Privacy Policy

Vociply Limited (“Vociply”, “we”, “us”, “our”) operates the Vociply platform at vociply.com — a cloud-based service that enables businesses to build, deploy, and manage AI-powered voice agents over telephony networks (the “Platform”).

This Privacy Policy governs how we collect, use, store, disclose, and protect personal data in connection with the Platform. It applies to:

• Business Customers — companies and individuals who subscribe to and use the Platform to build and deploy voice AI agents;
• End-Users — individuals who interact with AI voice agents deployed by our Business Customers via telephone; and
• Visitors — individuals who browse vociply.com.

By accessing the Platform or interacting with a Vociply-powered voice agent, you confirm that you have read and understood this Policy.

Vociply operates in two distinct legal capacities depending on context.

As a Data Controller, Vociply determines the purpose and means of processing for data we collect directly — including Business Customer account and billing information, and website visitor data.

As a Data Processor, when Business Customers deploy voice agents on the Platform, Vociply processes call recordings, transcripts, metadata, and End-User information strictly on behalf of, and under the instruction of, those Business Customers. In this capacity, the Business Customer is the data controller and bears full responsibility for establishing a lawful basis for processing End-User data, and for maintaining appropriate privacy notices informing End-Users that their calls may be recorded and processed by AI systems.

Data Processing Agreements (DPAs) are available to Business Customers upon request. All processing conducted by Vociply as processor is governed by those agreements.

3.1 Business Customer Data

• Account Information: Name, email address, company name, job title, and login credentials provided at registration.
• Payment Information: Billing address, card details, and transaction history. Card data is processed exclusively by our PCI-DSS compliant payment processors. Vociply does not store payment card numbers on its systems.
• Configuration Data: Voice agent settings, telephony configurations, API keys, webhook endpoints, and integration preferences.
• Support Data: Information shared through support tickets, email, or chat.

3.2 Call and Voice Data (Processed on Behalf of Business Customers)

• Call Recordings: Audio recordings of calls between End-Users and deployed voice agents, subject to Business Customer configuration.
• Transcripts: Text transcriptions derived from call audio.
• Call Metadata: Caller telephone numbers, timestamps, call duration, geographic origin (country/region level), and call disposition data.
• End-User Inputs: Information voluntarily provided by End-Users during agent interactions, such as names, reference numbers, or stated preferences.

3.3 Automatically Collected Data

• Log Data: IP addresses, browser type, pages visited, referral URLs, and access timestamps collected when you visit vociply.com.
• Cookies and Tracking Technologies: Session cookies, analytics cookies, and similar technologies. See Section 9 for full details.
• Device Data: Device type, operating system, and browser version.

3.4 Sensitive Data

The Platform may incidentally process sensitive categories of personal information if End-Users voluntarily disclose such information during calls (for example, health-related or financial details). Business Customers are solely responsible for ensuring they hold appropriate consent and legal authority to process such data through the Platform and must configure their agents accordingly.

4.1 To Deliver the Platform

• Routing telephony traffic and processing voice agent interactions
• Authenticating Business Customer accounts and managing subscriptions
• Processing payments and issuing invoices
• Storing call recordings and transcripts per Business Customer configuration
• Providing dashboards, analytics, and reporting

4.2 To Improve Our Services

• Analysing aggregated, de-identified usage patterns to improve Platform performance and reliability
• Conducting internal research and product development

We will not use identifiable call recordings or transcripts to train AI models without the express written consent of the relevant Business Customer.

4.3 To Communicate With You

• Sending transactional communications: account alerts, payment confirmations, and security notices
• Sending product updates and marketing communications, from which Business Customers may opt out at any time

4.4 For Legal and Security Purposes

• Complying with applicable laws, regulations, and lawful government requests
• Detecting, preventing, and investigating fraud, abuse, or security incidents
• Enforcing our Terms of Service and contractual agreements

For data processed on behalf of Business Customers, the Business Customer is responsible for identifying and documenting the lawful basis applicable to their End-User processing activities.

We do not sell personal data.

We may share information in the following circumstances only.

6.1 Service Providers and Sub-Processors

We engage trusted third-party providers who process data on our behalf, including cloud infrastructure providers, telephony carriers, AI model providers, payment processors, analytics tools, and customer support platforms. All sub-processors are bound by data processing obligations that meet or exceed the standards in this Policy. A current list of sub-processors is available upon request.

Our telephony and voice infrastructure is delivered through a carrier-grade infrastructure partner operating one of the world's largest private IP voice networks. This partner processes call traffic and telephony data on our behalf under robust contractual data protection obligations.

6.2 Business Customers

Call recordings, transcripts, metadata, and analytics derived from End-User interactions are made available to the relevant Business Customer through the Platform dashboard and API. Business Customers determine the retention and further use of that data.

6.3 Legal Requirements

We may disclose personal data where we believe in good faith that disclosure is required to: comply with a legal obligation; respond to a valid governmental or regulatory request; enforce our Terms of Service; or protect the rights, property, or safety of Vociply, our customers, or the public.

6.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, personal data may form part of the transferred assets. We will provide notice before personal data is transferred and becomes subject to a different privacy policy.

Vociply operates internationally and your data may be transferred to, stored in, and processed in countries other than your country of residence — including the United States — where our infrastructure partners and service providers operate.

Where required by applicable law, we implement appropriate safeguards for cross-border transfers, including Standard Contractual Clauses (SCCs) and Data Processing Agreements with Business Customers and sub-processors. Enterprise Business Customers with specific data residency requirements should contact us to discuss available options.

We retain personal data for as long as necessary to fulfil the purposes set out in this Policy, unless a longer period is required by law.

Business Customers may request early deletion of call data via the Platform dashboard or by contacting support@vociply.com. We will process deletion requests within 30 days.

• Strictly Necessary: Required for the website and Platform to function. These cannot be disabled.
• Analytics: Help us understand how visitors use our website (for example, via Google Analytics). You may opt out via our cookie consent manager or your browser settings.
• Marketing: Used to deliver relevant communications. Placed only with your explicit consent.

You may manage your cookie preferences at any time through our cookie consent banner or your browser settings. Disabling certain cookies may affect your experience on the Platform.

The Vociply Platform is built on carrier-grade infrastructure engineered for enterprise-level security, reliability, and regulatory compliance. Our platform-level security posture is anchored in the following certifications and commitments:

• SOC 2 Type I and Type II (Security, Confidentiality, and Availability) — independently audited
• SOC 3 — publicly shareable summary of SOC 2 controls
• ISO 27001:2013 — certified information security management
• ISO 27701:2019 — privacy information management
• PCI DSS — payment card industry data security standard
• HIPAA-eligible infrastructure — for applicable healthcare use cases
• GDPR and CCPA compliant — data privacy regulations across the EU and US
• EU-U.S. Data Privacy Framework (DPF) certified, including UK Extension and Swiss-U.S. DPF

In addition to platform-level certifications, Vociply implements the following operational controls:

• Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
• Role-based access controls (RBAC) restricting data access to authorised personnel
• Multi-factor authentication (MFA) on all internal systems
• Regular security assessments and penetration testing
• Incident response procedures with mandatory breach notification protocols

In the event of a data breach posing a risk to your rights and freedoms, we will notify affected Business Customers within 72 hours of becoming aware of the breach, in line with applicable law.

11.1 Rights of Business Customers

Business Customers may exercise the following rights in respect of their personal data held by Vociply:

• Access: Request a copy of personal data we hold about you
• Correction: Request correction of inaccurate or incomplete data
• Deletion: Request deletion of personal data, subject to legal retention obligations
• Portability: Receive your data in a structured, machine-readable format
• Restriction: Request that we restrict processing in certain circumstances
• Objection: Object to processing based on legitimate interests or direct marketing

11.2 Rights of End-Users

End-Users whose data is processed through the Platform should direct privacy requests to the Business Customer that deployed the voice agent they interacted with, as that Business Customer is the data controller. Where Vociply receives such requests directly, we will forward them to the appropriate Business Customer within 5 business days.

11.3 U.S. State Privacy Rights

Residents of U.S. states with applicable privacy legislation — including California (CCPA/CPRA), Virginia, Colorado, and Connecticut — have additional rights, including the right to know, the right to delete, the right to correct, and the right to opt out of the sale or sharing of personal information.

Vociply does not sell or share personal information as defined under the CCPA/CPRA. We do not knowingly sell or share the personal information of consumers under 16 years of age.

11.4 African Privacy Rights

We respect the rights established under applicable African data protection legislation, including Kenya's Data Protection Act 2019 and equivalent laws across the jurisdictions in which we operate. These rights include the right to access, rectification, erasure, objection to processing, and the right to lodge a complaint with a relevant data protection authority.

12.1 Call Recording Consent

Business Customers bear sole legal responsibility for compliance with all applicable call recording consent laws in the jurisdictions where they deploy voice agents. This includes, without limitation:

• All-party (two-party) consent requirements under applicable U.S. state laws, including California Penal Code Section 632
• One-party consent requirements under U.S. federal law (18 U.S.C. § 2511)
• Applicable consent obligations under the Kenya Information and Communications Act and Data Protection Act 2019
• Any other national or regional legislation governing the recording or interception of communications

Vociply strongly recommends that all Business Customers implement a call disclosure prompt at the start of each interaction. Configurable disclosure prompts are available natively within the Platform.

12.2 Outbound Calling Compliance

Business Customers are solely responsible for compliance with all applicable do-not-call registries, telemarketing laws, and anti-spam regulations when using the Platform to initiate outbound calls — including the U.S. Telephone Consumer Protection Act (TCPA) and equivalent regulations in African jurisdictions.

12.3 Emergency Services

Vociply voice agents are not designed to handle emergency calls. Business Customers must not deploy voice agents as a substitute for emergency services and must ensure that End-Users in emergency situations are appropriately directed to human agents or local emergency services.

The Platform is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. Business Customers must not deploy voice agents directed at children under the age of 13 (or the applicable local minimum age) without implementing appropriate safeguards and obtaining verifiable parental consent as required by law.

If you believe we have inadvertently collected data relating to a child, contact us immediately at admin@vociply.com.

Business Customers who require a Data Processing Agreement (DPA) to satisfy obligations under the GDPR, CCPA/CPRA, Kenya's Data Protection Act 2019, or any other applicable legislation may request our standard DPA by contacting admin@vociply.com. The DPA covers sub-processor management, data subject rights assistance, security obligations, and breach notification responsibilities.

We may update this Privacy Policy from time to time. When we make material changes, we will post the revised Policy at vociply.com with an updated effective date and notify Business Customers via email or in-Platform notification at least 30 days before changes take effect. Where required by law, we will seek your consent before applying changes. Continued use of the Platform after the effective date constitutes acceptance of the updated Policy.

For questions, concerns, or privacy rights requests:

We aim to respond to all privacy enquiries within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority.