Privacy Policy

Last updated: April 17, 2026

ChuiVoice ("ChuiVoice," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our AI voice receptionist platform, including our website, web application, application programming interfaces ("APIs"), and all related services (collectively, the "Service"). Please read this policy carefully. If you disagree with its terms, please discontinue use of the Service.

This Privacy Policy applies to two distinct groups: (1) Customers — businesses and individuals who register for and use the ChuiVoice platform to manage AI receptionists; and (2) End Users — third-party callers who interact with an AI receptionist powered by ChuiVoice on behalf of a Customer. Where the distinction matters, we will note it explicitly.


1. Information We Collect

1.1 Information You Provide Directly

  • Account Registration: When you create a ChuiVoice account, we collect your name, email address, username, and password (stored as a salted hash). We never store passwords in plaintext.
  • Business Profile: Business name, business phone number, industry type, and any other details you enter when configuring your account.
  • Agent Configuration: Agent names, greeting scripts, behavioral instructions, voice preferences, and feature toggles (booking enabled, lead capture enabled) that you provide when creating or editing AI agents.
  • Knowledge Base Content: Text, documents (including PDF files), and URLs you upload or submit to train your AI agent. This content may include proprietary business information such as FAQs, service menus, pricing, and procedures.
  • Payment Information: We use Paddle as our payment processor. ChuiVoice does not directly collect or store your credit card numbers or banking details. Paddle collects and processes all payment data in accordance with PCI-DSS standards. We receive a transaction identifier, subscription status, and plan details from Paddle.
  • Support Communications: Emails, messages, or other communications you send to us for support or feedback.

1.2 Information Collected Automatically

  • Usage Data: Pages visited, features used, actions taken within the dashboard, session duration, and interaction patterns.
  • Device & Technical Data: IP address, browser type and version, operating system, device identifiers, referring URLs, and time zone.
  • Authentication Tokens: JSON Web Tokens (JWTs) and refresh tokens stored in your browser's local storage to maintain your session.
  • Log Data: Server-side logs recording API requests, error events, and system performance metrics. These logs are retained for operational and security purposes.

1.3 Call Data (Highly Sensitive)

The core function of ChuiVoice involves handling telephone calls. In connection with calls routed through the Service, we collect and process the following:

  • Caller Phone Numbers: The phone number of individuals who call a ChuiVoice-powered number, as provided by Twilio's telephony infrastructure.
  • Audio Streams: Real-time audio from telephone calls is transmitted to Deepgram for speech-to-text transcription. Audio is processed in real time and is not permanently stored by ChuiVoice unless a Customer explicitly enables call recording (where available).
  • Call Transcripts: Full text transcriptions of conversations between callers and AI agents are stored in our database, associated with the relevant Customer account and agent.
  • Call Summaries: AI-generated summaries of call content, produced by OpenAI's language models and stored in our database.
  • Call Metadata: Call duration, timestamp, inbound phone number, and the identifier of the AI agent that handled the call.
  • Leads: Name, phone number, and any other identifying information voluntarily provided by a caller and captured by the AI agent during a lead-capture interaction.
  • Appointments: Date, time, caller name, phone number, and any notes captured by the AI agent when booking an appointment on behalf of a Customer.

1.4 Third-Party Integration Data

  • Google Calendar: If you connect Google Calendar, we receive an OAuth access token and refresh token from Google. We use these tokens only to create, read, and sync calendar events associated with appointments booked through the Service. We store only the tokens and event identifiers necessary for this purpose.

2. How We Use Your Information

We use the information we collect for the following purposes:

  • Service Delivery: To operate, maintain, and improve the ChuiVoice platform, including routing calls, transcribing speech, generating AI responses, booking appointments, and capturing leads.
  • Account Management: To create and manage your account, authenticate your identity, and maintain session security.
  • Billing and Subscriptions: To process payments through Paddle, manage subscription tiers, track minute usage, and enforce plan limits.
  • AI Model Operations: To pass call transcripts and knowledge base content to OpenAI's GPT-4o-mini model for response generation. We send only the minimum information necessary for each request. We do not use your data to train OpenAI's foundational models under our enterprise API agreement.
  • Communications: To send transactional emails (appointment confirmations, lead notifications, call summaries, password resets, and billing receipts). We do not send unsolicited marketing emails without your explicit consent.
  • Analytics and Improvement: To monitor platform performance, diagnose errors, and improve the quality and reliability of the Service.
  • Legal Compliance: To comply with applicable laws, regulations, court orders, and lawful requests from government authorities.
  • Security: To detect, prevent, and respond to fraud, abuse, security incidents, and violations of our Terms of Service.
  • Google Calendar Sync: To create calendar events and check availability on behalf of Customers who have authorized this integration.
  • SMS Notifications: If you enable SMS confirmations, we use Twilio to send appointment confirmation messages to callers' phone numbers.

3. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data under the following legal bases as defined in the General Data Protection Regulation (GDPR) and applicable national laws:

  • Contractual Necessity (Art. 6(1)(b) GDPR): Processing required to perform our contract with you — including account management, call processing, transcription, billing, and feature delivery.
  • Legitimate Interests (Art. 6(1)(f) GDPR): Processing necessary for our legitimate business interests, such as fraud detection, security monitoring, service improvement, and analytics, where those interests are not overridden by your data protection rights.
  • Legal Obligation (Art. 6(1)(c) GDPR): Processing required to comply with applicable laws, including data retention obligations and government requests.
  • Consent (Art. 6(1)(a) GDPR): Where we rely on your consent (e.g., optional marketing communications), you may withdraw that consent at any time without affecting the lawfulness of prior processing.

Call Recording and Third-Party Callers: Customers are solely responsible for ensuring that any required consent or notice is obtained from callers in their jurisdiction prior to recording or transcribing calls. Many jurisdictions — including but not limited to California (CIPA), the United Kingdom, Canada, and the European Union — require all-party or two-party consent before recording telephone conversations. ChuiVoice provides tools; compliance is the Customer's obligation. See Section 11 for further details.


4. How We Share Your Information

We do not sell your personal data. We share information only in the following circumstances:

4.1 Service Providers (Sub-processors)

We share data with vetted third-party vendors who process data on our behalf:

Vendor | Purpose | Data Shared
Twilio Inc. | Telephony infrastructure, call routing, SMS | Phone numbers, audio streams, SMS content
Deepgram Inc. | Real-time speech-to-text transcription | Audio streams from calls
OpenAI, L.L.C. | LLM inference for agent responses | Call transcripts, knowledge base chunks
ElevenLabs Inc. | Text-to-speech voice synthesis | Agent response text
Paddle.com Market Ltd. | Payment processing and subscription management | Email, billing details, subscription data
Google LLC | Calendar integration (if enabled) | OAuth tokens, appointment data
Railway Technologies Inc. | Backend and voice engine hosting | All application data (encrypted at rest)
Vercel Inc. | Frontend hosting and CDN | Request logs, static assets

4.2 Business Transfers

If ChuiVoice is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or substantially all of its assets, your information may be transferred as part of that transaction. We will notify you via email or prominent notice on our website before your data is transferred and becomes subject to a different privacy policy.

4.3 Legal Requirements

We may disclose your information where required to do so by law or in the good-faith belief that such action is necessary to: (a) comply with a subpoena, court order, or other legal process; (b) protect the rights, property, or safety of ChuiVoice, our customers, or the public; (c) detect, prevent, or address fraud, security, or technical issues; or (d) respond to lawful requests by government authorities, including law enforcement.

4.4 With Your Consent

We may share information with third parties when you give us explicit permission to do so.


5. Data Retention

We retain personal data for as long as necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements.

  • Account Data: Retained for the duration of your account and for up to 90 days after account deletion, to allow for account recovery and to comply with legal obligations.
  • Call Transcripts and Summaries: Retained for the lifetime of your account. Customers may request deletion at any time via the dashboard or by contacting support.
  • Lead and Appointment Data: Retained for the lifetime of your account. Deletable upon request.
  • Billing Records: Retained for a minimum of 7 years as required by applicable tax and financial laws.
  • Server Logs: Retained for up to 90 days for security and operational purposes, then automatically deleted.
  • Google OAuth Tokens: Retained until you disconnect the Google Calendar integration or delete your account, at which point tokens are revoked and deleted.

When data is no longer required, it is securely deleted or anonymized so that it can no longer be associated with any individual.


6. Your Rights and Choices

6.1 All Users

  • Access and Correction: You may access or update your account information at any time via the Settings page in your dashboard.
  • Account Deletion: You may request deletion of your account and associated personal data by contacting us at privacy@chuivoice.com. We will process your request within 30 days.
  • Data Portability: You may request a machine-readable export of your data by contacting us.
  • Opt-Out of Communications: You may opt out of non-transactional emails by following the unsubscribe instructions in any such message.

6.2 EEA, UK, and Swiss Residents (GDPR Rights)

In addition to the above, you have the right to:

  • Right of Access (Art. 15): Obtain confirmation of whether we process your personal data and receive a copy of that data.
  • Right to Rectification (Art. 16): Request correction of inaccurate or incomplete personal data.
  • Right to Erasure (Art. 17): Request deletion of your personal data where it is no longer necessary for the purposes for which it was collected, subject to our legal obligations.
  • Right to Restriction of Processing (Art. 18): Request that we restrict processing of your data in certain circumstances.
  • Right to Data Portability (Art. 20): Receive your personal data in a structured, commonly used, machine-readable format.
  • Right to Object (Art. 21): Object to processing based on legitimate interests or for direct marketing purposes.
  • Rights Related to Automated Decision-Making (Art. 22): Not be subject to decisions based solely on automated processing that produce significant legal or similar effects.
  • Right to Lodge a Complaint: Lodge a complaint with your local supervisory authority (e.g., the ICO in the UK, or your national DPA in the EEA).

To exercise any of these rights, contact us at privacy@chuivoice.com. We will respond within 30 days (or 45 days where an extension is permitted by law).

