Privacy Policy
Effective Date: January 5, 2026
Last Updated: January 5, 2026
Version: 2.0
1. INTRODUCTION
Voice AI Portal (“we”, “us”, “our”) is a white-label Software-as-a-Service (SaaS) analytics platform operated by ALIM Ltd (Company Number 14528810), a company registered in England and Wales. We provide unified analytics, client workspace management, and reporting services that enable AI automation agencies and businesses to track voice AI agent performance across multiple platforms including Retell AI, VAPI, ElevenLabs, and other supported providers.
This Privacy Policy describes how we collect, use, disclose, and protect your personal information when you access or use our services, including our website, platform, API, and related services (collectively, the “Services”). We are committed to protecting your privacy and complying with applicable data protection laws, including the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), the California Consumer Privacy Act (CCPA), and the Data (Use and Access) Act 2025.
By using our Services, you acknowledge that you have read and understood this Privacy Policy and agree to the collection, use, and disclosure of your information as described herein.
2. DATA CONTROLLER AND DATA PROTECTION OFFICER
Data Controller: ALIM Ltd T/A Voice AI Portal
Company Number 14528810
Registered in England and Wales
Email: [email protected]
Data Protection Officer:
Email: [email protected]
For privacy-related inquiries, data subject requests, or concerns about this Privacy Policy, please contact us using the information above. We will respond to your inquiry within 30 days as required by UK GDPR
3. INFORMATION WE COLLECT
3.1 Information You Provide Directly
We collect information that you voluntarily provide when using our Services:
Account Registration Information:
- Full name and business contact details
- Email address and phone number
- Business name, company registration details
- Billing address and VAT information
- Password and authentication credentials
Authentication Database (Supabase):
User credentials and role-based access control (RBAC) data are stored in a dedicated authentication database hosted by Supabase in the eu-central-1 region (Frankfurt, Germany)
- Email addresses and password hashes (bcrypt with per-user salt)
- Magic login tokens and session identifiers (JWT)
- Role-based access control (RBAC) permissions configured per workspace
- Authentication history (login timestamps, IP addresses, device information)
- Session management data with automatic expiry and refresh
Supabase Security Features:
- Row Level Security (RLS) policies enforce tenant isolation at database level
- AES-256 encryption for all data at rest
- TLS 1.3 encryption for all data in transit
- Private VPC deployment with no public database exposure
- SOC 2 Type II certified infrastructure
- Automated encrypted backups with 7-day retention
- Point-in-time recovery capability
Integration Configuration Data:
- API keys and authentication tokens for voice AI providers (Retell AI, VAPI, ElevenLabs)
- Connected platform account identifiers
- Workspace configuration settings
- Custom branding assets (logos, colors, domain names)
- Email service API credentials (optional Resend API keys for custom email delivery)
Client and Workspace Information:
- Client business names and contact information
- End user names and email addresses for workspace access
- Workspace-specific configuration and permissions
- Magic login link generation data
Payment Information:
- Payment card details (processed and stored by our payment processor Stripe)
- Billing history and transaction records
- Subscription plan details and usage limits
Communications and Support Data:
- Messages, feedback, and support tickets you send to us
- Survey responses and product feedback
- Email correspondence and chat communications
3.2 Voice AI Analytics Data
As a voice AI analytics platform, we collect and process specific types of voice-related data on behalf of our customers:
Call Metadata and Analytics:
- Call duration, timestamps, and date information
- Phone numbers (caller and recipient)
- Call status, outcome, and disposition codes
- Campaign identifiers and tracking parameters
- Cost data and billing information from voice AI providers
- Performance metrics and ROI calculations
Call Content References:
- Links to call transcripts hosted by third-party voice AI providers (we do not store actual transcript text)
- Links to call recordings hosted by third-party voice AI providers (we do not store actual audio files)
- Summary metadata about call content provided by voice AI platforms
End User Personal Information:
- Names, phone numbers, and email addresses collected during voice interactions
- Business information and contact details shared during calls
- Any personal information voluntarily provided by call recipients to voice AI agents
Important Note: We act as a data processor for voice AI analytics data. We do not store actual call recordings or full transcript content on our servers. We only maintain reference links and metadata pointing to content hosted by your chosen voice AI provider.
3.3 Automatically Collected Information
We automatically collect certain information when you access or use our Services:
Usage and Activity Data:
- Features accessed and actions performed within the Platform
- Pages viewed, buttons clicked, and navigation patterns
- Time spent on different sections of the Platform
- Search queries and filter preferences
- API requests and webhook activity
Device and Technical Information:
- IP address and geolocation data
- Browser type, version, and language settings
- Device type, operating system, and screen resolution
- Unique device identifiers and hardware specifications
- Referral source and entry/exit pages
Fraud Detection and Security Data:
- Device fingerprints and browser characteristics
- Account creation patterns and behavioral analytics
- Login attempt logs and authentication history
- Cross-account linking indicators for security purposes
- Suspicious activity flags and risk scoring
Log and Performance Data:
- Server logs and error reports
- System performance metrics
- Database query logs
- API response times and availability statistics
Cookies and Tracking Technologies:
- Essential session cookies for authentication and platform functionality
- Analytics cookies (Google Analytics) to understand usage patterns
- Performance monitoring cookies for service optimization
- Security cookies for fraud detection and prevention
4. LAWFUL BASIS FOR PROCESSING
Under UK GDPR, we must have a lawful basis for processing your personal data. We rely on the following legal bases:
Contractual Necessity (Article 6(1)(b) UK GDPR):
- Processing necessary to provide the Services you have subscribed to
- Managing your account, workspaces, and integrations
- Processing payments and managing subscriptions
- Providing customer support and technical assistance
Legitimate Interests (Article 6(1)(f) UK GDPR):
- Analyzing platform usage to improve Services and develop new features
- Detecting and preventing fraud, security threats, and unauthorized access
- Marketing communications about our Services (with opt-out rights)
- Maintaining business records and analytics
Legal Obligation (Article 6(1)(c) UK GDPR):
- Complying with tax, accounting, and financial reporting requirements
- Responding to legal requests and court orders
- Fulfilling data protection and regulatory obligations
- Maintaining records for dispute resolution
Consent (Article 6(1)(a) UK GDPR):
- Sending promotional marketing communications where required
- Using non-essential cookies and tracking technologies
- Processing special category data (only with explicit consent)
You have the right to withdraw consent at any time where processing is based on consent, without affecting the lawfulness of processing based on consent before withdrawal.
