Vocito.ai · AI Voice Receptionist Platform
Vocito.ai B.V. ("Vocito", "we", "us", or "our") is committed to protecting the privacy and personal data of our customers, their end users, and visitors to our website. This Privacy Policy explains how we collect, use, store, share, and protect personal data in connection with the Vocito platform and related services.
Beta period notice (May 2026 – GA): Vocito is currently in Beta. During this period, call recordings, transcripts, and AI-generated conversation metadata are retained for 90 days by default (vs. the longer GA retention windows in Section 11). Aggregated, anonymized Beta usage data may be analyzed to improve the Service. We do not sell personal data and we do not share PII with third parties for marketing purposes. You may export or delete your data at any time via the dashboard.
We process personal data in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the Dutch GDPR Implementation Act (Uitvoeringswet AVG), the EU AI Act (Regulation (EU) 2024/1689), and other applicable data protection laws.
For personal data related to customer accounts, website visitors, and marketing, Vocito.ai B.V. is the data controller within the meaning of Article 4(7) GDPR.
For personal data processed on behalf of our customers through the Service (including call recordings, transcripts, lead data, SMS, and email communications), Vocito acts as a data processor on behalf of the customer, who is the data controller. The processing relationship is governed by our Data Processing Agreement.
This Privacy Policy applies to:
| Data Category | Examples | Purpose |
|---|---|---|
| Identity data | Full name, business name, job title | Account creation, identification |
| Contact data | Email address, phone number, business address | Communication, service delivery |
| Authentication data | Password (hashed), SSO tokens | Account security |
| Billing data | Payment method details, billing address, invoices | Subscription management, payment processing |
| Business data | Company size, industry, operating hours, services offered | AI agent configuration |

| Data Category | Examples | Purpose |
|---|---|---|
| Call recordings | Audio files of inbound phone calls | Service delivery, quality assurance |
| Call transcripts | Text transcriptions of recorded calls | Lead extraction, review, analytics |
| Call metadata | Caller ID, call duration, timestamp, call status | Service delivery, analytics |
| SMS messages | Content of sent/received text messages | Follow-up communications |
| Email data | Email addresses, subject lines, email content (via Gmail/Microsoft 365 integration) | Email notifications, lead management |

| Data Category | Examples | Purpose |
|---|---|---|
| Lead information | Name, phone number, email, inquiry details | Lead management for customers |
| Booking data | Appointment dates, times, service types | Scheduling on behalf of customers |
| CRM records | Customer interaction history, notes, tags | Relationship management |

