Privacy Policy — CallMeIE Technologies

1 · Roles + scope

Until CallMeIE Technologies Ltd is incorporated and CRO-listed, the data Controller-or-Processor party trading as "CallMeIE" / "CallMeIE Technologies" is Adam Vaughan, an Irish VAT-registered sole trader operating in Limerick, Ireland. Upon incorporation, Adam Vaughan may assign and novate this Privacy Policy and the related DPA to CallMeIE Technologies Ltd, provided the company assumes all obligations in writing and you receive written notice within 30 days of incorporation.

For each product:

AI Receptionist: we are the Processor; you are the Controller of your callers' personal data.
Document Ops: we are the Processor; you are the Controller of any personal data contained in the documents you submit.
AI-First Websites: we are the Processor of visitor analytics + form submissions; you are the Controller of your end-customer relationships.

This Privacy Policy is entered into pursuant to Article 28 GDPR + Irish Data Protection Acts 1988-2018. The full Data Processing Agreement (Article 28 contract) is at /legal/dpa.html and the signed binding contract is the DPA + Master Service Agreement + Order Form.

2 · Data we process — per product

2.1 · AI Receptionist

Vapi-fronted voice agent on Twilio numbers, with optional Google Calendar booking and SMS reply. We process the following categories of personal data on your behalf:

Data category	Source	Purpose	Lawful basis	Retention
Caller phone number	Inbound call (Twilio)	Lead capture · routing · SMS reply	Contract (Art 6(1)(b)) — to deliver the receptionist service to you	12 months from last call
Call recording + transcript	Inbound call (Vapi)	Quality assurance · your review of the call	Contract (Art 6(1)(b))	90 days then auto-delete from Vapi
Caller name + intent	Spoken in call	Lead routing · SMS confirmation	Contract (Art 6(1)(b))	12 months
Calendar event (booking)	Vapi → your Google Calendar	Appointment booking on your behalf	Contract (Art 6(1)(b))	Per your Google Calendar retention
SMS to caller	Vapi → Twilio	Confirm booking · follow-up	Contract (Art 6(1)(b))	12 months
Anomaly diagnosis (Claude API)	Failed-call webhook	Detect failed calls + recommend action to you	Legitimate interest (Art 6(1)(f)) — service health	90 days

2.2 · Document Ops

OCR + extraction pipeline for accounting source documents (invoices, receipts, credit notes, statements). We process the following categories of personal data on your behalf:

Data category	Source	Purpose	Lawful basis	Retention
Original-form document (PDF/JPG)	Your upload	OCR + field extraction	Contract (Art 6(1)(b))	Per Order Form (default 7 years per VATCA s.84(3) original-form retention)
Extracted fields (vendor / total / VAT / date / subtotal / vendor country)	Pipeline	Your accounting software input	Contract (Art 6(1)(b))	Per Order Form
Reviewer corrections (Label Studio)	Human review	Improve extraction quality for your tenant	Contract (Art 6(1)(b))	Per Order Form
Tenant config + magic-link auth identifiers	Account creation	Account access	Contract (Art 6(1)(b))	Account lifetime + 30 days
Stripe customer ID	Subscription	Billing	Contract (Art 6(1)(b))	Billing lifetime per Stripe retention

2.3 · AI-First Websites

Hosted client websites with privacy-friendly analytics (self-hosted Umami, no third-party trackers by default) and form submissions. We process the following categories of personal data on your behalf:

Data category	Source	Purpose	Lawful basis	Retention
Site visitor IP (anonymised)	Self-hosted Umami	Aggregate site analytics — no per-visitor profile	Legitimate interest (Art 6(1)(f)) — site operations	12 months aggregated
Form submission (contact / lead)	Site forms	Forward to you (the site owner)	Consent (Art 6(1)(a)) — visitor submits the form	90 days then auto-delete
Cloudflare DNS + CDN logs	All requests	Routing · DDoS protection	Legitimate interest (Art 6(1)(f)) — security	Per Cloudflare retention
Stripe checkout session (if commerce wired)	Site embed	Payment processing	Contract (Art 6(1)(b))	Per Stripe retention

What we do NOT do: no Google Analytics; no Facebook pixel; no behavioural retargeting cookies; no cross-site tracking. Self-hosted Umami runs on the same Hetzner infrastructure as Document Ops — visitor data does not leave EU jurisdiction.

