Privacy Policy
- Who we are
- Our roles: controller vs. processor
- What data we collect
- Data about your agent's callers — how it works
- Special categories of data and CNP
- Why we collect it (legal basis)
- How long we keep your data
- Who we share it with (sub-processors)
- International transfers
- Your rights (GDPR)
- Security breach notification
- Cookies and similar technologies
- Security
- Minors
- Changes to this policy
- Contact and complaints
This policy explains what data we collect when you use the vocalyy.ro website, when you book a demo, or when you use our AI voice agent service, and how we protect this data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable Romanian law, including Law No. 190/2018.
1. Who we are
Vocalyy SRL, a Romanian legal entity with its registered office in Romania, operates the vocalyy.ro website and the Vocalyy AI voice agent service. For any questions related to data protection, you can contact us at agent@vocalyy.ro.
2. Our roles: controller vs. processor
Vocalyy SRL acts in two distinct legal capacities, depending on the category of data:
- CONTROLLER for our client's own data (contact person, legal representative, billing data, account/authentication data, commercial communications). For this data, Vocalyy alone determines the purposes and means of processing and answers directly to the client as the data subject.
- PROCESSOR for the data of our client's callers (the customers, patients, or prospective customers of the business who call or are called through the Vocalyy voice agent). For this data, the Vocalyy client is the controller, and Vocalyy processes exclusively on the basis of the client's documented instructions (voice agent configuration, conversation script, purpose of the calls), in accordance with Art. 28 GDPR.
The full details of the controller–processor relationship, including mutual obligations, are governed by the Data Processing Agreement (DPA) signed with each B2B client (Data Processing Agreement).
3. What data we collect
3.1 Data collected when you visit the site
- IP address, browser type, operating system, pages visited
- Date and time of visit, traffic source (where you came from)
- Cookies (see section 12)
3.2 Data you provide when you book a demo
- Full name
- Email address
- Phone number
- Business name and the industry you operate in
- Optional notes about your needs
3.3 Data collected when you test a demo voice agent on the site
- Audio recording of your call with the demo agent (typically up to 2 minutes)
- Automatic transcript of the conversation
- Microphone permission granted to your browser
For this specific interaction — the on-site demo test — we request your explicit consent before activating the microphone. This is the only legal basis used for the demo recording (see the table in section 6).
3.4 Data collected as a Vocalyy service subscriber
- Billing data: company name, tax ID (CUI), address, IBAN if applicable
- Contact details of the authorized person
- Data about your business needed to build the agent (hours, prices, services, frequently asked questions, etc.)
- Data about the calls your agent processes — see section 4
4. Data about your agent's callers — how it works
When your voice agent answers a call or calls a contact, Vocalyy processes data about that caller exclusively on the basis of your documented instructions, acting as processor. Here is exactly what happens with each type of data:
4.1 What the Vocalyy dashboard displays
- The caller's phone number — visible in the "Call History" section
- Call metadata — date, time, duration
- The complete conversation transcript — fully visible in the "Call Transcript" section
We state this honestly: the complete transcript of every conversation is stored and displayed in your dashboard. We do not delete or anonymize the content of the conversation by default.
4.2 What Vocalyy does NOT store: the audio recording
Vocalyy does not store the audio recording of calls on its own servers. The audio is recorded and hosted by ElevenLabs (our AI voice sub-processor).
Audio download mechanism: the Vocalyy dashboard displays a "Download audio" button. Pressing this button downloads the audio recording directly from ElevenLabs to the client's own device — Vocalyy's servers do not store and do not have persistent access to the audio file at any point. From the moment of download, the client becomes the sole controller of that copy of the audio recording and is solely responsible for its security, storage, and any further processing.
5. Special categories of data and CNP
Conversation transcripts may contain, depending on the client's industry (for example, medical or dental clients), health data or other special categories of data within the meaning of Art. 9 GDPR, as well as a Personal Numerical Code (CNP).
