Table of contents
1. Data controller
Voice PA Limited (“Voice PA”, “we”, “us”, “our”) is the data controller responsible for your personal data.
- Company number: 17057403 (registered in England and Wales)
- Registered address: 128 City Road, London, EC1V 2NX
- Privacy contact: privacy@voicepa.ai
- Website: voicepa.ai
We operate an AI-powered phone receptionist service for tradespeople and small service businesses in the United Kingdom.
2. What data we collect
We collect and process the following categories of personal data:
- Account information — name, email address, and profile picture provided via Google or Microsoft OAuth sign-in.
- Business information — business name, trade category, services offered, pricing, working hours, service area, and contact details you provide during onboarding.
- Call data — phone numbers, call recordings, call transcripts, AI-generated summaries, service requests, and booking details from calls handled by our AI receptionist.
- Booking data — customer names, phone numbers, email addresses, postal addresses, postcodes, and appointment details collected during the booking process.
- Calendar data — we access your Google Calendar (with your permission) to check availability and create, update, or delete booking events.
- Payment data — processed securely by Stripe. We store your Stripe customer ID and subscription status but do not store card numbers or bank details on our servers.
- Website usage data — information about how you interact with our website and dashboard, collected through PostHog analytics (where you have given consent).
- Cookie data — essential cookies required for the service to function, and analytics cookies (with your consent). See section 6 for full details.
- Consent records — records of the consents you or your customers have given or withdrawn, including the type of consent, method, and timestamp.
3. Lawful basis for processing
Under UK GDPR Article 6, we must have a lawful basis for each processing activity. The table below sets out the lawful basis we rely on for each type of processing:
| Processing activity | Lawful basis |
|---|---|
| Providing the AI receptionist service (answering calls, booking appointments, sending confirmations) | Performance of a contract — Art 6(1)(b) |
| Recording phone calls handled by our AI receptionist | Consent — Art 6(1)(a). Callers are informed at the start of each call that it is AI-handled and may be recorded. |
| Sending SMS booking confirmations and appointment reminders | Performance of a contract — Art 6(1)(b) |
| Sending SMS marketing messages | Consent — Art 6(1)(a). You can opt out at any time by replying STOP. |
| Website analytics and cookies (PostHog) | Consent — Art 6(1)(a). Managed through our cookie consent banner. |
| Fraud prevention and service security | Legitimate interest — Art 6(1)(f). Our legitimate interest in protecting the service and users from fraud and abuse. |
| Tax compliance and financial record-keeping | Legal obligation — Art 6(1)(c). Required by HMRC regulations. |
| Managing your calendar on your behalf | Performance of a contract — Art 6(1)(b) |
| Processing subscription payments | Performance of a contract — Art 6(1)(b) |
4. Call recording
Our AI receptionist is powered by Retell AI. At the start of each call, callers are informed that they are speaking with an AI assistant and that the call may be recorded. By continuing the call after this disclosure, the caller provides implied verbal consent to recording.
We store the following call data:
- Call transcript — a text transcription of the conversation.
- Call summary — an AI-generated summary of the call including any service requests and booking details.
- Recording URL — a link to the audio recording, hosted by Retell AI.
- Caller phone number — the number the caller dialled from.
- Call metadata — duration, timestamp, and call disposition.
Call recordings and transcripts are retained for 12 months from the date of the call (see section 9 for full retention periods). You or the caller may request deletion of call data at any time by contacting privacy@voicepa.ai.
5. SMS and WhatsApp messaging
We send the following types of messages via SMS (using Twilio):
- Transactional messages — booking confirmations, appointment reminders, and missed call notifications. These are sent as part of the service you have requested and do not require separate marketing consent under PECR.
- Marketing messages — promotional messages sent only with your explicit consent. These comply with PECR Regulation 22.
How to opt out: You can opt out of marketing messages at any time by replying STOP to any message, or by using the consent management page linked in your messages. Opting out of marketing will not affect transactional messages necessary for delivering the service.
All marketing SMS messages include opt-out instructions in compliance with PECR.
6. Cookies and analytics
We use the following types of cookies:
- Essential cookies — required for the website and service to function (for example, session cookies for authentication). These do not require consent under PECR Regulation 6 as they are strictly necessary.
- Analytics cookies — used by PostHog to understand how visitors use our website. These cookies are only set with your consent, which you can manage via our cookie consent banner (powered by Klaro).
What PostHog collects: page views, button clicks, session duration, device type, browser type, and approximate location (country/region level). PostHog does not collect precise geolocation. We use this data to improve the service and understand usage patterns.