3 · Where your data lives

Document Ops + AI-First Websites Postgres + object storage: Coolify on a Hetzner Online GmbH dedicated server in Nuremberg, Germany.
AI Receptionist + Discovery quiz API (FastAPI): Render Inc. Frankfurt region (EU). Migration to Hetzner Coolify Nuremberg in progress (no end-of-life date set; no change to your data residency — both regions are EU).
Onboarding form intake (webhook relay): Railway Corp. (US-managed control plane) — used as a webhook receiver for the Receptionist signup form (/submit-onboarding) which forwards directly into the Receptionist FastAPI for persistence. Form payload (business name, contact name, contact phone, contact email, address, hours, services) transits Railway and is not retained on Railway storage beyond request lifetime. SCCs in place; Railway data plane region pinned to EU where supported.
Vapi voice runtime + call recordings: Vapi.ai US infrastructure with EU routing where the carrier supports it. Recordings retained 90 days then auto-deleted.
Twilio telephony + SMS: Twilio Inc. region depends on the phone number country (Irish numbers route via EU; the Limerick line +353 61 788 120 also routes via EU).
Backups: encrypted at rest, retained per the Order Form retention window. No transfers outside the EEA without an explicit additional clause.

4 · How long we keep it

Retention windows are itemised in the per-product tables in §2. Defaults if no Order Form override:

AI Receptionist call data: 12 months from last call (recordings 90 days)
Document Ops corpus: 7 years (VATCA s.84(3) original-form retention; you may request earlier deletion for non-VATCA documents)
Websites visitor analytics: 12 months aggregated; no per-visitor profile
Form submissions: 90 days from submission
Auth + account metadata: account lifetime + 30 days

On cancellation: full CSV + ZIP export within 7 calendar days, full delete from primary + backup within 30 days (or sooner on written request).

5 · Sub-processors

Per Article 28(2) GDPR. Current sub-processor list as of 2026-05-09:

Sub-processor	Used by	Location	Function
Hetzner Online GmbH	Doc Ops · Websites · Receptionist DB-mirror · self-hosted Umami at analytics.owlzone.trade (consent-gated, callmeie.ie page counts only) · Receptionist call-recording archive (90 days)	Nuremberg, DE	Hosting · object storage · self-hosted analytics · durable call-recording storage
Vapi.ai	Receptionist	US (with EU routing where supported)	Voice agent runtime · transient call-recording working copy (≤14 days, then mirrored to Hetzner)
Twilio Inc.	Receptionist	US / IE (number-dependent)	Telephony · SMS
Google LLC (Workspace)	Receptionist	EU residency where set	Calendar API
Anthropic PBC	Receptionist (anomaly diagnosis)	US	LLM API for failed-call diagnosis
Stripe Payments Europe Ltd	All 3 (billing)	Dublin, IE	Payment processing
Cloudflare Inc.	All 3 (DNS / CDN)	Global with EU routing	DNS · CDN · DDoS protection
HumanSignal Inc. (Label Studio)	Doc Ops	Self-hosted on Hetzner DE — no data egress	Reviewer tool
Resend (Resend.com Inc.)	Websites · Receptionist (transactional email)	EU	Transactional email
Render Inc.	Receptionist + Discovery API server	Frankfurt, DE	FastAPI hosting (migration to Hetzner Coolify in progress)
Railway Corp.	Receptionist (onboarding form webhook relay)	US control plane · EU data plane where supported	Webhook relay only — no persistent storage beyond request lifetime; transits payload to Render-hosted FastAPI for persistence
xAI Corp.	Discovery quiz · Document Ops sandbox normaliser	US (under DPF + SCCs)	LLM API for visitor-quiz classification + sandbox-doc field extraction. Anonymised text snippets only; no document bytes; no identifying chat content beyond what the visitor types into the four-question quiz.
Telegram FZ-LLC	Internal owner alerts only (NOT customer data flow)	UAE / global	Operator-side Slack-style notification when a discovery quiz or onboarding form lands. Payload sent: business sector + pain chip + team-size chip + urgency chip + recommended-product label + optional contact name/email IF the visitor provided one. The bot account is owner-only; no third-party access.