Our client, as controller, guarantees that it holds a valid legal basis under Art. 9 GDPR for any special category of data collected through the voice agent, and that it meets the conditions imposed by Art. 4 of Law No. 190/2018 when processing involves a CNP (including, where the legal basis is legitimate interest, technical minimization measures, defined retention periods, and training of its own staff). Vocalyy processes this data exclusively on the basis of the client's documented instructions, without determining the purpose or legal basis for its collection.
For this reason, we treat the security and retention of transcripts as priorities — see sections 7 and 13.
6. Why we collect it (legal basis)
| Data category | Purpose | GDPR legal basis |
|---|---|---|
| Web traffic data, analytics cookies | Understanding site usage | Consent (Art. 6.1.a) |
| Demo form data | Scheduling and preparing the call | Pre-contractual steps (Art. 6.1.b) |
| On-site demo audio recording + transcript | Operation of the interactive demo | Consent (Art. 6.1.a) |
| Billing and contractual data (Vocalyy client) | Performance of the service contract | Contract (Art. 6.1.b) + Legal obligation (Art. 6.1.c) |
| Account data | Provision and administration of the account | Contract (Art. 6.1.b) |
| Data about the agent's callers | Provision of the service to the B2B client | Determined by the client, as controller (typically Art. 6.1.a, 6.1.b, or 6.1.f) — Vocalyy processes as processor |
7. How long we keep your data
Full details are published in our Retention Policy.
| Category | Period | Legal basis / reason |
|---|---|---|
| Caller's phone number | [X months] — to be confirmed | Client's (controller) legitimate interest in the history of the relationship with the caller; Vocalyy's operational necessity as processor |
| Call metadata | [X months] — to be confirmed | Same as above |
| Complete transcript | [X months] — to be confirmed | May contain special category data — limited retention and enhanced security under Art. 9 GDPR / Law 190/2018 |
| Billing data (Vocalyy client) | 5 years, from 1 July of the following year | Art. 25, Accounting Law No. 82/1991, as amended by Law No. 36/2023 |
| Audit logs | [X] — to be confirmed | Art. 5(2) and Art. 32 GDPR |
| Site/demo data | [X] — to be confirmed | Vocalyy's legitimate interest |
| Cookies | [X] | Consent, Art. 6(1)(a) |
| Account data | [X] — duration of the contract + legal term | Art. 6(1)(b) |
Call audio is not stored by Vocalyy (see section 4.2). Retention period at ElevenLabs: [X] — to be confirmed; this is a policy of our sub-processor, not direct retention by Vocalyy.
8. Who we share it with (sub-processors)
We use external providers who process data on our behalf. All of them sign GDPR-compliant data processing agreements.
| Provider | Service | Data categories | Location | Transfer mechanism |
|---|---|---|---|---|
| ElevenLabs [exact legal entity — X] | Voice AI (speech-to-text + text-to-speech); stores/hosts call audio recordings (downloadable by the client) | Voice/audio, transcript in transit | [X — to be confirmed] | [X — DPF or SCC, to be confirmed] |
| Telnyx LLC | Telephony / call routing (phone number, audio media stream, call metadata) | Phone number, audio in transit, call metadata | USA (with EU data residency option) [to be reconfirmed] | DPF [to be reconfirmed] |
| Anthropic PBC | LLM (Claude) — generates the agent's conversational responses; processes the transcript in real time | Transcript content (in transit/processing) | [to be reconfirmed] | DPF [to be reconfirmed — verify current status] |
| Supabase Inc. | PostgreSQL database + authentication | Account data, operational data | EU (Frankfurt) | N/A (within EU) — [to be reconfirmed if still in use] |
| Render Services Inc. | Backend hosting | Operational/application data | USA | DPF — [to be reconfirmed if still in use] |
| Resend | Transactional email | Email addresses, notification content | USA | SCC-DPF — [to be reconfirmed if still in use] |
| Cal.com Inc. | Demo call scheduling | Contact data for scheduling | EU/USA | [to be reconfirmed if still in use] |
| Stripe Payments Europe Ltd. | Payments | Billing/payment data | EU (Ireland) | N/A (within EU) — [to be reconfirmed if still in use] |
| Google LLC | Google Workspace Calendar OAuth | Calendar/scheduling data | USA | DPF — [to be reconfirmed if still in use] |
| SmartBill SRL | Invoicing (Romania) | Billing data | Romania | N/A (domestic RO) — [to be reconfirmed if still in use] |
The items marked [X] are to be confirmed by Vocalyy SRL before publication. OpenAI, L.L.C. is not and has not been used by Vocalyy for any personal data processing service.
