Privacy Policy
Last updated: October 16, 2025
At ConversAI Labs, your privacy is critically important to us. This Privacy Policy outlines how we collect, use, protect, and share your personal information when you use our AI-powered voice agent platform, which enables automated customer communication, lead qualification, and engagement across voice channels.
⚠️ Important Notice
If you use our platform to record phone calls, YOU are responsible for complying with all applicable call recording laws in your jurisdiction. See Section 3 for details.
1. Information We Collect
1.1 Information You Provide
- Account Information: Name, email address, company name, business address, phone number
- Payment Information: Credit card details, billing address (processed securely via Stripe; we do not store full credit card numbers - only last 4 digits for display purposes. Stripe is PCI DSS Level 1 certified.)
- Customer/End-User Data: Phone numbers, names, and conversation data of individuals your AI agents interact with
- Call Content: Voice recordings, transcripts, and metadata from calls made through our platform
- Support Communications: Any information you provide when contacting customer support
- Biometric Data (Voice): Your voice recordings may be considered "biometric data" under certain laws (GDPR, BIPA in Illinois/Texas, etc.). We process voice data to:
  - Generate transcripts
  - Analyze sentiment and emotion
  - Identify speakers (if you enable this feature)
  - Improve speech recognition
Voice Print Technology: We DO NOT create permanent "voice prints" or biometric identifiers UNLESS you specifically enable speaker identification features.
Illinois/Texas Users: If you're in Illinois (BIPA) or Texas, you have additional biometric privacy rights. Contact dpo@conversailabs.com for details.
1.2 Information Automatically Collected
- Usage Data: Pages viewed, features used, time spent, click patterns, API calls made
- Device Information: IP address, browser type, operating system, device identifiers
- Call Metadata: Call duration, timestamp, phone numbers (caller & recipient), call outcome
- Log Data: System errors, performance metrics, security events
2. How We Use Your Information
- Service Delivery: To provide AI voice agent services, process calls, generate transcripts and insights
- Billing & Payments: To process subscription payments and send invoices
- Platform Improvement: To analyze usage patterns, fix bugs, and enhance AI models
- Customer Support: To respond to inquiries and troubleshoot issues
- Security & Fraud Prevention: To detect unauthorized access and prevent abuse
- Legal Compliance: To comply with applicable laws, regulations, and legal requests
- Marketing Communications: To send product updates, newsletters, and promotional offers (you may opt out)
3. Call Recording Disclosures (IMPORTANT)
⚠️ YOUR LEGAL OBLIGATIONS
ConversAI Labs provides call recording technology. However, YOU (the customer) are solely responsible for:
- Obtaining proper consent from all parties before recording calls
- Complying with federal, state, and international call recording laws
- Providing appropriate "This call is being recorded" disclosures
- Understanding and following two-party consent laws in applicable jurisdictions
3.1 Call Recording Laws by Jurisdiction
United States - All-Party Consent States (11 states require ALL parties to consent):
- California, Connecticut, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, Nevada, New Hampshire, Pennsylvania, Washington
Other US States: One-party consent (only one party needs to know about recording)
European Union: GDPR requires explicit consent and lawful basis for processing voice data
India:
- Legal Framework: Indian Telegraph Act, 1885; IT Act, 2000 (Section 66E)
- Consent Requirement: Unclear under law, but best practice = Both parties
- Business Calls: Announcing "This call is recorded" = Generally acceptable
- Recommended Practice:
  - Play auto-announcement: "This call is being recorded for quality and training purposes"
  - OR get explicit verbal consent
- TRAI Regulations: For marketing/sales calls, you must:
  - Check National Do Not Call (DND) Registry
  - Identify your company at call start
  - Not call between 9 PM and 9 AM
  - Provide opt-out option
- Penalties: Wiretapping = Up to 3 years imprisonment (IT Act Section 66E)
- Resources:
Other Countries: Consult local legal counsel - laws vary significantly
3.2 ConversAI's Liability Disclaimer
ConversAI Labs is NOT responsible for your illegal call recordings. If you record calls without proper consent and face legal action (including wiretapping lawsuits, criminal charges, or regulatory penalties), you agree to indemnify and hold ConversAI Labs harmless. See our Terms & Conditions for full indemnification terms.
