01 Introduction
CallTEC AI ("we", "us", "our") is an AI agent platform that builds production-ready voice and text agents for businesses. Our agents make and answer phone calls, reply on WhatsApp, Messenger, Instagram DM, and web chat — handling sales, support, bookings, and customer service for call centers, restaurants, medical clinics, real-estate teams, and contact centers across the MENA region, GCC, and Europe.
This Privacy Policy describes how CallTEC AI, as a data controller and (where applicable) as a data processor on behalf of our customers, handles personal data. It applies to the marketing website at www.calltecai.com, our dashboard, our agent runtime, and any integration that connects to our API.
Questions? Email info@calltecai.com for general inquiries or privacy@calltecai.com for data-protection questions, requests, or complaints.
02 Data we collect
The categories of personal data we collect depend on how you interact with CallTEC AI:
From customers (business accounts)
- Company name, billing address, tax registration number
- Account-holder name, work email, work phone, password (hashed)
- Payment metadata (last 4 digits of card, billing region) — full card data is held by our payment processor, never by us
- Account usage telemetry (calls placed, messages exchanged, dashboard activity)
From end-users your agent interacts with
- Voice agents: phone number, call timestamp, call duration, voice transcript, audio recording (only as long as needed for transcription — see retention)
- Text agents (WhatsApp, Messenger, Instagram DM, web chat): handle/phone number, message content, attachments the user sends, timestamp, channel
- Any data the end-user volunteers during the conversation (name, address, order details, appointment preferences, etc.)
- Channel-provided identifiers (e.g., WhatsApp WA-ID, Messenger PSID)
From website visitors
- IP address, browser user-agent, referrer URL
- Pages visited, time on page, session ID
- If you book a demo: name, email, company, scheduling preferences
03 How we use data
We use personal data for the following purposes:
- Delivering the AI agent service — running the voice and text agents you configure, routing calls and messages, generating responses, transcribing speech
- Order & appointment fulfilment — when your agent takes an order or books an appointment, we relay that data to the destination system you've configured (POS, CRM, calendar)
- Customer support — responding to your inbound questions and troubleshooting issues
- Product improvement — analysing aggregated, anonymised usage patterns to improve agent accuracy and platform performance
- Billing & accounting — processing subscription payments and meeting tax and audit obligations
- Fraud prevention & abuse detection — identifying and blocking automated abuse, spam, and policy violations
- Legal compliance — responding to lawful requests from supervisory authorities
We do not sell personal data. We do not use end-user voice transcripts or message content to train third-party foundation models without explicit, separately-obtained consent.
04 Legal basis for processing
We process personal data under one of the following legal bases:
- Contract performance — we cannot deliver the AI agent service without processing the data described above. This covers most customer-account data.
- Consent — for marketing emails, optional analytics cookies, and any processing that goes beyond what's strictly required to deliver the service. Consent can be withdrawn at any time.
- Legitimate interest — for fraud prevention, network security, internal analytics, and limited product-improvement analytics where the interest is balanced against the rights of the data subject.
- Legal obligation — for tax, accounting, anti-money-laundering, and other statutory record-keeping (see retention below).
05 Third-party processors
We rely on the following sub-processors. Each is bound by a Data Processing Agreement and is contractually required to maintain confidentiality and security:
- Google Cloud Platform (europe-west region) — infrastructure hosting, databases, object storage
- OpenAI (United States) — language-model inference for agent responses
- Cartesia AI — voice synthesis and speech-to-text for voice agents
- Twilio — telephony provider for inbound and outbound calls
- Meta Platforms (WhatsApp Business API, Messenger Platform, Instagram Graph API) — message delivery on Meta channels
- Stripe — payment processing
- Cal.com — demo booking scheduler
- Vercel — marketing-site hosting and CDN
- Email delivery providers — for transactional and support email
We review this list quarterly and will update this page when processors change. Customers may request the current list with regions and purpose at privacy@calltecai.com.
06 Cross-border data transfers
Some of our processors operate outside the country your data originates from. The main transfer routes are:
- Primary hosting: Google Cloud Platform, europe-west region (Belgium / Netherlands)
- Language-model inference: OpenAI, United States
- Meta channels (WhatsApp / Messenger / Instagram): United States and Ireland, governed by Meta's processor agreements
- Payment processing: Stripe, United States / Ireland
Where personal data leaves the European Economic Area, the United Kingdom, or other jurisdictions that require a legal transfer mechanism, transfers rely on Standard Contractual Clauses (SCCs) and equivalent safeguards recognised under GDPR Articles 46–49. Customers transacting under additional regional frameworks (e.g., PDPL in Saudi Arabia, Egyptian personal-data law) are covered under equivalent SCC-style addenda.
