Vocalyy
  • About Us
  • Services
  • Industries
  • Pricing
  • Blog
  • Contact
Book a Call Talk to us

Privacy Policy

Version 2.0 — last updated 9 July 2026
Table of contents
  1. Who we are
  2. Our roles: controller vs. processor
  3. What data we collect
  4. Data about your agent's callers — how it works
  5. Special categories of data and CNP
  6. Why we collect it (legal basis)
  7. How long we keep your data
  8. Who we share it with (sub-processors)
  9. International transfers
  10. Your rights (GDPR)
  11. Security breach notification
  12. Cookies and similar technologies
  13. Security
  14. Minors
  15. Changes to this policy
  16. Contact and complaints

This policy explains what data we collect when you use the vocalyy.ro website, when you book a demo, or when you use our AI voice agent service, and how we protect this data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable Romanian law, including Law No. 190/2018.

1. Who we are

Vocalyy SRL, a Romanian legal entity with its registered office in Romania, operates the vocalyy.ro website and the Vocalyy AI voice agent service. For any questions related to data protection, you can contact us at agent@vocalyy.ro.

In short: Vocalyy SRL plays two different roles from a GDPR standpoint, depending on the category of data. Section 2 explains exactly which is which.

2. Our roles: controller vs. processor

Vocalyy SRL acts in two distinct legal capacities, depending on the category of data:

  1. CONTROLLER for our client's own data (contact person, legal representative, billing data, account/authentication data, commercial communications). For this data, Vocalyy alone determines the purposes and means of processing and answers directly to the client as the data subject.
  2. PROCESSOR for the data of our client's callers (the customers, patients, or prospective customers of the business who call or are called through the Vocalyy voice agent). For this data, the Vocalyy client is the controller, and Vocalyy processes exclusively on the basis of the client's documented instructions (voice agent configuration, conversation script, purpose of the calls), in accordance with Art. 28 GDPR.
In short: Vocalyy does not determine the purposes or the legal basis on which our client collects data about its callers. The client, as controller, is responsible for identifying the applicable legal basis (for example, consent, legitimate interest, or performance of a contract), for informing the data subjects (callers), and for obtaining any necessary consent, including for special category data under Art. 9 GDPR or CNP (personal numerical code) data under Law No. 190/2018.

The full details of the controller–processor relationship, including mutual obligations, are governed by the Data Processing Agreement (DPA) signed with each B2B client (Data Processing Agreement).

3. What data we collect

3.1 Data collected when you visit the site

  • IP address, browser type, operating system, pages visited
  • Date and time of visit, traffic source (where you came from)
  • Cookies (see section 12)

3.2 Data you provide when you book a demo

  • Full name
  • Email address
  • Phone number
  • Business name and the industry you operate in
  • Optional notes about your needs

3.3 Data collected when you test a demo voice agent on the site

  • Audio recording of your call with the demo agent (typically up to 2 minutes)
  • Automatic transcript of the conversation
  • Microphone permission granted to your browser

For this specific interaction — the on-site demo test — we request your explicit consent before activating the microphone. This is the only legal basis used for the demo recording (see the table in section 6).

3.4 Data collected as a Vocalyy service subscriber

  • Billing data: company name, tax ID (CUI), address, IBAN if applicable
  • Contact details of the authorized person
  • Data about your business needed to build the agent (hours, prices, services, frequently asked questions, etc.)
  • Data about the calls your agent processes — see section 4

4. Data about your agent's callers — how it works

When your voice agent answers a call or calls a contact, Vocalyy processes data about that caller exclusively on the basis of your documented instructions, acting as processor. Here is exactly what happens with each type of data:

4.1 What the Vocalyy dashboard displays

  • The caller's phone number — visible in the "Call History" section
  • Call metadata — date, time, duration
  • The complete conversation transcript — fully visible in the "Call Transcript" section

We state this honestly: the complete transcript of every conversation is stored and displayed in your dashboard. We do not delete or anonymize the content of the conversation by default.

4.2 What Vocalyy does NOT store: the audio recording

Vocalyy does not store the audio recording of calls on its own servers. The audio is recorded and hosted by ElevenLabs (our AI voice sub-processor).

Audio download mechanism: the Vocalyy dashboard displays a "Download audio" button. Pressing this button downloads the audio recording directly from ElevenLabs to the client's own device — Vocalyy's servers do not store and do not have persistent access to the audio file at any point. From the moment of download, the client becomes the sole controller of that copy of the audio recording and is solely responsible for its security, storage, and any further processing.

