GDPR Compliance Statement

Effective Date: January 6, 2026
Last Updated: January 6, 2026
Version: 1.0

1. Executive Summary

This document demonstrates Voice AI Portal’s commitment to compliance with the UK General Data Protection Regulation (UK GDPR), EU General Data Protection Regulation (EU GDPR), and the Data (Use and Access) Act 2025. As a white-label voice AI analytics platform operated by ALIM Ltd (Company Number 14528810), we process personal data on behalf of our agency clients while maintaining the highest standards of data protection and privacy.

Voice AI Portal serves as a data processor for voice AI analytics and workspace management data, implementing robust technical and organizational measures to ensure GDPR compliance across all processing activities. This document serves as both an internal compliance guide and external demonstration of our data protection commitments to clients, data subjects, and supervisory authorities.

Key Compliance Highlights:

  • Authentication database hosted in EU (Supabase eu-central-1, Frankfurt, Germany)
  • Application data hosted exclusively in EU region (Google Cloud Platform europe-west1, Belgium)
  • Comprehensive data subject rights fulfillment within regulatory timeframes (30 days standard, 72 hours for urgent requests)
  • Privacy by design and by default architecture with data minimization principles
  • Regular Data Protection Impact Assessments (DPIAs) for high-risk processing activities
  • Detailed Records of Processing Activities (RoPA) pursuant to Article 30 UK GDPR
  • 24/7 security monitoring with breach notification within 72 hours to ICO
  • Standard Contractual Clauses (SCCs) for international data transfers where applicable
  • SOC 2 Type II certified infrastructure for authentication and hosting

2. GDPR Compliance Framework

2.1 Regulatory Scope

Voice AI Portal’s GDPR compliance framework applies to:

Geographic Scope:

  • Processing of personal data of individuals located in the United Kingdom
  • Processing of personal data of individuals located in the European Economic Area (EEA)
  • Clients and end users operating within UK and EEA jurisdictions
  • Cross-border data transfers from UK/EEA to third countries with adequate safeguards

Service Scope:

  • Voice AI analytics dashboard services and reporting
  • Multi-tenant workspace management and client portal operations
  • Integration with third-party voice AI platforms (Retell AI, VAPI, ElevenLabs)
  • Call metadata processing and performance analytics
  • White-label branding and custom domain services
  • API and webhook data processing
  • User authentication and role-based access control (RBAC) management

Data Subject Categories:

  • Agency administrators and account owners (our direct clients)
  • End users accessing client workspaces (our clients’ customers)
  • Call recipients whose data appears in voice AI analytics
  • Support and communication contacts

2.2 Compliance Objectives

Our GDPR compliance program aims to:

  1. Ensure Lawful Processing: Establish and document lawful bases for all processing activities under Article 6 UK GDPR
  2. Implement Privacy by Design: Build data protection into system architecture and business processes from inception
  3. Enable Data Subject Rights: Provide comprehensive mechanisms for individuals to exercise their rights under Articles 15-22
  4. Maintain Robust Security: Implement state-of-the-art technical and organizational measures per Article 32
  5. Establish Clear Accountability: Maintain detailed records, conduct regular audits, and demonstrate compliance under Article 5(2)
  6. Transparent Processing: Provide clear, accessible privacy information to all data subjects under Articles 13-14
  7. Minimize Data Risks: Conduct regular Data Protection Impact Assessments (DPIAs) for high-risk processing activities
  8. Manage International Transfers: Ensure appropriate safeguards for data transfers outside UK/EEA under Chapter V

2.3 Compliance Governance Structure

Data Protection Officer (DPO):

  • Contact: [email protected]
  • Responsibilities: GDPR compliance oversight, supervisory authority liaison, data protection advice, DPIA review, breach notification coordination

Data Protection Committee:

  • Membership: Chief Executive Officer, Data Protection Officer, Technical Director, Legal Counsel
  • Meeting Frequency: Quarterly scheduled meetings, ad-hoc for incidents or significant changes
  • Responsibilities:
    • Strategic GDPR compliance decisions and policy approval
    • Review of DPIAs and high-risk processing activities
    • Oversight of data subject rights request trends and resolution
    • Budget allocation for data protection initiatives
    • Review of data breach incidents and response effectiveness
    • Monitoring of regulatory developments and compliance requirements

Compliance Roles:

  • Data Controller: ALIM Ltd for agency account and billing data
  • Data Processor: Voice AI Portal for end user workspace data processed on behalf of clients
  • Joint Controllers: Defined in specific circumstances with written arrangements

Data Protection Responsibilities by Role:

  • Developers: Privacy by design, secure coding, data minimization in system design
  • Operations: Security monitoring, incident response, backup and recovery
  • Support: Data subject rights request handling, privacy inquiry responses
  • Marketing: Consent management, opt-out processing, privacy notice updates
  • Legal/Compliance: Contract review, regulatory liaison, policy development
  • All Staff: Data protection awareness, confidentiality, reporting of incidents

3. The Seven GDPR Principles

Voice AI Portal’s data processing activities adhere to the seven fundamental principles established by Article 5 UK GDPR:

Principle 1: Lawfulness, Fairness, and Transparency (Article 5(1)(a))

Implementation:

  • We process personal data only with a valid lawful basis documented in our Records of Processing Activities
  • Transparency maintained through clear Privacy Policy, Cookie Policy, and Data Processing Agreement
  • Fair processing practices that respect data subjects’ rights, expectations, and reasonable interests
  • No deceptive, misleading, or manipulative data collection practices
  • Privacy notices provided at point of data collection for all processing activities
  • Layered privacy notices for different audiences (administrators, end users, website visitors)

Evidence of Compliance:

  • Published Privacy Policy accessible at all times
  • Layered privacy notices for different data subject categories
  • Lawful basis assessment documentation for each processing activity
  • Regular privacy notice reviews and updates (minimum annually)
  • Transparency register mapping processing activities to privacy disclosures

Principle 2: Purpose Limitation (Article 5(1)(b))

Implementation:

  • Personal data collected for specified, explicit, and legitimate purposes clearly documented in privacy notices
  • Data not processed for purposes incompatible with original collection purposes
  • Voice AI analytics data processed solely for dashboard display, reporting, and ROI calculation
  • Any new processing purposes assessed for compatibility and communicated to data subjects
  • Purpose documentation maintained in Records of Processing Activities

