LegalGDPR CompliantCCPA Compliant

Privacy Policy

At Receptify, we handle data from your business, your callers, and your team. This policy explains exactly what we collect, why, and the controls you have written plainly, without legal jargon hiding important details.

Effective: May 15, 2026Last updated: May 15, 2026Version: 2.1

Overview

Plain-language summary

Receptify is an AI receptionist platform. We collect data to run your AI agents, improve call quality, process payments, and keep your account secure. We do not sell your data. You can request deletion at any time.

This Privacy Policy applies to Receptify Inc. ("Receptify", "we", "us", or "our") and all services, APIs, websites, and applications we operate, including the Receptify dashboard, AI receptionist agents, and any associated integrations (collectively, the "Services").

We act as a data controller for account and billing data, and as a data processor for call content and caller data processed on behalf of our customers. This distinction matters: when you use Receptify to handle your customers' calls, you are the controller for that call data and we process it only under your instructions.

This policy is written to comply with the EU General Data Protection Regulation (GDPR), the UK Data Protection Act 2018, the California Consumer Privacy Act (CCPA/CPRA), and other applicable privacy laws.

01.Information We Collect

We collect information in three ways: information you provide directly, information generated by your use of our Services, and information from third parties.

1.1 Account & Registration Information

  • Full name and business name / organization name
  • Work email address and phone number
  • Password (stored as bcrypt hash we never see your plaintext password)
  • Industry type and organization size
  • Billing address and VAT/tax identification number (for invoicing)
  • Organization slug used for your unique Receptify subdomain

1.2 Billing & Payment Information

Payment card details are processed directly by our PCI DSS Level 1 compliant payment processor (Stripe). Receptify does not store raw card numbers. We store only:

  • Stripe Customer ID and subscription/plan references
  • Last 4 digits and card brand (for display purposes only)
  • Billing address linked to your subscription
  • Invoice history, amounts, and payment status
  • Add-on minute balances and purchase history

1.3 AI Agent Configuration Data

  • Agent name, persona, greeting scripts, and voice selection
  • Knowledge base files you upload (e.g. FAQ documents, product lists)
  • Business hours, escalation rules, and call routing logic
  • Twilio phone number bindings and SIP configuration
  • Integration credentials (stored encrypted at rest)

1.4 Call & Interaction Data

Caller data your responsibility

When your AI agent handles calls, data about the caller (name, phone number, intent, transcript) is processed by Receptify on your behalf. You are responsible for having appropriate legal basis and notices in place for collecting this data from your own customers.
  • Caller phone number (E.164 format), call timestamp, and duration
  • Full call transcript (speech-to-text output)
  • Sentiment analysis labels (positive, neutral, negative) applied by our AI
  • Call classification: type (inquiry, order, appointment, complaint, other)
  • Appointment details booked through the agent (name, date, time, notes)
  • Order details captured during calls (item, quantity, delivery info)
  • AI agent responses, decision paths, and escalation triggers
  • Call recording audio files (if recording is enabled on your account)

1.5 Technical & Usage Data

  • IP address, browser type, operating system, and device identifiers
  • Pages visited within the dashboard, timestamps, and session durations
  • API request logs including endpoint, method, status code, and latency
  • Error logs and crash reports (anonymized where possible)
  • Feature usage patterns (e.g. which tabs are accessed, filter selections)

1.6 Communications Data

  • Email content when you contact our support team
  • Support ticket history, priority, status, and resolution notes
  • In-app messages or feedback submitted through the platform
  • Survey responses and NPS scores (when voluntarily submitted)

02.How We Use Your Information

We rely on the following legal bases under GDPR to process your data. Each purpose is mapped to its legal basis below.

PurposeLegal BasisDetail
Providing the AI receptionist serviceContract performanceRunning your AI agents, processing calls, managing appointments and orders
Account authentication & securityContract performance + Legitimate interestJWT tokens, bcrypt passwords, rate limiting, fraud prevention
Billing & subscription managementContract performance + Legal obligationStripe charges, invoice generation, VAT compliance
Platform analytics & improvementsLegitimate interestUnderstanding feature usage, improving AI accuracy and response quality
Sentiment & call quality analysisLegitimate interest (B2B) / Consent (B2C callers)Automated labeling of call transcripts to surface insights to you
Transactional emails & notificationsContract performanceReceipts, password resets, plan expiry notices, call alerts
Product & feature announcementsLegitimate interest (opt-out available)New agent capabilities, integrations, platform updates
Legal compliance & auditsLegal obligationTax records, GDPR compliance documentation, law enforcement requests
Aggregated, anonymized researchLegitimate interestIndustry benchmarks; data is anonymized and cannot identify you

03.AI & Automated Processing

Receptify uses AI models to power your agents, transcribe calls, and classify sentiment. This section explains how that processing works and your rights around automated decisions.

