Deployer Compliance Notes
For Toran customers who embed the widget on their EU-facing websites · Last reviewed 2026-05-19
Working draft. This document is informed product guidance, not legal advice. Have your counsel review before relying on it commercially, especially if you're a regulated industry or you handle large EU traffic volumes.
Why this matters for you
When you embed the Toran widget on your website, the EU AI Act treats you as the "deployer" of an AI system and Toran as the "provider." Most of the disclosure work happens on Toran's side automatically — but you have a small set of responsibilities on your own site that we can't do for you.
This page gives you the exact text and the practical steps. Estimated effort to comply fully: ~10 minutes of edits to your privacy policy. No code changes needed.
1. What Toran handles automatically
Toran ships three Article 50(1) disclosure surfaces in the widget by default. You don't need to enable or configure any of them:
- Entry-card subtext — the widget's home screen "Ask a question" button shows "AI-powered instant answers" before the visitor opens chat.
- Persistent header badge — the chat window shows "AI Concierge" with an "AI" pill badge visible throughout the conversation, regardless of any customization you've made.
- First-bubble disclosure — the default welcome message reads "I'm the AI assistant for [your business]." If you customize the welcome message with humanizing copy, a non-overridable disclosure bubble is prepended automatically so the AI nature is always identified.
The full Toran-side stance is at /eu-ai-act.
The disclosure prepend logic lives in the Toran-controlled widget bundle (not in deployer configuration). Forking and self-hosting the bundle would make you a provider in your own right under Article 25 of the EU AI Act — please don't.
2. Update your privacy notice (the one thing you must do)
Under GDPR Article 13/14, you must disclose to visitors that an AI system processes their messages and that a third-party AI sub-processor (Google Gemini) is involved. Toran's in-widget disclosure satisfies Article 50(1) of the AI Act itself; the privacy-notice update closes the GDPR side.
Paste this into your site's privacy policy under a heading like "AI-assisted contact form" or "How we use AI":
⚠ Before pasting this verbatim: the text below assumes you use Toran for inbound lead routing only (capture inquiry → route to your team → human reply). If you also use Toran to send price quotes, booking confirmations, account-status replies, or any automated outbound that affects the visitor materially, the categorical statement "does not make a final decision that legally or significantly affects you" no longer matches your deployment — adapt that sentence with your counsel before publishing.
AI-assisted chat & lead routing
When you use the chat widget on our site, your messages are processed by an AI assistant provided by Toran (toranhq.com). The assistant qualifies the enquiry and routes it to our team — for inbound lead routing it does not make a final decision that legally or significantly affects you, and a team member reviews every enquiry. Chat content is processed by Google Gemini as a sub-processor.
You can request human-only handling at any time by emailing [your contact address]. You can also request access, correction, or deletion of your data under GDPR Articles 15-17 by emailing [your DPO/privacy address].
For details on how Toran processes data on our behalf, see Toran's Data Processing Agreement and Sub-processors list.
Adapt the bracketed addresses to your organization and verify the factual statements match your actual deployment (especially the "no significant decision" sentence — see the caveat above). For most SMB inbound-routing use cases the wording is portable, but if you're in a regulated industry or your deployment differs, run it past counsel first.
3. Customizing the welcome message — the one constraint
You can customize the chat's welcome message in your widget settings (Dashboard → Widget → Welcome message). Feel free to add brand voice, language, or context — "Hi! We're here to help. What brings you in today?" works great.
The one thing you don't need to worry about: if your customized welcome message doesn't mention AI, Toran automatically prepends a disclosure bubble before your message so the AI nature is still identified. The header badge and entry-card subtext also remain visible. You can write your welcome message freely; we handle the disclosure.
4. When the rules change — careers-page deployments
If you embed the Toran widget on a careers or job applications page (to triage applicants), the AI Act treats that deployment differently. Job-applicant triage AI falls under Annex III(4) of the Act as a "high-risk" AI system. As the deployer, you'd inherit additional Chapter III obligations: fundamental-rights impact assessment, human-oversight documentation, registration on the EU AI Office database, etc.
Toran's standard use case — inbound contact-form lead routing for sales/service — is not high-risk and doesn't trigger these obligations. The "what's the customer enquiring about" question Toran answers is a commercial-intent classification, not an employment decision.
If you're using Toran on a careers page, please email trust@toranhq.com so we can flag the deployment context and help you assess whether Annex III(4) applies. We may recommend a different tool, or work with you on the additional compliance documentation.
5. Article 26 deployer responsibilities — the short list
The AI Act's Article 26 sets baseline deployer duties. For Toran's standard widget deployment, all of these are either non-applicable or already satisfied by following this page:
- Use the system in accordance with the provider's instructions (Art 26(1)) — that's what this page is. Don't try to defeat the AI disclosure; update your privacy notice as shown in §2.
- Human oversight (Art 26(2)) — by design, every lead Toran surfaces is reviewed by a human team member before any consequential decision. The widget hands off to your team via WhatsApp / email / SMS / push.
- Input data control (Art 26(4)) — to the extent you control what shows up in the chat (e.g. you can configure prompt categories), make sure you're not feeding personal data of third parties into prompts.
- Workplace use notification (Art 26(7)) — N/A. Visitors aren't workers; this duty doesn't apply to public-facing chat.
- Public-sector FRIA (Art 27) — N/A. Applies to public-sector deployers or specific high-risk Annex III cases; not Toran's standard widget.
6. Useful links
Questions?
Email trust@toranhq.com and we'll respond within one business day. If you need a signed compliance statement on letterhead for procurement, mention that in the subject line.