On Telegram: CallMeIE uses a private Telegram bot for owner-side alerts (Adam-only). When you submit the discovery quiz or onboarding form, a notification is sent to that bot containing your sector + pain + team-size + urgency choices and any contact details you provided. This is the same content your form/quiz answers carry; nothing additional is shared. If you'd like us to skip the Telegram channel for your submission specifically, mention it in any contact field and we'll suppress it on our side.

Any change to the sub-processor list triggers 30-day prior written notice, with a Controller objection right per the DPA.

On the Google service-account email: The Receptionist service account is callmeie-receptionist@callme-ie.iam.gserviceaccount.com. The callme-ie portion is a Google Cloud project-id technical identifier (Google project IDs cannot contain certain characters); it is not the brand name and not a separate legal entity. The brand is CallMeIE; the domain is callmeie.ie; the legal entity is CallMeIE Technologies (Adam Vaughan trading as).

6 · Your GDPR rights

You can exercise the following rights at any time by emailing hello@callmeie.ie with the subject "GDPR rights request":

Right of access (Art 15): receive a copy of all personal data we hold about you.
Right to rectification (Art 16): correct inaccurate or incomplete data.
Right to erasure (Art 17): delete your data ("right to be forgotten") subject to overriding obligations (e.g. VATCA 7-year retention on accounting source documents).
Right to restrict processing (Art 18).
Right to data portability (Art 20): receive your data in CSV + ZIP within 7 calendar days.
Right to object (Art 21).
Right not to be subject to automated decision-making (Art 22): note that the 0.98-confidence gate in Document Ops is a confidence threshold, not an automated decision with legal effect — extraction outputs are reviewed by you before they take any action.

To exercise your data subject rights, email hello@callmeie.ie. We use the admin-side SAR + erasure endpoints (/admin/api/data-export and /admin/api/erase on api.callmeie.ie) to fulfil these within 7 calendar days of your request. Erasure is implemented as a 30-day soft-delete window followed by hard purge from primary storage and the daily backup propagation chain — this respects the Article 19 notification grace period and matches the cancellation-erasure window in §4.

If you are unsatisfied with our response, you may lodge a complaint with the Irish Data Protection Commission at dataprotection.ie.

7 · Cookies + tracking

On callmeie.ie (this hub):

Aggregate page-count analytics (consent-gated): if you click Allow page counts on the consent banner, we load a tracking script from our own server at analytics.owlzone.trade running self-hosted Umami. It records anonymous, aggregate counts per URL — no third party, no cross-site tracking, no profile of you, IP not stored, EU-only on Hetzner Nuremberg. If you click No, thanks the script never loads. Your choice is remembered in a single localStorage entry called cmt-consent (essential, exempt under ePrivacy strictly-necessary).
Cloudflare may set a strictly-necessary cookie for DDoS protection (__cf_bm, ~30 minutes).
Google Fonts loaded from fonts.googleapis.com + fonts.gstatic.com — no cookies set, but Google receives the visitor IP per request.

On portal.callmeie.ie (Document Ops customer portal):

Strictly-necessary session cookie for magic-link auth (HttpOnly, Secure, SameSite=Lax).
Stripe cookies set during the checkout flow only.

On AI-First Websites we host for you: configurable per site. Default = self-hosted Umami (no cookies, IP-anonymised). If your site adds Stripe checkout or third-party widgets, those tools set their own cookies and you must disclose them in your own site's privacy notice.

8 · International transfers

Data residency by default is EU (Hetzner DE + Render DE + Stripe Dublin + Cloudflare EU routing). Sub-processors with US-based runtime (Vapi, Twilio, Anthropic) operate under the EU-US Data Privacy Framework and Standard Contractual Clauses. The DPA Schedule lists the transfer mechanism for each sub-processor.

