we keep less data than you'd expect.

This policy applies to operators (the businesses and individuals who sign up at callingscout.ai and run AI agents on our platform), recipients (the people those agents call), and visitors (anyone browsing the marketing site or trying the public preview at /play).

We are CallingScout, Inc., a Delaware C-corp. The legal entity is the data controller for operator accounts and a processor for the calls operators initiate.

When you create an account we ask Clerk (our authentication provider) for the minimum needed to sign you in: email, name, and an OAuth identifier from whichever provider you used. We read that into our database and tag it with a tenant ID.

When you set up a workspace we store the workspace name, your chosen agents and their system prompts, your phone-number assignments, billing info (handled by Stripe — we never see card numbers), and any integration tokens you connect (Google Calendar, HubSpot, Salesforce, Slack, etc.). Integration tokens are encrypted at rest with a per-tenant key.

We do not sell, rent, or share operator account data with advertisers. We do not run ads.

For every call placed or received through CallingScout we record:

• The two phone numbers, the call direction, and timestamps.
• A transcript of what was said, with PII automatically redacted (credit cards, SSNs, full DOBs) before the transcript is written to durable storage.
• The audio recording, if recording is enabled for the campaign and applicable consent has been collected.
• Outcome labels and structured fields the agent extracted — for example "appointment booked, 3pm Thursday."
• Telemetry about how the call went: latency, interruption counts, model + provider routing, cost in tokens.

We do not enable recording by default. Operators turn it on per campaign, and our compliance gate refuses to start an outbound call to a two-party-consent state unless the agent's first utterance discloses that the call is being recorded.

Every CallingScout call must begin with a spoken disclosure that the recipient is talking to an AI. We enforce this in code, not in a system prompt: the disclosure phrase is injected by the pipeline factory before any LLM token is generated, and tenants cannot remove it through configuration. If you find a way to bypass it, that is a security incident — email security@callingscout.ai.

Every outbound call passes through a code-level compliance gate that checks the National Do-Not-Call Registry, the operator's internal DNC list, and TCPA calling-hour rules (no calls before 8am or after 9pm in the recipient's local timezone). The gate is the only path to the dialer. There is no "skip compliance" flag.

The public Scout preview is rate-limited to five sessions per IP per hour, capped at ten minutes per session, and bound to a sentinel system tenant that is filtered out of every operator-facing query. We do not write the preview transcript to durable storage. We do not retain the preview audio. The system prompt explicitly forbids the demo agent from collecting personal data — if you offer it your email, the agent will refuse.

Production data lives in Google Cloud (us-central1). Postgres on Cloud SQL holds operator data, transcripts, and call metadata. Recordings live in Google Cloud Storage with per-tenant prefix isolation. Redis (managed by Upstash) caches short-lived state. RabbitMQ (CloudAMQP) routes call dispatch messages.

The voice stack uses a small set of upstream providers:

• Telephony: Twilio (primary) and Telnyx (fallback) for SIP and PSTN connectivity.
• Speech and language models:OpenAI, Google (Gemini), Anthropic (Claude), Deepgram, ElevenLabs, Cartesia, xAI. Which one runs depends on your agent's voice config.
• Authentication: Clerk.
• Billing: Stripe.
• Observability: Cloud Trace, Prometheus, Sentry.

We sign Data Processing Addenda with every upstream provider that can see call content. None of them are permitted to use the data to train their own models. If a provider's training policy changes in a way that would let them, we change providers.

• Operator accounts: as long as your workspace is active, plus 90 days after deletion for a recovery window.
• Call recordings: 30 days by default. Per-tenant retention can be lengthened or shortened in workspace settings, subject to applicable law.
• Transcripts and structured outcomes: kept for the lifetime of the workspace so analytics keep working. You can delete individual calls at any time.
• Telemetry and aggregated metrics: 18 months, de-identified after 30 days.
• Marketing-site analytics:we don't run them. No third-party trackers on callingscout.ai except the bare minimum required by Clerk and Stripe to make sign-in and checkout work.

If a CallingScout-powered agent called you and you would like to access, correct, or delete the records of that call, email privacy@callingscout.ai with the phone number that received the call. We will:

• Confirm receipt within 5 business days and verify your identity.
• Identify which operator placed the call and route the request to them, since the operator is the controller of the call's content. We will copy you on the response.
• Delete or anonymize the records on our side once the operator confirms, or within 30 days if they don't respond — whichever comes first.

You can also be added to our internal Do-Not-Call list, which applies across every operator on the platform. Email dnc@callingscout.ai with the phone number you want suppressed.

You can export your full workspace (calls, transcripts, recordings, agent configs, contacts, billing history) as a single archive from workspace settings. You can also delete your workspace, which removes everything within 30 days. Backups roll out within 90 days.

GDPR, CCPA, and similar regimes: we treat the rights of access, correction, deletion, portability, and objection as available to anyone who asks, regardless of their jurisdiction. Email privacy@callingscout.ai.

Transport-layer encryption (TLS 1.2+) for every byte over the network. Encryption at rest for every database and object store. Per-tenant row-level isolation enforced in code, not just by query convention. Secrets in Google Secret Manager, never in source. Access to production data requires SSO + hardware key, and is logged.

We are working toward SOC 2 Type II. The current posture and our incident-response plan are available under NDA — email security@callingscout.ai.

The marketing site sets one cookie for theme preference and uses Clerk's session cookie when you sign in. We do not run Google Analytics, Meta Pixel, Hotjar, or any third-party marketing tracker. The dashboard uses anonymous internal telemetry (Sentry for crash reports, Prometheus for performance) which never reads your message content.

CallingScout is not directed at children under 16. We do not knowingly collect data from them. If you believe a recipient on a call placed through our platform was a child, email privacy@callingscout.ai and we will work with the operator to delete the call.

When we materially change this policy we email every active operator at the address on file at least 14 days before the change takes effect. The "effective" date at the top of this page is always the source of truth. Past versions are available on request.

For privacy questions:
privacy@callingscout.ai

For security disclosures:
security@callingscout.ai

For everything else: hello@callingscout.ai