5. HOW WE USE YOUR INFORMATION
We use the information we collect for the following purposes:
5.1 Service Provision and Platform Operations
Account Management:
- Creating and maintaining user accounts in Supabase authentication database
- Managing authentication via bcrypt password hashing and JWT tokens
- Controlling access permissions through Row Level Security (RLS) policies
- Enforcing role-based access control (RBAC) per workspace
Platform Functionality:
- Providing dashboard analytics, workspace management, and white-label branding capabilities
- Storing application data in Google Cloud Platform europe-west1 (Belgium)
- Displaying real-time and historical call analytics from voice AI providers
Integration Services:
- Connecting to voice AI providers (Retell AI, VAPI, ElevenLabs)
- Synchronizing call data and managing API connections
- Maintaining secure API authentication
Billing and Payments:
- Processing subscription fees, usage-based charges, and payment transactions through Stripe
Customer Support:
- Responding to support requests, troubleshooting technical issues, and providing assistance
Email Delivery:
- Sending transactional and system emails through our default email service provider (Resend EU region)
- Using customer’s own Resend API configuration when provided
5.2 Analytics and Insights
Performance Analytics:
- Displaying call analytics, ROI metrics, and performance dashboards aggregated from voice AI providers
Usage Reporting:
- Generating workspace-level reports, usage statistics, and billing summaries
Platform Optimization:
- Analyzing user behavior, feature adoption, and system performance to improve Services
Benchmarking:
- Creating anonymized, aggregated industry benchmarks and performance comparisons
5.3 Security and Fraud Prevention
Threat Detection:
- Monitoring for unauthorized access attempts, suspicious activity, and security vulnerabilities
- 24/7 security monitoring through Cloudflare Security Analytics
Fraud Prevention:
- Detecting multiple account creation, circumvention of restrictions, and fraudulent behavior
- Device fingerprinting and behavioral analysis
Identity Verification:
- Verifying user identity during registration and high-risk transactions
Compliance Monitoring:
- Ensuring adherence to Terms of Service and acceptable use policies
Web Application Protection:
- Using Cloudflare Web Application Firewall (WAF) and DDoS protection to secure the Platform
5.4 Communications
Transactional Communications:
- Sending account notifications, payment confirmations, security alerts, and service updates
Support Communications:
- Responding to inquiries, providing technical assistance, and resolving issues
Operational Updates:
- Notifying you of platform maintenance, feature releases, and policy changes
Marketing Communications:
- Sending promotional emails about new features, upgrades, and special offers (with opt-out option)
5.5 Legal and Compliance
Regulatory Compliance:
- Fulfilling obligations under data protection, tax, and financial regulations
Legal Proceedings:
- Responding to legal requests, court orders, and law enforcement inquiries
Terms Enforcement:
- Investigating violations of Terms of Service and taking appropriate action
Dispute Resolution:
- Maintaining records necessary for resolving disputes and defending legal claims
6. DATA SHARING AND DISCLOSURE
We share your information with third parties only as described in this Privacy Policy:
6.1 Third-Party Service Providers
We engage trusted third-party service providers who process data on our behalf under strict data protection obligations:
| Service Provider | Purpose | Data Shared | Location | Safeguards |
|---|---|---|---|---|
| Supabase | Authentication database, RBAC management | Email addresses, password hashes, authentication tokens, RBAC permissions, session data | eu-central-1 (Frankfurt, Germany – EU) | Row Level Security (RLS), AES-256 encryption, SOC 2 Type II, EU hosting |
| Google Cloud Platform (GCP) | Cloud infrastructure and application hosting | All platform application data, call analytics metadata, workspace configurations | europe-west1 (Belgium – EU) | VPC isolation, encryption, ISO 27001, SOC 2, EU hosting |
| Cloudflare | Web Application Firewall (WAF), DDoS protection, white-label SSL certificates, CDN services, security monitoring | IP addresses, device information, security logs, domain configurations | Global network with EU data centers | EU data processing preference, encryption, SOC 2 |
| Resend | Transactional and system email delivery (default provider) | Email addresses, names, email content, delivery logs | EU region | EU hosting, encryption, SOC 2 |
| Stripe | Payment processing | Billing information, payment card details, transaction history | United States | Standard Contractual Clauses (SCCs), PCI-DSS, SOC 2 |
| Voice AI Providers (Retell AI, VAPI, ElevenLabs) | Voice AI platform integration | API authentication tokens, workspace configurations, call metadata references | Varies by provider | Individual DPAs and security assessments required |
| Google Analytics | Website and platform analytics | Usage data, device information, anonymized activity patterns | United States | Standard Contractual Clauses (SCCs), IP anonymization |
| Fraud Detection Services | Security and fraud prevention | Device information, behavioral data, account patterns | Varies by service | Encryption, contractual safeguards |
A complete list of sub-processors is available upon request to [email protected].