In short: the phone number, metadata, and transcript are stored in the client's Vocalyy account. The audio is stored at ElevenLabs and becomes the client's responsibility from the moment of download.

5. Special categories of data and CNP

Conversation transcripts may contain, depending on the client's industry (for example, medical or dental clients), health data or other special categories of data within the meaning of Art. 9 GDPR, as well as a Personal Numerical Code (CNP).

Our client, as controller, guarantees that it holds a valid legal basis under Art. 9 GDPR for any special category of data collected through the voice agent, and that it meets the conditions imposed by Art. 4 of Law No. 190/2018 when processing involves a CNP (including, where the legal basis is legitimate interest, technical minimization measures, defined retention periods, and training of its own staff). Vocalyy processes this data exclusively on the basis of the client's documented instructions, without determining the purpose or legal basis for its collection.

For this reason, we treat the security and retention of transcripts as priorities — see sections 7 and 13.

6. Why we collect it (legal basis)

Data categoryPurposeGDPR legal basis
Web traffic data, analytics cookiesUnderstanding site usageConsent (Art. 6.1.a)
Demo form dataScheduling and preparing the callPre-contractual steps (Art. 6.1.b)
On-site demo audio recording + transcriptOperation of the interactive demoConsent (Art. 6.1.a)
Billing and contractual data (Vocalyy client)Performance of the service contractContract (Art. 6.1.b) + Legal obligation (Art. 6.1.c)
Account dataProvision and administration of the accountContract (Art. 6.1.b)
Data about the agent's callersProvision of the service to the B2B clientDetermined by the client, as controller (typically Art. 6.1.a, 6.1.b, or 6.1.f) — Vocalyy processes as processor

7. How long we keep your data

Full details are published in our Retention Policy.

CategoryPeriodLegal basis / reason
Caller's phone number[X months] — to be confirmedClient's (controller) legitimate interest in the history of the relationship with the caller; Vocalyy's operational necessity as processor
Call metadata[X months] — to be confirmedSame as above
Complete transcript[X months] — to be confirmedMay contain special category data — limited retention and enhanced security under Art. 9 GDPR / Law 190/2018
Billing data (Vocalyy client)5 years, from 1 July of the following yearArt. 25, Accounting Law No. 82/1991, as amended by Law No. 36/2023
Audit logs[X] — to be confirmedArt. 5(2) and Art. 32 GDPR
Site/demo data[X] — to be confirmedVocalyy's legitimate interest
Cookies[X]Consent, Art. 6(1)(a)
Account data[X] — duration of the contract + legal termArt. 6(1)(b)

Call audio is not stored by Vocalyy (see section 4.2). Retention period at ElevenLabs: [X] — to be confirmed; this is a policy of our sub-processor, not direct retention by Vocalyy.

8. Who we share it with (sub-processors)

We use external providers who process data on our behalf. All of them sign GDPR-compliant data processing agreements.

ProviderServiceData categoriesLocationTransfer mechanism
ElevenLabs [exact legal entity — X]Voice AI (speech-to-text + text-to-speech); stores/hosts call audio recordings (downloadable by the client)Voice/audio, transcript in transit[X — to be confirmed][X — DPF or SCC, to be confirmed]
Telnyx LLCTelephony / call routing (phone number, audio media stream, call metadata)Phone number, audio in transit, call metadataUSA (with EU data residency option) [to be reconfirmed]DPF [to be reconfirmed]
Anthropic PBCLLM (Claude) — generates the agent's conversational responses; processes the transcript in real timeTranscript content (in transit/processing)[to be reconfirmed]DPF [to be reconfirmed — verify current status]
Supabase Inc.PostgreSQL database + authenticationAccount data, operational dataEU (Frankfurt)N/A (within EU) — [to be reconfirmed if still in use]
Render Services Inc.Backend hostingOperational/application dataUSADPF — [to be reconfirmed if still in use]
ResendTransactional emailEmail addresses, notification contentUSASCC-DPF — [to be reconfirmed if still in use]
Cal.com Inc.Demo call schedulingContact data for schedulingEU/USA[to be reconfirmed if still in use]
Stripe Payments Europe Ltd.PaymentsBilling/payment dataEU (Ireland)N/A (within EU) — [to be reconfirmed if still in use]
Google LLCGoogle Workspace Calendar OAuthCalendar/scheduling dataUSADPF — [to be reconfirmed if still in use]
SmartBill SRLInvoicing (Romania)Billing dataRomaniaN/A (domestic RO) — [to be reconfirmed if still in use]

The items marked [X] are to be confirmed by Vocalyy SRL before publication. OpenAI, L.L.C. is not and has not been used by Vocalyy for any personal data processing service.

