Vocalyy
  • About
  • Services
  • Industries
  • Pricing
  • Blog
  • Contact
Talk to us Talk to us

Data Retention Policy

Version 2.0 — last updated 9 July 2026
Table of contents
  1. Vocalyy's roles — controller vs. processor
  2. Retention periods table
  3. Audio recording — why it does not appear in the table
  4. Automatic deletion
  5. Deletion at your request (Art. 17 GDPR)
  6. Exceptions to deletion
  7. Physical deletion — the technical cascade
  8. Audit and verification
  9. Changes to the policy
  10. Contact

This policy describes how long we keep each category of personal data and what the basis/reason for that period is. The policy implements the principles of storage limitation and data minimization set out in Art. 5(1) of Regulation (EU) 2016/679 (GDPR).

In short: We keep each category of data only for as long as necessary for the purpose for which it was collected, or for as long as the law requires (for example, accounting legislation). When the purpose ceases to apply and there is no legal obligation to retain the data, it is deleted.

1. Vocalyy's roles — controller vs. processor

Vocalyy SRL acts in two distinct legal capacities, depending on the category of data, and the retention periods below must be read with this in mind:

  • Controller for our client's own data (contact person, legal representative, billing data, account/authentication data, business communications). For this data, Vocalyy alone determines the purposes and means of processing.
  • Processor for the data of our client's callers (the customers, patients, or prospective customers of the business who call or are called through the Vocalyy voice agent). For this data, the Vocalyy client is the controller, and we process it exclusively based on the client's documented instructions, in accordance with Art. 28 GDPR.

Vocalyy does not determine the purposes or legal basis on which our client collects data about its callers. The client, as controller, is responsible for identifying the applicable legal basis (for example, consent, legitimate interest, or performance of a contract), for informing the data subjects (callers), and for obtaining any necessary consent, including for special category data under Art. 9 GDPR or personal numeric code (CNP) data under Law No. 190/2018.

2. Retention periods table

The table below is the single reference for the retention periods used by Vocalyy. Items marked [X] represent periods currently undergoing final confirmation before publication and will be completed with exact values.

Category Period Legal basis / reason
Caller's phone number [X months] — to be confirmed Legitimate interest of the client (controller) in the history of the relationship with the caller; Vocalyy's operational necessity as processor
Call metadata (date, time, duration) [X months] — to be confirmed Same as above
Full conversation transcript [X months] — to be confirmed May contain special category data (for example, health data) — requires limited retention and enhanced security under Art. 9 GDPR and Law No. 190/2018
Billing data (Vocalyy client) 5 years, calculated from 1 July of the year following the end of the financial year in which they were prepared Art. 25 of Accounting Law No. 82/1991, as amended by Law No. 36/2023
Audit logs [X] — to be confirmed Security and accountability under Art. 5(2) and Art. 32 GDPR
Website/demo data (not client caller data) [X] — to be confirmed Vocalyy's legitimate interest — website analytics, management of demo requests
Cookies [X] — per the cookie policy / consent Consent, Art. 6(1)(a) GDPR (for non-essential cookies)
Account data (Vocalyy client: name, phone, business, authentication) [X] — generally for the duration of the contract, plus the applicable subsequent legal period Performance of the contract, Art. 6(1)(b) GDPR

3. Audio recording — why it does not appear in the table above

In short: Vocalyy does not store the audio recording of calls. Audio is recorded and hosted by ElevenLabs, our AI voice sub-processor — never on Vocalyy's servers.

The Vocalyy dashboard displays a "Download audio" button. Pressing this button downloads the audio recording directly from ElevenLabs to the client's own device — Vocalyy's servers never store and do not have persistent access to the audio file at any point.

From the moment of download, the client becomes the sole controller of that copy of the audio recording and is solely responsible for its security, storage, and any subsequent processing.

The retention period for audio at ElevenLabs: [X] — to be confirmed by Vocalyy, treated as sub-processor information, in accordance with the Sub-processors List.

4. Automatic deletion

We have automated mechanisms that run periodically to delete data that has exceeded the applicable retention period set out in the table in Section 2. These mechanisms are periodically monitored to confirm correct operation.

5. Deletion at your request (Art. 17 GDPR)

You have the right to request the deletion of your personal data ("the right to be forgotten," Art. 17 GDPR) at any time, through:

  • Email to privacy@vocalyy.ro or dpo@vocalyy.ro
  • The "Delete account" button in the dashboard (where available)
  • Written request to the registered office of Vocalyy SRL

We commit to responding within a maximum of 30 days of receiving the request, in accordance with Art. 12 GDPR.

6. Exceptions to deletion

Under Art. 17(3) GDPR, the right to erasure is not absolute. We cannot delete certain data when there is a legal obligation to retain it, including:

  • Billing data — kept for 5 years under Art. 25 of Accounting Law No. 82/1991 (as amended by Law No. 36/2023)
  • Data necessary for the establishment, exercise, or defense of a legal claim — until the expiry of the applicable limitation period
  • Audit logs — necessary to fulfill security obligations under Art. 32 GDPR

In these cases, we restrict access to the relevant data to authorized personnel only and do not use it for any purpose other than the one that justifies its retention.

7. Physical deletion — the technical cascade

Once triggered, the deletion of a data category propagates through all systems in which it is stored:

  • Primary database — deletion from the active system
  • Cache and operational logs — removal as soon as reasonably possible
  • Backups — removal at the next backup cycle rotation
  • Sub-processors — we request corresponding deletion in accordance with the contractual obligations assumed under the Data Processing Agreement (DPA) signed with each sub-processor

8. Audit and verification

The retention policy is reviewed periodically to confirm that the stated periods correspond to actual practice and to the legal obligations in force.

9. Changes to the policy

Any change to this policy will be:

  • Published on this page, with the date of the new version
  • Communicated to our clients with sufficient advance notice before taking effect, for significant changes

10. Contact

For questions about retention or to request deletion of your data:

  • Privacy contact channel: dpo@vocalyy.ro
  • Data subject access requests (DSAR): privacy@vocalyy.ro

The address dpo@vocalyy.ro is a privacy contact channel and does not, in itself, imply the formal designation of a Data Protection Officer (DPO) within the meaning of Art. 37 GDPR.

Related pages: Privacy Policy · Sub-processors · About the AI System · Data Processing Agreement (DPA)

This document was drafted with computer assistance based on information available at the time of drafting and does not constitute legal advice from a licensed attorney. Vocalyy SRL recommends that this document be reviewed by an attorney specializing in data protection before publication, signature, or use in client relationships.

Vocalyy

© 2026 Vocalyy SRL — All rights reserved.