3.3 What We Do With Call Recordings
- Store recordings securely in encrypted cloud storage
- Generate AI-powered transcripts and conversation insights
- Make recordings available to you and your authorized team members
- Use anonymized call data to improve our AI models (see Section 11)
- Delete recordings per your retention settings or upon account termination
4. Data Sharing and Third-Party Services
We do NOT sell your personal information. We share data only with the following categories of third parties:
4.1 Telephony Services
- Twilio: Handles phone call routing and connectivity. See Twilio Privacy Policy
  - Why: Required to make and receive phone calls
  - Data Shared: Phone numbers, call metadata, audio streams
4.2 AI & Language Processing
- OpenAI / Anthropic: Powers conversational AI and transcription. See OpenAI Privacy
  - Why: Required for AI voice agent responses and speech-to-text
  - Data Shared: Call audio, transcripts, conversation context
  - Note: We use enterprise API agreements with Zero Data Retention (ZDR) terms, meaning:
    - Your call data is NOT stored by OpenAI/Anthropic after processing
    - Your data is NOT used to train their public models
    - Data is processed in real-time and immediately discarded
    - Enterprise-grade data processing agreements in place
4.3 Payment Processing
- Stripe: Processes credit card payments. See Stripe Privacy Policy
  - Why: Required for subscription billing
  - Data Shared: Payment information, billing address, transaction amounts
4.4 Analytics & Performance Monitoring
- Google Analytics: Tracks website usage. See Google Privacy Policy
- Microsoft Clarity: Session recordings and heatmaps. See Microsoft Privacy
- Why: To improve user experience and platform performance
- Data Shared: Anonymized usage data, page views, clicks
- Opt-Out: Use browser extensions like uBlock Origin or Privacy Badger
4.5 CRM & Integration Partners
- When You Connect: If you integrate with Salesforce, HubSpot, or other CRMs, data is shared per your configuration
- You Control: Which data fields are synced and when
5. Cookies & Tracking Technologies
We use cookies and similar technologies to enhance your experience and analyze platform usage.
5.1 Types of Cookies We Use
| Cookie Type | Purpose | Can You Disable? |
|---|---|---|
| Essential | Authentication, security, session management | ❌ No - Required for service |
| Analytics | Google Analytics, Microsoft Clarity | ✅ Yes - Browser settings or extensions |
| Marketing | Ad targeting, conversion tracking | ✅ Yes - Opt-out via browser |
5.2 How to Control Cookies
- Browser Settings: Most browsers allow you to refuse cookies. See your browser's help documentation.
- Google Analytics Opt-Out: Install Google's opt-out browser add-on
- Do Not Track: We honor Do Not Track (DNT) signals where technically feasible
5.3 Cookie Consent Management
Note: Cookie banner implementation in progress. Until then, we use only essential cookies required for service functionality.
When you first visit our website, you'll see a cookie consent banner:
🍪 We use cookies to enhance your experience
[Accept All] [Reject Non-Essential] [Customize]
Your Choices:
- Accept All: All cookies enabled (analytics + marketing)
- Reject Non-Essential: Only essential cookies (login, security)
- Customize: Choose which cookie categories to allow
Change Anytime: Click the 🍪 icon in the footer to update your preferences.
For EU/EEA Users: We comply with ePrivacy Directive - non-essential cookies are NOT set until you give consent.
6. GDPR Compliance (EU Users)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR).
6.1 Lawful Basis for Processing
We process your personal data based on:
- Contract Performance: To provide our services under your subscription agreement
- Legitimate Interests: To improve our platform, prevent fraud, and ensure security
- Consent: For marketing communications (you may withdraw consent anytime)
- Legal Obligation: To comply with tax, accounting, and legal requirements
6.2 Your GDPR Rights
- Right to Access: Request a copy of your personal data
- Right to Rectification: Correct inaccurate or incomplete data
- Right to Erasure ("Right to be Forgotten"): Request deletion of your data (subject to legal retention requirements)
- Right to Data Portability: Receive your data in a machine-readable format (CSV, JSON)
- Right to Restriction: Limit how we process your data
- Right to Object: Object to processing based on legitimate interests
- Right to Withdraw Consent: For marketing emails (click "unsubscribe")
- Right to Lodge a Complaint: Contact your local data protection authority
To exercise these rights, email: dpo@conversailabs.com
6.3 International Data Transfers
Your data may be transferred to and processed in India and other countries. We use Standard Contractual Clauses (SCCs) approved by the European Commission to ensure adequate data protection. Upon request, we will provide a copy of the SCCs.
