Ortavox Inc. – Privacy Policy
Last updated: 25 June 2025
1. Who We Are
Ortavox Inc. ("Ortavox", "we", "our") provides a cloud platform that enables businesses to create AI‑powered voice agents for customer calls. Our registered address is 131 Continental Dr, Suite 305, Newark, DE 19713 USA. Questions? Email privacy@ortavox.ai.
2. Scope
This Policy explains how we collect, use, disclose and protect Personal Data when you:
- Visit or interact with any Ortavox website, dashboard or developer portal;
- Use our APIs, SDKs, telephony endpoints or related services (Services); or
- Communicate with us (e.g., sales, support, events).
It does not cover third‑party sites or services that integrate with Ortavox.
3. Information We Collect
| Category | Examples | Source |
|---|---|---|
| Account Data | Name, email, company, hashed passwords, auth tokens, billing address, VAT/ICE numbers | You |
| Payment Data | Last‑4 card digits, expiry, country, transaction IDs | Stripe |
| Telephony & Usage Data | Provisioned numbers, call start/stop time, duration, SIP headers, outcome codes | Automatically from your use |
| Audio & Transcripts | Call recordings, transcribed text, synthesized prompts | Automatically (configurable) |
| AI Interaction Data | Prompts, intents, model parameters, agent config, analytics | You / Automatically |
| Device & Log Data | IP address, browser, OS, referrer, cookies, session IDs | Your device / cookies |
| Marketing Data | Preferences, survey responses, event regs, newsletter opens | You |
| Google Workspace Data | Spreadsheet rows, metadata of Drive files you select, calendar event details | You / Automatically (see §4) |
We do not knowingly collect data from children under 16.
4. Google Workspace Data (Sheets, Drive & Calendar)
4.1 Scopes We Request
| Scope | Purpose |
|---|---|
https://www.googleapis.com/auth/drive.file | Open Google file‑picker so you can select spreadsheets; limits access to files you pick. |
https://www.googleapis.com/auth/spreadsheets | Read rows/columns for call‑flow rules and write status updates post‑processing. |
https://www.googleapis.com/auth/calendar.events | Check free/busy and create/update events for meetings or follow‑up calls. |
4.2 How We Use This Data
- Link a sheet – you pick the spreadsheet; we store its file ID encrypted.
- Read rules – fetch only configured columns at runtime.
- Write status – mark completion, timestamp, etc.
- Check availability – query Calendar free/busy.
- Book events – create/update calendar events with call details.
4.3 Storage & Retention
No long‑term storage of sheet content or event details. OAuth tokens + minimal metadata cache ≤30 min or until job completes.
4.4 Revocation
Disconnect Google in Settings → Connected Accounts or via Google Account Permissions; cached data purged within 60 seconds.
4.5 Limited‑Use Commitment
Our use of Google API data complies with the Google API Services User Data Policy, including its Limited Use rules. We never use this data for ads or share it outside your tenancy.
5. How We Use Personal Data
| Purpose | Legal Basis* |
|---|---|
| Provide, maintain & secure Services | Contract performance |
| Authenticate users & prevent fraud | Legitimate interests |
| Improve ASR/TTS/LLM models (de‑identified) | Legitimate interests / Consent (EEA/UK/MA) |
| Deliver call analytics & dashboards | Contract performance |
| Customer support | Contract performance |
| Product updates & marketing (opt‑out) | Consent / Legitimate interests |
| Comply with telecom, tax, accounting laws | Legal obligation |
*See §11 for region‑specific rights.
6. Call Recordings & Voice Data
- Calls recorded & transcribed unless disabled via settings or
recording=false. - Audio may be temp‑processed on secure GPU clusters to fine‑tune speech models.
- Default retention: 30 days (configurable).
- You must inform callers and obtain any required consent.
We do not use customer audio to create public TTS voices or share it outside your tenancy.
7. Cookies & Similar Technologies
We use first‑party and third‑party cookies (Google Analytics, Sentry) to understand traffic, remember preferences and measure campaigns. Manage cookies in your browser or via our banner.
8. How We Share Personal Data
| Recipient | Purpose | Safeguards |
|---|---|---|
| Cloud providers (AWS, GCP) | Hosting, storage | SCCs, encryption at rest |
| Telecom carriers & numbering partners | Call routing, SMS, numbers | NDAs |
| AI model vendors (OpenAI, Vertex AI) | Optional inference | DPA, isolated prompts |
| Stripe | Billing | PCI‑DSS |
| Datadog, Sentry | Monitoring, error logs | Pseudonymisation |
| Authorities | Legal compliance | Narrow scope, legal review |
We do not sell your Personal Data.
9. Data Retention
- Account records – life of account + 24 months
- Call metadata – 24 months (aggregated thereafter)
- Audio & transcripts – 30 days (default, configurable)
- Financial records – 7 years (tax laws)
- Marketing opt‑out lists – indefinitely to honour preference
10. Security
Safeguards aligned with ISO 27001: TLS 1.3 in transit, AES‑256 at rest, RBAC, MFA, quarterly vulnerability scans, annual penetration tests and 24/7 IDS. Breach notifications within 72 hours.
11. Your Privacy Rights
| Region | Rights & How to Exercise |
|---|---|
| GDPR / UK GDPR | Access, rectify, erase, restrict, portability, object, automated‑decision review – email dpo@ortavox.ai |
| Morocco Law 25‑20 & 09‑08 | Similar rights – contact above |
| California CCPA/CPRA | Know, delete, correct, opt‑out of “sharing” (we don’t share) – toll‑free +1 888‑987‑CALL |
| Brazil LGPD | Confirmation, access, correction, anonymisation, deletion – same channels |
If unresolved, you may lodge a complaint with your supervisory authority.
12. International Transfers
Primary data centres: United States (us‑east‑1) & Germany (eu‑central‑1). Transfers rely on:
- EU Standard Contractual Clauses (2021/914/EU) or UK Addendum;
- Moroccan DPC authorisation where applicable;
- Additional encryption and access controls.
13. Automated Decision‑Making
Voice agents may route or end calls automatically. No decision with legal or similarly significant effects is made without human review unless you configure it that way.
14. Third‑Party Links
Our sites may link to third‑party resources. We’re not responsible for their privacy practices—please review their policies.
15. Changes to This Policy
We may update this Policy periodically. Significant changes will be posted 30 days in advance on this page or emailed to account owners. Continued use after the “Last updated” date constitutes acceptance.
16. Contact Us
General inquiries: privacy@ortavox.ai
Data Protection Officer (EU/UK): dpo@ortavox.ai
Ortavox Inc.
131 Continental Dr, Suite 305
Newark, DE 19713 USA
Need to adjust retention settings or cookie preferences? Visit your admin dashboard or contact support.