Privacy Policy
Last updated: 11 June 2026
Effective date: 11 June 2026
AI Call Agent (“we,” “us,” or “our”) operates the AI Call Agent platform (the “Service”). This Privacy Policy explains how we collect, use, disclose, and protect your information and the information of people you contact through the Service. It applies to users of the Service (account holders and their authorized users), website visitors, and, where relevant, call recipients and other data subjects.
Geographic Scope (United Kingdom)
The Service and this Privacy Policy apply to users located in the United Kingdom only. By using the Service, you represent that you are based in the United Kingdom. If you are outside the United Kingdom, you must not use the Service.
1. Who Is Responsible for Your Data?
We are the data controller for the personal data we process in connection with the Service (e.g. account data, usage data). We process personal data in accordance with the UK GDPR and the Data Protection Act 2018.
When you use the Service to place calls or upload contact data, you act as a data controller (or joint controller) for the personal data of the people you contact. You are responsible for having a lawful basis (e.g. consent, legitimate interest) to process their data and to provide them with any required notices. We process that data on your behalf as a processor to deliver the Service (see Section 6).
2. Data We Collect
2.1 Account and Registration Data
- Name, email address, company name, and other details you provide when signing up or managing your account.
- Login credentials (stored securely; we do not store raw card numbers—payments are handled by Stripe).
2.2 Usage and Service Data
- Contacts and leads you upload (e.g. name, email, phone number, business name, country).
- Call metadata: when calls are placed, duration, outcome (e.g. answered, not answered), cost.
- Call recordings and transcripts (where the Service is configured to record and transcribe).
- Calendar and appointment data you provide or that is captured during calls (e.g. for Cal.com booking).
- Billing and balance information (e.g. top-ups, credits used).
2.3 Technical and Log Data
- IP address, browser type, device information.
- Logs of API requests, errors, and system events (for operation and security).
- First-party cookies or similar identifiers used for authentication, security, abuse prevention, and remembering website preferences.
2.4 Data from Call Recipients
When you place a call through the Service, the recipient’s voice and the conversation content may be recorded and transcribed. We process this data to provide the Service (e.g. to store recordings and transcripts in your account). You must ensure that call recipients are informed and, where required by UK law (including the UK GDPR, Data Protection Act 2018, and PECR), have a lawful basis and any required consent to recording.
2.5 Website Visitors and AVA Assistant Usage
If you interact with AVA, our website voice assistant, we may collect anonymous identifiers, technical device and browser information, network-related information, widget interaction events (such as opening the assistant), AVA call start attempts, page path, timestamps, call metadata, and conversation content where a call is started. We use this information to operate AVA, prevent abuse, protect the security and availability of the Service, understand assistant performance, enforce usage limits, and improve the visitor experience. Where possible, we use privacy-preserving techniques and do not store raw IP addresses for AVA abuse-prevention purposes. Anonymous AVA identifiers are not used to access, read, or derive data from connected Google, Cal.com, or Calendly calendars.
3. How We Use Data
We use the data we collect to:
- Provide the Service – Account management, placing and managing calls, storing recordings and transcripts, billing, and support.
- Improve and secure the Service – Analytics (aggregated where possible), troubleshooting, fraud prevention, and security.
- Operate website assistant features – Enabling AVA, limiting repeated anonymous calls, detecting abuse, and measuring assistant performance.
- Comply with law – Responding to legal process, regulatory requests, and enforcing our terms.
- Communicate with you – Service-related emails (e.g. password reset, billing, important policy changes). We may send marketing only where permitted and with your consent; you can opt out at any time.
We do not sell your personal data or the personal data of call recipients to third parties for marketing. We may share data as described in the next section.
4. Third-Party Processors and Disclosure
We use the following categories of service providers to operate the Service. They process data on our instructions and are bound by contractual obligations consistent with this policy and applicable law.
| Purpose | Processor | Data shared | Location / notes |
|---|---|---|---|
| Telephony (voice calls) | Twilio | Phone numbers, call metadata, recordings (if configured) | US / global; see Twilio’s privacy policy |
| AI voice and conversation | VAPI | Conversation content, transcripts, call metadata | US; see VAPI’s privacy policy |
| Speech-to-text | Deepgram (via VAPI) | Audio / voice data for transcription | US; see Deepgram’s privacy policy |
| AI / LLM processing | OpenAI (via VAPI) | Conversation content for AI responses | US; see OpenAI’s privacy policy |
| Payments | Stripe | Billing details, payment method (we do not store card numbers) | Global; PCI-compliant; see Stripe’s privacy policy |
| Calendar / scheduling | Cal.com, Calendly, Google Calendar / Google Workspace APIs, and Microsoft Outlook Calendar (if used) | Calendar availability, slot data, and booking details necessary to schedule appointments | As per provider configuration and user authorization |
| Hosting and infrastructure | Vercel, Neon (database) | All data necessary to run the Service | As per provider; may include US/EU |
We may also disclose data:
- To our affiliates and professional advisers (e.g. lawyers, auditors) where necessary.
- When required by law (e.g. court order, regulatory request) or to protect our rights, safety, or property.
- In connection with a merger, sale, or restructuring (with notice where required by law).
