Privacy Policy
We collect and use data to run AI Frontdesk. For calls your customers make, you are the data controller — we process data on your behalf. We never sell personal data.
1. Preliminary note
As the data controller under Article 4(7) GDPR, we take appropriate measures to protect your privacy and the security of your personal data. This Privacy Policy describes how we collect, use, store, and share personal data when you visit our website, use our products and services, or interact with us.
In delivering AI Frontdesk, we also act as a data processor under Article 4(8) GDPR on behalf of our business customers. The data processing we carry out in that capacity is set out in the data processing agreement (DPA) available to customers.
2. Who is responsible for data processing
The data controller is the operator of AI Frontdesk. You can reach us at support@ai-voicereceptionist.com.
For personal data processed during calls handled by AI Frontdesk, the relevant business customer is the data controller and we act as their processor. Callers wishing to exercise their rights in relation to call data should contact the business directly.
3. What data we process
We may process the following categories of personal data:
- Identity data: name, username, title
- Contact and contract data: billing address, delivery address, email address, phone numbers
- Financial data: payment details, bank account information
- Transaction data: details of payments and products or services you have purchased
- Technical data: IP address, browser type and version, operating system, device information
- Profile data: username and password, purchase history, preferences, feedback
- Usage data: how you use our website, products, and services
- Marketing and communications data: your preferences for receiving marketing communications
For calls processed through AI Frontdesk on behalf of business customers, data may also include: caller phone number (where available), call audio (if recording is enabled), transcripts (if transcription is enabled), information shared during the call, and call metadata such as date, time, duration, and routing decisions.
3a. Google user data — access, use and sharing
AI Frontdesk optionally integrates with Google Calendar via the Google Calendar API, using OAuth 2.0. This section explains exactly what Google user data we access, how we use it, and with whom we share it, in accordance with the Google API Services User Data Policy.
What Google data we access
When a business customer connects their Google account to AI Frontdesk, we request access to the following Google API scopes:
- google.calendar.readonly — read access to the connected Google Calendar, to allow AI Frontdesk to check availability and read existing calendar events on the business customer's behalf
- google.calendar.events — write access to create, update, or cancel calendar events (for example, booking an appointment requested by a caller)
We do not request access to Gmail, Google Drive, Google Contacts, or any other Google services beyond those listed above.
How we use Google user data
Google Calendar data accessed through the API is used solely to:
- Check the availability of the business customer's calendar when a caller requests to book or reschedule an appointment
- Create, update, or cancel calendar events as instructed by an authorised caller during an AI Frontdesk interaction
- Display calendar information to the business customer within their AI Frontdesk dashboard
Google user data is not used for advertising, profiling, or any purpose unrelated to providing the AI Frontdesk service to the connected business customer.
Google user data is not used to train any AI or machine learning model.
Who we share Google user data with
Google Calendar data may be shared with our technology partner Flowlyne, who provides the underlying AI voice and dialogue engine for AI Frontdesk. Flowlyne processes this data solely to deliver the service (for example, to read or write calendar events during a live call). Flowlyne does not use Google user data for its own purposes, for advertising, or for training AI models.
Google user data is not sold, rented, or shared with any other third parties, except where required by law.
Limited Use compliance statement
The use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Specifically: Google user data obtained via Google APIs is used only to provide or improve the AI Frontdesk service. It is not used to serve advertising, is not transferred or sold to third parties for their own use, and is not used to determine creditworthiness or for lending purposes.
AI model and Google data
AI Frontdesk uses a third-party AI voice and language service provided by Flowlyne. Google user data (such as calendar events) may be passed to Flowlyne's AI engine during a live call interaction (for example, to read available time slots and confirm a booking). Flowlyne's terms of service prohibit the use of customer data to train general AI models. Google user data is processed by Flowlyne solely in the context of responding to the specific, real-time request — it is not retained for model training or any other purpose.
4. How we use your data
We use personal data for the following purposes:
Providing and managing the service
To fulfil our contractual obligations and ensure smooth operation of AI Frontdesk — including managing orders, providing technical support, and improving the service.
Processing orders and payments
To process your orders, handle payments securely, and issue invoices.
Customer support
To handle your queries efficiently, including the content of your support requests and your contact and communication history with us.
Account management and authentication
To secure your account, verify your identity, and enable personalised use of the service.
Service improvement
To improve our website and services using usage behaviour, IP addresses, and cookies. See also Section 13 (Cookies).
AI operation and improvement
To provide AI-powered features and improve their accuracy and efficiency — in areas including the service itself, fraud prevention, customer support, and marketing. Where possible, we use aggregated data. Where personal data is used, deletion routines are in place.
Call recording (for quality and evidential purposes)
Where enabled by the business customer, to record and store calls for quality assurance and evidential purposes.
Legal and regulatory compliance
Including tax, accounting, and record-keeping obligations; anti-money laundering regulations; compliance with telecommunications law; and, where applicable, responding to complaints under the Digital Services Act.
Fraud prevention and payment security
To detect suspicious activity and protect the financial security of all parties. This may include checking device data against known fraud indicators and, where relevant, manual review by our staff or a service provider.
