GDPR Compliance
Effective date: January 1, 2025 · Last updated: January 1, 2025
This document explains how VoiceAgent complies with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and describes the rights of individuals located in the European Economic Area (EEA), the United Kingdom, and Switzerland.
1. Introduction
VoiceAgent is committed to protecting the privacy and rights of individuals whose personal data we process. We recognize the GDPR as a comprehensive and important framework for data protection, and we have built privacy considerations into the design of our platform from the ground up.
This GDPR compliance document supplements our Privacy Policy and provides additional detail specifically required by or relevant to the GDPR. In the event of any conflict between this document and our Privacy Policy, this GDPR document shall prevail for individuals in the EEA, UK, and Switzerland.
2. Data Controller Information
VoiceAgent acts as the data controller for personal data provided by users who register for accounts, visit our website, or contact us directly.
VoiceAgent acts as a data processor for personal data contained within calls and transcripts that our customers process using the Service. In such cases, the customer is the data controller and VoiceAgent processes data on their behalf under the terms of our Data Processing Agreement.
3. Legal Basis for Processing
Under Article 6 of the GDPR, we rely on the following legal bases for processing your personal data:
Art. 6(1)(b) — Performance of a Contract
Processing necessary to provide the Service you have subscribed to: account creation and management, call processing, billing, and customer support. This is our primary legal basis for most data processing activities.
Art. 6(1)(a) — Consent
Where you have given explicit consent, such as subscribing to our marketing newsletter, accepting optional analytics cookies, or opting into promotional communications. You may withdraw consent at any time without affecting the lawfulness of prior processing.
Art. 6(1)(f) — Legitimate Interests
Processing necessary for our legitimate business interests, such as preventing fraud and abuse, securing our systems, improving the quality of our services, and communicating with business contacts about relevant products. We conduct a balancing test and will not process data under this basis where your interests or rights override ours.
Art. 6(1)(c) — Legal Obligation
Where processing is required to comply with applicable laws, such as retaining financial records for tax authorities or responding to lawful requests from competent authorities.
For special category data (e.g., sensitive information that may appear in call recordings), we rely on Art. 9(2)(a) explicit consent or Art. 9(2)(b) employment and social security obligations, as applicable.
4. Data Subjects’ Rights (Art. 15–22)
As a data subject under the GDPR, you have the following rights. To exercise any of these rights, see Section 10.
Right of Access
You have the right to obtain confirmation of whether we process personal data about you and, if so, to receive a copy of that data along with supplementary information about how it is used.
Right to Rectification
You have the right to have inaccurate personal data corrected and to have incomplete data completed without undue delay.
Right to Erasure (“Right to be Forgotten”)
You have the right to request erasure of your personal data where it is no longer necessary for the purpose it was collected, you withdraw consent (where consent was the legal basis), or you object to processing and there are no overriding legitimate grounds. This right may be subject to legal retention obligations.
Right to Restriction of Processing
You have the right to request that we restrict processing of your data in certain circumstances, such as while we verify the accuracy of data you have contested or assess an objection you have raised.
Right to Data Portability
Where processing is based on consent or contract and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit that data to another controller.
Right to Object
You have the right to object to processing based on legitimate interests (Art. 6(1)(f)) and to direct marketing. Where you object to direct marketing, we will stop processing your data for that purpose immediately.
Rights Related to Automated Decision Making
You have the right not to be subject to decisions based solely on automated processing that produce significant legal or similarly significant effects on you. See Section 7 for details on our automated processing activities.
5. International Data Transfers
VoiceAgent operates globally and may transfer your personal data to countries outside the EEA, including the United States, where our sub-processors (Twilio, Stripe, Azure, Supabase) maintain infrastructure.
We ensure all international transfers comply with Chapter V of the GDPR. The mechanisms we rely on include:
- →EU-US Data Privacy Framework (DPF). Where our US-based sub-processors are certified under the EU-US DPF, we rely on this framework as an adequacy mechanism for transfers to the United States (European Commission adequacy decision of July 10, 2023).
- →Standard Contractual Clauses (SCCs). For sub-processors not covered by an adequacy decision, we use the EU Standard Contractual Clauses (Commission Implementing Decision 2021/914) as the transfer mechanism, supplemented by appropriate technical and organisational measures.
You may request a copy of the transfer mechanisms in place for specific sub-processors by contacting us at legal@usvoiceagent.com.
6. Data Retention Periods
We retain personal data only for as long as necessary for the stated purpose and as required by applicable law:
| Data Category | Retention Period | Basis |
|---|---|---|
| Account data | Duration of account + 30 days | Contract |
| Call recordings | 90 days | Contract / Consent |
| Transcripts | 90 days | Contract / Consent |
| System logs | 1 year | Legitimate interests |
| Payment records | 7 years | Legal obligation |
| Marketing consent | Until withdrawn | Consent |
7. Automated Decision Making
The VoiceAgent platform uses automated processing to deliver its core functionality, including real-time speech recognition, natural language understanding, and AI-driven call responses. However, these automated processes do not produce decisions that have legal or similarly significant effects on call participants independent of human configuration by our customers.
Automated profiling for purposes such as credit scoring, insurance pricing, or employment decisions is not a feature of VoiceAgent. If you believe an automated decision has had a significant impact on you, you have the right to request human review by contacting us at legal@usvoiceagent.com.
8. Data Protection Officer
While VoiceAgent is not currently required under Article 37 of the GDPR to appoint a Data Protection Officer, we have designated a privacy point of contact who is responsible for overseeing our data protection strategy and ensuring GDPR compliance.
9. Right to Lodge a Complaint with a Supervisory Authority
If you believe that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority in the EU member state of your habitual residence, place of work, or the place of the alleged infringement.
We encourage you to contact us first so we can try to resolve your concern directly. A list of EU data protection supervisory authorities is available at edpb.europa.eu.
For UK residents, the relevant supervisory authority is the Information Commissioner’s Office (ICO).
10. How to Exercise Your Rights
To exercise any of the rights described in Section 4, please submit a written request to:
Data Subject Request
Email: legal@usvoiceagent.com
Subject line: “Data Subject Request — [Type of Request]”
Please include in your request: your full name, the email address associated with your account, and a clear description of your request. We may need to verify your identity before processing the request.
We will respond to your request without undue delay and in any event within 30 calendar days of receipt. Where requests are complex or numerous, we may extend this period by a further two months, in which case we will inform you of the extension and the reasons for the delay within the initial 30-day period.
All requests are free of charge. If requests are manifestly unfounded or excessive, we may charge a reasonable fee or refuse to act.