Privacy Policy
Last updated: June 2025
1. Controller & Contact
The controller responsible for data processing is:
Patrick Felber (Einzelunternehmer)
Austria
Email: contact@vocalo.at
For privacy-related inquiries, contact our Data Protection Officer at privacy@vocalo.at.
2. Data We Collect
We process the following categories of personal data:
- Account data: Name, email address, password (hashed), authentication provider, account creation date.
- Billing data: Payment method details (processed by Stripe — we do not store card numbers), invoices, subscription status.
- Voice agent data: Agent configurations, system prompts, tool definitions you create.
- Call data: Phone numbers of callers, call duration, timestamps, call status, cost. If enabled by you: call recordings and AI-generated transcripts.
- Identity verification data: When purchasing phone numbers in regulated countries, we collect your name, address, and identity/address proof documents. These are transmitted to Twilio for regulatory compliance.
- Usage data: Pages visited, feature usage, API calls, error logs.
- Technical data: IP address, browser type, device information, cookies (see Section 9).
3. Purposes & Legal Basis (GDPR Art. 6)
| Purpose | Legal Basis |
|---|---|
| Provide and operate the Vocalo platform | Art. 6(1)(b) — Contract performance |
| Process payments and billing | Art. 6(1)(b) — Contract performance |
| Process phone calls via AI voice agents | Art. 6(1)(b) — Contract performance |
| Identity verification for phone numbers | Art. 6(1)(c) — Legal obligation (telecom regulations) |
| Ensure platform security and prevent abuse | Art. 6(1)(f) — Legitimate interest |
| Analytics to improve our service | Art. 6(1)(a) — Consent (via cookie banner) |
| Send service-related communications | Art. 6(1)(b) — Contract performance |
4. AI Processing & Automated Decision-Making
Vocalo uses artificial intelligence (Google Gemini) to conduct voice conversations on behalf of your business. When a caller speaks to your AI agent:
- Audio from the phone call is streamed in real-time to Google's Gemini Live API for processing.
- The AI generates spoken responses based on your configured system prompt and connected tools.
- Callers are informed at the beginning of each call that they are speaking with an AI and that the call may be recorded (per EU AI Act Art. 52 and Austrian StGB §120).
- No fully automated decisions with legal or similarly significant effects are made. The AI assists with tasks like scheduling but does not make binding decisions autonomously.
5. Data Processors & International Transfers
We use the following third-party processors. Where data is transferred to the USA, we rely on the EU-U.S. Data Privacy Framework (DPF) or Standard Contractual Clauses (SCCs) as appropriate:
| Processor | Purpose | Data | Location / Safeguard |
|---|---|---|---|
| Google (Gemini/Vertex AI) | AI voice processing | Call audio, system prompts | EU (europe-west1) / DPF |
| Twilio | Telephony, phone numbers, regulatory compliance | Phone numbers, call audio streams, identity documents | USA / DPF + SCCs |
| Stripe | Payment processing | Payment details, email, billing address | USA / DPF |
| Firebase (Google) | Authentication, file storage | Email, name, auth tokens, uploaded files | USA / DPF |
| Neon | Database hosting | All application data | EU (Frankfurt) / DPA |
| Vercel | Frontend hosting, CDN | IP addresses, cookies, page requests | Global CDN / DPF + SCCs |
| Render | Backend hosting | All backend data in transit | EU (Frankfurt) / DPA |
6. Call Recording & Caller Privacy
If you enable call recording in your agent settings, the following applies:
- Callers are notified at the start of each call that the conversation may be recorded.
- Under Austrian law (StGB §120), recording conversations without the consent of all parties is a criminal offense. Our AI agent is configured to always disclose recording at the start of each call.
- Recordings are stored securely and retained for the period you configure (default: 90 days).
- As a Vocalo user, you are the data controller for caller personal data processed through your agents. You are responsible for ensuring your use of recordings complies with applicable laws.
7. Identity Document Processing
When you purchase phone numbers in countries that require identity verification (including Austria, Germany, and most EU countries), we collect identity documents (e.g., passport, ID card, proof of address) and transmit them to Twilio Inc. (USA) for regulatory compliance review. This processing is based on Art. 6(1)(c) GDPR (legal obligation under telecom regulations). Twilio retains these documents as required by local telecom regulators. You may request deletion of your identity documents by contacting us, subject to any regulatory retention requirements.
8. Data Retention
- Account data: Retained for the duration of your account plus 30 days after deletion.
- Billing data: Retained for 7 years per Austrian tax law (BAO §132).
- Call logs & metadata: Retained for 12 months, then automatically deleted.
- Call recordings: Retained per your configured retention period (default: 90 days).
- Identity documents: Transmitted to Twilio; we do not store copies after submission. Twilio retains per regulatory requirements.
- Analytics data: Aggregated and anonymized after 26 months.
9. Cookies
We use the following categories of cookies:
- Essential cookies: Authentication session, CSRF protection, cookie consent preference. These are strictly necessary and do not require consent (TKG 2021 §165(3)).
- Analytics cookies: Only set with your explicit consent via our cookie banner. Used for aggregated usage statistics to improve our service.
You can manage your cookie preferences at any time via the cookie settings in the footer or by calling resetCookieConsent() in your browser console.
10. Your Rights (GDPR Art. 15–22)
You have the following rights regarding your personal data:
- Access (Art. 15): Request a copy of all personal data we hold about you.
- Rectification (Art. 16): Request correction of inaccurate data.
- Erasure (Art. 17): Request deletion of your data ("right to be forgotten").
- Restriction (Art. 18): Request restriction of processing.
- Data portability (Art. 20): Receive your data in a structured, machine-readable format.
- Objection (Art. 21): Object to processing based on legitimate interest.
- Withdraw consent (Art. 7(3)): Withdraw consent at any time without affecting prior processing.
To exercise your rights, contact us at privacy@vocalo.at. You can also download your data directly from your account settings. We will respond within 30 days.
11. Right to Lodge a Complaint
If you believe your data protection rights have been violated, you have the right to lodge a complaint with the competent supervisory authority:
Österreichische Datenschutzbehörde (Austrian Data Protection Authority)
Barichgasse 40-42, 1030 Wien, Austria
Phone: +43 1 52 152-0
Email: dsb@dsb.gv.at
Website: www.dsb.gv.at
12. Callers' Rights
If you are a person who has called a phone number operated by a Vocalo customer:
- The Vocalo customer (business you called) is the data controller for your call data.
- We process your phone number, call audio, and any information you share during the call on behalf of that business.
- You were informed at the start of the call that you are speaking with an AI and that the call may be recorded.
- To exercise your data rights (access, deletion, etc.), please contact the business you called directly. They can manage your data through their Vocalo dashboard.
- For questions about Vocalo's role as a data processor, contact us at privacy@vocalo.at.
13. Changes to This Policy
We may update this privacy policy to reflect changes in our practices or legal requirements. Material changes will be communicated via email or in-app notification at least 30 days before taking effect. The "last updated" date at the top indicates the latest revision.
14. Contact
For any privacy-related questions, contact:
Data Protection Officer
Email: privacy@vocalo.at
Postal: Patrick Felber, Austria