Privacy Policy

1. Introduction

Caller ("Company," "we," "us") respects your privacy and is committed to protecting the personal information you share with us. This Privacy Policy describes how we collect, use, disclose, and safeguard information when you use our AI phone calling platform ("Service").

This policy applies to all users of the Service, including business customers ("Customers") and individuals who are called through the Service ("Called Parties"). If you are a California resident, please see Section 10 for your specific rights under the CCPA/CPRA.

2. Information We Collect

2.1 Information You Provide

• Account Information: Name, email address, password (hashed), workspace name
• Billing Information: Payment card details are processed by Stripe and never stored on our servers. We store Stripe customer IDs and transaction records.
• Phone Numbers: Workspace phone numbers, called party numbers, caller IDs
• Agent Configuration: AI agent names, system prompts, knowledge base documents, greetings
• Provider Credentials: If you provide your own API keys (Twilio, Deepgram, etc.), they are encrypted at rest using AES-256-GCM

2.2 Information Generated Through Use

• Call Recordings: Audio recordings of phone calls (when recording is enabled)
• Transcripts: Text transcriptions of call audio generated by speech recognition services
• AI Outputs: Summaries, sentiment analysis, action items, structured outcomes generated by AI models
• Translation Data: Real-time translation text and audio for Live Translator sessions
• Usage Data: Call duration, timestamps, costs, API usage metrics

2.3 Automatically Collected Information

• Log Data: IP address, browser type, access times, pages viewed
• Device Information: Operating system, device type

3. How We Use Your Information

• Service Delivery: To make and receive phone calls, generate transcripts, provide AI agent services, and deliver live translation
• Billing: To process payments, track usage costs, manage subscriptions
• Security: To authenticate users, prevent fraud, detect unauthorized access
• Improvement: To analyze aggregate usage patterns and improve the Service (we do not use your call recordings or transcripts for AI model training)
• Communication: To send service-related notifications, billing alerts, and (with consent) product updates
• Legal Compliance: To comply with applicable laws, regulations, and legal processes

4. Third-Party Service Providers

We share data with the following categories of service providers, solely to deliver the Service:

We maintain data processing agreements with all providers. We do not sell your personal information to third parties.

5. Data Retention

• Call Recordings: Retained per your workspace settings (default: 90 days). Configurable from 1 to 365 days.
• Transcripts and Summaries: Retained for the life of your account unless deleted by you.
• Account Data: Retained while your account is active and for 30 days after termination.
• Billing Records: Retained for 7 years as required by tax and accounting regulations.
• Audit Logs: Retained for 1 year for security purposes.

You can delete specific recordings, transcripts, and call data at any time through the dashboard. Upon account termination, all Customer Data is deleted within 30 days, except billing records retained for legal compliance.

6. Sensitive Information — Health, Legal, and Financial Data

When you use the Live Translator or AI calling features for personal matters such as healthcare appointments, insurance calls, legal consultations, or financial inquiries, your calls may contain sensitive information including health conditions, medications, legal matters, or financial details.

How we handle this data:

• Call audio is processed in real-time by our AI providers (see Section 4) and is not stored permanently by those providers under their API terms
• Transcripts and recordings that may contain sensitive content are stored in your workspace and are accessible only to you and your workspace members
• We do not analyze, mine, or use the content of your calls for advertising, profiling, or any purpose other than delivering the Service
• You can delete any recording or transcript at any time
• Under CCPA/CPRA, health-related information is classified as "sensitive personal information" — you have the right to limit its use (see Section 10)

Important: We are not a HIPAA-covered entity and the Service is not designed for use by healthcare providers or insurers to process patient data. However, as an individual consumer, you are free to use the Service for your own personal healthcare communications. We recommend deleting recordings containing sensitive health information once you no longer need them.

7. Data Security

We implement industry-standard security measures to protect your data:

• Encryption in transit (TLS 1.2+) and at rest (AES-256-GCM for sensitive credentials)
• API keys hashed with SHA-256 and verified using timing-safe comparison
• Workspace isolation — all data is scoped to individual workspaces
• Role-based access control (owner, admin, operator, analyst)
• Rate limiting on all API endpoints
• Audit logging for administrative actions

No system is 100% secure. While we strive to protect your data, we cannot guarantee absolute security. You are responsible for securing your account credentials and API keys.

8. Cookies and Tracking

We use essential cookies for authentication and session management. We do not use advertising cookies or third-party tracking pixels. We do not participate in cross-site tracking.

9. Children's Privacy

The Service is not directed at individuals under 18 years of age. We do not knowingly collect personal information from children. If we learn that we have collected data from a child under 18, we will delete it promptly.

10. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

• Right to Know: You may request information about the categories and specific pieces of personal information we have collected about you, the sources, the business purposes, and the third parties with whom we share it.
• Right to Delete: You may request deletion of your personal information, subject to certain exceptions (legal obligations, ongoing service delivery, security).
• Right to Correct: You may request correction of inaccurate personal information.
• Right to Opt-Out of Sale/Sharing: We do not sell or share your personal information for cross-context behavioral advertising. No opt-out is necessary, but you may contact us to confirm.
• Right to Limit Use of Sensitive Personal Information: Voice recordings and precise call content are considered sensitive PI. We use this data only to provide the Service.
• Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

To exercise any of these rights, contact us at [email protected]. We will respond within 45 days. We may need to verify your identity before processing your request.

11. International Data Transfers

The Service is hosted in the United States. If you access the Service from outside the US, you consent to the transfer of your data to the US, where data protection laws may differ from your jurisdiction.

12. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of material changes by email or by posting a notice on the Service at least 30 days before the effective date. Your continued use of the Service constitutes acceptance of the updated policy.

13. Contact Us

For privacy-related questions or to exercise your rights:

Caller
Email: [email protected]