3.1 AI Models We Use

  • Large language models (LLM) provided by Google (Gemini API) for natural language understanding and response generation
  • Text-to-speech synthesis via ElevenLabs for agent voice output
  • Speech-to-text transcription via Twilio Media Streams for converting caller audio to text
  • Sentiment analysis applied in real-time to call transcripts using our own classification models

3.2 How Call Transcripts Are Processed

When a call is handled by your AI agent, the caller's audio is streamed to our infrastructure via Twilio, transcribed to text, and passed to the LLM to generate a response. The transcript and response are stored in our database linked to your tenant account. Audio recordings (if enabled) are stored in encrypted object storage.

3.3 Automated Decision-Making

Receptify performs automated processing (sentiment scoring, call type classification) that generates labels visible in your dashboard. These labels are used to provide you with analytics and are not used by Receptify to make decisions that have legal or significant effects on callers. If you use these labels to make decisions about your own customers, you are the controller for those decisions and must ensure you have appropriate safeguards.

3.4 AI Training

We do not train on your call data

Your call transcripts, knowledge base content, and agent configurations are not used to train Receptify's AI models or shared with third-party AI providers for training purposes. Third-party providers (Google, ElevenLabs) are bound by their own data processing terms, which generally prohibit using API inputs for model training.

04.Information Sharing & Disclosure

We do not sell, rent, or trade your personal information. We share data only in the following circumstances:

4.1 Service Providers (Sub-processors)

ProviderPurposeLocationData Shared
StripePayment processing & subscription billingUSA (SCCs in place)Billing info, email
TwilioTelephony, call routing, audio streamingUSA (SCCs in place)Phone numbers, audio, transcripts
Google (Gemini API)AI language model inferenceUSA (SCCs in place)Call transcript segments (in-context only)
ElevenLabsText-to-speech voice synthesisUSA (SCCs in place)Agent response text
MongoDB AtlasDatabase hostingEU / ConfigurableAll structured platform data
Contabo / VPS providerApplication server hostingEUAll application-level data

4.2 Legal Disclosure

We may disclose your information if required by law, court order, or governmental authority, or if we believe disclosure is necessary to prevent fraud, protect our rights, or protect the safety of persons. Where legally permitted, we will notify you before disclosing.

4.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity. We will notify you via email and/or a prominent notice on our website at least 30 days before data is transferred and becomes subject to a different privacy policy.

4.4 Aggregated & Anonymized Data

We may share aggregated, de-identified data (e.g. "average call duration across the platform") for research or marketing purposes. This data cannot reasonably be used to identify you or your callers.

05.Data Retention

We retain data for as long as necessary to provide our Services and comply with legal obligations. The table below outlines our default retention periods. Enterprise customers may negotiate custom retention terms in their Data Processing Agreement.

Data TypeRetention PeriodReason
Account & profile informationDuration of account + 90 days after deletionAccount management, legal compliance
Call transcripts12 months (configurable, min 30 days)Analytics, audit, dispute resolution
Call audio recordings90 days (configurable, auto-purge enabled)Quality review; audio is large and costly to store
Billing records & invoices7 yearsTax law and financial audit requirements
Knowledge base filesUntil deleted by you or account closureRequired for agent operation
Security & access logs90 daysFraud detection, incident response
Support tickets3 years from resolutionCustomer service quality, dispute history
Anonymized analyticsIndefinitePlatform improvement; no personal data retained

When you delete your account, we initiate a cascade deletion of your agents, call logs, knowledge base files, appointments, and orders within 30 days. Billing records are retained separately as required by law. Backups containing your data are purged within 90 days of deletion.

06.Data Security

We implement technical and organizational measures proportionate to the risks of processing. Our security practices include:

Encryption in Transit

All data transmitted between clients and our servers uses TLS 1.2+. API endpoints enforce HTTPS exclusively.

Encryption at Rest

Database volumes, audio recordings, and knowledge base files are encrypted at rest using AES-256.

Authentication

JWT access tokens (short-lived) with rotating refresh tokens stored in HttpOnly cookies. bcrypt for password hashing.

Rate Limiting

API endpoints are rate-limited (100 req/15min per IP by default) to mitigate brute force and DDoS attacks.

Multi-tenancy Isolation

All database queries are scoped by tenant ID. Cross-tenant data access is prevented at the middleware level.

Infrastructure

Servers are hardened with Helmet.js HTTP security headers, CORS with credentials validation, and cookie security flags.

Access Controls

Role-based access control (RBAC) separates admin and tenant access. Admin sessions use separate JWT secrets.

Incident Response

We maintain a documented incident response plan. Affected users will be notified within 72 hours of a confirmed breach.

No method of electronic transmission or storage is 100% secure. While we use commercially reasonable safeguards, we cannot guarantee absolute security. If you discover a security vulnerability, please report it responsibly to security@devzey.com.

