GDPR & data protection

We only process data when a legal basis justifies it (Article 6 of the GDPR): performance of the contract between us and the professional, the legitimate interest in ensuring the continuity of their phone reception, or consent where it is required. When a call is recorded to establish proof of an appointment or a commitment, the recording is kept only if it is genuinely necessary for that purpose. Each purpose is defined in advance; no data is reused for an unintended use.

We collect only what is strictly necessary to qualify the call and book the appointment, nothing more. Transcripts and recordings are kept for a limited period, proportionate to their purpose, then deleted or anonymized.

• Retention periods defined by purpose and documented in our privacy policy.
• Database and storage hosted in the European Union (Supabase, EU region, Frankfurt).
• Access restricted to authorized individuals only, within the scope of their duties.

Operating a voice agent requires the use of technical providers (telephony, transcription, language model, hosting, email). Each acts as a processor, governed by a data processing agreement (DPA, Article 28 of the GDPR) specifying processing solely on our instructions, confidentiality, security measures and what happens to the data at the end of the contract.

We favor European hosting. When a transfer outside the European Union is necessary, it relies on the mechanism suited to the provider concerned: either an adequacy decision by the European Commission (for example the Data Privacy Framework for certified US entities), or standard contractual clauses together with an assessment of the safeguards in place. We never present a transfer as non-existent: we describe the actual framework that applies.

In accordance with Article 32 of the GDPR, we implement technical and organizational measures appropriate to the risk: access control, encryption of data in transit and at rest with our hosting providers, and logging of sensitive operations. In the event of a data breach likely to present a risk, the data controller is informed as soon as possible so that they can fulfill their obligations.

Any data subject — first and foremost the caller — can exercise the rights provided for by the GDPR: access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), portability (Art. 20) and objection (Art. 21). Where a decision producing significant effects would be made entirely automatically, Article 22 also grants a right to human intervention. These requests receive a response within one month (Art. 12), extendable if necessary.

To learn more about the processing carried out, see our privacy policy. To exercise a right or ask a question, write to us via the contact page.