Privacy Policy

For our customers’ data (account, billing, dashboard usage), Tinos is the data controller.

For data collected during calls received on a customer’s number (recordings, transcriptions, caller contact details), the customer is the data controller and Tinos acts as a data processor, in accordance with Article 28 of the GDPR. Tinos processes this data only on the customer’s instructions and to provide the Service to them.

Tinos can be contacted via our contact page.

2.1. Customer data provided directly

• Registration data: email address, authentication account
• Profile data: name of the organization, business sector, configured number(s)
• Agent configuration: script, qualification rules, time slots, routing rules
• Payment data: handled by Stripe (we do not store your banking details)
• Communications: support requests, messages via the contact form

2.2. Data collected automatically

• Dashboard usage data: pages visited, features used
• Technical data: IP address, browser type, operating system
• Service usage data: number of calls, duration, minutes consumed

2.3. Data collected during calls

When a call is handled by the voice agent, the Service may process, on behalf of the customer:

• The audio recording of the call and its text transcription
• The caller’s number and the contact details they provide (name, phone, email, address)
• The subject of the request, its urgency, the appointment time slot and the call summary

This data may, depending on the customer’s sector and the content of the conversation, contain sensitive information within the meaning of the GDPR. The customer is responsible for the lawfulness of the collection and for informing callers. The agent announces at the start of the conversation that it is an artificial intelligence.

3.1. Provision of the service

• Create and manage your account and your agent configuration
• Receive, qualify and route calls, book appointments
• Notify you (SMS, email) and provide transcriptions and summaries
• Write the request, contact or time slot into your management tool (if integration is enabled)
• Manage your subscription and payments, provide support

3.2. Improvement of the service

• Analyze the usage and quality of the Service in an aggregated manner
• Fix errors and improve the quality of the voice agents

Call content is not used to train third-party AI models for those providers’ own purposes.

3.3. Security and compliance

• Detect and prevent fraud and abuse
• Comply with our legal obligations and retain proof of an appointment

3.4. Advertising

No advertising on Tinos. Your data is never sold to third parties.

• Contract: to perform our Terms of Use and provide the Service
• Consent: for processing that requires your explicit agreement
• Legitimate interest: to improve the Service and ensure security
• Legal obligation: to comply with applicable legislation

For callers’ data, the legal basis lies with the customer, who is the data controller and must ensure that individuals are informed and, where applicable, that their consent is obtained.

Your data is never sold. It may be shared with:

5.1. Technical subprocessors

• Supabase (hosting, database and transcriptions, European Union region)
• Twilio (telephony and call routing)
• Retell (voice agent orchestration)
• Deepgram (speech recognition / transcription)
• OpenAI (the agent’s language model)
• Cartesia (speech synthesis)
• Stripe (payment processing)
• Vercel (dashboard hosting)
• Railway (voice agent hosting)
• Resend (email delivery)

5.2. Transfers outside the European Union

Some of our subprocessors may process data on servers located outside the European Union (notably in the United States). These transfers are governed by the Standard Contractual Clauses (SCCs) approved by the European Commission, ensuring an adequate level of protection. The database and call transcriptions are hosted in the European Union region.

5.3. Authorities and legitimate third parties

• Law enforcement upon legal request
• Courts in the context of legal proceedings

5.4. Change of subprocessors

Tinos reserves the right to add, replace or remove a subprocessor at any time for technical, economic or security reasons. Any material change will be notified by email or via the dashboard with reasonable advance notice, allowing customers who object to it to terminate at no cost before the change takes effect.

• Account data: until the account is deleted + 3 years for legal obligations
• Payment data: 10 years in accordance with accounting obligations
• Call recordings and transcriptions: retained for the period agreed with the customer, by default for as long as necessary to follow up on the request, then deleted or anonymized
• Aggregated usage data: 2 years maximum
• Technical logs: 13 months maximum
• Support data: 3 years after resolution

In accordance with the GDPR, you have the following rights:

• Right of access: obtain a copy of your personal data
• Right to rectification: correct inaccurate or incomplete data
• Right to erasure: delete your data under certain conditions
• Right to restriction: restrict the processing of your data
• Right to portability: retrieve your data in a structured format
• Right to object: object to processing on legitimate grounds
• Right to withdraw consent: withdraw your consent at any time

To exercise these rights, contact us via our contact page. If your request concerns a call received by one of our customers, it will, where applicable, be forwarded to the customer acting as data controller.

We implement appropriate technical and organizational measures:

• Encryption: data encrypted in transit (TLS) and at rest
• Access control: strong authentication, principle of least privilege
• Passwords: hashed and salted, never stored in plain text
• Payments: handled entirely by Stripe (PCI DSS certified)
• Transcriptions hosted in the European Union region

The Tinos dashboard may use cookies that are strictly necessary for the operation of the Service (session, authentication). No advertising or tracking cookie is placed without your consent.

When you delete your account:

• Your personal data is deleted from our servers
• The associated recordings and transcriptions are deleted or anonymized
• The voice agent stops handling your calls
• Certain accounting data may be retained in accordance with legal obligations

Because Tinos acts as a data processor for callers’ data, a Data Processing Agreement (DPA) specifying the processing terms, sub-processors and security measures is available on request via our contact page. It is particularly recommended for customers with enhanced GDPR obligations (healthcare, public sector, large accounts).

For any question about this Policy or to exercise your rights: our contact page.