07.International Data Transfers

Receptify is incorporated in the United States. If you are accessing our Services from the European Economic Area (EEA), United Kingdom, or Switzerland, your data may be transferred to and processed in the United States or other countries that may not provide the same level of data protection as your jurisdiction.

For transfers of personal data from the EEA/UK to the US, we rely on the following transfer mechanisms:

  • Standard Contractual Clauses (SCCs) EU Commission-approved SCCs are incorporated into our Data Processing Agreements with all US-based sub-processors
  • EU-US Data Privacy Framework where our sub-processors are certified under the DPF, we rely on this as an additional transfer mechanism
  • Adequacy decisions where transfers are to countries recognized by the EU Commission as providing adequate protection

You may request a copy of the SCCs applicable to your data transfers by contacting our DPO at privacy@devzey.com.

08.Cookies & Tracking Technologies

We use cookies and similar technologies on our website and dashboard. You can control non-essential cookies through our cookie preference center (accessible via the cookie banner on first visit).

CategoryExamplesCan Opt OutDuration
Strictly NecessarySession cookie, CSRF token, refresh token (HttpOnly)No required for the service to functionSession / 30 days (refresh token)
FunctionalTheme preference (dark/light mode), languageYes1 year
AnalyticsPage view counts, dashboard feature usage (anonymized)Yes90 days
MarketingReceptify does not use marketing or advertising cookiesN/AN/A

We do not use third-party advertising networks, tracking pixels, or behavioral advertising. Our analytics are self-hosted and privacy-preserving.

09.Your Privacy Rights

Depending on your jurisdiction, you have the following rights regarding your personal data. We will respond to all valid requests within 30 days (extendable by 60 days for complex requests, with notice).

Right of Access

GlobalEEA/UKCalifornia

Request a copy of the personal data we hold about you, including the purposes of processing and retention periods.

Right to Rectification

GlobalEEA/UK

Correct inaccurate or incomplete personal data. You can update most information directly in Settings.

Right to Erasure

GlobalEEA/UKCalifornia

Request deletion of your personal data where there is no legitimate reason for continued processing.

Right to Restrict Processing

EEA/UK

Request that we limit how we process your data in certain circumstances (e.g. while a dispute is resolved).

Right to Data Portability

EEA/UKCalifornia

Receive your data in a structured, machine-readable format (JSON/CSV) to transfer to another provider.

Right to Object

EEA/UK

Object to processing based on legitimate interests, including for direct marketing (instant opt-out).

Right to Opt-Out of Sale

California

We do not sell personal data. California residents may still submit this request for documentation purposes.

Right to Non-Discrimination

California

Exercising your privacy rights will not result in denial of service, different pricing, or reduced quality.

To exercise any right, email privacy@devzey.com with the subject line "Privacy Request [Right Name]". We will verify your identity before processing the request. EEA/UK residents also have the right to lodge a complaint with their national supervisory authority if they believe their rights have been infringed.

10.Children's Privacy

Our Services are not directed to children under the age of 16 (or 13 in jurisdictions where 13 is the applicable minimum age). We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at privacy@devzey.com and we will take steps to delete such information.

If your business uses Receptify to interact with callers who may include children (e.g. a school or pediatric clinic), you are responsible for ensuring compliance with applicable children's privacy laws (COPPA, UK AADC, etc.) in your use of our platform.

11.Third-Party Services

Our Services may contain links to third-party websites or integrate with third-party tools (e.g. CRM systems, calendar platforms). This Privacy Policy applies only to Receptify's processing. We encourage you to review the privacy policies of any third-party services you connect to through our platform.

When you connect a third-party integration, you authorize us to share the data necessary for that integration to function (e.g. sending appointment details to your calendar). You can revoke integration access at any time from Settings → Integrations.

12.Contact & Data Protection Officer

If you have any questions, concerns, or requests related to this Privacy Policy or our data practices, please contact us through any of the following channels:

📧

General Privacy

privacy@devzey.com

🔐

Security Issues

security@devzey.com

📮

Postal Address

Receptify Inc., [Address on file]

EEA and UK residents may also contact our EU/UK representative (details on request) or lodge a complaint directly with their national data protection supervisory authority.

13.Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, Services, or applicable law. We distinguish between material and non-material changes:

  • Material changes (e.g. new purposes for processing, new categories of data, new sub-processors): We will notify you by email at least 14 days before the change takes effect and display a prominent notice in the dashboard.
  • Non-material changes (e.g. clarifications, formatting, contact details): We will update the 'Last updated' date at the top of this page without direct notification.
  • Emergency changes (e.g. required by law or to address a security issue): We may make changes immediately and notify you as soon as practicable.

Your continued use of our Services after the effective date of any change constitutes your acceptance of the updated policy. If you do not agree with a material change, you may terminate your account before the change takes effect.

A changelog of all previous versions of this Privacy Policy is available on request by emailing privacy@devzey.com.

Effective: May 15, 2026 · Version 2.1↑ Back to top