9 · Security measures

TLS 1.3 in transit (Cloudflare-managed certificates).
Encryption at rest for backups + object storage.
Per-tenant database isolation enforced at the application middleware layer (Document Ops).
Magic-link authentication; no shared accounts; admin actions audit-logged to a JSONL event store.
Annual review of technical + organisational measures.
0.98 confidence gate in Document Ops + bounce-back path: doubtful extractions are returned to you with a one-line reason rather than silently exported. This is a quality control, not a security claim, but it limits one specific failure mode.

10 · Disputes + DPO contact

Until Ltd incorporation, the data-protection contact is Adam Vaughan at hello@callmeie.ie. We do not formally hold a DPO appointment under Article 37 (the legal threshold has not been crossed); a DPO will be appointed if and when CallMeIE Technologies Ltd reaches a scale that requires one.

Supervisory authority: Irish Data Protection Commission, 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland · dataprotection.ie.

12 · Call recording on the demo line

The CallMeIE demo line +353 61 788 120 records every inbound call. Recording starts the moment the AI assistant Clare picks up; Clare states the recording disclosure in her first sentence so callers know before they speak.

What is recorded: the full inbound audio (caller + assistant) and a verbatim transcript.
Why: product quality assurance, prompt tuning, abuse prevention, and to give Adam the evidence to fix any call that goes wrong. Not used for advertising, profiling, or training third-party AI models.
Lawful basis (GDPR Art 6): Article 6(1)(f) — legitimate interests. Our interest in continuously improving a live voice-AI product is balanced against the caller's privacy interest by (a) up-front disclosure in the assistant's first sentence, (b) a real opt-out path (tell Clare "I'd rather not be recorded" and she will note it; the recording is then manually deleted from storage within 24 hours), (c) restricted internal access (Adam only), (d) bounded retention (90 days), (e) EU-only data residency. Balancing test on record in our DPA.
Retention: 90 days from call end, then auto-deletion. Vapi (the voice-runtime sub-processor) holds the file in its own US-with-EU-routing storage for the first 14 days only as a transient working copy; within that window the recording is mirrored to Hetzner Object Storage (Nuremberg, DE) — our already-disclosed EU sub-processor — and the durable archive lives there for the remaining 90-day window with a server-side lifecycle policy enforcing auto-delete. After 90 days no copy remains on either side.
Opt-out: tell Clare during the call: "I'd rather not be recorded." She will acknowledge and note the opt-out flag on the call record. Within 24 hours of the call ending, the recording + transcript for that call are manually deleted from both Vapi and Hetzner storage. You can also email hello@callmeie.ie with the date/time of your call and we will purge it within 24 hours.
Your rights: the standard §6 GDPR rights apply to your recording — access, erasure, restriction, objection, portability. Email hello@callmeie.ie with the date/time of your call.

Real-client deployments (paying tier) — different lawful basis: when CallMeIE is deployed as a receptionist for a real Irish business that you ring on the business's own number, the recording is processed under Article 6(1)(b) contract (the recording IS the service the business has contracted for) and the business is the controller. That business's own privacy notice governs that recording; CallMeIE is the processor. The 90-day retention + EU-residency + Hetzner archive posture is the same.

11 · Changes to this policy

We will give you 30 days' written notice of any material change to this Privacy Policy. Notice is delivered to the contact email on your Order Form. Continued use after the notice period is acceptance. The "Last updated" stamp at the top reflects the most recent change.

Version history:

v1.1 · 2026-05-11 — added §12 explicitly covering call recording on the +353 61 788 120 demo line (disclosure, lawful basis Art 6(1)(f), 90-day retention via Hetzner Object Storage archive, opt-out path).
v1.0 · 2026-05-04 — first multi-product version (covers all three products: AI Receptionist + Document Ops + AI-First Websites). Replaces the previous Receptionist-only version at /receptionist/privacy.html.