Purpose Documentation:

  • Account Management: User authentication, subscription management, billing operations
  • Service Delivery: Dashboard analytics, workspace management, API integrations
  • Security: Fraud detection, access monitoring, threat prevention
  • Support: Technical assistance, issue resolution, communication
  • Legal Compliance: Tax obligations, regulatory reporting, dispute resolution
  • Marketing: Promotional communications (consent-based only)

Compatible Processing:

  • Archiving for public interest, scientific/historical research, or statistical purposes (with appropriate safeguards)
  • Processing necessary for legal claims or regulatory obligations
  • Compatibility assessments documented before any purpose expansion

Principle 3: Data Minimization (Article 5(1)(c))

Implementation:

  • Collection limited to data adequate, relevant, and necessary for specified purposes
  • Voice AI Portal does not store actual call recordings or full transcripts—only reference links and metadata
  • API requests limited to essential fields required for dashboard functionality
  • Regular data audits to identify and eliminate unnecessary data collection
  • Default settings configured for minimal data capture
  • “Need to know” principle applied to all data access

Minimization Practices:

  • Workspace configurations collect only essential user information (name, email)
  • Call metadata limited to duration, timestamp, cost, status—not call content
  • Device fingerprinting limited to security-essential attributes
  • Analytics anonymized and aggregated where individual identification unnecessary
  • Authentication database (Supabase) stores only credentials and RBAC data essential for access control
  • No collection of special category data (Article 9) without explicit consent and business necessity

Data Minimization Reviews:

  • Quarterly reviews of data collection practices
  • Annual audits to identify unnecessary data fields
  • Developer training on data minimization principles
  • Privacy impact considerations in feature development

Principle 4: Accuracy (Article 5(1)(d))

Implementation:

  • Reasonable steps taken to ensure personal data accuracy and currency
  • Mechanisms provided for data subjects to correct inaccuracies through account settings
  • Inaccurate data erased or rectified without undue delay upon notification
  • Regular data quality checks for critical information (billing, contact details)
  • Source data validation at point of collection

Accuracy Procedures:

  • User self-service correction through account dashboard
  • Rectification requests processed within 30 days per Article 16
  • Corrections propagated to all systems where data is replicated (Supabase auth database, GCP application database)
  • Third-party data sources (voice AI providers) periodically validated
  • Audit logs maintained for all data modifications
  • Annual prompts for users to review and update account information

Quality Assurance:

  • Automated validation checks at data entry points
  • Regular reconciliation between Supabase and GCP data
  • Monitoring for data inconsistencies and automatic alerts
  • Data quality metrics tracked and reported to Data Protection Committee

Principle 5: Storage Limitation (Article 5(1)(e))

Implementation:

  • Personal data retained only as long as necessary for processing purposes
  • Clear retention schedules established for different data categories
  • Automated deletion processes for expired data
  • Retention periods regularly reviewed and adjusted based on legal requirements
  • Documented justifications for all retention periods

Retention Schedule:

Data CategoryRetention PeriodLegal BasisDeletion MethodDeletion Timing
Active Account Data (Supabase)Duration of subscriptionContract performanceAutomated deletion with cryptographic erasure30 days post-cancellation
Authentication Credentials (Supabase)Duration of subscriptionContract performanceSecure deletion with password hash removalImmediate upon account deletion
RBAC Permissions (Supabase)Duration of subscriptionContract performanceCascading deletion with accountImmediate upon account deletion
Billing Records (GCP)7 years after transactionLegal obligation (UK tax law)Secure deletion after audit period7 years + 30 days
Call Analytics Metadata (GCP)90 days (Starter), 180 days (Professional/Agency)Contract performanceAutomated purgeDaily automated cleanup
Usage & Activity Logs (GCP)90 daysLegitimate interest (security)Automated rotationDaily log rotation
Security & Audit Logs (GCP/Supabase)12 monthsLegitimate interest (compliance)Automated archival then deletionMonthly archival process
Backup Data (GCP/Supabase)7 daysLegitimate interest (business continuity)Encrypted overwriteDaily backup rotation
Support Communications24 months from case closureLegitimate interest (quality/disputes)Manual review then deletionQuarterly review cycle
Marketing Consent RecordsUntil consent withdrawn + 3 yearsLegal obligation (proof of consent)Secure archival then deletionAnnual review
Email Delivery Logs (Resend)90 daysContract performanceAutomated deletionDaily automated cleanup
DSAR Response Records3 years from responseLegal obligation (compliance evidence)Secure archivalTriennial review
Data Breach RecordsIndefinitelyLegal obligation (regulatory)Permanent retention, anonymization where possibleN/A

Grace Period and Suspension Retention:

  • Payment Grace Period (7-14 days): All data remains accessible and retained normally
  • Post-Suspension Retention: Customer Data retained for 90 days to enable payment resolution
  • Deletion Warning: Notification sent 15 days before permanent deletion
  • Read-Only Access: Administrators have read-only access for data export during 90-day retention period
  • Permanent Deletion: At end of 90-day period, all Customer Data permanently deleted with no recovery option

Automated Retention Enforcement:

  • Scheduled cron jobs execute retention policy daily
  • Deletion audit logs maintained for compliance verification
  • Monthly reporting to Data Protection Officer on deletion activities
  • Alerts for any retention policy failures or delays

Manual Review Cases:

  • Legal hold situations (ongoing litigation or investigations)
  • Regulatory inquiry requirements
  • Dispute resolution necessitating data preservation
  • Security incident investigations requiring forensic analysis
  • Legal hold register maintained with justifications and review dates

Principle 6: Integrity and Confidentiality (Security) (Article 5(1)(f))

Implementation:

  • Appropriate technical and organizational measures implemented per Article 32
  • Encryption, access controls, monitoring, and incident response procedures
  • Regular security assessments, penetration testing, and vulnerability management
  • Documented security policies and staff training programs
  • Continuous security improvement and adaptation to emerging threats

Technical Security Measures:

Encryption and Cryptography:

  • Data in Transit: TLS 1.3 for all data communications with strong cipher suites
  • Data at Rest: AES-256 encryption for databases, file storage, and backups (Supabase and GCP)
  • Authentication: Bcrypt password hashing with per-user salt (Supabase managed)
  • Key Management: Google Cloud KMS with automated key rotation, hardware security modules (HSMs)
  • Certificate Management: Automated SSL/TLS certificate provisioning and renewal via Cloudflare
  • Encryption Verification: Regular audits to ensure encryption is active and properly configured

