Privacy Policy

This policy explains what data we collect about you when you use vocalyy.ro, when you book a demo call, or when you use our AI voice agent service, and how we protect that data in line with the General Data Protection Regulation (EU 2016/679 — "GDPR") and Romanian law.

1. Who we are

The data controller is Vocalyy SRL, a Romanian limited liability company. For any questions about your personal data, contact us at agent@vocalyy.ro.

2. What data we collect

2.1 Data collected when you visit the site

• IP address, browser type, operating system, pages visited
• Date and time of visit, traffic source
• Cookies (see section 8)

2.2 Data you give us when you book a demo

• Full name
• Email address
• Phone number
• Company name and industry
• Optional notes about your needs

2.3 Data collected when you test a demo voice agent on the site

• Audio recording of your call with the agent (typically up to 2 minutes)
• Automatic transcript of the conversation
• Microphone permission granted to your browser

2.4 Data we collect as a Vocalyy subscriber

• Billing data: company name, tax ID (CUI), address, IBAN if applicable
• Contact details for the authorised representative
• Information about your business needed to build the agent (hours, prices, services, FAQ etc. — provided by you via the onboarding form or call)
• Data about calls your agent processes (audio recordings, transcripts, duration, caller number, bookings created) — see below

2.5 Data about your agent's callers

When your agent answers a call, we record the conversation, the transcript and the call metadata. In this context, you (our client) are the controller of your callers' data, and Vocalyy SRL is the processor acting on your behalf. We sign a Data Processing Agreement (DPA) with every B2B client.

3. Why we collect it (legal basis)

Data category	Purpose	GDPR legal basis
Web traffic data, analytics cookies	Understanding site usage, content improvement	Consent (Art. 6.1.a)
Demo form data	Scheduling and preparing the call	Pre-contractual steps (Art. 6.1.b)
On-site demo audio recording	Demo functionality, quality monitoring	Consent + legitimate interest (Art. 6.1.a + 6.1.f)
Billing and contractual data	Performance of the service contract	Contract (Art. 6.1.b) + Legal obligation (Art. 6.1.c)
Call recordings on subscriber agents	Service delivery, agent improvement	Contract with B2B client (Art. 6.1.b) — caller is informed at the start of every call

4. How long we keep your data

Data type	Retention period
Web log and traffic data	Up to 12 months
Cookies (analytics)	Up to 13 months or until consent is withdrawn
Demo form data	24 months from last interaction
On-site demo audio recordings	30 days for quality, then deleted
Billing data	10 years (Romanian tax obligation)
Subscriber call recordings	Per the contract with the client; default 90 days, deleted immediately on client request

5. Who we share it with (sub-processors)

We use external providers that process data on our behalf. All have GDPR-compliant data processing agreements in place.

Provider	Role	Location
OpenAI, L.L.C.	AI model that generates voice responses (Realtime API)	USA — DPF certified
Anthropic PBC	Claude LLM (optional fallback)	USA — DPF certified
Telnyx LLC	Phone call routing + media streaming	USA — DPF certified
Supabase Inc.	PostgreSQL database + authentication	EU (Frankfurt, Germany)
Render Services, Inc.	Backend application hosting	USA — DPF certified
Resend	Transactional email	USA — SCC / DPF
Cal.com Inc.	Demo call scheduling	EU / USA
Stripe Payments Europe Ltd.	Payment processing	EU (Ireland)
SmartBill SRL	Romanian-compliant invoicing	Romania

The full and current list is published at vocalyy.com/en/sub-processors. We notify B2B customers by email at least 30 days before any change.

6. International transfers

Some providers (OpenAI, Anthropic, Telnyx, Render) are based or have servers in the United States. Transfers are protected by the EU-US Data Privacy Framework (DPF) and, where applicable, by Standard Contractual Clauses. We do not transfer data to other third countries.

7. Your rights under GDPR

You have the right to:

• Access — find out what data we hold about you
• Rectification — correct inaccurate data
• Erasure ("right to be forgotten") — ask us to delete your data
• Restrict — temporarily limit processing
• Portability — receive your data in a structured format
• Object — to processing based on legitimate interest
• Withdraw consent at any time (where consent was the legal basis)

Send requests to agent@vocalyy.ro — we respond within 30 days.

8. Cookies and similar technologies

We use cookies for:

• Strictly necessary cookies (site function — session, language preference) — no consent required
• Analytics cookies (anonymous visitor counting) — consent required

We ask for consent via the banner shown on first visit. You can change your preferences at any time via the "Cookies" link in the site footer.

9. Security

We use reasonable technical and organisational measures: encryption in transit (HTTPS / TLS 1.2+), role-based access control, hashed passwords, continuous monitoring. No system is 100% impenetrable. We notify the supervisory authority (ANSPDCP) and affected users within 72 hours of discovering a breach that presents a risk.

10. Minors

The Vocalyy service is exclusively addressed to businesses (B2B). We do not knowingly collect data from people under 16. If you notice a minor has provided data, write to agent@vocalyy.ro and we will delete it.

11. Changes to this policy

We may update this policy. Significant changes are announced by email (to clients) or via a banner on the site at least 30 days before they take effect. The current version is shown at the top of the page.

12. Contact and complaints

For any question or request about your data: agent@vocalyy.ro.

If you are not satisfied with our response, you can file a complaint with the Romanian Data Protection Authority (ANSPDCP):

• B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, 010336 Bucharest, Romania
• anspdcp@dataprotection.ro
• www.dataprotection.ro