4.1 Google API Limited Use Disclosure
The use and transfer of raw or derived user data received from Google Workspace APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
If you connect Google Calendar to AiCallAgent, we access only the Google Calendar API data needed to provide the scheduling features you choose to use. This may include calendar availability, event times, attendee or booking details, and related calendar metadata needed to check availability, create bookings, update bookings, prevent double-booking, and show scheduling information in the Service.
We use this data only to provide or improve user-facing scheduling features that are visible in the Service, maintain and secure those features, troubleshoot errors, prevent abuse, comply with applicable law, or as otherwise permitted with the user's consent. We do not use Google Workspace API data for advertising, cross-context behavioural advertising, resale, unrelated analytics, credit-worthiness or lending decisions, or to train generalised AI or machine learning models.
We do not use Microsoft Outlook Calendar data for advertising, cross-context behavioural advertising, resale, or unrelated analytics. Outlook Calendar data obtained through connected calendar providers is used only to provide and improve scheduling features that are visible in the Service, to troubleshoot or secure those features, to comply with law, or as otherwise permitted with the user's consent.
We transfer Google Workspace API data only where necessary to provide or improve the scheduling features the user has enabled and only with the user's consent, for security purposes, to comply with applicable law, or as part of a merger, acquisition, or sale of assets after obtaining any required explicit prior user consent. We do not sell Google Workspace API data or transfer it to advertising platforms, data brokers, information resellers, or other third parties for their independent marketing or profiling purposes.
Human access to Google Workspace API data is restricted. Our employees, contractors, and service providers may access it only where the user has given affirmative agreement for support, where necessary to investigate security or abuse issues, where necessary to comply with applicable law, or where the data is aggregated and used for internal operations in accordance with applicable privacy laws.
Where Google Workspace API data contains personal data, we process it in accordance with applicable UK data protection laws, including the UK GDPR and the Data Protection Act 2018. This includes applying data minimisation, purpose limitation, storage limitation, appropriate security measures, and respecting applicable data subject rights described in this Privacy Policy.
5. Legal Basis (UK)
For users and data subjects in the United Kingdom, we rely on:
- Contract – Processing necessary to perform our contract with you (e.g. account, calls, billing).
- Legitimate interests – Improving the Service, security, fraud prevention, and defending our rights, where not overridden by your interests.
- Legal obligation – Where we must process data to comply with law.
- Consent – Where we ask for consent (e.g. marketing, optional features); you may withdraw consent at any time.
6. Your Rights (UK GDPR)
If you are in the United Kingdom, you have the right to:
- Access – Request a copy of your personal data we hold.
- Rectification – Request correction of inaccurate data.
- Erasure – Request deletion of your personal data (subject to legal exceptions).
- Restriction – Request that we limit processing in certain circumstances.
- Portability – Request a copy of your data in a structured, machine-readable format.
- Object – Object to processing based on legitimate interests (including profiling where applicable).
- Withdraw consent – Where processing is based on consent.
- Lodge a complaint – With the Information Commissioner’s Office (ICO) in the United Kingdom.
To exercise these rights, contact us at support@aicallagent.ai. We will respond within the time required by law (e.g. one month under the UK GDPR).
6.1 Data access and deletion process
We provide a process for data access and deletion requests as required by the UK GDPR. Contact support@aicallagent.ai or use the in-app/data request form if we provide one. We will respond and, where applicable, provide or delete data within the statutory timeframe.
7. Data Retention
- Account data – Retained while your account is active and for a period after closure as needed for legal, accounting, or dispute resolution (e.g. 3–7 years where required).
- Recordings and transcripts – Retained according to your account settings and our retention policy; you can request deletion of specific calls or account data.
- Billing and transaction data – Retained as required for tax, accounting, and legal compliance.
- Logs and technical data – Retained for a limited period for security and operation (e.g. 12–24 months unless longer required by law).
- Anonymous AVA visitor usage data – Retained for a limited period for abuse prevention, security, and assistant performance measurement, unless we need to keep it longer to investigate abuse, comply with law, or resolve disputes.
We minimise data collection and delete or anonymise data when no longer needed for the purposes described in this policy.
8. Security
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction, including encryption in transit and at rest where applicable, access controls, and secure development practices. Payment card data is handled by Stripe and is not stored on our servers.
9. International Transfers
We and our processors may store and process data in the United States and other countries. Where we transfer personal data from the United Kingdom to a country not recognised by the UK as providing adequate protection, we use appropriate safeguards (e.g. the UK International Data Transfer Agreement (IDTA) or UK Addendum to EU Standard Contractual Clauses) as required by law.
10. Children
The Service is not intended for individuals under 18. We do not knowingly collect personal data from children under 18. If you become aware that a child has provided us with data, please contact us so we can delete it.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will post the updated version and, for material changes, notify you (e.g. by email or in-app notice) and indicate the effective date. We encourage you to review the policy periodically.
12. Contact
- Data controller: AI Call Agent
- Contact for privacy and data subject requests: support@aicallagent.ai (use this address for UK GDPR requests and general privacy enquiries; we do not maintain a separate Data Protection Officer contact).
- Registered office / postal address: Available on request—email support@aicallagent.ai.
- Phone: We handle privacy and data requests by email only; please use the address above.
- Supervisory authority: Information Commissioner’s Office (ICO), ico.org.uk.
Have qualified legal counsel review registered office details, DPO requirements, and processor disclosures for your specific situation.