Sending service communications
To keep you informed about your contract, service updates, and any changes affecting you.
Business intelligence and analytics
To improve our business processes and make strategic decisions, using aggregated and anonymised data wherever possible.
Contractual enforcement
To fulfil and enforce our contractual obligations, including recovering outstanding amounts where necessary.
Sanctions screening
To meet our legal obligations and ensure we operate in accordance with international regulations.
5. Marketing
We use personal data to send you relevant information about our products and services, guided by our legitimate interest in maintaining customer relationships. We may use machine learning to generate individual product recommendations based on how you use our services.
We may also use services such as Meta Custom Audiences, LinkedIn Matched Audiences, and Google Customer Match to show you relevant advertising on partner platforms. In these cases, contact data (such as email address or phone number) is transmitted in hashed form using the SHA-256 algorithm — never in plain text.
You can opt out of marketing communications at any time through your account settings or by contacting us at support@ai-voicereceptionist.com.
6. Legal bases for processing
| Purpose | Legal basis |
|---|---|
| Providing the service, order processing, account management | Contract performance (Art. 6(1)(b) GDPR) |
| Legal and regulatory obligations | Legal obligation (Art. 6(1)(c) GDPR) |
| Fraud prevention, service improvement, analytics, marketing (existing customers) | Legitimate interests (Art. 6(1)(f) GDPR) |
| Marketing (new contacts), certain tracking technologies | Consent (Art. 6(1)(a) GDPR) |
For caller data processed on behalf of business customers, the legal basis is determined by the business customer as data controller.
7. Who we share data with
We share data only where necessary to deliver the service or meet legal obligations. We do not sell personal data.
Technology and functionality providers
Providers of cloud infrastructure, AI voice and language processing, telephony services, fraud detection (including reCAPTCHA, Friendly CAPTCHA, and similar tools), and social media platforms.
Marketing and analytics tools
Partners supporting digital marketing, web analytics (such as Google Analytics), and CRM (such as HubSpot and Salesforce). Advertising partners including Meta, LinkedIn, TikTok, Reddit, and Google.
Payment processing and debt recovery
Payment processors (such as PayPal), domain registrars, and debt collection agencies where necessary.
Legal and regulatory authorities
We may disclose data to government agencies, courts, or regulatory authorities where required by law or to protect our legal rights.
Group companies
Data may be shared with affiliated companies within our group to optimise services, administrative processes, and product development.
Our current list of sub-processors is available on request. We will notify you of any material changes.
8. International data transfers
Where personal data is transferred outside the UK or European Economic Area (EEA), we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- The UK International Data Transfer Agreement (IDTA) or addendum, where applicable
- Adequacy decisions by the European Commission or UK ICO
9. Security
We have put in place appropriate technical and organisational measures to protect personal data against loss, misuse, unauthorised access, disclosure, alteration, or destruction. In the event of a data breach affecting your rights and freedoms, we will notify you and the relevant supervisory authority as required by law.
10. How long we keep data
We retain personal data only for as long as necessary for the purposes set out in this policy, or as required by law.
| Data type | Retention period |
|---|---|
| Contract data | Duration of contract plus up to 10 years (statutory retention) |
| Invoice and billing data | Up to 10 years |
| Call recordings and transcripts | 90 days by default; longer if the call results in a contract (up to 10 years) |
| Chat and support communication | 90 days; longer where linked to a contract |
| Log files and temporary data | A few days to 90 days depending on operational need |
| Fraud prevention data | Up to 6 months (longer where purpose requires) |
| Marketing data | Until you withdraw consent or object |
| Analytics and tracking data | For the duration of cookie lifetime or until withdrawal |
| AI-related data | Until purpose is fulfilled; deletion routines applied to any personal data |
11. Automated decision-making
We do not carry out automated decision-making within the meaning of Article 22 GDPR — including profiling — that produces legal effects or similarly significantly affects you, except where this is permitted by law.
12. Your rights
Under UK GDPR and EU GDPR, you have the following rights:
- Access: to request a copy of the data we hold about you
- Rectification: to have inaccurate data corrected
- Erasure: to request deletion of your data in certain circumstances
- Restriction: to limit how we process your data
- Portability: to receive your data in a machine-readable format
- Object: to object to processing based on legitimate interests or for direct marketing
- Withdraw consent: where we rely on consent, you can withdraw it at any time without affecting prior processing
To exercise your rights, use the contact details in Section 15. We will respond within one month.
UK residents
You can complain to the Information Commissioner's Office (ICO) at ico.org.uk or call 0303 123 1113.
EU residents
You can complain to your local data protection authority. A full list is at edpb.europa.eu.
13. Cookies and similar technologies
We use cookies and similar technologies to improve and personalise your experience and to show you relevant advertising.
14. Changes to this policy
We may update this Privacy Policy from time to time. The current version is always published on this page. Where changes are material, we will give you advance notice.
15. Contact
For any questions about this policy or to exercise your rights, email us at support@ai-voicereceptionist.com.