The complete, up-to-date list is published at the Sub-processors List. We notify B2B clients by email at least 30 days before any change.
9. International transfers
Certain providers (Telnyx, Anthropic, Render, Resend, Google, ElevenLabs) are based or have servers outside the European Economic Area. Transfers are protected by the EU-US Data Privacy Framework (DPF) and, where applicable, by Standard Contractual Clauses. Exact details for each provider are available at the Sub-processors List. We do not transfer data to other third countries beyond those listed there.
10. Your rights (GDPR)
You have the right to:
- Access (Art. 15) — find out what data we hold about you
- Rectification (Art. 16) — correct inaccurate data
- Erasure / "right to be forgotten" (Art. 17) — ask us to delete your data
- Restriction of processing (Art. 18) — temporarily limit processing
- Portability (Art. 20) — receive your data in a structured format
- Object (Art. 21) — to processing based on legitimate interest
- Not be subject to a decision based solely on automated processing (Art. 22)
- Withdraw your consent at any time (where we relied on consent), without affecting the lawfulness of processing carried out before its withdrawal
Requests are sent to agent@vocalyy.ro. We respond within one month at most of receiving the request, a period that may be extended by a further two months in complex cases, with prior notice to you. Exercising these rights is free of charge.
If you are a caller of a Vocalyy client (not our direct client), your rights are exercised primarily against the controller — the business using the voice agent. Vocalyy, as processor, assists the client in resolving such requests in accordance with Art. 28(3)(e) GDPR.
11. Security breach notification
In the event of a breach of the security of personal data, Vocalyy notifies the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) without undue delay and, where feasible, within a maximum of 72 hours from the moment we became aware of the breach, in accordance with Art. 33 GDPR.
If the breach is likely to result in a high risk to the rights and freedoms of data subjects, we inform the affected individuals without undue delay, in accordance with Art. 34 GDPR, except where the exceptions provided by law apply (for example, the data was encrypted, or we have taken subsequent measures that eliminate the high risk).
For the data of our clients' callers (where Vocalyy is processor), we immediately notify the affected client, who remains responsible, as controller, for notifying ANSPDCP and its own data subjects, with our support.
12. Cookies and similar technologies
We use cookies for:
- Strictly necessary cookies (site functionality — session, language preference) — no consent required
- Analytics cookies (anonymous visitor counting) — consent required, under Art. 6.1.a GDPR
We ask for your consent via the banner shown on your first visit. You can change your preferences at any time via the "Cookies" link in the site footer.
13. Security
We use appropriate technical and organizational measures, in accordance with Art. 32 GDPR: encryption in transit (HTTPS / TLS 1.2+), role-based access control, hashed passwords, continuous monitoring. Because transcripts may contain health data or other special categories, we treat security and access to this data as a priority. No system is 100% impenetrable — see section 11 for our procedure in the event of a breach.
14. Minors
The Vocalyy service is exclusively addressed to businesses (B2B). We do not knowingly collect data from individuals under 16 through our website or demo forms. If you notice that a minor has provided data, write to us at agent@vocalyy.ro and we will delete it.
15. Changes to this policy
We may update this policy. Significant changes are announced by email (to clients) or via a banner on the site at least 30 days before they take effect. The current version is indicated at the top of the page.
16. Contact and complaints
For any question or request about your data: agent@vocalyy.ro.
If you are not satisfied with our response, you can file a complaint with the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP):
- B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, 010336 Bucharest, Romania
- anspdcp@dataprotection.ro
- www.dataprotection.ro
Related documents: Terms and Conditions, Retention Policy, Sub-processors List, About the AI System, Data Processing Agreement (DPA).