6.4 Automated Decision-Making
Our AI agents make automated decisions during customer interactions (e.g., qualifying leads, scheduling appointments). You have the right to request human review of any automated decision that significantly affects you.
6.5 India's Digital Personal Data Protection Act (DPDP Act 2023)
If you are located in India, you have rights under the Digital Personal Data Protection Act, 2023:
Your Rights:
- Right to access personal data
- Right to correction of inaccurate data
- Right to erasure (right to be forgotten)
- Right to grievance redressal
- Right to nominate (appoint someone to exercise rights after death)
Our Obligations:
- Process data lawfully, fairly, and transparently
- Obtain valid consent for processing
- Implement reasonable security safeguards
- Notify Data Protection Board of significant breaches
- Respond to your rights requests within prescribed timelines
Grievance Officer (India):
Name: Privacy Team (Team-based approach)
Email: grievance@conversailabs.com
Response Time: 24 hours (acknowledgment), 15 days (resolution)
Data Protection Board of India:
If you're unsatisfied with our response, you may file a complaint at: www.dataprotection.gov.in
(Note: As of October 2025, the Board is being constituted. Check MeitY website for updates)
Data Localization:
Primary data storage: India (Mumbai region)
Backup: India + encrypted international backups (with SCCs)
7. Data Retention Periods
| Data Type | Retention Period | Reason |
|---|---|---|
| Call Recordings | 90 days (default, configurable up to 2 years) | Customer-configured retention settings |
| Transcripts & Insights | Same as call recordings | Derived from recordings |
| Account Information | Duration of subscription + 3 years | Tax, accounting, legal compliance |
| Billing Records | 7 years | Tax laws and accounting requirements |
| Usage Logs | 12 months | Security audits, troubleshooting |
| Backup Data | 30 days in disaster recovery backups | Business continuity |
7.1 Deletion Request Process
- Submit deletion request to connect@conversailabs.com
- We verify your identity (within 3 business days)
- Data deleted from production systems (within 14 days)
- Backup copies purged (within 30 days)
- Confirmation email sent upon completion
Exception: We may retain data if legally required (e.g., ongoing litigation, tax audits).
8. Data Security
We implement industry-standard security measures to protect your data:
- Encryption: AES-256 encryption at rest; TLS 1.3 in transit
- Access Controls: Role-based access (RBAC), multi-factor authentication (MFA), principle of least privilege
- Infrastructure Security: SOC 2 Type II compliant cloud hosting, firewalls, intrusion detection
- Regular Audits: Quarterly security assessments, penetration testing, vulnerability scans
- Employee Training: Annual security awareness training, background checks for employees with data access
- Monitoring: 24/7 security monitoring, automated threat detection
9. Security Breach Notification
In the event of a data breach involving your personal information:
- Notification Timing: We will notify affected users and relevant supervisory authorities within 72 hours of becoming aware of the breach (as required by GDPR)
- Notification Method: Email to your registered account email address
- Information Provided:
  - Nature of the breach and data affected
  - Likely consequences and potential risks
  - Measures we've taken to address the breach
  - Recommended actions you should take
- Incident Response: We maintain a documented incident response plan and will work with law enforcement and cybersecurity experts as needed
9.1 India-Specific Breach Notification
Under India's DPDP Act 2023:
- We will notify the Data Protection Board of India "as soon as possible"
- We will notify affected individuals without undue delay
- Notification includes: nature of breach, data affected, remedial actions
For Payment Data Breaches:
If payment/financial data is compromised:
- RBI notification: Within 6 hours
- Affected customers: Immediately
- Detailed report: Within 7 days
10. Team & Admin Access
If you use a team or multi-user account:
- Administrator Privileges: Your account administrator(s) can:
  - View all call recordings and transcripts made by team members
  - Access usage analytics for all users
  - Add, remove, or modify user permissions
  - Configure retention policies and integrations
- Team Member Visibility: Other team members may see shared call recordings, contacts, and analytics depending on their assigned role
- Your Responsibility: You are responsible for managing your team's access and ensuring they comply with this Privacy Policy and our Terms & Conditions
11. Anonymized & Aggregated Data Use
We may anonymize or aggregate your personal information so that you cannot be individually identified ("Anonymized Data"). We use Anonymized Data to:
- Improve AI Models: Train and refine our conversational AI, speech recognition, and natural language processing
- Develop New Features: Identify common use cases and customer needs
- Industry Benchmarks: Create aggregated reports on call metrics, conversion rates, industry trends
- Research & Publications: Publish anonymized insights in blog posts, whitepapers, and presentations
Important: Anonymized Data cannot be traced back to you. However, we do NOT use your identifiable call content to train public AI models (like OpenAI's ChatGPT).