You can change your cookie preferences at any time using the cookie consent banner, which is accessible via the link in the website footer.
7. Data sharing and sub-processors
We share personal data only with the following third-party service providers (sub-processors), solely to operate the service. We do not sell your personal data to any third party.
| Sub-processor | Purpose | Data location |
|---|---|---|
| Retell AI | Voice AI platform for handling phone calls, call recording, and transcription | United States |
| Twilio | SMS messaging, phone number provisioning, and call routing | United States |
| Stripe | Payment processing and subscription management | United States |
| Authentication (OAuth) and calendar integration | United States / EEA | |
| PostHog | Website analytics (consent-gated) | United States |
| Vercel | Frontend website hosting | United States / Global CDN |
| DigitalOcean | Backend application and database hosting | United Kingdom / EEA |
Our use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We only use Google Calendar access to check your availability and manage bookings. We do not share your Google data with third parties for advertising or other unrelated purposes.
8. International data transfers
Some of our sub-processors (including Retell AI, Twilio, Stripe, PostHog, and Vercel) process data in the United States. Where personal data is transferred outside the United Kingdom, we ensure appropriate safeguards are in place:
- UK adequacy regulations — where the UK Government has determined that a country provides an adequate level of data protection.
- Standard Contractual Clauses (SCCs) — where adequacy has not been determined, we use UK International Data Transfer Agreements or EU Standard Contractual Clauses (as adopted under UK law) to protect your data.
You can request a copy of the safeguards we use by contacting privacy@voicepa.ai.
9. Data retention
We retain your personal data only for as long as necessary for the purposes set out in this policy. The specific retention periods are:
| Data type | Retention period |
|---|---|
| Account and business data | While your account is active, plus 30 days after account deletion |
| Call recordings and transcripts | 12 months from the date of the call |
| Booking records | 24 months from the date of the booking |
| Consent records | 6 years (limitation period for contract claims under the Limitation Act 1980) |
| Payment and billing records | 7 years (HMRC requirement for financial records) |
| Analytics data (PostHog) | Governed by PostHog's retention settings; anonymised after 12 months |
After the applicable retention period, data is securely deleted or anonymised. You can request early deletion of your data at any time (see section 10).
10. Your rights
Under UK GDPR, you have the following rights in relation to your personal data:
- Right of access (Article 15) — you have the right to request a copy of the personal data we hold about you. You can do this via the consent management page or by emailing privacy@voicepa.ai.
- Right to rectification (Article 16) — you have the right to ask us to correct any inaccurate personal data we hold about you. Contact us at privacy@voicepa.ai.
- Right to erasure (Article 17) — you have the right to request deletion of your personal data. We will comply unless we have a legal obligation to retain it. You can request this via the consent management page or by emailing us.
- Right to restriction of processing (Article 18) — you have the right to ask us to restrict how we process your data in certain circumstances, for example while we verify the accuracy of your data.
- Right to data portability (Article 20) — you have the right to receive your personal data in a structured, commonly used, and machine-readable format (JSON), and to have it transferred to another controller where technically feasible.
- Right to object (Article 21) — you have the right to object to processing based on legitimate interests (such as fraud prevention). We will stop processing unless we can demonstrate compelling legitimate grounds.
- Right to withdraw consent (Article 7(3)) — where we process your data based on consent (such as call recording, marketing SMS, or analytics cookies), you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
How to exercise your rights: You can exercise these rights via the consent management page (linked in your SMS messages), or by contacting us at privacy@voicepa.ai. We will respond to your request within one month, as required by UK GDPR.
11. Right to complain to the ICO
If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's supervisory authority for data protection:
- Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
- Website: ico.org.uk
- Telephone: 0303 123 1113
We would appreciate the opportunity to address your concern before you approach the ICO. Please contact us first at privacy@voicepa.ai.
12. Children
Voice PA is a business-to-business service designed for tradespeople and service businesses. All users must be at least 18 years old. We do not knowingly collect personal data from children under the age of 18. If we become aware that we have collected data from a child, we will delete it promptly.
13. Changes to this policy
We may update this privacy policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will notify you by email or through a prominent notice on our website. The “Last updated” date at the top of this page indicates when the policy was last revised.
We encourage you to review this policy periodically. Continued use of the service after changes take effect constitutes acceptance of the updated policy.
14. Contact
If you have any questions about this privacy policy or how we handle your personal data, please contact us:
- Email: privacy@voicepa.ai
- Data controller: Voice PA Limited, 128 City Road, London, EC1V 2NX, company number 17057403