Privacy Policy

Last Updated: January 30, 2026

Table of Contents

  1. 1. Introduction
  2. 2. UK GDPR Compliance (Primary Framework)
  3. 3. Information We Collect
  4. 4. How We Use Your Information
  5. 5. Artificial Intelligence & Voice Data
  6. 6. Data Sharing & Disclosure
  7. 7. Data Security
  8. 8. Healthcare Compliance (HIPAA)
  9. 9. Data Retention
  10. 10. Your Rights
  11. 11. EU GDPR for EEA/EU Users
  12. 12. CCPA (California Users)
  13. 13. Cookies & Tracking
  14. 14. Children's Privacy
  15. 15. International Data Transfers
  16. 16. Changes to This Policy
  17. 17. Contact Information

1. Introduction

Welcome to Voxanne AI, a product of Call Waiting AI Ltd. ("Voxanne AI," "we," "us," or "our"). We are committed to protecting your privacy and ensuring the security of your personal data.

This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered voice receptionist platform, website, dashboard, and related applications (collectively, the "Service").

By accessing or using the Service, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy. If you do not agree with this Privacy Policy, you must not access or use the Service.

Healthcare Organizations: If you are a healthcare provider using Voxanne AI to handle patient communications, please also review Section 8 (Healthcare Compliance) and our Healthcare Compliance Page.

2. UK GDPR Compliance (Primary Framework)

Voxanne AI is a UK-based company operating under UK GDPR as our primary compliance framework. We are committed to protecting the rights of individuals in the UK and EU in accordance with the UK General Data Protection Regulation (UK GDPR).

2.1 Data Controller Information

Call Waiting AI Ltd

Collage House, 2nd Floor

17 King Edward Road

Ruislip, London HA4 7AE

United Kingdom

Company Number: 16917594

ICO Registration: [ICO Number]

2.2 Legal Bases for Processing (UK GDPR Article 6)

We process personal data under the following legal bases:

  • Contract Performance (Article 6(1)(b)): Processing necessary to provide AI receptionist services (call handling, appointment booking, SMS sending)
  • Legitimate Interests (Article 6(1)(f)): Security, fraud prevention, service improvements, analytics, and business operations
  • Consent (Article 6(1)(a)): Marketing communications, non-essential cookies, and optional features (with easy opt-out)
  • Legal Obligation (Article 6(1)(c)): Tax compliance, financial record-keeping, and regulatory obligations

2.3 Special Category Data (Health Data - Article 9)

If you process health-related information through our service (e.g., appointment bookings at medical clinics, diagnoses in call transcripts), this constitutes Special Category Data under UK GDPR Article 9, which requires additional protection.

Legal bases for health data:

  • Explicit Consent (Article 9(2)(a)): Patients explicitly consent when calling or using services
  • Healthcare Provider Operations (Article 9(2)(h)): Processing necessary for healthcare provision
  • Public Health Interest (Article 9(2)(i)): Appointment scheduling for public health purposes

Important: If you are a healthcare organization, please ensure you have appropriate consents from patients before processing their health data through Voxanne AI. Review our Healthcare Compliance Page for healthcare-specific requirements.

2.4 UK GDPR vs EU GDPR (Post-Brexit)

Following Brexit, the UK maintains its own GDPR framework (UK GDPR) that is substantially similar to EU GDPR with minor differences:

  • Supervisory Authority: Information Commissioner's Office (ICO) for UK customers
  • Data Transfer Mechanism: UK IDTA instead of SCCs for UK-to-third-country transfers
  • Adequacy Status: UK is recognized as adequate by the EU; EU is recognized as adequate by the UK
  • Regulatory Cooperation: ICO cooperates with EU supervisory authorities on cross-border matters

2.5 Your Rights Under UK GDPR

You have the following rights, which we support through our APIs and dashboard:

RightDescriptionHow to Exercise
Right to Access (Article 15)Request copy of your personal dataEmail privacy@voxanne.ai or use data export API
Right to Rectification (Article 16)Correct inaccurate personal dataUpdate via dashboard or email privacy@voxanne.ai
Right to Erasure (Article 17)Request deletion of personal dataUse data deletion API or email privacy@voxanne.ai (30-day process)
Right to Portability (Article 20)Receive data in machine-readable formatUse data export API (JSON format)
Right to Object (Article 21)Object to processing based on legitimate interestsEmail privacy@voxanne.ai with objection details
Right to Restrict (Article 18)Limit how we process your dataEmail privacy@voxanne.ai with restriction request

Response time: We will respond to all rights requests within 30 days (extendable to 60 days for complex requests). Fee: Free of charge (unless requests are manifestly unfounded or excessive).