12. Legal Requests & Law Enforcement
We may access, preserve, and disclose your information to third parties if we determine that such disclosure is reasonably necessary to:
- (a) Comply with the law, legal requests (subpoenas, court orders), or government investigations
- (b) Enforce our Terms & Conditions or investigate potential violations
- (c) Detect, prevent, or address fraud, security, or technical issues
- (d) Protect the rights, property, or safety of ConversAI Labs, our users, or the public
12.1 User Notification
When legally permitted, we will notify you of government data requests and provide a copy of the request. However, we may be prohibited from notifying you in cases involving national security, ongoing investigations, or gag orders.
13. International Users & Data Transfers
ConversAI Labs is based in India. We serve customers globally, and your information may be transferred to, stored in, and processed in India and other countries where our service providers operate.
- For EU/EEA/UK Users: We use Standard Contractual Clauses (SCCs) approved by the European Commission
- For US Users: Data may be stored in AWS US data centers
- Data Protection Standards: We require all third-party processors to maintain data protection standards equivalent to this Privacy Policy
By using our services, you acknowledge and consent to these international data transfers.
14. Your Rights
Depending on your jurisdiction, you may have the following rights:
- Access: Request a copy of your personal data
- Update: Correct inaccurate or outdated information (you can do this directly in your account settings)
- Delete: Request deletion of your data (see Section 7.1 for process)
- Export: Download your data in CSV or JSON format
- Opt-Out of Marketing: Unsubscribe from promotional emails (click "unsubscribe" in any marketing email)
- Withdraw Consent: For processing based on consent (e.g., marketing communications)
- Object to Processing: Object to processing based on legitimate interests
To exercise these rights, contact us at connect@conversailabs.com or WhatsApp +91 9910 153 790.
Right to Nominate (India Only - DPDP Act)
If you are located in India, you can nominate another person to exercise your data rights in the event of your death or incapacity.
To nominate someone:
- Email connect@conversailabs.com with:
  - Nominee's name and contact
  - Your signed authorization
- We'll confirm and store nomination
- Nominee can exercise your rights upon providing proof
14.1 Response Timeline
- We will acknowledge your request within 3 business days
- We will fulfill valid requests within 30 days (or as required by applicable law)
- For complex requests, we may extend by an additional 30 days (we will notify you)
15. Contact Us & Data Protection Officer
For any questions, concerns, or requests related to this Privacy Policy or our data handling practices, please contact:
16. Children's Privacy
Our services are NOT intended for individuals under 18 years of age.
We Do Not Knowingly Collect Data from Minors:
- We do not direct our services to children
- We do not knowingly collect personal information from anyone under 18
- If we discover we've collected data from a minor, we delete it immediately
If You're a Parent:
If you believe your child has provided us with personal information, contact us at connect@conversailabs.com and we will delete it within 48 hours.
Age Verification: By using our services, you represent that you are at least 18 years old.
17. Export Controls
Our AI technology may be subject to export control laws and regulations, including those of India and the United States.
You agree NOT to:
- Export or re-export the Service to prohibited countries
- Use the Service for any purpose prohibited by export laws
- Provide access to individuals on sanctions lists
Sanctioned Regions: We do not provide services to users in countries sanctioned by the UN, US, or Indian government.
18. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or business operations. When we make material changes, we will:
- Update the "Last updated" date at the top of this page
- Notify you via email to your registered account email address
- For significant changes affecting your rights, request your renewed consent where required by law
We encourage you to review this Privacy Policy periodically. Your continued use of our services after changes are posted constitutes acceptance of the updated policy.
📋 Legal Disclaimer
This Privacy Policy is provided for informational purposes. It does not constitute legal advice. If you have specific questions about privacy laws applicable to your business or jurisdiction, please consult with a qualified attorney.