggregating data across visitors for behavioral profiling. Article 5(1)(c) prohibition doesn't apply.
Toran's commercial-intent classification is narrower than sentiment or emotion inference, which would trigger a tougher Article 50(3) analysis if added later. Keeping the scope deliberately tight is a product choice with compliance benefits.
Other AI Act articles — where Toran lands
Article 4 — AI literacy · In force since 2 Feb 2025 · Covered
Article 4 requires staff using AI systems to have "a sufficient level of AI literacy." Toran's onboarding + dashboard label AI-generated outputs explicitly (the Hot/Warm/Cold scoring is identified as AI, the Smart Dossier is identified as an AI summary, and final routing decisions remain human). This supports your Article 4 deployer-literacy duty by giving your team a clearly-labelled UI to learn from; the operational training of your staff in using the system remains your responsibility under Article 4.
Article 5 — Prohibited practices · Not triggered
Article 5 prohibits subliminal manipulation, exploitation of vulnerabilities, social scoring by public authorities, untargeted facial-image scraping, emotion recognition in workplaces/education, and biometric categorization by sensitive attributes. None describe Toran's lead-scoring on inbound contact-form submissions.
Article 6 + Annex III — High-risk classification · Not triggered for standard use; careers-page edge case
Annex III lists high-risk AI use cases including employment-decision AI (III(4)) and access-to-essential-services AI (III(5)). Toran's standard use case is scoring inbound sales / commercial enquiries. That's outside Annex III.
One edge case we're honest about: if a deployer embeds the widget on a careers / job-applications page to triage applicants, that specific deployment falls under Annex III(4) and the deployer inherits Chapter III high-risk obligations (fundamental-rights impact assessment, registration, human oversight documentation). Toran itself doesn't change; the deployment context does. We ask deployers to flag this use case so we can help assess. See deployer notes §4.
GDPR (still applies, regardless of AI Act)
Article 50(6) of the AI Act explicitly preserves all GDPR obligations. Toran's customers remain data controllers; Toran is a data processor. The full DPA, GDPR Article 28 clauses, and sub-processor list are at /legal/dpa and /legal/subprocessors. This is a larger EU compliance surface than Article 50 itself.
AI sub-processors
Toran's AI Concierge is powered by Google Gemini. Conversation content is sent to Google's API for processing. Google's AI Act compliance posture is published at Google Cloud AI Act readiness.
Full sub-processor list (Gemini + Supabase + Cloudflare + Resend + Paddle + Sentry + IPinfo + Telegram) at /legal/subprocessors including data categories, regions, and transfer mechanisms.
What would change the answer
Our compliance posture depends on the product staying within its current scope. If any of the following changes, the answer above flips and we'll re-publish this page with the updated obligations:
- If Toran ever surfaced AI-generated synthetic content to visitors (e.g. voice-cloned hold messages, AI-generated banner images, deepfake of a team member), Article 50(2) machine-readable marking obligations would attach.
- If Toran ever added emotion / sentiment / personality inference (beyond commercial-intent classification), Article 50(3) deployer-information obligations would attach and Annex III(1)(c) emotion-recognition risk would trigger if used in workplaces.
- If Toran ever made consequential automated decisions affecting visitors (e.g. refusing service, locking out an account, suspending a transaction) without human review, GDPR Article 22 and adjacent AI Act considerations would re-engage.
- If you deploy the widget on a careers / job-applications page, Annex III(4) applies and you inherit deployer high-risk obligations.
We surface these constraints publicly because the differentiation we're claiming (transparency-by-default at the provider level) is only defensible while it stays structural.
Questions?
For procurement-form responses, signed compliance statements on letterhead, or specific questions about your deployment context, email trust@toranhq.com. We respond within one business day.
Last reviewed: 2026-05-19 · Re-review scheduled before 2 Aug 2026 application date. This page reflects Toran's interpretation of Regulation (EU) 2024/1689 for the standard product use case; it is not legal advice for your organization's specific facts.