All third-party service providers are contractually obligated to:
- Process data only for specified purposes on our instructions
- Implement appropriate technical and organizational security measures
- Comply with applicable data protection laws including UK GDPR
- Notify us of data breaches and security incidents
- Delete or return data upon termination of services
6.2 Custom Email Service Configuration
Default Email Service:
- By default, all system and transactional emails are sent through Resend using EU region infrastructure
- Email delivery logs and metadata are stored in accordance with Resend’s data retention policies
Custom Resend API Integration:
- You may optionally configure your own Resend API credentials for email delivery
- When using custom Resend API keys:
- Emails are sent through your Resend account under your control
- You are responsible for compliance with Resend’s terms of service and privacy policy
- Email delivery data is subject to your Resend account settings and data location preferences
- Voice AI Portal stores your API credentials (encrypted) and uses them only to send emails on your behalf
6.3 Voice AI Platform Providers
When you connect voice AI platforms to Voice AI Portal, we share authentication credentials and configuration data with those providers. You are responsible for:
- Reviewing and complying with their respective privacy policies and terms of service
- Ensuring appropriate Data Processing Agreements (DPAs) are in place
- Configuring security settings for sensitive data handling
We are not responsible for the data handling practices of third-party voice AI platforms.
6.4 White-Label Clients and End Users
Data Controller Relationships:
- For agency account data (your business information, billing, platform usage), Voice AI Portal acts as the Data Controller
- For end user data (your clients and their call recipients), you act as the Data Controller and Voice AI Portal acts as the Data Processor
- You are responsible for providing appropriate privacy notices to your end users and obtaining necessary consents for voice data processing
6.5 Legal Requirements and Protection of Rights
We may disclose your information when required by law or when we believe disclosure is necessary to:
- Comply with legal obligations, court orders, or regulatory requests
- Respond to lawful requests from law enforcement or government authorities
- Enforce our Terms of Service and other agreements
- Protect our rights, property, safety, or the rights of users and the public
- Detect, prevent, or investigate fraud, security issues, or illegal activities
6.6 Business Transfers
If Voice AI Portal is involved in a merger, acquisition, asset sale, bankruptcy, or other business transaction, your information may be transferred as part of that transaction. We will notify you via email and prominent notice on our website before your information is transferred and becomes subject to a different privacy policy.
6.7 No Sale of Personal Information
We do not sell, rent, lease, or trade your personal information to third parties for monetary consideration or other valuable consideration. We do not engage in data brokering or share your data for third-party direct marketing purposes.
7. DATA SECURITY
7.1 Security Measures
We implement comprehensive technical and organizational security measures to protect your personal information from unauthorized access, disclosure, alteration, and destruction:
Encryption:
- Data in transit: TLS 1.3 protocols with strong cipher suites
- Data at rest: AES-256 encryption (Supabase and GCP)
- Database encryption: Sensitive information including API keys and authentication tokens
- End-to-end encryption: For sensitive communications
Access Controls:
- Role-based access control (RBAC): Managed through Supabase with principle of least privilege
- Row Level Security (RLS): Supabase RLS policies enforce multi-tenant data isolation at database level
- Session management: Secure JWT tokens with automatic timeout and expiration
- API authentication: API key rotation, OAuth 2.0 support, rate limiting per key
- Passwordless authentication: Magic link tokens with single-use enforcement and time-based expiration
Supabase Authentication Security:
- Bcrypt password hashing with per-user salt
- JWT token management with configurable expiration and automatic refresh
- Rate limiting and brute force protection (automatic account lockout after 5 failed attempts)
- Device fingerprinting for suspicious login detection
- Session history and audit logging
Infrastructure Security:
- Google Cloud Platform: VPC isolation, private networking, firewall rules, regional DDoS protection in europe-west1 (Belgium)
- Supabase: Deployment in eu-central-1 (Frankfurt),
- Cloudflare Security: Web Application Firewall (WAF), DDoS mitigation, bot management, OWASP Top 10 protection
- Network segmentation: Separate production, staging, development environments with strict firewall rules
Application Security:
- Secure Development: OWASP guidelines, secure coding standards, mandatory code review processes
- Input Validation: SQL injection prevention, XSS protection, CSRF tokens, parameterized queries
- Output Encoding: Context-appropriate encoding, Content Security Policy (CSP) headers
- Dependency Management: Weekly updates, automated vulnerability scanning, software composition analysis
- API Security: Rate limiting (1000 requests/hour per user), input validation, authentication requirements, versioning
SSL/TLS Security:
- Automatic SSL/TLS certificate provisioning for white-label domains via Cloudflare
- TLS 1.3 support with strong cipher suites
- HSTS (HTTP Strict Transport Security) enforcement
- Certificate transparency monitoring
Monitoring and Response:
- 24/7 Security Monitoring: Real-time SIEM alerts, anomaly detection via Cloudflare Security Analytics
- Intrusion Detection: Network and host-based IDS/IPS, behavioral analysis
- Log Aggregation: Centralized logging (Google Cloud Logging, Supabase audit logs) with tamper-proof storage
- Vulnerability Scanning: Weekly automated scans, monthly manual assessments
- Penetration Testing: Annual third-party penetration tests, quarterly internal security testing
Data Segregation:
- Multi-Tenant Isolation: Logical separation using Supabase Row Level Security (RLS) policies
- Workspace Partitioning: Strict tenant ID enforcement in all queries and API requests
- Database Partitioning: Row-level security prevents cross-tenant data access
- Access Restrictions: Application-level and database-level controls prevent unauthorized cross-tenant queries
Backup and Recovery:
- Automated Backups: Daily encrypted backups (Supabase 7-day retention, GCP snapshots to separate region)
- Backup Testing: Quarterly restore tests to verify integrity
- Disaster Recovery: RTO 4 hours, RPO 1 hour
- Backup Security: Stored in separate security domain with restricted access
Employee Security:
- Confidentiality agreements for all staff and contractors
- Least privilege access with regular reviews
- Immediate access revocation upon role change or departure
- Separation of duties for critical functions
Training and Awareness:
- Annual GDPR training mandatory for all personnel
- Role-specific training for data access roles (quarterly)
- Security awareness programs (monthly bulletins, phishing simulations)
- DPO consultation available for data protection questions
7.2 Voice Data Security
Important Security Architecture:
- We do not store actual call recordings or full transcript content on our servers
- We only maintain reference links (URLs) to recordings and transcripts hosted by third-party voice AI providers
- This architecture significantly reduces security risks associated with sensitive voice data
- Actual voice data security is governed by your chosen voice AI provider’s security practices
7.3 Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms:
- We will notify the UK Information Commissioner’s Office (ICO) within 72 hours as required by UK GDPR
- We will notify affected individuals without undue delay if the breach poses a high risk
- Notifications will describe the nature of the breach, potential consequences, and mitigation measures
- We will document all breaches and remediation actions taken
7.4 Your Security Responsibilities
While we implement robust security measures, you are responsible for:
- Maintaining confidentiality of your account credentials, API keys, and Resend API credentials
- Using strong, unique passwords and enabling multi-factor authentication where available
- Promptly notifying us of suspected unauthorized access or security incidents
- Configuring appropriate access controls for workspaces and end users
- Ensuring your voice AI provider accounts have appropriate security settings
- Securing your custom Resend API credentials if you choose to use custom email integration
8. DATA RETENTION
8.1 Retention Principles
We retain personal data only as long as necessary to fulfill the purposes described in this Privacy Policy, comply with legal obligations, resolve disputes, and enforce our agreements. Retention periods are determined based on:
- The nature and sensitivity of the data
- The purposes for which we process the data
- Legal, regulatory, tax, and accounting requirements
- Potential need to defend or establish legal claims
8.2 Specific Retention Periods
| Data Category | Retention Period | Storage Location | Legal Basis |
|---|---|---|---|
| Active Account Data | Duration of subscription | Supabase eu-central-1 + GCP europe-west1 | Contract performance |
| Supabase Authentication Data | Subscription + 30 days | Supabase eu-central-1 (Germany) | Contract performance |
| GCP Application Data | Subscription + 30 days | GCP europe-west1 (Belgium) | Contract performance |
| Billing Records | 7 years after transaction | GCP europe-west1 | Legal obligation (UK tax law) |
| Call Analytics Metadata | 90 days (Starter), 180 days (Pro/Agency) | GCP europe-west1 | Contract performance |
| Usage & Activity Logs | 90 days | Google Cloud Logging | Legitimate interest (security) |
| Security & Audit Logs | 12 months | GCP + Supabase | Legitimate interest (compliance) |
| Backup Data | 7 days | Encrypted (Supabase + GCP) | Legitimate interest (business continuity) |
| Support Communications | 24 months from case closure | GCP europe-west1 | Legitimate interest (quality) |
| Marketing Consent Records | Until withdrawn + 3 years | GCP europe-west1 | Legal obligation (proof of consent) |
| Email Delivery Logs (Resend) | 90 days | Resend EU region | Contract performance |
| DSAR Response Records | 3 years from response | GCP europe-west1 | Legal obligation (compliance evidence) |
| Data Breach Records | Indefinitely | GCP europe-west1 | Legal obligation (regulatory) |
8.3 Grace Period and Suspension Retention
During Payment Grace Period (7-14 days):
- All data remains accessible and retained normally
- No data deletion occurs during grace period
After Account Suspension:
- Customer Data retained for 90 days to allow payment resolution and service restoration
- Warning notification sent 15 days before permanent deletion
- Administrators have read-only access for data export during retention period
Permanent Deletion:
- At end of 90-day retention period, all Customer Data is permanently deleted
- Deletion is irreversible and cannot be recovered
- Subscription records anonymized for billing compliance only
8.4 Data Deletion and Erasure
Upon Account Deletion or Request:
- Personal data deleted within 30 days of verified deletion request
- Data removed from:
- Supabase: User account, credentials, authentication tokens, RBAC permissions (cascading deletion)
- GCP: Application data, workspace configurations, usage logs, call metadata
- Backups: Encrypted overwrite within 7-day backup rotation
- Cloudflare: Cached data cleared and purged
- Email Systems: Delivery logs deleted according to retention schedules
Exceptions to Deletion:
- Data required for legal compliance, tax obligations, or regulatory requirements (7 years for billing)
- Information necessary to resolve disputes or enforce Terms of Service
- Aggregated, anonymized data that no longer identifies individuals
- Information in backup systems that will be deleted according to scheduled backup rotation
You may request data deletion at any time by contacting [email protected].
9. INTERNATIONAL DATA TRANSFERS
9.1 Data Processing Locations
Voice AI Portal is based in the United Kingdom. Your personal data is processed and stored in the following locations:
Primary Data Processing – European Union:
- Authentication Database: Supabase eu-central-1 region (Frankfurt, Germany) for user credentials, RBAC, and session management
- Application Hosting: Google Cloud Platform (GCP) europe-west1 region (Belgium) for primary hosting and data storage
- Email Delivery: Resend EU region for transactional and system emails (default configuration)
United Kingdom:
- Business operations and data controller location (ALIM Ltd, Company Number 14528810)
Global Network:
- Cloudflare’s global CDN and security network with primary data processing in EU/UK regions
Third-Party Service Locations:
- United States: Stripe (payment processing), Google Analytics (with adequate safeguards via SCCs)
- Variable: Voice AI provider locations depend on your chosen platforms
9.2 Adequate Safeguards for International Transfers
For transfers of personal data outside the UK and EEA, we ensure appropriate safeguards are in place:
Standard Contractual Clauses (SCCs):
- We use UK Information Commissioner’s Office (ICO) approved International Data Transfer Agreement (IDTA)
- EU Commission Standard Contractual Clauses for EU GDPR compliance
- All data processors are contractually bound by SCCs
- UK Addendum to SCCs applied where required
Adequacy Decisions:
- EU to UK transfers benefit from UK adequacy decision (currently in place)
- Transfers to countries with adequacy decisions recognized by the UK or EU Commission
- Monitoring of adequacy status and implementation of alternative safeguards if withdrawn
Data Localization:
- Primary data storage in EU regions (Supabase eu-central-1, GCP europe-west1) minimizes need for international transfers
- Email processing through Resend EU region keeps communication data within EU
- Cloudflare processes security data within EU where possible
Additional Security Measures:
- Technical safeguards including encryption in transit (TLS 1.3) and at rest (AES-256)
- Organizational measures including access controls and data processing agreements
- Regular assessments of third-party security practices (annual sub-processor reviews)
- Data minimization to reduce transfer requirements
Transfer Impact Assessments (TIAs):
- We conduct Transfer Impact Assessments for transfers to countries without adequacy decisions
- Assessments consider local laws, government access provisions, and data subject rights
- Supplementary measures implemented where risks are identified (e.g., encryption, contractual obligations)
9.3 Your Rights Regarding International Transfers
You have the right to:
- Obtain information about the safeguards we use for international transfers
- Request copies of Standard Contractual Clauses
- Object to transfers that do not have appropriate safeguards
- Withdraw consent for transfers based on consent
For information about our international data transfers, contact [email protected].
10. YOUR RIGHTS AND CHOICES
10.1 UK GDPR Rights (UK and EEA Residents)
If you are located in the United Kingdom or European Economic Area, you have the following rights under UK GDPR and EU GDPR:
Right of Access (Article 15):
- Request confirmation of whether we process your personal data
- Obtain a copy of your personal data in a commonly used electronic format (JSON)
- Receive information about processing purposes, categories, recipients, and retention periods
- Response time: 30 days (may extend by 60 days for complex requests)
Right to Rectification (Article 16):
- Request correction of inaccurate or incomplete personal data
- Provide supplementary information to complete your data
- Updates propagated to Supabase (authentication), GCP (application data), and sub-processors
- Response time: 30 days
Right to Erasure / “Right to be Forgotten” (Article 17):
- Request deletion of your personal data when:
- Data is no longer necessary for the purposes collected
- You withdraw consent and no other legal basis applies
- You object to processing and no overriding legitimate grounds exist
- Data was unlawfully processed
- Deletion is required by legal obligation
- Complete removal from Supabase (auth database), GCP (application), backups, and sub-processors
- Response time: 30 days
Right to Restriction of Processing (Article 18):
- Request temporary restriction of processing when:
- You contest accuracy of data (during verification period)
- Processing is unlawful but you prefer restriction over deletion
- We no longer need data but you need it for legal claims
- You have objected to processing (pending verification of overriding grounds)
- Restricted data flagged in Supabase and GCP systems
- Response time: 72 hours
Right to Data Portability (Article 20):
- Receive your personal data in structured, machine-readable format (JSON)
- Request direct transmission to another controller where technically feasible
- Applies to data provided by you and processed based on consent or contract
- Export includes: Supabase (account, auth data), GCP (workspace, usage, call metadata)
- Response time: 30 days
Right to Object (Article 21):
- Direct Marketing: Object at any time to processing for direct marketing purposes (immediate cessation, no exceptions)
- Legitimate Interests: Object to processing based on legitimate interests; we must cease unless compelling legitimate grounds override your interests
- Response time: Immediate for marketing; 30 days for legitimate interests assessment
Right Not to Be Subject to Automated Decision-Making (Article 22):
- Right not to be subject to decisions based solely on automated processing with legal or significant effects
- Right to human intervention, express your point of view, and contest automated decisions
- Note: Voice AI Portal does not currently engage in automated decision-making with legal or significant effects
Right to Withdraw Consent:
- Withdraw consent at any time where processing is based on consent
- Withdrawal does not affect lawfulness of processing before withdrawal
- Marketing consent withdrawn via unsubscribe links or account settings (immediate effect)
Right to Lodge a Complaint:
- Lodge a complaint with the UK Information Commissioner’s Office (ICO) or your local supervisory authority
- Contact: ICO, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, UK
- Tel: 0303 123 1113
- Website: ico.org.uk
10.2 California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
Right to Know:
- Request disclosure of categories and specific pieces of personal information collected
- Request information about sources, purposes, and third parties with whom data is shared
- Request information covering the 12 months preceding your request
- Response time: 45 days (may extend by 45 days with notice)
Right to Delete:
- Request deletion of personal information we collected from you
- Subject to exceptions for legal compliance, fraud prevention, and legitimate business purposes
- Response time: 45 days
Right to Correct:
- Request correction of inaccurate personal information we maintain about you
- Response time: 45 days
Right to Opt-Out of Sale or Sharing:
- We do not sell or share personal information for monetary consideration or cross-context behavioral advertising
- If this changes, we will provide a “Do Not Sell or Share My Personal Information” link
Right to Limit Use of Sensitive Personal Information:
- We do not use or disclose sensitive personal information for purposes other than providing Services
- If applicable, you may limit use of sensitive personal information
Right to Non-Discrimination:
- Exercise your privacy rights without receiving discriminatory treatment
- We will not deny services, charge different prices, or provide different quality of service based on exercising rights
Authorized Agents:
- You may designate an authorized agent to submit requests on your behalf
- We require written authorization and verification of identity for agent requests
Shine the Light Law:
- California residents may request information about disclosure of personal information to third parties for direct marketing purposes
- We do not share personal information with third parties for their direct marketing purposes
10.3 Other Regional Privacy Rights
Depending on your location, you may have additional rights under local privacy laws (e.g., Canada PIPEDA, Australia Privacy Act, Brazil LGPD).
Contact [email protected]
For information about rights applicable to your jurisdiction.
10.4 Exercising Your Rights
How to Submit Requests:
- Email: [email protected] with subject “Privacy Rights Request – [Type]”
- Account Dashboard: Self-service data export and correction features
- Written Notice: ALIM Ltd T/A Voice AI Portal, Company Number 14528810, England and Wales
Include in Your Request:
- Your full name and email address associated with your account
- Specific request details and type of request (access, deletion, rectification, etc.)
- Any supporting documentation or clarification
Verification Process:
- We will verify your identity before processing requests to protect against fraudulent access
- Verification may require:
- Account email confirmation via magic link
- Security question verification
- Government-issued ID for sensitive requests or non-registered individuals
- Additional verification steps for high-risk requests
Response Timeframes:
- UK GDPR Requests: 30 days (may extend by 60 days for complex requests with notification and justification)
- CCPA Requests: 45 days (may extend by 45 days with notice)
- Urgent Requests (restriction, objection): 72 hours
- We will notify you of any delays and reasons for extension
No Fee for Requests:
- We do not charge fees for requests unless they are manifestly unfounded, excessive, or repetitive
- If a fee applies (£10-£25 for administrative costs), we will notify you before processing the request
- First data access request always free of charge
Appeal Process:
- If we deny your request, you have the right to appeal our decision
- Appeal instructions will be provided in our response to your request
- You may also lodge a complaint with the relevant supervisory authority (ICO for UK)
11. COOKIES AND TRACKING TECHNOLOGIES
11.1 What Are Cookies
Cookies are small text files stored on your device when you visit websites. They help websites remember your preferences, authenticate your session, and understand how you use the site. Voice AI Portal uses cookies and similar tracking technologies to provide and improve our Services.
11.2 Types of Cookies We Use
Strictly Necessary Cookies:
- Purpose: Essential for platform functionality, authentication, and security
- Examples: Session authentication tokens, security cookies, load balancing
- Legal Basis: Contractual necessity and legitimate interest
- Retention: Session duration or as needed for security
- Opt-Out: Cannot be disabled as they are essential for Service operation
Analytics and Performance Cookies:
- Purpose: Understand usage patterns, measure performance, and improve Services
- Provider: Google Analytics
- Data Collected: Pages viewed, navigation paths, time on site, device information (IP anonymized)
- Legal Basis: Legitimate interest (UK GDPR permits analytics cookies without consent under Data Use and Access Act 2025 for non-intrusive analytics)
- Retention: Up to 26 months
- Opt-Out: Disable in cookie settings or use browser controls; install Google Analytics Opt-out Browser Add-on
Functional Cookies:
- Purpose: Remember preferences and settings for personalized experience
- Examples: Language preferences, dashboard layouts, timezone settings
- Legal Basis: Legitimate interest
- Retention: 12 months or until changed
- Opt-Out: Disable in cookie settings
Security and Fraud Prevention Cookies:
- Purpose: Detect fraudulent activity, prevent unauthorized access, protect platform security
- Provider: Cloudflare and internal security systems
- Examples: Device fingerprinting, behavioral analysis tokens, bot detection
- Legal Basis: Legitimate interest in security and fraud prevention
- Retention: 90 days
- Opt-Out: Limited opt-out as essential for security
Future Marketing Cookies:
- We do not currently use marketing, advertising, or retargeting cookies
- If implemented in the future, we will obtain explicit consent and update this Privacy Policy
- Planned providers may include Facebook Pixel, LinkedIn Insight Tag, Google Ads
11.3 Managing Cookie Preferences
Cookie Consent Banner:
- First-time visitors see a cookie consent banner
- You may accept all cookies, reject non-essential cookies, or customize preferences
- Strictly necessary cookies are automatically enabled
Account Settings:
- Manage cookie preferences through your account settings under Privacy > Cookies
- Changes apply immediately to your session
Browser Controls:
- Configure cookie settings in your browser preferences
- Block all cookies, delete existing cookies, or set cookie expiration rules
- Note: Disabling strictly necessary cookies will prevent platform access
Third-Party Opt-Out:
- Google Analytics: Install Google Analytics Opt-out Browser Add-on from tools.google.com/dlpage/gaoptout
- Cloudflare: Limited opt-out as cookies are essential for security
Do Not Track Signals:
- We currently do not respond to browser Do Not Track (DNT) signals
- We comply with cookie preferences set in our platform and consent banner
11.4 Similar Tracking Technologies
Local Storage and Session Storage:
- Used to store application state, user preferences, and temporary session data
- Managed similarly to cookies with retention based on functionality
Web Beacons and Pixels:
- Not currently used for marketing or advertising
- May be used in transactional emails to confirm delivery and engagement
- If marketing pixels are added in the future, explicit consent will be obtained
Device Fingerprinting:
- Used for security and fraud detection purposes
- Analyzes device and browser characteristics to identify suspicious patterns
- Legal basis: Legitimate interest in security
12. CHILDREN’S PRIVACY
Voice AI Portal is not intended for use by individuals under the age of 18. We do not knowingly collect, use, or disclose personal information from children under 18.
Age Verification:
- Account registration requires confirmation that you are at least 18 years of age
- We rely on users to provide accurate age information
Parental Consent:
- If we become aware that we have collected personal information from a child under 18 without parental consent, we will take steps to delete that information promptly
- Parents or guardians who believe we have collected information from a child may contact [email protected]
Voice AI Operations Involving Minors:
- For voice AI calls involving minors (made through your voice AI systems tracked via Voice AI Portal):
- You are responsible as Data Controller for obtaining appropriate consents
- You must comply with applicable laws governing collection of children’s data
- Additional protections may be required under COPPA (US), UK GDPR special category data, and other regulations
- Voice AI Portal is not responsible for compliance with laws governing your voice AI operations
13. THIRD-PARTY LINKS AND SERVICES
13.1 Third-Party Websites
Our Services may contain links to third-party websites, applications, or services that are not operated or controlled by Voice AI Portal. This Privacy Policy does not apply to third-party websites or services.
Your Responsibility:
- Review privacy policies of third-party websites before providing personal information
- We are not responsible for privacy practices of third-party sites
- Links do not constitute endorsement of third-party services
13.2 Voice AI Platform Integrations
Voice AI Portal integrates with third-party voice AI platforms including Retell AI, VAPI, ElevenLabs, and others
Data Sharing:
- We share authentication credentials and configuration data with integrated platforms
- Call data, recordings, and transcripts are stored by voice AI providers, not by Voice AI Portal
- We retrieve metadata and analytics from these platforms to display in your dashboard
Third-Party Responsibility:
- Voice AI providers act as independent Data Controllers for voice data they collect
- You are responsible for reviewing and complying with their privacy policies and terms
- Voice AI Portal is not responsible for data handling practices of integrated platforms
- Security and privacy of actual call recordings and transcripts is governed by provider policies
Your Obligations:
- Ensure you have appropriate Data Processing Agreements (DPAs) with voice AI providers
- Configure provider settings to handle sensitive data according to applicable regulations
- Obtain necessary consents from call recipients for voice data collection and processing
13.3 Payment Processing
Payment processing is handled by Stripe, an independent third-party payment processor. Voice AI Portal does not store complete payment card details on our servers.
Stripe Privacy:
- Stripe processes payment information according to their privacy policy
- Stripe is PCI-DSS compliant and implements industry-standard security measures
- Review Stripe’s privacy policy at stripe.com/privacy
13.4 Email Service Providers
Default Email Service – Resend:
- Default transactional emails sent through Resend using EU region infrastructure
- Resend processes email data according to their privacy policy
- Review Resend’s privacy policy at resend.com/legal/privacy-policy
Custom Email Integration:
- If you configure custom Resend API credentials, emails are sent through your Resend account
- You are responsible for reviewing and complying with Resend’s privacy policy
- Email data subject to your Resend account settings and preferences
13.5 Security and Infrastructure Services
Cloudflare:
- Provides WAF, DDoS protection, SSL certificates, and CDN services
- Processes security and performance data according to their privacy policy
- Review Cloudflare’s privacy policy at cloudflare.com/privacypolicy
Google Cloud Platform:
- Provides infrastructure hosting in EU region (europe-west1, Belgium)
- Processes data as a sub-processor under our data processing agreement
- Review Google Cloud’s privacy commitments at cloud.google.com/security/privacy
Supabase:
- Provides authentication database in EU region (eu-central-1, Frankfurt, Germany)
- Processes authentication and RBAC data as a sub-processor
- Review Supabase’s privacy policy at supabase.com/privacy
14. AUTOMATED DECISION-MAKING AND PROFILING
14.1 Automated Decision-Making
Voice AI Portal does not engage in automated decision-making that produces legal effects or similarly significantly affects you as defined under UK GDPR Article 22. All significant decisions regarding account management, service provision, and terms enforcement involve human review.
14.2 Profiling for Service Improvement
We may use profiling techniques for the following purposes:
Fraud Detection and Security:
- Automated analysis of account creation patterns and device characteristics
- Behavioral analysis to identify suspicious activity
- Risk scoring for security purposes
- Legal basis: Legitimate interest in security and fraud prevention
Platform Optimization:
- Analysis of usage patterns to improve features and user experience
- Identification of common user workflows for interface optimization
- Anonymized behavioral analytics for product development
- Legal basis: Legitimate interest in service improvement
Personalization:
- Customization of dashboard layouts and recommended features
- Usage-based suggestions for workspace configuration
- Legal basis: Legitimate interest in providing personalized service
You have the right to object to profiling and request human intervention in decisions that significantly affect you. Contact [email protected] to exercise this right.
15. DATA PROTECTION IMPACT ASSESSMENTS
As required by UK GDPR Article 35, we conduct Data Protection Impact Assessments (DPIAs) for processing activities that pose high risks to individual rights and freedoms.
Our DPIAs cover:
- Multi-tenant authentication system (Supabase) with Row Level Security
- Integration with third-party voice AI platforms and data flows
- Processing of call metadata and analytics involving personal information
- Fraud detection and security monitoring activities
- International data transfers to countries without adequacy decisions (Stripe, Google Analytics)
- Use of Cloudflare security services and data processing
DPIA Process:
- Systematic description of processing operations and purposes
- Assessment of necessity and proportionality
- Identification and assessment of risks to data subjects
- Measures to address risks (technical, organizational, safeguards)
- DPO consultation and sign-off
DPIAs are regularly reviewed and updated to reflect changes in processing activities, technologies, and risks. Summaries of our DPIAs are available upon request to [email protected].
16. YOUR RESPONSIBILITIES AS DATA CONTROLLER
16.1 White-Label Client Obligations
When you use Voice AI Portal’s white-label services to provide analytics dashboards to your clients:
You Act as Data Controller:
- You determine purposes and means of processing for your clients’ data
- You are responsible for compliance with data protection laws
- You must provide appropriate privacy notices to your end users
- You must obtain necessary consents for voice data collection and processing
Your Compliance Obligations:
- Ensure lawful basis exists for processing all personal data
- Provide transparent privacy information to end users (Articles 13-14 UK GDPR)
- Enable data subject rights for your end clients (access, deletion, rectification, etc.)
- Conduct your own Data Protection Impact Assessments for high-risk processing
- Maintain records of processing activities (Article 30 UK GDPR)
- Implement appropriate security measures for your operations
- Report data breaches to supervisory authorities and data subjects as required
Voice AI Provider Relationships:
- Execute Data Processing Agreements (DPAs) with voice AI providers
- Configure provider settings for GDPR-compliant data handling
- Obtain call recording consents from call recipients (one-party or two-party consent depending on jurisdiction)
- Ensure voice AI scripts include appropriate privacy disclosures
Voice AI Portal’s Role:
- We act as your data processor for workspace and call analytics data
- Our DPA defines processing instructions, security obligations, and sub-processor approvals
- We provide tools to help you fulfill data subject rights (data export, deletion, access controls)
- We are not responsible for your compliance obligations as data controller
16.2 Data Subject Rights Fulfillment
For Your End Clients:
- End users should contact you (their data controller) to exercise rights
- You may forward verified requests to [email protected] for fulfillment
- We will assist with data access, export, deletion, and correction within our systems (Supabase, GCP)
- You remain responsible for communications with data subjects and legal compliance
16.3 Agency Best Practices
Privacy Notice Templates:
- Provide clear privacy notices for voice AI calls (disclosure at call outset)
- Include information about: AI technology use, recording/transcription, data processing purposes, rights
- Make privacy policy accessible to call recipients (URL reference in call scripts)
Consent Management:
- Maintain records of consents (timestamp, method, scope, call recording)
- Provide easy opt-out mechanisms (hang up, press key, do-not-call lists)
- Honor withdrawal requests immediately
Security Configuration:
- Enable MFA for agency administrator accounts in Voice AI Portal
- Restrict workspace access using RBAC (Supabase managed)
- Regularly review user permissions and access logs
- Configure voice AI providers for appropriate data retention and encryption
17. CHANGES TO THIS PRIVACY POLICY
We may update this Privacy Policy from time to time to reflect changes in our practices, Services, legal requirements, or for other operational, legal, or regulatory reasons.
Notification of Changes:
- Material changes will be communicated via email to all registered users at least 30 days in advance
- Prominent notice posted on our website and within the Platform
- Updated effective date displayed at the top of this Privacy Policy
- Continued use of Services after effective date constitutes acceptance of changes
Your Options:
- Review the updated Privacy Policy before the effective date
- Object to changes or cancel your account if you do not agree
- Exercise your data deletion rights if changes are unacceptable
Non-Material Changes:
- Minor updates (e.g., contact information, clarifications) may be made without advance notice
- Check this Privacy Policy periodically for updates
- Version history available upon request to hello@voiceaiportal.com
18. GOVERNING LAW AND JURISDICTION
This Privacy Policy and any disputes arising from it shall be governed by and construed in accordance with the laws of England and Wales, without regard to conflict of law principles.
Dispute Resolution:
- Disputes shall be subject to the exclusive jurisdiction of the courts of England and Wales
- You may also have the right to bring proceedings in the courts of your country of residence
Supervisory Authority:
- UK residents may lodge complaints with the UK Information Commissioner’s Office (ICO)
- EEA residents may lodge complaints with their local data protection authority
19. CONTACT INFORMATION
For questions, concerns, or requests regarding this Privacy Policy or our data practices:
Data Controller:
ALIM Ltd T/A Voice AI Portal
Company Number: 14528810
Registered in England and Wales
Data Protection Officer:
Email: [email protected]
Supervisory Authority:
UK Information Commissioner’s Office (ICO)
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF
United Kingdom
Tel: 0303 123 1113
Website: ico.org.uk
Last Reviewed: January 5, 2026
Effective Date: January 5, 2026
Version: 2.0
This Privacy Policy constitutes a legally binding agreement between you and ALIM Ltd. By using Voice AI Portal, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy.