1 · Roles + scope
The Controller (you) determines the purposes and means of processing the personal data submitted to the Service. The Processor processes such personal data solely on the Controller's documented instructions, as set out in this DPA, the Master Service Agreement (Terms of Service), and the applicable Order Form.
This DPA is entered into pursuant to Article 28 of Regulation (EU) 2016/679 ("GDPR") + the Irish Data Protection Acts 1988-2018.
2 · Subject matter, duration, nature, purpose
- Subject matter: processing of personal data contained in the inputs to the CallMeIE Service(s) named in your Order Form (call recordings + caller metadata for AI Receptionist; accounting source documents for Document Ops; visitor analytics + form submissions for AI-First Websites).
- Duration: the term of the active Order Form, plus any post-termination retention period set out in §4.
- Nature: automated voice-agent operation + OCR / field extraction + confidence scoring + optional human review + export to your accounting / calendar / website infrastructure.
- Purpose: enabling you to deliver receptionist services, meet bookkeeping + tax obligations under Irish Revenue rules and equivalent regimes, and operate your customer-facing website with privacy-friendly analytics.
3 · Where your data lives
- Document Ops + AI-First Websites: Coolify on a Hetzner Online GmbH dedicated server in Nuremberg, Germany (EU jurisdiction).
- AI Receptionist + Discovery quiz API (FastAPI): Render Inc. Frankfurt region (EU). Migration to Hetzner Coolify Nuremberg in progress; no change to your data residency (both EU).
- Onboarding form intake (webhook relay): Railway Corp. — webhook receiver for /submit-onboarding; payload transits Railway and forwards to Render-hosted FastAPI for persistence; not retained on Railway storage beyond request lifetime; EU data plane where supported.
- Vapi voice runtime: Vapi.ai US infrastructure with EU routing where supported.
- Call recordings — two-stage storage: Vapi holds the transient working copy for up to 14 days (its own US-with-EU-routing storage). Within that window the recording is mirrored to Hetzner Object Storage (Nuremberg, DE — EU) via the post-call webhook on api.callmeie.ie. The durable archive on Hetzner is the canonical 90-day copy; the bucket carries an S3 lifecycle rule that auto-expires objects at day 90. After 90 days no copy remains on either side. The demo line +353 61 788 120 also runs an opt-out path (caller says "I'd rather not be recorded" → recording manually purged from both stages within 24 hours of call end). Demo-line lawful basis = Art 6(1)(f) legitimate interests; paying-tier client lawful basis = Art 6(1)(b) contract (the recording IS the service).
- Twilio telephony + SMS: Twilio Inc. region depends on the phone number country.
- Object storage for Document Ops original-form documents: Hetzner Object Storage (EU, S3-compatible, Nuremberg).
- Backups: encrypted at rest, retained per the Order Form retention window.
- No transfers outside the EEA without an explicit additional clause (Standard Contractual Clauses or DPF).
4 · Cancellation + data export
You may cancel a monthly subscription at any time from the Stripe customer portal. Pilots are one-off and do not auto-renew. On cancellation:
- Within 7 calendar days: full CSV export of all extracted rows / call data / form submissions + a ZIP of original-form documents (where applicable).
- Within 30 days (or sooner on written request): permanent deletion from primary storage + backups.
- Statutory retention exceptions take precedence (e.g. VATCA s.84(3) 7-year original-form retention for Irish accounting source documents). These are held for the statutory minimum then deleted.
- Nothing is retained past the contractual + statutory retention windows.
5 · Sub-processors
Per Article 28(2) GDPR, the current sub-processor list as of 2026-05-09 is itemised in Privacy Policy §5. Any change triggers 30-day prior written notice with a Controller objection right. The notice is delivered to your Order Form contact email.
Per-product Schedules (A, B, C below) call out which sub-processors apply to each product.
6 · Security measures
- TLS 1.3 in transit (Cloudflare-managed certificates).
- Encryption at rest for backups + object storage.
- Per-tenant database isolation enforced at the application middleware layer (Document Ops).
- Magic-link authentication; no shared accounts; admin actions audit-logged to a JSONL event store.
- Annual review of technical + organisational measures.
- Document Ops 0.98 confidence gate + bounce-back path: doubtful extractions returned to you with a one-line reason rather than silently exported.
- AI Receptionist anomaly diagnosis loop: failed calls scored + escalated to LLM-assisted root-cause analysis within 5 minutes.
7 · Liability + indemnity
Per the Master Service Agreement at Terms §8:
- Self-serve subscription tiers: aggregate Processor liability capped at the fees you paid us in the 12 months prior to the claim.
- Bespoke engagements: liability cap negotiated per engagement during the scoping call; the Order Form is the binding cap.
- We carry professional indemnity insurance (carrier + cover details available on request).
- Nothing limits liability for: death or personal injury caused by negligence; fraud or fraudulent misrepresentation; any other liability that cannot be excluded under Irish law.
8 · Sole-trader → Ltd assignment-on-incorporation
Until CallMeIE Technologies Ltd is incorporated and CRO-listed, the Processor is Adam Vaughan, an Irish VAT-registered sole trader trading as CallMeIE Technologies, operating in Limerick, Ireland.
Upon incorporation, Adam Vaughan may assign and novate this DPA to CallMeIE Technologies Ltd, provided:
- The company assumes all Processor obligations in writing.
- You receive written notice within 30 days of incorporation.
- You have a 30-day objection-and-cancel right with full data export per §4.
This pre-novation clause is the answer to the natural question "what if Adam is hit by a bus" — the contract assigns to the company on incorporation, and your data + DPA survive the transition.
Schedule A · AI Receptionist data flow
Per-product Article 28(3) annex.
| Field | Detail |
|---|---|
| Categories of personal data | Caller phone number, call recording + transcript, caller name + intent, calendar event details, SMS content, anomaly diagnosis |
| Categories of data subjects | Your callers (your customers + prospects who phone in) |
| Sub-processors | Vapi.ai (US, EU routing where supported — voice runtime + transient ≤14-day recording working copy), Hetzner Online GmbH (Nuremberg DE — durable 90-day call-recording archive via post-call webhook mirror), Twilio Inc. (US/IE number-dependent), Google LLC Workspace (Calendar API, EU residency), Anthropic PBC (anomaly diagnosis, US under DPF), xAI Corp. (Discovery quiz classifier, US under DPF + SCCs — anonymised text snippets only), Render Inc. (Frankfurt DE), Railway Corp. (webhook relay only, no persistent storage) |
| Retention | Call data 12 months from last call; recordings 90 days total (≤14d transient on Vapi → mirrored to Hetzner Object Storage Nuremberg → S3 lifecycle auto-expires at day 90); anomaly diagnosis 90 days |
| Transfers outside EEA | Vapi (US — DPF + SCCs); Twilio (US — DPF + SCCs); Anthropic (US — DPF) |
| Special category data? | Generally no. Callers may volunteer health / sensitive info during a call; we treat all call content as confidential and do not pass it through any third-party LLM other than the failed-call anomaly diagnosis loop (Anthropic) which is anonymised + scoped to call metadata, not call content |
Schedule B · Document Ops data flow
Per-product Article 28(3) annex.
| Field | Detail |
|---|---|
| Categories of personal data | Original-form accounting documents (invoices, receipts, credit notes, statements) which may contain: customer names, addresses, IE VAT numbers, IBANs, BICs, phone, email, dates, amounts. Reviewer corrections (Label Studio annotations). Tenant config + magic-link auth identifiers. Stripe customer ID |
| Categories of data subjects | Your suppliers + customers (whoever appears as vendor or customer on your accounting source documents) |
| Sub-processors | Hetzner Online GmbH (Nuremberg DE — hosting + object storage), HumanSignal Inc. Label Studio (self-hosted on Hetzner — no data egress), Stripe Payments Europe Ltd (Dublin IE — billing), Cloudflare Inc. (DNS + CDN + EU routing). Public sandbox extractor only at callmeie.ie/docs/#drop-it: Hetzner Online GmbH (Nuremberg DE — same Coolify deployment as paying-tier portal, real Tesseract OCR + pypdfium2 text layer, no third-country compute) + xAI Inc. (US under DPF — Grok-4 text-snippet field normalisation only, transient, no document storage). The sandbox runs the same OCR engine you'd get on a paying tier; what's missing vs. paying tier is the RapidOCR ensemble + voter agreement + GLM-OCR vision verifier + LineItems table parser + 7-year VATCA retention + Label Studio bounce-back queue. Production paying-tier OCR engine + LLM normalisation provider are pinned per Order Form (xAI may be replaced by a self-hosted Ollama deployment for clients with a no-third-country requirement) |
| Retention | Per Order Form. Default = 7 years for original-form documents (VATCA s.84(3) statutory retention); extracted fields + reviewer corrections per Order Form contractual window. Public sandbox: upload bytes are read into a memory buffer, run through OCR + LLM normalisation, and the buffer is explicitly dropped before the response goes out. Only an audit log line holding size in bytes, page count, and a truncated SHA-256 digest is kept (no document content recoverable from the digest) |
| Transfers outside EEA | None by default — all primary OCR + storage stays on Hetzner Nuremberg. The public sandbox extractor routes a transient text snippet (already OCR'd from the bytes that never left Frankfurt) to xAI Inc. (US, under EU-US Data Privacy Framework) for the field-normalisation step. xAI receives only the extracted text, not the original PDF, and is contractually bound by their DPF self-certification |
| Special category data? | Generally no. Customers should not upload Article 9 special category data (health, religious, political, biometric) to Document Ops; if you have a vertical that requires this (e.g. dental clinics with patient billing), contact us before signing the Order Form for additional terms |
Schedule C · AI-First Websites data flow
Per-product Article 28(3) annex.
| Field | Detail |
|---|---|
| Categories of personal data | Site visitor IP (anonymised by Umami), form submission content (whatever your site forms collect — typically name, email, message), Cloudflare DNS + CDN logs |
| Categories of data subjects | Visitors to your hosted site |
| Sub-processors | Hetzner Online GmbH (Nuremberg DE — site hosting + Postgres + Umami self-hosted), Cloudflare Inc. (DNS + CDN with EU routing), Resend (Resend.com Inc., EU — transactional email forwarding for form submissions), Stripe Payments Europe Ltd (Dublin IE — only if commerce wired) |
| Retention | Visitor analytics 12 months aggregated (no per-visitor profile); form submissions 90 days then auto-delete; logs per Cloudflare retention |
| Transfers outside EEA | None by default. Cloudflare uses EU routing where DNS is configured for it |
| Special category data? | None by default. If you collect special category data via your site forms (e.g. health intake forms), you must disclose this on your own site privacy notice + obtain explicit consent per Article 9 GDPR; you remain the Controller |
Get the full DPA
Email hello@callmeie.ie with the subject "DPA request" and we send the full v1.0 (PDF) within one business day. We sign per the Order Form before any pilot starts.