6.3 California Residents (CCPA / CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

  • Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you.
  • Right to Delete: Request deletion of personal information we have collected about you, subject to certain exceptions.
  • Right to Correct: Request correction of inaccurate personal information.
  • Right to Opt-Out of Sale or Sharing: We do not sell or share personal information for cross-context behavioral advertising.
  • Right to Limit Use of Sensitive Personal Information: We do not use sensitive personal information for purposes beyond those permitted under the CPRA.
  • Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.

To submit a verifiable consumer request, contact us at privacy@chuivoice.com or use the subject line "CCPA Request."


7. Data Security

We implement and maintain technical and organizational security measures designed to protect your personal data against unauthorized access, loss, alteration, or destruction. These measures include:

  • Encryption of data in transit using TLS 1.2 or higher on all connections.
  • Encryption of data at rest on our Railway-hosted PostgreSQL database.
  • Secure, hashed password storage using industry-standard algorithms (bcrypt/PBKDF2).
  • JWT-based authentication with short-lived access tokens and refresh token rotation.
  • Role-based access controls limiting data access to authorized personnel and services.
  • Regular dependency updates and vulnerability scanning.
  • API key restrictions and environment-level secret management.

No method of transmission over the internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your personal data, we cannot guarantee its absolute security. In the event of a data breach that affects your rights and freedoms, we will notify you and the appropriate supervisory authorities as required by law.


8. Cookies and Tracking Technologies

ChuiVoice's web application does not use third-party advertising cookies or tracking pixels. We use the following limited technologies:

  • Browser Local Storage: We store authentication tokens (JWT access token and refresh token) in your browser's local storage to maintain your session across page reloads. These are not transmitted to third parties.
  • Session Data: Transient in-memory session data used during your active browser session.

Our hosting provider (Vercel) and infrastructure providers may set technical cookies necessary for content delivery and DDoS protection. These are strictly necessary and cannot be disabled without affecting the functionality of the Service.


9. International Data Transfers

ChuiVoice is operated from and stores data primarily in the United States. If you are located outside the United States, including in the EEA, UK, or Switzerland, your data will be transferred to and processed in the United States, which may not have data protection laws equivalent to those in your jurisdiction.

Where required by applicable law (e.g., GDPR Chapter V), we ensure appropriate safeguards are in place for such transfers, including Standard Contractual Clauses (SCCs) approved by the European Commission, or reliance on the EU-U.S. Data Privacy Framework where applicable. Please contact us at privacy@chuivoice.com for a copy of the relevant transfer mechanism.


10. Children's Privacy

The Service is not directed to children under the age of 13 (or under the age of 16 in certain EEA jurisdictions). We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal information without your consent, please contact us at privacy@chuivoice.com and we will promptly delete such information.


11. Call Recording, Transcription, and Wiretapping Laws

This section is critically important if you are a Customer using ChuiVoice to handle telephone calls.

ChuiVoice transcribes telephone conversations in real time as part of its core functionality. Many jurisdictions require that all parties to a telephone call consent to being recorded or monitored before a recording or transcription may lawfully be made. These laws vary significantly by location:

  • United States — Federal (ECPA): Federal law requires one-party consent, meaning the recording party (the Customer) may consent on behalf of the conversation.
  • United States — State Laws: Multiple U.S. states — including California, Connecticut, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, Nevada, New Hampshire, Oregon, Pennsylvania, and Washington — require all-party consent. Customers operating in or receiving calls from these states must ensure callers are notified and consent is obtained.
  • European Union (GDPR): Recording calls involving EU residents generally requires a valid legal basis, typically explicit consent or a legitimate interest, with appropriate notice.
  • Canada (PIPEDA): Requires meaningful consent for recording, typically through a pre-recorded disclosure message.
  • United Kingdom: Governed by RIPA 2000 and UK GDPR; consent or a legitimate interest basis is required.

Customer Responsibility: ChuiVoice provides the infrastructure. Customers are solely and exclusively responsible for: (a) determining the applicable laws in their jurisdiction and the jurisdictions of their callers; (b) obtaining all necessary consents and providing all required disclosures before any call is transcribed; and (c) configuring their AI agent's greeting to include any legally required notice (e.g., "This call may be recorded and transcribed for quality purposes."). ChuiVoice shall bear no liability for a Customer's failure to comply with applicable wiretapping, recording, or privacy laws.


12. Third-Party Links and Services

The Service may contain links to third-party websites and services that are not operated by ChuiVoice. This Privacy Policy does not apply to those third-party services. We encourage you to review the privacy policies of any third-party services you access through the Service. We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party sites.


13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top of this page and, where the changes are material, we will provide a more prominent notice (such as an email notification or an in-app banner). Your continued use of the Service after any such changes constitutes your acceptance of the updated policy. We encourage you to review this page periodically.


14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

ChuiVoice

Email: privacy@chuivoice.com

We aim to respond to all privacy-related inquiries within 5 business days and to fulfill verifiable data subject requests within 30 days.