Access Control and Authentication:

  • Role-Based Access Control (RBAC): Granular permissions managed through Supabase with workspace-level isolation
  • Multi-Factor Authentication (MFA): Time-based One-Time Password (TOTP) required for administrative access
  • Session Management: Secure JWT tokens with configurable expiration, automatic refresh, concurrent session limits
  • Passwordless Authentication: Magic link tokens with single-use enforcement and 15-minute expiration
  • API Authentication: API key rotation every 90 days, rate limiting per key, OAuth 2.0 support
  • Principle of Least Privilege: Default deny access, explicit grants required for all resources
  • Access Reviews: Quarterly reviews of user permissions and role assignments
  • Automated Account Lockout: Automatic lockout after 5 failed login attempts within 15 minutes

Database Security:

  • Supabase Security:
    • Row Level Security (RLS) policies enforce multi-tenant data isolation at database level
    • Database-level encryption with AES-256
    • Private VPC deployment with no public database exposure
    • Automated encrypted backups with 7-day retention
    • Point-in-time recovery capability
    • Connection pooling with secure credential management
    • Database activity monitoring and audit logging
  • GCP Security:
    • Cloud SQL with automated encryption and backup
    • VPC Service Controls for network perimeter security
    • Private IP connectivity between services
    • IAM-based access control with service accounts
    • Query audit logging for compliance monitoring

Network and Infrastructure Security:

  • Google Cloud Platform: VPC isolation, private networking, firewall rules, regional DDoS protection
  • Cloudflare Security: Web Application Firewall (WAF), DDoS mitigation, bot management, OWASP Top 10 protection
  • Network Segmentation: Separate production, staging, development environments with strict firewall rules
  • IP Restrictions: Administrative access restricted to authorized IP ranges where feasible
  • Zero Trust Architecture: No implicit trust; verification required for all access requests

Application Security:

  • Secure Development Lifecycle: OWASP guidelines, secure coding standards, mandatory code reviews
  • Input Validation: SQL injection prevention, XSS protection, CSRF tokens, parameterized queries
  • Output Encoding: Context-appropriate encoding, Content Security Policy (CSP) headers
  • Dependency Management: Weekly dependency updates, automated vulnerability scanning, software composition analysis
  • API Security: Rate limiting (1000 requests/hour per user), input validation, authentication requirements, versioning
  • Security Headers: HSTS, X-Frame-Options, X-Content-Type-Options, CSP properly configured

Monitoring and Detection:

  • 24/7 Security Monitoring: Real-time SIEM alerts for suspicious activity, automated response for critical threats
  • Intrusion Detection: Network and host-based IDS/IPS, behavioral analysis, anomaly detection
  • Log Aggregation: Centralized logging in Google Cloud Logging and Supabase logs with tamper-proof storage
  • Vulnerability Scanning: Weekly automated scans with Qualys/Nessus, monthly manual assessments
  • Penetration Testing: Annual third-party penetration tests, quarterly internal security testing
  • Threat Intelligence: Integration with threat feeds, proactive patching of known vulnerabilities

Data Segregation:

  • Multi-Tenant Isolation: Logical separation of client data using Supabase Row Level Security (RLS)
  • Workspace Partitioning: Strict tenant ID enforcement in all queries and API requests
  • Database Partitioning: Row-level security policies prevent cross-tenant data access
  • Access Restrictions: Application-level and database-level controls prevent unauthorized cross-tenant queries
  • Regular Testing: Quarterly penetration tests specifically targeting tenant isolation boundaries

Backup and Recovery:

  • Automated Backups:
    • Supabase: Daily automated backups with point-in-time recovery, 7-day retention
    • GCP: Daily snapshots to geographically separate location (europe-north1)
    • Encryption: All backups encrypted at rest with separate encryption keys
  • Backup Testing: Quarterly restore tests to verify backup integrity and RTO/RPO targets
  • Disaster Recovery: Documented DR plan with RTO (Recovery Time Objective) of 4 hours, RPO (Recovery Point Objective) of 1 hour
  • Business Continuity: Multi-region deployment capability for critical services
  • Backup Security: Backups stored in separate security domain with restricted access

Organizational Security Measures:

Personnel Security:

  • Background Checks: Pre-employment DBS checks (UK) for roles with personal data access
  • Confidentiality Agreements: All staff and contractors sign NDAs and data protection agreements before access
  • Least Privilege Access: Access granted only as necessary for job function, reviewed quarterly
  • Access Revocation: Immediate access termination upon role change or departure (within 1 hour)
  • Separation of Duties: Critical functions require multiple personnel involvement (e.g., production deployments)
  • Contractor Management: Enhanced vetting and time-limited access for external contractors

Training and Awareness:

  • Annual GDPR Training: Mandatory training for all personnel covering principles, rights, breach response (completion required within 30 days of hire)
  • Role-Specific Training: Enhanced training for personnel with regular data access (quarterly updates)
  • Security Awareness: Monthly security bulletins, quarterly phishing simulations, incident case studies
  • Developer Security Training: Secure coding practices, OWASP Top 10, privacy by design principles (annual certification)
  • DPO Consultation: Accessible DPO for data protection questions and guidance (response within 24 hours)
  • Training Records: Completion tracking, certification maintenance, annual competency assessments

Policy and Governance:

  • Data Protection Policy: Comprehensive policy covering GDPR compliance obligations (reviewed annually)
  • Information Security Policy: Technical and organizational security requirements (reviewed annually)
  • Incident Response Plan: Breach detection, containment, notification, remediation procedures (tested quarterly)
  • Business Continuity Plan: Disaster recovery, service restoration, communication protocols (tested semi-annually)
  • Clear Desk Policy: Physical security requirements, screen locking (automatic after 5 minutes inactivity), document disposal
  • Acceptable Use Policy: Staff technology use guidelines, prohibited activities
  • Data Retention Policy: Retention schedules, deletion procedures, legal hold protocols
  • Change Management Policy: Security review required for all production changes
  • Vendor Management Policy: Due diligence requirements for all data processors

Vendor and Sub-Processor Management:

  • Due Diligence: Security and privacy assessments before engagement, minimum requirements for certifications (SOC 2, ISO 27001)
  • Contractual Requirements: Data Processing Agreements with Article 28 obligations for all processors
  • Compliance Monitoring: Annual review of sub-processor certifications, security practices, and incident history
  • Incident Notification: Sub-processor breach notification within 24 hours contractually required
  • Audit Rights: Contractual audit rights and annual compliance reviews
  • Sub-Processor Register: Maintained and available to clients, updated within 30 days of changes
  • Exit Strategy: Data return and deletion procedures defined for all vendors

Physical Security:

  • Data Center Security: Google Cloud Platform and Supabase facilities with SOC 2, ISO 27001 certifications
  • Access Control: Biometric authentication, mantrap entry, 24/7 video surveillance
  • Environmental Controls: Fire suppression, temperature monitoring, redundant power (N+1), seismic protection
  • Office Security: Secure facilities, visitor management, access card systems, CCTV monitoring
  • Equipment Disposal: Certified destruction for physical media, degaussing for magnetic media

Incident Response Organization:

  • Incident Response Team: Designated personnel (Incident Commander, Communications Lead, Technical Lead, DPO)
  • Escalation Procedures: Clear escalation paths based on severity (Critical: immediate; High: 1 hour; Medium: 4 hours; Low: 24 hours)
  • Communication Plans: Internal and external communication protocols, stakeholder notification templates
  • Forensic Capabilities: Log preservation, evidence collection, chain of custody procedures, root cause analysis
  • Post-Incident Review: Lessons learned within 14 days, corrective actions, policy updates
  • Incident Response Drills: Quarterly tabletop exercises, annual full-scale simulation

Principle 7: Accountability (Article 5(2))

Implementation:

  • Comprehensive documentation demonstrating GDPR compliance maintained and regularly updated
  • Data Protection Impact Assessments (DPIAs) conducted for high-risk processing
  • Records of Processing Activities (RoPA) maintained per Article 30
  • Regular internal audits and compliance reviews
  • Ability to demonstrate compliance to supervisory authorities upon request
  • Continuous improvement culture with feedback loops

Accountability Documentation:

  • Records of Processing Activities (RoPA): Article 30 compliant records covering all processing operations, reviewed quarterly
  • Data Protection Impact Assessments (DPIAs): Article 35 assessments for high-risk processing, reviewed annually
  • Data Processing Agreements (DPAs): Executed with all processors per Article 28, reviewed biennially
  • Privacy Policy and Cookie Policy: Publicly available, reviewed annually or upon material changes
  • Internal Data Protection Policies: Comprehensive governance framework, reviewed annually
  • Staff Training Records: Completion certificates, test results, attendance logs (retained 3 years)
  • Data Breach Register: Article 33(5) compliant log of all breaches, maintained indefinitely
  • Data Subject Rights Request Logs: Complete records with timestamps, responses, outcomes (retained 3 years)
  • Audit Reports: Internal and external audit findings, remediation actions (retained 5 years)
  • Vendor Due Diligence: Sub-processor assessments, security questionnaires, certifications (retained during engagement + 3 years)
  • Consent Records: Proof of consent with timestamp, method, scope, withdrawal mechanism (retained consent duration + 3 years)
  • DPIA Register: Centralized repository of all completed DPIAs with review schedules
  • Policy Version Control: Historical versions of policies with change logs

Compliance Monitoring:

  • Quarterly Internal Audits: Self-assessment against GDPR requirements, policy adherence checks
  • Annual External Audits: Independent third-party compliance assessment and certification
  • Monthly Metrics Reporting: KPIs to Data Protection Committee (DSAR response times, breach incidents, training completion)
  • Continuous Control Monitoring: Automated checks for security configuration drift
  • Risk Assessments: Annual comprehensive risk assessment, ad-hoc for new processing activities

Demonstration of Compliance:

  • Documentation available to ICO within 48 hours of request
  • Audit trails for all key compliance activities (data access, deletion, rights requests)
  • Regular reporting to senior management on compliance status
  • Transparency with data subjects about processing and rights
  • Proactive engagement with supervisory authorities on compliance matters

4. Lawful Basis for Processing

Voice AI Portal relies on the following lawful bases for processing personal data under Article 6 UK GDPR:

Processing ActivityLawful BasisArticle 6 ReferenceDescriptionLegitimate Interests Assessment (if applicable)
Voice AI Analytics Service DeliveryContractArticle 6(1)(b)Processing necessary to perform our service contract with agency clientsN/A
Account Setup and ManagementContractArticle 6(1)(b)Processing necessary to create accounts, manage subscriptions, provide platform accessN/A
User Authentication (Supabase)ContractArticle 6(1)(b)Processing necessary to verify identity and provide secure access to ServicesN/A
Role-Based Access Control (RBAC)ContractArticle 6(1)(b)Processing necessary to enforce permissions and workspace access controlsN/A
Payment ProcessingContractArticle 6(1)(b)Processing necessary to bill subscriptions, process payments, issue invoicesN/A
Platform Security and Fraud DetectionLegitimate InterestsArticle 6(1)(f)Processing necessary for our legitimate interests in maintaining platform security, preventing fraud, protecting usersLIA: Our interest in security outweighs minimal impact on data subjects; appropriate safeguards (encryption, access controls) implemented
Customer Support ServicesContractArticle 6(1)(b)Processing necessary to provide technical assistance, resolve issues, respond to inquiriesN/A
Service Improvement and AnalyticsLegitimate InterestsArticle 6(1)(f)Processing necessary for our legitimate interests in improving Services, developing features, optimizing performanceLIA: Benefits to users (better service) outweigh minimal privacy impact; anonymization applied where possible
Usage Monitoring and Performance AnalyticsLegitimate InterestsArticle 6(1)(f)Processing necessary to monitor system performance, identify issues, ensure service qualityLIA: Essential for reliable service delivery; data minimized to technical logs only
Tax and Accounting ComplianceLegal ObligationArticle 6(1)(c)Processing necessary to comply with UK tax law (7-year retention), accounting standards, financial regulationsN/A
Legal Claims and Regulatory ComplianceLegal ObligationArticle 6(1)(c)Processing necessary to respond to legal requests, court orders, regulatory inquiries from ICO or other authoritiesN/A
Marketing Communications (opt-in)ConsentArticle 6(1)(a)Processing based on explicit, freely given consent for promotional emails, feature announcements, upgrade offersN/A
Non-Essential Cookies and AnalyticsLegitimate InterestsArticle 6(1)(f)Processing based on legitimate interests under Data (Use and Access) Act 2025 provisions for low-risk analytics (Google Analytics with anonymization)LIA: Interest in understanding usage patterns outweighs minimal privacy impact; IP anonymization and opt-out available