| Data Category | Examples | Purpose |
|---|---|---|
| Usage data | Features used, call volumes, login history, dashboard interactions | Service improvement, analytics |
| Device and browser data | IP address, browser type, operating system, screen resolution | Security, compatibility, analytics |
| Log data | Server logs, error logs, API request logs | Debugging, security monitoring |
| Cookie data | Session cookies, analytics cookies | See Cookie Policy section |
Vocito does not intentionally collect special categories of personal data (Article 9 GDPR), such as health data, biometric data, or data revealing racial or ethnic origin. However, callers may voluntarily disclose such information during phone calls. Customers are responsible for implementing appropriate safeguards if their business context is likely to involve special category data.
We process personal data based on the following legal grounds under Article 6(1) GDPR:
| Processing Activity | Legal Basis | GDPR Article |
|---|---|---|
| Providing the Service to customers | Performance of a contract | Art. 6(1)(b) |
| Processing customer data on behalf of customers | Performance of a contract (DPA) | Art. 6(1)(b) |
| Billing and payment processing | Performance of a contract | Art. 6(1)(b) |
| Call recording (platform level) | Legitimate interest / Consent (managed by customer) | Art. 6(1)(f) / Art. 6(1)(a) |
| Security monitoring and fraud prevention | Legitimate interest | Art. 6(1)(f) |
| Service improvement and analytics | Legitimate interest | Art. 6(1)(f) |
| Marketing communications | Consent | Art. 6(1)(a) |
| Compliance with legal obligations | Legal obligation | Art. 6(1)(c) |
| Responding to data subject requests | Legal obligation | Art. 6(1)(c) |
We use personal data for the following purposes:
When an inbound call is received by a Vocito AI Agent:
Each Vocito AI Agent is configured to inform callers that the call may be recorded and transcribed at the beginning of the conversation. By continuing the call after this disclosure, the caller provides implied consent for recording. Customers (as data controllers) are responsible for ensuring this consent mechanism complies with the laws of their jurisdiction.
Call recordings and transcripts are stored in Supabase infrastructure in the EU region. Access is restricted to the Customer who owns the AI Agent configuration and authorized Vocito support personnel (only when necessary for technical support).
In accordance with Article 50 of the EU AI Act, we provide the following transparency information:
Vocito engages the following sub-processors to deliver the Service. We require all sub-processors to enter into data processing agreements that ensure an equivalent level of data protection.
| Sub-Processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Twilio Inc. | Telephony infrastructure, voice routing, SMS delivery | Phone numbers, call audio (real-time), call metadata, SMS content | USA (EU routing available); SCCs in place |
| ElevenLabs Inc. | AI voice synthesis, speech-to-text | Call audio (real-time streaming for voice generation) | USA; SCCs in place |
| Anthropic PBC | Large language model (Claude) for conversation understanding and response generation | Call transcripts (real-time), conversation context | USA; SCCs in place |
| Google LLC | Large language model (Gemini) for conversation processing | Call transcripts (real-time), conversation context | USA / EU; SCCs in place |
| OpenAI Inc. | Large language model (GPT) for conversation processing | Call transcripts (real-time), conversation context | USA; SCCs in place |
| Supabase Inc. | Database hosting, file storage, authentication | All Customer Data (account data, call recordings, transcripts, leads, CRM data) | EU (Frankfurt region) |
| Railway Corp. | Backend application hosting | Application data in transit and processing | EU region |
We maintain an up-to-date list of sub-processors. Customers subscribed to our service will be notified at least 30 days in advance of any new sub-processor being engaged, providing the customer the opportunity to object.
Customer Data is primarily stored in the European Union using Supabase infrastructure located in the Frankfurt (EU) region.
Some of our sub-processors are based in the United States, which means personal data may be transferred outside the European Economic Area ("EEA"). For each transfer, we rely on one or more of the following safeguards:
Vocito conducts transfer impact assessments for each international transfer to evaluate whether the legal framework of the recipient country provides adequate protection for personal data. These assessments are reviewed periodically and updated as needed.
We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by applicable law.
| Data Category | Retention Period | Basis |
|---|---|---|
| Account data | Duration of the account + 30 days after deletion | Contract performance |
| Call recordings | 90 days from call date (default; configurable by customer) | Service delivery, customer configuration |
| Call transcripts | Duration of the account (default; configurable by customer) | Service delivery |
| Lead and CRM data | Duration of the account + 30 days | Service delivery |
| SMS messages | 90 days from send date | Service delivery |
| Billing data | 7 years after the transaction | Dutch fiscal retention obligations |
| Usage and log data | 12 months | Security, analytics |
| Marketing consent records | Duration of consent + 3 years | Legal compliance |
| Cookie data | See Cookie Policy section | Consent |
Customers may configure shorter retention periods for call recordings and transcripts through the dashboard. Upon account termination, Customer Data is deleted within 30 days unless a longer retention period is required by law.
Under the GDPR, you have the following rights regarding your personal data:
You have the right to request confirmation of whether we process your personal data and, if so, to receive a copy of that data along with information about the processing.
You have the right to request correction of inaccurate personal data and completion of incomplete data.
You have the right to request deletion of your personal data where it is no longer necessary for the purpose for which it was collected, you withdraw consent, or another ground under Article 17 applies. This right is subject to exceptions, such as legal retention obligations.
You have the right to request restriction of processing in certain circumstances, such as when you contest the accuracy of the data or object to processing.
You have the right to receive your personal data in a structured, commonly used, and machine-readable format (e.g., JSON, CSV) and to transmit it to another controller.
You have the right to object to processing based on legitimate interest (Art. 6(1)(f)). We will cease processing unless we demonstrate compelling legitimate grounds that override your interests. You have an absolute right to object to processing for direct marketing purposes.
Where processing is based on consent, you may withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
You have the right to lodge a complaint with a supervisory authority. The lead supervisory authority for Vocito.ai B.V. is the Autoriteit Persoonsgegevens (Dutch Data Protection Authority):
To exercise any of these rights, contact us at privacy@vocito.ai. We will respond to your request within 30 days. If we need more time (up to an additional 60 days), we will inform you of the extension and the reasons for the delay. We may request additional information to verify your identity before fulfilling your request.
If you are a caller who interacted with a Vocito-powered AI Agent, your personal data is controlled by the business that deployed the AI Agent. Please contact that business directly to exercise your data protection rights. If you are unable to identify or reach the business, you may contact us at privacy@vocito.ai and we will assist in directing your request.
Cookies are small text files placed on your device when you visit our website. We use cookies and similar technologies to operate the website, analyze usage, and improve your experience.
| Cookie Type | Purpose | Duration | Legal Basis |
|---|---|---|---|
| Strictly necessary | Authentication, security, session management | Session / up to 30 days | Legitimate interest (no consent required) |
| Functional | Remembering preferences, language settings | Up to 12 months | Consent |
| Analytics | Understanding usage patterns, page views, feature adoption | Up to 12 months | Consent |
You can manage your cookie preferences through the cookie banner displayed when you first visit our website. You can also control cookies through your browser settings. Note that disabling strictly necessary cookies may impair the functionality of the Service.
We do not use third-party advertising cookies. We may use analytics tools that set their own cookies, subject to your consent.
We implement appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction, including:
The Vocito Service is a business-to-business platform and is not directed at individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16 without appropriate parental consent, we will take steps to delete that data promptly. If you believe we have collected data from a child, please contact us at privacy@vocito.ai.
The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party services you access through the Service.
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by:
We encourage you to review this policy periodically. Your continued use of the Service after the effective date of a revised policy constitutes acceptance of the changes.
If you have questions or concerns about this Privacy Policy or our data processing practices, please contact us:
For formal data protection inquiries or to exercise your rights, please email privacy@vocito.ai with the subject line "Data Protection Request".