Data Processing Agreement

GDPR Article 28 Compliance for EU and UK Customers

Last Updated: January 30, 2026

What is a Data Processing Agreement?

Under the UK GDPR and EU GDPR (Article 28), an organization that decides why and how personal data is processed (the Data Controller) must have a written contract, commonly called a Data Processing Agreement (DPA), with any service provider that processes that data on its behalf (the Data Processor).

Voxanne AI acts as a Data Processor when your organization uses our AI receptionist services. We process personal data (customer names, phone numbers, appointment details, health information, etc.) according to your instructions.

When do you need a DPA with us? If you are a Data Controller (a clinic, med spa, healthcare provider, or any other organization) and use Voxanne AI to process personal data of your patients, customers, or staff, you need a signed DPA with us before that processing starts.

Standard Data Processing Agreement

1. Parties to This Agreement

Data Controller:

[Customer Organization Name]

Data Processor:

Voxanne AI, a product of Call Waiting AI Ltd

Registered Address:

Collage House, 2nd Floor

17 King Edward Road

Ruislip, London HA4 7AE

United Kingdom

ICO Registration:

[ICO Number]

Company Number:

16917594

2. Scope of Processing

Data Categories:

  • Contact information (names, phone numbers, email addresses)
  • Voice recordings (call audio from inbound/outbound calls)
  • Call transcripts (AI-generated transcriptions of calls)
  • Appointment data (dates, times, service types)
  • Health data (medical history, diagnoses, treatment notes - if applicable)
  • Communication records (SMS messages, call notes)

Purpose:

Provide AI receptionist services including call handling, appointment scheduling, SMS notifications, and outbound calling on your behalf.

Duration:

For the duration of your service agreement with Voxanne AI, plus 30 days post-termination for data return/deletion.

Data Subjects:

Your patients, customers, clinic staff, appointment callers, and other individuals whose data you direct us to process.

3. Processing Instructions

Voxanne AI processes personal data only according to your documented instructions:

  • ✓ Inbound call handling and transcription
  • ✓ AI-generated responses based on your knowledge base
  • ✓ Appointment booking and calendar integration
  • ✓ SMS sending (confirmations, reminders, follow-ups)
  • ✓ Knowledge base retrieval and RAG pipeline
  • ✓ Call log storage and analytics
  • ✓ Lead scoring and contact management

We do not use personal data for our own purposes except where necessary for service provision, security, and legal compliance.

4. Sub-Processors

We use the following sub-processors to deliver our services. A full list with data protection details is available at /sub-processors.

  • Supabase - Database and authentication (SOC 2, HIPAA BAA)
  • Vapi - Voice AI infrastructure (HIPAA-eligible)
  • Twilio - Telephony and SMS (HIPAA BAA, SOC 2)
  • Google Cloud - AI/ML infrastructure (HIPAA BAA)
  • OpenAI - LLM processing (Enterprise DPA)
  • Additional providers listed at /sub-processors

30-Day Notice: We provide 30 days' notice before adding or replacing sub-processors. You may object and terminate your agreement if you disagree.

5. Security Measures

Encryption: AES-256 at rest, TLS 1.3 in transit, SRTP for voice calls

Access Control: Role-Based Access Control (RBAC), MFA for all staff, comprehensive audit logging

Infrastructure: SOC 2 Type II audit in progress (report available on completion), HIPAA-compliant hosting, daily automated backups with 30-day retention and Point-in-Time Recovery (PITR)

Data Isolation: Strong multi-tenant isolation via RLS (Row-Level Security) at the database level

Monitoring: Sentry error tracking, real-time security alerts, automated vulnerability scanning
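The "multi-tenant isolation via RLS" claim in Section 5 is the one a customer can actually ask to see evidence of. The following is an added illustration of what database-level tenant isolation with PostgreSQL row-level security looks like; it is not Voxanne AI's schema or Supabase's code, and the table, column, role and session-setting names (calls, organization_id, app_user, app.current_org) are hypothetical. It ends with the two catalog checks a reviewer would run to confirm that RLS is enabled, forced, and not bypassable.

```sql
-- Hypothetical tenant-scoped table shared by all customers (constructed example).
CREATE TABLE calls (
    id               bigserial PRIMARY KEY,
    organization_id  uuid NOT NULL,
    caller_number    text NOT NULL,
    transcript       text,
    created_at       timestamptz NOT NULL DEFAULT now()
);

-- Enable RLS and FORCE it, so even the table owner is subject to the policy.
-- Without FORCE, an application role that happens to own the table sees every row.
ALTER TABLE calls ENABLE ROW LEVEL SECURITY;
ALTER TABLE calls FORCE ROW LEVEL SECURITY;

-- The tenant comes from a session setting the application sets after
-- authenticating the request. The second argument (missing_ok = true) makes
-- current_setting() return NULL instead of raising when nothing is set, and
-- NULL = uuid is never true, so an unset tenant matches zero rows: fail closed.
-- USING filters reads/updates/deletes; WITH CHECK rejects writes for other tenants.
CREATE POLICY tenant_isolation ON calls
    USING      (organization_id = current_setting('app.current_org', true)::uuid)
    WITH CHECK (organization_id = current_setting('app.current_org', true)::uuid);

-- Application role: ordinary privileges only, no SUPERUSER and no BYPASSRLS.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON calls TO app_user;
GRANT USAGE, SELECT ON SEQUENCE calls_id_seq TO app_user;

-- Per request: set the tenant for this transaction only (is_local = true),
-- so a pooled connection cannot carry one tenant's id into the next request.
BEGIN;
SELECT set_config('app.current_org', '11111111-1111-1111-1111-111111111111', true);
INSERT INTO calls (organization_id, caller_number, transcript)
VALUES ('11111111-1111-1111-1111-111111111111', '+441234567890',
        'constructed sample transcript');
-- Returns only rows for tenant 1111..., regardless of any WHERE clause the
-- query author writes or forgets.
SELECT id, caller_number, created_at FROM calls;
COMMIT;

-- Negative check: writing a row for a different tenant while scoped to 1111...
-- is rejected by the WITH CHECK clause, so a bug in the application layer
-- cannot create cross-tenant data.
BEGIN;
SELECT set_config('app.current_org', '11111111-1111-1111-1111-111111111111', true);
INSERT INTO calls (organization_id, caller_number)
VALUES ('22222222-2222-2222-2222-222222222222', '+441234567891');
ROLLBACK;

-- Review check 1: every tenant-scoped table must show rls enabled AND forced.
SELECT relname, relrowsecurity AS rls_enabled, relforcerowsecurity AS rls_forced
FROM   pg_class
WHERE  relkind = 'r' AND relnamespace = 'public'::regnamespace;

-- Review check 2: no role the application connects as may bypass RLS.
SELECT rolname, rolsuper, rolbypassrls
FROM   pg_roles
WHERE  rolsuper OR rolbypassrls;
```

The same pattern applies when the tenant is carried in a JWT claim rather than a session setting; the policy predicate changes, the FORCE and no-BYPASSRLS checks do not. Superusers and roles with BYPASSRLS are exempt from every policy, which is why the second catalog query matters as much as the policy itself.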

6. Data Subject Rights Support

Article 15 (Right to Access): Data export API available so you can respond within the one-month deadline set by Article 12(3).

Article 16 (Right to Rectification): Update via customer dashboard or API.

Article 17 (Right to Erasure): Initiate 30-day deletion process via dashboard. Permanent deletion after grace period.

Article 20 (Right to Portability): JSON export format for machine-readable data portability.

Article 21 (Right to Object): Contact privacy@voxanne.ai with objection details.

7. Breach Notification

In the event of a personal data breach affecting your data:

  • Within 24 hours: We notify you of the breach
  • Details provided: Nature of breach, affected data, mitigation steps
  • Your responsibility: as Data Controller, you notify the supervisory authority (within 72 hours of becoming aware, under Article 33) and affected data subjects where required (Article 34)
  • Root cause analysis: Full investigation and remediation plan provided

8. International Data Transfers

Some sub-processors are located in the United States (Vapi, Twilio, OpenAI, Supabase US region). Transfers are protected by:

  • Standard Contractual Clauses (SCCs) for EU/UK customers
  • UK IDTA (International Data Transfer Agreement) for UK-specific transfers
  • Encryption in transit (TLS 1.3) protects data while it crosses networks, but sub-processors decrypt it to process it, so the SCCs/IDTA and each sub-processor's own safeguards carry the transfer risk, not the transport encryption
  • EU-only option: Contact sales@voxanne.ai to discuss EU-region-only data residency

9. Audit Rights

SOC 2 Type II Reports: Available on request once the current annual independent audit is complete (audit in progress; see Section 5)

Customer Audit Rights: You may request security audits with 14 days' notice at reasonable frequency (typically no more than annually)

Regulatory Audits: We cooperate fully with ICO and other regulatory authority audits

10. Termination & Data Return

30-Day Grace Period: Upon termination, you have 30 days to export or request deletion of your data

Export Format: JSON format via secure API endpoint

Secure Deletion: After 30 days, all data is securely deleted and a deletion certificate is issued

Backup Deletion: Backup copies deleted within 7 days of primary deletion

How to Execute This DPA

Option 1: Electronic Signature (Fastest)

  1. Copy this DPA template
  2. Sign electronically via DocuSign or Acrobat Sign
  3. Email signed copy to support@voxanne.ai
  4. Receive counter-signed copy within 5 business days

Option 2: Manual Signature

  1. Download and print this DPA
  2. Sign and date both copies
  3. Mail to: Collage House, 2nd Floor, 17 King Edward Road, Ruislip, London HA4 7AE
  4. We will counter-sign and return

Questions? Contact: support@voxanne.ai

GDPR Article 28 Compliant

Full compliance with GDPR data processor requirements for EU and UK customers

Enterprise Security

SOC 2 Type II audit in progress, HIPAA-compliant hosting, AES-256 encryption, daily backups

Data Subject Rights

Full support for GDPR rights: access, rectification, erasure, portability, and objection

24-Hour Breach Response

Notification within 24 hours of any personal data breach affecting your data

Ready to Get Started?

Our DPA is ready to execute. If you have questions or need customization, our legal team is here to help.