Complaints: If you believe we have violated your UK GDPR rights, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

3. Information We Collect

2.1 Account Information

When you register for the Service, we collect:

  • Name, email address, and business details
  • Organization name, type, and size
  • Billing information (processed securely by Stripe; we do not store full card numbers)
  • Account credentials (passwords are hashed and never stored in plaintext)

2.2 Voice & Communication Data

To provide our AI receptionist service, we process:

  • Call Recordings: Audio recordings of incoming and outgoing calls handled by the AI agent
  • Transcripts: Text transcriptions of voice conversations
  • Call Metadata: Phone numbers, timestamps, call duration, call direction (inbound/outbound)
  • Appointment Data: Scheduling details, calendar events, and booking confirmations
  • SMS Messages: Follow-up messages, appointment reminders, and notifications

Important: Call recordings may contain Protected Health Information (PHI) if you are a healthcare provider. We process PHI in accordance with HIPAA regulations and apply PHI redaction to stored transcripts where applicable.

2.3 Configuration Data

To customize your AI agent, we store:

  • Agent configuration (system prompts, voice selection, language preferences)
  • Knowledge base documents (uploaded PDFs, FAQs, service lists, pricing)
  • Business hours, holiday schedules, and availability settings
  • Integration credentials (Google Calendar, Twilio; encrypted at rest)

2.4 Automatically Collected Data

When you use our website or dashboard, we automatically collect:

  • IP address and approximate geographic location
  • Browser type, operating system, and device information
  • Pages visited, time spent, and interaction patterns
  • Referral source and search terms

3. How We Use Your Information

We use the information we collect for the following purposes:

3.1 Service Delivery

  • Operating and maintaining the AI voice receptionist
  • Processing and transcribing phone calls
  • Scheduling appointments and managing calendars
  • Sending SMS notifications and appointment reminders
  • Generating call analytics and dashboard reports

3.2 Service Improvement

  • Analyzing usage patterns to improve AI accuracy and response quality
  • Identifying and fixing bugs, errors, and performance issues
  • Developing new features based on aggregated usage data

Your Data, Your Control: We will never use your Customer Data (including call recordings, transcripts, or patient data) to train generalized AI models without your explicit, written consent. Your data is only used to provide the Service to you.

3.3 Communication

  • Sending account-related notifications (billing, security alerts)
  • Providing customer support and responding to inquiries
  • Sharing product updates and service announcements (with opt-out)

3.4 Legal & Compliance

  • Complying with applicable laws, regulations, and legal processes
  • Enforcing our Terms of Service
  • Protecting against fraud, abuse, and security threats
  • Maintaining audit trails for HIPAA compliance

4. Artificial Intelligence & Voice Data

Our Service uses advanced AI technologies to operate. We believe in transparency about how these technologies process your data.

4.1 Technologies Used

  • Speech-to-Text (Transcription): We use providers such as Deepgram to convert audio into text in real-time. Audio is processed in transit and not stored by transcription providers beyond the processing window.
  • Large Language Models (LLMs): We use AI language models to understand caller intent, generate natural responses, and make decisions about appointment booking and information retrieval.
  • Text-to-Speech (Voice Synthesis): We use providers such as ElevenLabs, OpenAI, and Azure to generate natural-sounding voice responses from over 100 available voices.
  • Knowledge Retrieval (RAG): Your uploaded documents are converted into vector embeddings and stored securely to enable contextual answers.

4.2 AI Data Processing Safeguards

  • Audio data is processed in real-time and not retained by AI providers beyond the call session
  • Transcripts are stored in our secure database with encryption at rest
  • PHI redaction is applied to stored transcripts (SSN, credit card numbers, medical diagnoses)
  • Your data is isolated per organization via Row Level Security (RLS)
  • We do not use your data to train third-party AI models

4.3 Provider Fallbacks

To ensure 99.9%+ availability, our system uses 3-tier fallback cascades for transcription and voice services. This means your calls may be processed by backup providers if the primary provider experiences an outage. All backup providers meet our security and data protection standards.

5. Data Sharing & Disclosure

We do not sell your personal data. We share data only in the following circumstances:

5.1 Service Providers

We share data with trusted third-party providers strictly to deliver the Service:

  • Supabase: Cloud database hosting and authentication
  • Vapi: Voice AI orchestration platform
  • Twilio: Telephony and SMS services
  • Deepgram: Speech-to-text transcription
  • ElevenLabs / OpenAI / Azure: Voice synthesis
  • Google Calendar: Appointment scheduling (when connected by you)
  • Stripe: Payment processing
  • Sentry: Error monitoring (PII redacted)

Each provider is contractually obligated to protect your data and use it only for the purposes of providing their service to us.

5.2 Legal Requirements

We may disclose your data when required to:

  • Comply with applicable law, regulation, or legal process
  • Respond to lawful requests from public authorities
  • Protect the rights, property, or safety of Voxanne AI, our users, or the public
  • Enforce our Terms of Service

5.3 Business Transfers

In the event of a merger, acquisition, or sale of all or part of our assets, your data may be transferred as part of that transaction. We will notify you via email and/or prominent notice on our website before your data is transferred and becomes subject to a different privacy policy.