Legitimate Interests Assessments (LIA):

For processing based on legitimate interests (Article 6(1)(f)), we conduct and document Legitimate Interests Assessments (LIA) covering:

  1. Purpose Test:
    • Clear identification of legitimate interests pursued (security, service improvement, fraud prevention)
    • Explanation of why interest is legitimate and appropriate
  2. Necessity Test:
    • Demonstration that processing is necessary to achieve the purpose
    • Evaluation that no less intrusive means are available or practicable
    • Assessment of whether purpose could be achieved without processing
  3. Balancing Test:
    • Assessment that our interests do not override data subjects’ rights, freedoms, and interests
    • Consideration of nature of data, reasonable expectations, impact on data subjects
    • Evaluation of any vulnerable data subjects or special category data
    • Assessment of potential adverse effects
  4. Safeguards:
    • Implementation of appropriate technical and organizational measures
    • Data minimization, encryption, access controls, transparency
    • Provision of opt-out mechanisms where appropriate
    • Regular review of ongoing balancing test validity

LIA Documentation:

  • Completed LIAs for security monitoring, service analytics, and marketing analytics maintained
  • Reviewed annually or when processing changes materially
  • Available to ICO upon request

Consent Management (Article 7):

For processing based on consent, we ensure:

Valid Consent Requirements:

  • Freely Given: No detriment for refusal, no bundling with other terms, genuine choice provided
  • Specific: Granular consent for distinct processing purposes (e.g., separate consent for marketing vs. analytics)
  • Informed: Clear information provided about purposes, data use, right to withdraw
  • Unambiguous: Clear affirmative action required (opt-in checkboxes, consent buttons), not pre-ticked boxes or inactivity
  • Verifiable: Records maintained with timestamp, method, scope, and evidence of consent
  • Withdrawable: Easy withdrawal mechanisms provided (unsubscribe links, account settings, email to DPO)

Consent Collection Methods:

  • Opt-in checkboxes on registration forms (not pre-selected)
  • Separate consent forms for marketing communications
  • Cookie consent banners with granular choices
  • Clear language avoiding legal jargon (tested for readability)
  • Consent request separate from Terms of Service and Privacy Policy

Consent Records Maintained:

  • Data subject identity (email address or account ID)
  • Timestamp of consent
  • Method of consent (checkbox, form submission, cookie banner)
  • Scope of consent (specific purposes and data categories)
  • Version of privacy notice and consent text provided
  • Withdrawal timestamp if applicable
  • IP address and device information (for fraud prevention)

Consent Withdrawal:

  • Unsubscribe links in all marketing emails (honored within 24 hours)
  • Account settings for marketing preferences (real-time effect)
  • Email to [email protected] (processed within 48 hours)
  • Withdrawal does not affect lawfulness of processing before withdrawal
  • Confirmation email sent upon withdrawal

Consent Refresh:

  • Marketing consents reviewed every 24 months
  • Re-confirmation requested if no engagement for 12 months
  • New consent obtained if processing purposes change materially
  • Updated consent obtained when privacy notice substantially updated

5. Data Subject Rights

Voice AI Portal respects and facilitates the exercise of all data subject rights under Chapter III UK GDPR. We have implemented comprehensive procedures, technical systems, and organizational processes to ensure timely, effective rights fulfillment in compliance with regulatory timeframes.

5.1 Right to Transparent Information (Articles 13 & 14)

Implementation:

  • Comprehensive Privacy Policy provided at account registration, accessible at all times via website footer and account dashboard
  • Layered privacy notices appropriate to data subject category:
    • Agency administrators: Full privacy policy with DPA terms
    • End users: Simplified workspace privacy notice
    • Website visitors: Concise cookie and analytics notice
  • Clear information about data processing purposes, lawful bases, retention periods, rights, and contact details
  • Privacy information provided in concise, transparent, intelligible, and easily accessible language (Plain English, readability score: Flesch-Kincaid Grade 8)
  • Information provided free of charge unless requests are manifestly unfounded or excessive

Information Provided to Data Subjects:

  • Identity and contact details of data controller (ALIM Ltd, Company Number 14528810)
  • Contact details of Data Protection Officer ([email protected])
  • Purposes of processing for which personal data is intended
  • Lawful basis for processing (contract, legitimate interests, legal obligation, consent)
  • Categories of personal data processed
  • Recipients or categories of recipients (Supabase, GCP, Cloudflare, Resend, Stripe, voice AI providers)
  • International transfer information and safeguards (SCCs for Stripe, Google Analytics)
  • Retention periods or criteria for determining retention periods
  • Data subject rights (access, rectification, erasure, restriction, portability, objection)
  • Right to withdraw consent where processing is based on consent
  • Right to lodge complaint with UK Information Commissioner’s Office (ICO)
  • Whether provision of personal data is statutory/contractual requirement or necessary to enter contract
  • Consequences of failure to provide data (e.g., inability to provide Services)
  • Information about automated decision-making (currently not employed)
  • Source of data if not collected directly from data subject

Timing of Information Provision:

  • At point of collection: When data is obtained directly from data subject (registration, account creation)
  • Within one month: When data is obtained from third parties (within 1 month of obtaining, before first communication, or before disclosure to another recipient)
  • Upon request: Additional information provided if data subject requests clarification

Updates to Privacy Information:

  • Material changes communicated via email to all users
  • 30 days advance notice for significant changes affecting rights
  • Continued use constitutes acceptance; option to object or cancel account
  • Version history maintained for reference

5.2 Right of Access (Article 15)

Implementation:

  • Data subjects can request confirmation of whether we process their personal data
  • Upon request, we provide copy of personal data undergoing processing
  • Self-service data export available through account dashboard (“Download My Data” feature)
  • Comprehensive data package provided in structured, commonly used, machine-readable format (JSON)

Data Export Contents:

  • Account Information (Supabase):
    • User profile (name, email, phone number)
    • Authentication history (login timestamps, IP addresses, devices used)
    • RBAC roles and permissions
    • MFA settings and recovery codes
    • Account creation date and last login date
  • Workspace Data (GCP):
    • Workspace configurations and settings
    • Client associations and access levels
    • Custom branding assets (logos, colors)
  • Usage Data (GCP):
    • Activity logs (features accessed, actions performed)
    • API usage statistics
    • Session history
  • Call Analytics Metadata (GCP):
    • Call metadata (duration, timestamp, status, cost)
    • Performance metrics and ROI calculations
    • References to recordings/transcripts (URLs only, not content)
  • Communication Records:
    • Support tickets and correspondence
    • System notifications and alerts
  • Billing Information (GCP):
    • Subscription history and plan details
    • Invoice records (but not full payment card details stored by Stripe)
    • Payment history and transaction IDs

Response Process:

  1. Request Submission:
    • Email: [email protected] with subject “Data Subject Access Request”
    • Account Dashboard: Self-service “Download My Data” button
    • Written Notice: Postal mail to registered address
  2. Identity Verification:
    • Account email confirmation (magic link sent to registered email)
    • Security question verification for registered users
    • Government-issued ID and proof of relationship for non-registered individuals
    • Enhanced verification for sensitive requests (e.g., requests from third parties)
  3. Processing:
    • Acknowledgment sent within 5 business days of receipt
    • Data compilation from Supabase (authentication), GCP (application), and sub-processors
    • Quality check to ensure completeness and accuracy
    • Redaction of third-party personal data if present
  4. Delivery:
    • Response provided within 30 days of verification (one calendar month from receipt)
    • Extension by 60 days permitted for complex requests (with notification to data subject and reasons)
    • First copy provided free of charge
    • Additional copies subject to reasonable fee (£10 for administrative costs)
    • Delivery via secure email attachment, encrypted download link, or postal mail
  5. Accompanying Information:
    • Confirmation of processing
    • Purposes of processing
    • Categories of data processed
    • Recipients of data
    • Retention periods
    • Rights information (rectification, erasure, restriction, objection, complaint)

Access Request Log:

  • All access requests logged with receipt date, verification method, response date, data provided
  • Log maintained for 3 years for compliance demonstration
  • Annual reporting to Data Protection Committee on request volumes, response times, any delays

Excessive or Manifestly Unfounded Requests:

  • Reasonable fee charged (£25) or refusal if request is manifestly unfounded or excessive
  • Factors considered: repetitive nature, volume of requests, intent to cause disruption
  • Justification documented and communicated to data subject
  • Data subject informed of right to complain to ICO

5.3 Right to Rectification (Article 16)

Implementation:

  • Data subjects can request correction of inaccurate or incomplete personal data
  • Self-service correction available through account dashboard for most data types (name, email, phone, preferences)
  • Formal rectification requests processed for data not user-editable (billing address, company details)
  • No charge for rectification requests

Rectification Process:

  1. Request Submission:
    • Account Settings: Direct editing of profile information
    • Email: [email protected] specifying inaccurate data and correct information
    • Support Ticket: In-platform support for guided correction
  2. Verification:
    • User-initiated corrections verified automatically via account authentication
    • Third-party requests require identity verification
    • Supporting evidence requested if accuracy is unclear (e.g., updated billing address confirmation)
  3. Correction Implementation:
    • Self-service corrections: Immediate effect (real-time update)
    • Formal requests: Corrections implemented within 30 days of verified request
    • Updates propagated to all systems:
      • Supabase: User profile, email, authentication records updated
      • GCP: Application data, workspace associations, billing records updated
      • Backups: Rectified data included in next backup cycle (within 24 hours)
  4. Notification:
    • Data subject notified of rectification completion via email
    • Recipients of rectified data notified unless impossible or involves disproportionate effort
    • Recipients include: sub-processors (where data shared), other controllers (if data disclosed for compatible purposes)
    • Notification exemption documented if applied
  5. Audit Trail:
    • All rectifications logged with timestamp, user identification, old value, new value
    • Audit log retained for 3 years for compliance evidence
    • Quality assurance check to confirm rectification propagated correctly

Proactive Accuracy Measures:

  • Annual email prompts for users to review and update account information
  • Validation checks at data entry points (email format, phone number format, postal code validation)
  • Automated detection of outdated or inconsistent data (e.g., mismatched billing address and VAT country)
  • Quarterly data quality audits identifying potential inaccuracies

Supplementation of Incomplete Data:

  • Data subjects can provide supplementary information to complete incomplete records
  • Additional fields provided in account settings for optional information
  • Clarification requests sent if incomplete data affects service delivery

5.4 Right to Erasure / “Right to be Forgotten” (Article 17)

Implementation:

  • Data subjects can request deletion of personal data when grounds specified in Article 17(1) exist
  • Comprehensive deletion procedures ensure complete removal from all systems (Supabase, GCP, backups, sub-processors)
  • Clear communication of deletion completion, timeframes, and any applicable exemptions
  • No charge for erasure requests

Erasure Grounds (Article 17(1)):

  1. Personal data no longer necessary for purposes for which collected or processed
  2. Data subject withdraws consent (where consent is lawful basis) and no other legal ground exists
  3. Data subject objects to processing (Article 21) and no overriding legitimate grounds exist
  4. Personal data has been unlawfully processed (breach of GDPR)
  5. Erasure required to comply with legal obligation in UK or EU law
  6. Personal data collected in relation to offering information society services to children (not applicable to Voice AI Portal)

Deletion Process:

  1. Request Submission:
    • Email: [email protected] with subject “Right to Erasure Request”
    • Account Dashboard: “Delete My Account” option with confirmation workflow
    • Written Notice: Postal mail to registered address
  2. Verification and Assessment:
    • Identity verification required (same process as access requests)
    • Assessment of erasure grounds (verification that at least one Article 17(1) ground applies)
    • Evaluation of exemptions (Article 17(3)): legal claims, legal obligations, public interest, freedom of expression
    • Documentation of assessment and decision
  3. Deletion Execution:
    • Timing: Deletion processed within 30 days of verified request
    • Scope: Complete removal from:
      • Supabase: User account, credentials, authentication tokens, RBAC permissions (cascading deletion)
      • GCP: Application data, workspace associations, usage logs, call metadata
      • Backups: Encrypted overwrite of backup data within 7-day retention cycle
      • Logs: Anonymization of identifiable information in retained logs (security logs kept for compliance)
      • Email Systems: Removal from Resend contact lists, suppression of email address
    • Method:
      • Cryptographic erasure (deletion of encryption keys rendering data unrecoverable)
      • Secure deletion (DoD 5220.22-M standard: 3-pass overwrite)
      • Anonymization where complete deletion would compromise system integrity
  4. Third-Party Notification:
    • Recipients of deleted data notified unless impossible or involves disproportionate effort
    • Sub-processors instructed to delete data:
      • Voice AI providers: Notified to remove workspace associations and metadata
      • Stripe: Notified to anonymize billing records (retained for tax compliance)
      • Email providers: Notified to suppress and delete email address
    • Public disclosure: If data made public, reasonable steps taken to inform other controllers of erasure request
  5. Confirmation:
    • Data subject notified of deletion completion via final email to alternate address (if provided) or confirmation at time of request
    • Confirmation includes: deletion date, scope of deletion, any retained data (with exemption justification)
    • Information about right to complain to ICO if dissatisfied
  6. Audit Trail:
    • Deletion requests logged with request date, verification method, execution date, deletion method, exemptions applied
    • Log retained for 3 years for compliance demonstration (with minimal personal data: request ID, date, outcome)

Exemptions to Erasure (Article 17(3)):
We may refuse erasure if processing is necessary for:

  • Freedom of Expression and Information: Not applicable to Voice AI Portal
  • Legal Obligation: Compliance with UK law requiring retention (e.g., 7-year tax records)
  • Public Interest / Official Authority: Not applicable to Voice AI Portal
  • Public Health: Not applicable to Voice AI Portal
  • Archiving, Research, Statistics: With appropriate safeguards, if erasure would render impossible or seriously impair objectives
  • Legal Claims: Establishment, exercise, or defense of legal claims (e.g., ongoing disputes, litigation hold)

Exemption Documentation:

  • All exemptions documented with legal basis, necessity justification, proportionality assessment
  • Data subject informed of exemption with clear explanation
  • Restricted processing applied where possible (instead of full deletion) if data subject prefers
  • Review date set for exemptions (annually) to reassess whether exemption still applies

Account Cancellation vs. Erasure:

  • Account Cancellation: 30-day grace period, then data retained for 90 days (suspended access) to enable payment resolution, then automatic deletion
  • Immediate Erasure Request: 30-day processing, no grace period, complete deletion (if no exemptions apply)
  • Users informed of distinction and can choose preferred approach

5.5 Right to Restriction of Processing (Article 18)

Implementation:

  • Data subjects can request temporary suspension of processing under specified circumstances
  • Restricted data marked in all systems (Supabase and GCP) to prevent further processing except storage
  • Restrictions lifted only when conditions resolved or data subject consents to lifting
  • No charge for restriction requests

Restriction Grounds (Article 18(1)):

  1. Accuracy Contested: Data subject contests accuracy of personal data (during verification period up to 30 days)
  2. Unlawful Processing: Processing is unlawful but data subject opposes erasure and requests restriction instead
  3. No Longer Needed: Controller no longer needs data but data subject requires it for establishment, exercise, or defense of legal claims
  4. Objection Pending: Data subject has objected to processing (Article 21) pending verification of whether controller’s legitimate grounds override data subject’s interests

Restriction Process:

  1. Request Submission:
    • Email: [email protected] with subject “Restriction of Processing Request”
    • Specify grounds for restriction and affected data
  2. Verification:
    • Identity verification required
    • Assessment of restriction grounds (verification that at least one Article 18(1) ground applies)
    • Documentation of grounds and justification
  3. Restriction Implementation:
    • Timing: Restriction implemented within 72 hours of verified request (expedited due to Article 18 obligations)
    • Method:
      • Supabase: “processing_restricted” flag set on user record, RLS policies updated to prevent data access except by admin
      • GCP: “restriction” status applied to application data, API requests blocked for restricted user
      • System Behavior: Data stored but not processed (no analytics generation, no reporting, no automated operations)
    • Permitted Operations: Storage, necessary processing with data subject’s consent, legal claims, protection of rights of another person
    • Scope: Restriction applies to all processing unless data subject consents to specific uses
  4. Notification:
    • Data subject notified of restriction implementation within 72 hours
    • Confirmation of restricted data scope and permitted operations
    • Information about when restriction will be lifted
    • Recipients of restricted data informed unless impossible or disproportionate effort
  5. Lifting Restriction:
    • Data subject notified before restriction is lifted (reasonable advance notice: 14 days)
    • Restriction lifted when:
      • Accuracy verification complete (if contested accuracy ground)
      • Data subject consents to lifting restriction
      • Protection of rights of another person or important public interest requires lifting
      • Legal basis for processing established (if objection ground)
    • Data subject confirmation obtained before lifting where possible
  6. Audit Trail:
    • All restrictions logged with request date, grounds, implementation date, lifting date
    • Review of active restrictions quarterly to assess whether grounds still apply
    • Manual review required before any processing of restricted data

Restriction vs. Erasure:

  • Data subjects can choose between restriction and erasure when processing is unlawful
  • Restriction preserves data for potential future use (e.g., legal claims) while preventing processing
  • Guidance provided to data subjects on implications of each option

5.6 Right to Data Portability (Article 20)

Implementation:

  • Data subjects can receive personal data in structured, commonly used, machine-readable format
  • Direct transmission to another controller provided where technically feasible
  • Portability applies to data provided by data subject and processed by automated means based on consent or contract
  • No charge for portability requests (first request; reasonable fee for subsequent requests if excessive)

Portability Scope:
Applies to data that meets ALL three conditions:

  1. Provided by Data Subject: Data actively and knowingly provided or observed from activity
  2. Automated Processing: Data processed by automated means (excludes paper records)
  3. Lawful Basis: Processing based on consent (Article 6(1)(a)) or contract (Article 6(1)(b))

Portable Data Categories:

  • Account Profile Information: Name, email, phone number, business details, preferences (provided by user)
  • Workspace Configurations: Settings, branding assets, custom domain configurations (user-configured)
  • Usage History: Activity logs, feature usage patterns, login history (observed from activity)
  • Communication Preferences: Marketing consents, notification settings (user-selected)
  • Call Metadata References: Links to recordings/transcripts, call timestamps, campaign associations (observed from activity via voice AI integrations)

Non-Portable Data:

  • Billing Records: Processed under legal obligation (tax law), not solely consent/contract
  • Security Logs: Processed under legitimate interest, not provided by data subject
  • Aggregated Analytics: Derived data not directly provided by data subject
  • Third-Party Data: Data about other users or call recipients (would infringe their rights)

Portability Process:

  1. Request Submission:
    • Email: [email protected] with subject “Data Portability Request”
    • Account Dashboard: “Export My Data” self-service option
    • Specify desired format if different from JSON default
    • Indicate if direct transmission to another controller requested (provide controller details)
  2. Verification:
    • Identity verification via account authentication
    • Verification of other controller’s identity and authorization for direct transmission (if applicable)
  3. Data Compilation:
    • Extraction of portable data from Supabase and GCP systems
    • Conversion to structured, machine-readable format (JSON primary, CSV alternative)
    • Exclusion of non-portable data categories
    • Redaction of third-party personal data
  4. Delivery:
    • Timing: Data provided within 30 days of verified request
    • Format: JSON (default), CSV, XML (upon request)
    • Delivery Method:
      • Secure Download: Encrypted download link valid for 7 days (password-protected)
      • Email Attachment: Encrypted ZIP file (for smaller datasets <10MB)
      • Direct Transmission: API transfer to nominated controller (if technically feasible and controller provides compatible endpoint)
    • Documentation: README file explaining data structure, field definitions, relationships
  5. Direct Transmission:
    • Feasibility assessed based on technical compatibility, security, and legal considerations
    • Requires: Other controller’s compatible API endpoint, mutual authentication, encryption, data mapping documentation
    • Transmission logged with recipient identity, timestamp, data transmitted, confirmation of receipt
    • Data subject notified of successful transmission
  6. Limitations:
    • Portability does not affect retention obligations (data remains with Voice AI Portal per retention policy)
    • Does not require deletion of original data (separate erasure request needed if desired)
    • Does not apply to data processed under legal obligation or legitimate interests
    • Third-party intellectual property excluded (e.g., proprietary algorithms, derived insights)

Technical Standards:

  • JSON Format: Structured hierarchy with nested objects, arrays, clear key-value pairs
  • Field Naming: Human-readable field names, consistent naming conventions
  • Data Relationships: Foreign keys and relationship documentation provided
  • Encoding: UTF-8 character encoding
  • Compression: Optional ZIP compression for large datasets
  • Encryption: AES-256 encryption for data in transit and at rest

Portability Request Log:

  • All requests logged with receipt date, format requested, delivery method, transmission details (if applicable)
  • Annual reporting on portability request volumes and direct transmission feasibility

5.7 Right to Object (Article 21)

Implementation:

  • Data subjects can object to processing based on legitimate interests or for direct marketing purposes
  • Clear objection mechanisms provided including opt-out links, account settings, and email contact
  • Processing ceased immediately for direct marketing; within 30 days for legitimate interests (after assessment)
  • No charge for objection requests

Objection Grounds:

Direct Marketing (Article 21(2)):

  • Absolute right to object at any time to processing for direct marketing purposes (no balancing test)
  • Applies to promotional emails, feature announcements, upgrade offers, marketing communications
  • Objection honored immediately with no exceptions or justifications required

Legitimate Interests (Article 21(1)):

  • Right to object to processing based on Article 6(1)(f) legitimate interests on grounds relating to data subject’s particular situation
  • Applies to security monitoring, usage analytics, service improvement, fraud detection
  • We must cease processing unless we demonstrate compelling legitimate grounds that override data subject’s interests, rights, and freedoms, OR processing is necessary for establishment, exercise, or defense of legal claims

Objection Process:

Direct Marketing Objection:

  1. Objection Methods:
    • Unsubscribe Links: One-click unsubscribe in all marketing emails (honored within 24 hours)
    • Account Settings: Marketing preferences toggle in account dashboard (immediate effect)
    • Email: [email protected] with subject “Marketing Opt-Out”
    • Written Notice: Postal mail to registered address
  2. Processing:
    • Timing: Processing ceased immediately upon receipt (within 24 hours for automated systems, 48 hours for manual processing)
    • Scope: All direct marketing communications stopped, including:
      • Promotional emails and newsletters
      • Feature announcements with marketing content
      • Upgrade and upsell communications
      • Event invitations and webinar promotions
    • Exceptions: Transactional communications still sent (account notifications, security alerts, billing invoices, service updates required for contract performance)
  3. Confirmation:
    • Opt-out confirmation email sent (final marketing communication)
    • Account settings updated to reflect opt-out status
    • Suppression list updated to prevent accidental re-addition
  4. Re-Consent:
    • Explicit opt-in required for any future marketing communications
    • No automated re-subscription or pre-ticked consent boxes
    • Clear explanation of what user is consenting to if they re-opt-in

Legitimate Interests Objection:

  1. Objection Submission:
    • Email: [email protected] with subject “Objection to Processing – Legitimate Interests”
    • Specify processing activity objected to and particular situation justifying objection
    • Provide explanation of grounds (e.g., privacy concerns, sensitive data, specific impact)
  2. Assessment:
    • Timing: Assessment completed within 30 days of receipt
    • Balancing Test: Evaluation of:
      • Data Subject’s Interests: Nature of objection, particular situation, potential impact on rights and freedoms
      • Our Legitimate Grounds: Necessity of processing, importance of purpose, alternatives available
      • Compelling Legitimate Grounds: Whether our interests override data subject’s interests (high threshold)
      • Legal Claims: Whether processing necessary for establishment, exercise, or defense of legal claims
    • Documentation: Detailed assessment documented including factors considered, evidence reviewed, conclusion
  3. Outcome:
    • Objection Upheld (Processing Ceased):
      • Processing stopped within 72 hours of decision
      • Alternative measures implemented if necessary (e.g., aggregated analytics instead of individual-level)
      • Data subject notified of cessation and any alternative approaches
    • Objection Overridden (Processing Continues):
      • Data subject notified of decision with detailed explanation of compelling legitimate grounds
      • Evidence and reasoning provided demonstrating why our grounds override data subject’s interests
      • Information about right to complain to ICO and seek judicial remedy
    • Restriction Applied (Compromise):
      • Processing restricted to specific purposes or limited scope as compromise
      • Safeguards enhanced to address data subject’s concerns
      • Data subject consulted on acceptability of restricted approach