The complete, up-to-date list is published at the Sub-processors List. We notify B2B clients by email at least 30 days before any change.

9. International transfers

Certain providers (Telnyx, Anthropic, Render, Resend, Google, ElevenLabs) are based or have servers outside the European Economic Area. Transfers are protected by the EU-US Data Privacy Framework (DPF) and, where applicable, by Standard Contractual Clauses. Exact details for each provider are available at the Sub-processors List. We do not transfer data to other third countries beyond those listed there.

10. Your rights (GDPR)

You have the right to:

  • Access (Art. 15) — find out what data we hold about you
  • Rectification (Art. 16) — correct inaccurate data
  • Erasure / "right to be forgotten" (Art. 17) — ask us to delete your data
  • Restriction of processing (Art. 18) — temporarily limit processing
  • Portability (Art. 20) — receive your data in a structured format
  • Object (Art. 21) — to processing based on legitimate interest
  • Not be subject to a decision based solely on automated processing (Art. 22)
  • Withdraw your consent at any time (where we relied on consent), without affecting the lawfulness of processing carried out before its withdrawal

Requests are sent to agent@vocalyy.ro. We respond within one month at most of receiving the request, a period that may be extended by a further two months in complex cases, with prior notice to you. Exercising these rights is free of charge.

If you are a caller of a Vocalyy client (not our direct client), your rights are exercised primarily against the controller — the business using the voice agent. Vocalyy, as processor, assists the client in resolving such requests in accordance with Art. 28(3)(e) GDPR.

11. Security breach notification

In the event of a breach of the security of personal data, Vocalyy notifies the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) without undue delay and, where feasible, within a maximum of 72 hours from the moment we became aware of the breach, in accordance with Art. 33 GDPR.

If the breach is likely to result in a high risk to the rights and freedoms of data subjects, we inform the affected individuals without undue delay, in accordance with Art. 34 GDPR, except where the exceptions provided by law apply (for example, the data was encrypted, or we have taken subsequent measures that eliminate the high risk).

For the data of our clients' callers (where Vocalyy is processor), we immediately notify the affected client, who remains responsible, as controller, for notifying ANSPDCP and its own data subjects, with our support.

12. Cookies and similar technologies

We use cookies for:

  • Strictly necessary cookies (site functionality — session, language preference) — no consent required
  • Analytics cookies (anonymous visitor counting) — consent required, under Art. 6.1.a GDPR

We ask for your consent via the banner shown on your first visit. You can change your preferences at any time via the "Cookies" link in the site footer.

13. Security

We use appropriate technical and organizational measures, in accordance with Art. 32 GDPR: encryption in transit (HTTPS / TLS 1.2+), role-based access control, hashed passwords, continuous monitoring. Because transcripts may contain health data or other special categories, we treat security and access to this data as a priority. No system is 100% impenetrable — see section 11 for our procedure in the event of a breach.

14. Minors

The Vocalyy service is exclusively addressed to businesses (B2B). We do not knowingly collect data from individuals under 16 through our website or demo forms. If you notice that a minor has provided data, write to us at agent@vocalyy.ro and we will delete it.

15. Changes to this policy

We may update this policy. Significant changes are announced by email (to clients) or via a banner on the site at least 30 days before they take effect. The current version is indicated at the top of the page.

16. Contact and complaints

For any question or request about your data: agent@vocalyy.ro.

If you are not satisfied with our response, you can file a complaint with the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP):

  • B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, 010336 Bucharest, Romania
  • anspdcp@dataprotection.ro
  • www.dataprotection.ro

Related documents: Terms and Conditions, Retention Policy, Sub-processors List, About the AI System, Data Processing Agreement (DPA).

Note: This document was drafted with computer assistance based on information available at the time of drafting and does not constitute legal advice from a licensed attorney. Vocalyy SRL recommends that this document be reviewed by an attorney specializing in data protection before publication, signature, or use in client relationships.
Vocalyy
About Services Industries Pricing Blog Contact
Email copied
© 2026 Vocalyy. All rights reserved. Privacy·Terms·Sub-processors·Retention·AI System·Cookies