6. Data Security

We implement industry-standard security measures to protect your data:

  • Encryption at Rest: AES-256 encryption for all stored data
  • Encryption in Transit: TLS 1.3 for all data transmission
  • Access Controls: Role-based access controls (RBAC) with multi-factor authentication
  • Data Isolation: Multi-tenant architecture with Row Level Security (RLS) ensuring complete isolation between organizations
  • Credential Management: Third-party credentials encrypted with AES-256-GCM with IV and AuthTag
  • Monitoring: Real-time error tracking via Sentry with PII redaction
  • Audit Logging: Comprehensive audit trails for all data access and modifications
  • Rate Limiting: 1,000 requests/hour per organization, 100 requests/15 minutes per IP

No method of transmission over the Internet is 100% secure. While we strive to protect your data, we cannot guarantee absolute security. You are responsible for maintaining the security of your account credentials.

7. HIPAA Compliance

If you are a HIPAA-covered entity (healthcare provider, health plan, or healthcare clearinghouse) and use the Service to process Protected Health Information (PHI):

  • You must execute a Business Associate Agreement (BAA) with Voxanne AI
  • We act as a Business Associate under HIPAA
  • We implement administrative, physical, and technical safeguards as required by the HIPAA Security Rule
  • We apply PHI redaction to stored transcripts (8 pattern types including SSN, credit cards, diagnoses)
  • We maintain audit logs as required for HIPAA compliance

To request a BAA, email legal@voxanne.ai with subject "BAA Request." For full details, see our HIPAA Compliance Page.

8. Data Retention

We retain your data according to the following schedule:

Data TypeRetention Period
Account informationDuration of account + 30 days after deletion
Call recordings90 days (configurable per organization)
Call transcriptsDuration of account + 30 days
Audit logs90 days
Webhook delivery logs7 days
Billing records7 years (legal requirement)

Upon account closure, all Customer Data is permanently deleted within 30 days in accordance with our GDPR data retention policy. You may export your data via the dashboard before deletion.

9. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Right to Access: Request a copy of the personal data we hold about you
  • Right to Rectification: Request correction of inaccurate or incomplete data
  • Right to Erasure: Request deletion of your personal data ("right to be forgotten")
  • Right to Restrict Processing: Request that we limit how we use your data
  • Right to Data Portability: Request your data in a structured, machine-readable format
  • Right to Object: Object to processing of your data for certain purposes
  • Right to Withdraw Consent: Withdraw previously given consent at any time

To exercise any of these rights, contact us at privacy@voxanne.ai. We will respond within 30 days (or sooner as required by law).

10. GDPR (European Users)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland:

10.1 Legal Basis for Processing

  • Contract Performance: Processing necessary to provide the Service you requested
  • Legitimate Interests: Service improvement, security, fraud prevention
  • Consent: Marketing communications (with opt-out)
  • Legal Obligation: Compliance with applicable laws

10.2 Data Controller

Voxanne AI (Call Waiting AI Ltd.) is the data controller for personal data collected through the Service. Our registered address is:

Call Waiting AI Ltd.

Collage House, 2nd Floor

17 King Edward Road

Ruislip, London HA4 7AE

United Kingdom

10.3 Data Protection Officer

For GDPR-related inquiries, contact our Data Protection Officer at privacy@voxanne.ai.

10.4 Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority. In the UK, this is the Information Commissioner's Office (ICO) at ico.org.uk.

11. CCPA (California Users)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

  • Right to Know: Request information about the categories and specific pieces of personal information we collect
  • Right to Delete: Request deletion of personal information we collected from you
  • Right to Opt-Out: Opt out of the "sale" of personal information (we do not sell personal data)
  • Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights

To exercise CCPA rights, contact us at privacy@voxanne.ai or call +44 7424 038250.

12. Cookies & Tracking

We use cookies and similar tracking technologies to enhance your experience. For full details, see our Cookie Policy.

Types of cookies we use:

  • Essential Cookies: Required for the Service to function (authentication, security)
  • Analytics Cookies: Help us understand how you use the Service (can be disabled)
  • Preference Cookies: Remember your settings and preferences

You can manage your cookie preferences through your browser settings.

13. Children's Privacy

The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child under 18, we will take steps to delete that information promptly.

If you believe a child has provided us with personal information, please contact us at privacy@voxanne.ai.

14. International Data Transfers

Your data may be transferred to and processed in countries other than your country of residence, including the United States and the United Kingdom. We ensure adequate protection through:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • UK International Data Transfer Agreement (IDTA) where applicable
  • Data processing agreements with all third-party providers
  • Encryption of data in transit and at rest

15. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will:

  • Email you at your registered email address (at least 30 days in advance for material changes)
  • Display a prominent notice on our website and dashboard
  • Update the "Last Updated" date at the top of this page

Your continued use of the Service after the effective date of the updated policy constitutes your acceptance of the changes.

16. Contact Information

If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us:

Voxanne AI

A product of Call Waiting AI Ltd.

Collage House, 2nd Floor
17 King Edward Road
Ruislip, London HA4 7AE
United Kingdom

General Support: support@voxanne.ai

Privacy Inquiries: privacy@voxanne.ai

Legal Matters: legal@voxanne.ai

Security Issues: security@voxanne.ai

Last Updated: January 30, 2026
Effective Date: January 30, 2026
Version: 2.0

By using the Service, you acknowledge that you have read and understood this Privacy Policy. Thank you for trusting Voxanne AI with your data.