07 Data retention
We retain personal data only as long as we need it to deliver the service or meet a legal obligation:
| Data category | Retention window | Then |
|---|---|---|
| Voice call recordings (raw audio) | Discarded immediately after transcription | Permanently deleted |
| Voice transcripts | 12 months (active retention) | Auto-deleted |
| Text-channel conversations (WhatsApp, Messenger, Instagram DM, web chat) | 12 months (active retention) | Auto-deleted |
| Order & invoice records | 7 years (Egyptian tax requirement) | Archived, then deleted |
| Customer profile & account data | Until you request deletion or close your account | Deleted within 30 days of request |
| Marketing-list subscribers | Until you unsubscribe | Suppression list kept for 3 years to honour unsubscribe |
| Website server logs | 30 days | Auto-rotated |
Per-customer overrides: our customers can configure shorter retention windows for their accounts (e.g., delete transcripts after 30 days) via their dashboard. Contact your account manager or privacy@calltecai.com to set this up.
08 Your rights
If you're in a jurisdiction with personal-data protection law (GDPR, UK GDPR, Egypt PDPL, Saudi Arabia PDPL, UAE PDPL, and equivalent), you have the following rights over your data — in plain language:
- Access — get a copy of the personal data we hold about you (GDPR Art. 15)
- Rectification — correct inaccurate or incomplete data (GDPR Art. 16)
- Erasure ("right to be forgotten") — request deletion of your data, subject to legal-retention obligations (GDPR Art. 17)
- Restriction — pause our processing of your data while a dispute is resolved (GDPR Art. 18)
- Portability — receive your data in a structured, machine-readable format and transmit it to another controller (GDPR Art. 20)
- Objection — object to processing based on legitimate interest, including profiling (GDPR Art. 21)
- Withdraw consent — where processing relies on consent, you can withdraw it at any time without affecting prior lawful processing (GDPR Art. 7)
- Not be subject to solely automated decisions with legal or similarly significant effects (GDPR Art. 22)
- Lodge a complaint with your local supervisory authority
09 How to exercise your rights
Email privacy@calltecai.com with your request. To protect against impersonation, we may ask you to verify your identity before fulfilling certain requests (especially erasure and access).
We respond within 30 days. If the request is complex we may extend by a further 60 days and will tell you why. Requests are free unless they're manifestly unfounded or excessive, in which case we may charge a reasonable administrative fee or refuse — and we'll explain why in writing.
If you're an end-user whose data was processed by an agent on behalf of one of our customers, please address your request to that customer first (they're the controller). We will support them in fulfilling your request.
10 Children's data
CallTEC AI is a business-to-business platform. We do not knowingly collect personal data from anyone under 16 years of age. Our customers are responsible for ensuring their agents do not solicit personal data from minors. If you believe we have collected data from a child, contact privacy@calltecai.com and we will delete it as soon as it's verified.
11 Security measures
We protect personal data using a layered set of technical and organisational measures, including:
- Encryption in transit — TLS 1.2+ on every connection to our API, dashboard, and agent endpoints
- Encryption at rest — AES-256 for all stored data, databases, and object storage
- Role-based access control — staff access to customer data is limited to the smallest team that needs it, on a need-to-know basis
- Audit logging — every access to production data is logged and reviewed
- Multi-factor authentication required for all staff accounts
- Secure software development — code review, dependency scanning, secret scanning in CI
- Vulnerability management — quarterly penetration testing and continuous automated scanning
- Compliance posture — SOC 2 Type I & II, HIPAA-aligned controls, GDPR-aligned controls
- Vendor management — sub-processors are reviewed for security posture annually
12 Data breach notification
If a personal-data breach occurs that is likely to result in a risk to the rights and freedoms of natural persons, we will:
- Notify the competent supervisory authority within 72 hours of becoming aware of the breach
- Notify affected data subjects without undue delay, where the breach is likely to result in a high risk
- Notify our customers (as data controllers) without undue delay so they can fulfil their own notification duties
- Document the breach, its effects, and the remediation taken
13 Changes to this policy
We may update this policy as our services evolve or as regulation changes. When we make material changes, we will:
- Update the "Effective date" at the top of this page
- Email registered customers at the address on file
- Where appropriate, request fresh consent before the new terms take effect
Non-material changes (typographical fixes, formatting) may be made without notice.
14 Effective date
This policy is effective as of 29 May 2026.
15 Contact & complaints
For any privacy question, request, or complaint:
- Email (data protection): privacy@calltecai.com
- Email (general): info@calltecai.com
- Mail: CallTEC AI, c/o Data Protection Officer
You also have the right to lodge a complaint with the data-protection authority in your country. If we cannot resolve your concern directly, please contact your local supervisory authority.